Flat 70% Discount On Pendrive / Android Courses, Valid Till 29th Feb'20 Call On : 9354229384, 9315859773, 9354252518, 9999830584

Current Affairs

Security design flaw in Bluetooth devices

Date: 18 November 2019 Tags: IT, Mobile & Computers

Issue

An inherent design flaw makes mobile apps that work with Bluetooth Low Energy devices vulnerable to hacking, according to a study at the Association for Computing Machinery.

 

Background

Bluetooth is a wireless technology standard used for exchanging data between fixed and mobile devices over short distances using short-wavelength UHF radio waves in the industrial, scientific and medical radio bands and building personal area networks.

 

Details

  • There is a fundamental flaw that leaves these devices vulnerable,  first when they are initially paired to a mobile app, and then again when they are operating.

  • The study found it to be a consistent problem among Bluetooth low energy devices when communicating with mobile apps.

  • Devices like wearable health and fitness tracker, smart thermostat, smart speaker or smart home assistant communicates with the apps on mobile device by broadcasting something called a UUID, a universally unique identifier.

  • The identifier allows the corresponding apps on the phone to recognise the Bluetooth device, creating a connection that allows the phone and device to talk to one another.

  • The identifier itself is also embedded into the mobile app code. Otherwise, mobile apps would not be able to recognise the device. However, such UUIDs in the mobile apps make the devices vulnerable to a fingerprinting attack.

  • Cases in which no encryption is involved or encryption is used improperly between mobile apps and devices, the attacker would be able to ‘listen in’ on your conversation and collect that data.

  • In addition to building the databases directly from mobile apps of the Bluetooth devices in the market, the team’s evaluation also identified 1,434 vulnerable apps that allow unauthorised access.

  • The experts say that the problem should be relatively easy to fix if app developers tightened defences in that initial authentication.