Billions of smartphones, laptops, IoT units and tablets are at risk thanks to a Bluetooth network security flaw found within the Bluetooth Low Energy protocol. Academics and security analysts at Purdue University in the US have been examining the vulnerability, which cybercriminals can exploit because of how IoT client and server devices pair and reconnect. Because the flaw has the potential to cause widespread havoc for Bluetooth users, law firms must keep their IoT devices secure to ensure that their confidential client data remains protected.
Understanding How BLESA Works
Bluetooth Low Energy (BLE) is a protocol that has been adopted as an alternative to traditional Bluetooth. The protocol is seen as an upgrade as it allows your devices to conserve battery power without compromising the stability of your connections. As a result of these key features, BLE has been integrated into a wide range of devices. Unfortunately, hackers are now able to exploit the protocol due to the way in which client and server devices reconnect to each other. If one of your paired devices moves out of range and then comes back within range, the two devices are able to reconnect and authenticate with each other.
Exploitation of BLESA
Unfortunately, this reconnection process is not as secure as it should be. When two BLE devices reconnect, ideally the cryptographic keys negotiated during pairing should be rechecked before continuing to exchange information. However, the Purdue research team discovered two enormous flaws:
- Reconnection authentication appears to be optional rather than required.
- Reconnection authentication can be avoided entirely if the IoT device is unable to approve the communication.
These two Bluetooth network security flaws have created the possibility of BLESA attacks, which hackers are now using as a means to gain access to your systems. BLESA, or Bluetooth Low Energy Spoofing Attack, is possible when bad actors navigate around the reconnection authentication requirements. After they have sidestepped this security stage, the hackers are able to send spoofed data to their target IoT devices. This enables the hackers to control your Bluetooth systems and get them to carry out undesired behaviours.
The BLE protocol is used widely and requires zero human interaction, which up until now has been its main selling point. However, the simplicity of its design, which uses plain-text packets to transmit data, means that it is relatively easy for a hacker to take control of your networked Bluetooth devices.
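To make the two flaws listed above concrete, the following added example (not code from the Purdue research or from any real BLE stack) models a client deciding whether to trust a reconnecting device, once with a flawed policy and once with a hardened one. All class and function names are hypothetical, the sample bond is constructed, and an HMAC over a nonce stands in for BLE's link encryption with the key negotiated during pairing.

```python
# Added illustration (not from the Purdue research or any real BLE stack).
# Models how a client decides whether to trust a reconnecting bonded device.
# HMAC over a nonce is a stand-in for BLE link encryption with the pairing key.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

@dataclass
class Bond:                      # state stored after pairing (hypothetical)
    peer_addr: str
    key: bytes                   # key negotiated during pairing

@dataclass
class Reconnect:                 # what the client sees on reconnection
    peer_addr: str               # claimed address; carries no proof by itself
    nonce: bytes                 # fresh challenge chosen by the client
    proof: Optional[bytes]       # None when the peer skips authentication

def prove(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()

def lax_accept(bond: Bond, rc: Reconnect) -> bool:
    """Flawed policy: authentication optional, failure falls back to trust."""
    if rc.peer_addr != bond.peer_addr:
        return False
    if rc.proof is None:
        return True              # flaw 1: recheck treated as optional
    if not hmac.compare_digest(rc.proof, prove(bond.key, rc.nonce)):
        return True              # flaw 2: failed recheck is ignored
    return True

def strict_accept(bond: Bond, rc: Reconnect) -> bool:
    """Hardened policy: no valid proof of the pairing key, no data accepted."""
    if rc.peer_addr != bond.peer_addr or rc.proof is None:
        return False
    return hmac.compare_digest(rc.proof, prove(bond.key, rc.nonce))

def compare_policies() -> dict:
    """Run both policies over three constructed reconnection attempts."""
    bond = Bond("AA:BB:CC:DD:EE:FF", os.urandom(16))   # constructed sample bond
    nonce = os.urandom(16)
    cases = {
        "genuine": Reconnect(bond.peer_addr, nonce, prove(bond.key, nonce)),
        "auth_skipped": Reconnect(bond.peer_addr, nonce, None),
        "wrong_key": Reconnect(bond.peer_addr, nonce, prove(os.urandom(16), nonce)),
    }
    return {name: (lax_accept(bond, rc), strict_accept(bond, rc))
            for name, rc in cases.items()}
```

Each result pair is (flawed policy, hardened policy): only the hardened policy rejects a reconnection that skips or fails the key recheck.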
Bluetooth Network Security Risks for Law Firms
Bluetooth network security should be a top priority for law firms, due to the confidential client data and related compliance regulations involved. Lawyers have access to the latest devices such as smartphones, tablets and desktops, which allow them to carry out their work efficiently, whether in the office or from a remote location. However, particularly with the changes to remote working models during the pandemic, security needs to be watertight across all devices and all locations. A BLESA attack on your law firm would be catastrophic, as it could potentially expose or destroy your client data. This would be a significant compliance issue, which would see you failing to meet regulations set out by The Information Commissioner’s Office, The Bar Council and the Attorney General. You could also expect to experience a severe loss of reputation if your systems don’t hold up against a BLESA attack.
Protecting Your Systems With Robust Security
BLESA is only one type of Bluetooth network security flaw, and there are countless other vulnerabilities that put law firms at risk. Although this may sound daunting, the great news is that by outsourcing your security management, you can benefit from the knowledge and technical skills of our team of experts. We’ll ensure your systems are constantly updated with the latest fixes and can monitor for any threats on a 24/7 basis to ensure your confidential client data is always protected. Want to know more? Get in touch with City Business Solutions for a FREE security review.