News about possible fixes for android devices has been uploaded. This article was originally published on September 16, 2020.

Billions of Android smartphones and tablets, Linux PCs and servers, and smart home and wearable devices are vulnerable to a Bluetooth flaw that hackers and pranksters can access without permission, giving devices false data could end up with, academic researchers based at Purdue University in Indiana have found.

The flaw, named BLESA (Bluetooth Low Energy Spoofing Attack), also affects iOS devices, but Apple patched it in the March iOS 13.4 and iPad OS 13.4 updates.

Windows devices are not vulnerable. Principal researcher Jianlang Wu told Tom's Guide that he was unable to test macOS devices for vulnerabilities.

"To facilitate its adoption, BLE (Bluetooth Low Energy protocol) requires limited or no user interaction to establish a connection between two devices," the researchers wrote in their academic paper. Unfortunately, this simplicity is the root cause of several security problems."

The researchers informed Google of the Android BLESA flaw in April 2019, only to hear that another team had informed Google of the same flaw just three days earlier. Nonetheless, Android 10 running on the Google Pixel XL is "still vulnerable" to BLESA attacks as of June 2020, the researchers said.

According to the researchers, many smart home and wearable devices, such as the August smart lock, Fitbit Versa smartwatch, Nest Cam indoor camera, and Nest Protect smoke detector, also properly not authenticated, making them vulnerable to BLESA attacks.

Tom'sGuide has asked Google for clarification on Android and will update this article when we hear back; ZDNet was one of the first publications to report this story.

The BLESA flaw does not exist in the older "classic" version of Bluetooth used to connect wireless headphones to smartphones. Rather, it is present in the newer Bluetooth Low Energy (BLE) protocol, which consumes less power and transmits data at a slower rate than regular Bluetooth.

BLE is ideal for connecting smart home and wearable devices, such as fitness bands and light bulbs, that do not need to transmit large amounts of data and would quickly drain their batteries with regular Bluetooth.

Unfortunately, most smartphones do not allow BLE to be turned off while regular Bluetooth is turned on. Therefore, to avoid being affected by a BLESA attack, the Android phone's Bluetooth must be turned off whenever it is not in use. It is also necessary to go into the Bluetooth settings and "forget" previously paired devices that are no longer in use.

If you are using an iPhone, make sure it is updated to iOS 13.4 or later; Linux distributions will patch vulnerable BLE software libraries by replacing them with ones that do not have BLESA issues.

When one Bluetooth device is paired with another, each device "remembers" the other so that it can reconnect without having to repeat the pairing process. However, when reconnecting, the devices must verify each other's identity.

BLESA flaws occur when previously paired devices do not properly request verification upon reconnection or do not properly implement verification. An attacker can exploit these flaws and gain access by impersonating the other device. Researchers cite figures estimating that 5 billion devices worldwide will use BLE by 2023.

Using the BLESA flaw, an attacker in the vicinity could connect to your phone by pretending to be the device your phone is already paired with; only one of the two devices would need to have the BLESA flaw, and the other would need to be paired to your phone.

"According to researchers, this could lead to several scenarios," the Purdue University website states. For example, malicious keystrokes could be made when a smartphone or desktop reconnects to a BLE keyboard. Or, false glucose level values could be injected into a smartphone while the user is reading data from a BLE glucose monitor. Upon reconnecting to the fitness tracker, the user can receive the fake fitness data.

The attacker must know at least some of the identifying features of one of the two devices, which can be easily obtained by "sniffing" legitimate Bluetooth traffic between the two devices.

The researchers demonstrated this attack on video, showing first an Android phone connecting to an Oura "smart" ring and then to a laptop pretending to be an Oura ring; the Oura Android app is unable to tell the difference. (Oura itself, however, was more protected from BLESA than most other wearable devices the researchers tested.)

"By using BLESA, an attacker could successfully impersonate the ring and inject spoofed data into the phone, and the ring's companion application running on the phone would accept and display the spoofed data," the academic paper states. [The research team was led by Jianlang Wu and included five of his Purdue University colleagues and one researcher from the Lausanne University of Technology in Switzerland. They presented their research at the USENIX WOOT '20 virtual conference in August and won the conference's best paper award.

Their entire USENIX presentation, viewing of slides, and research papers are available online without restrictions.

Then on September 16, PI Jianliang Wu emailed Tom's Guide to inform us of a new statement by the research team.

"We were recently advised by Google that a fix (part of the December 2019 Android security update) to a previous CVE (2019-2225) mitigates BLESA. Due to time constraints, we have not independently verified its effectiveness against BLESA, but will do so soon. I would like to thank my colleagues at Google for sharing this information.

Mitigation is not a complete fix, but it does mitigate the impact of the vulnerability; Tom's Guide has not received a response from Google regarding the potential BLESA vulnerability in the Android Bluetooth Low Energy software.