Design flaw could open Bluetooth devices to hacking
Mobile apps that work with Bluetooth devices have an inherent design flaw that makes them vulnerable to hacking, new research has found.
The problem lies in the way Bluetooth Low Energy devices—a type of Bluetooth used by most modern gadgets—communicate with the mobile apps that control them, said Zhiqiang Lin, associate professor of computer science and engineering at The Ohio State University. Lin presented the findings this week at the Association for Computing Machinery's Conference on Computer and Communications Security (ACM CCS 2019).
"There is a fundamental flaw that leaves these devices vulnerable—first when they are initially paired to a mobile app, and then again when they are operating," Lin said. "And while the magnitude of that vulnerability varies, we found it to be a consistent problem among Bluetooth low energy devices when communicating with mobile apps."
Consider a wearable health and fitness tracker, smart thermostat, smart speaker or smart home assistant. Each first communicates with the apps on your mobile device by broadcasting something called a UUID—a universally unique identifier. That identifier allows the corresponding apps on your phone to recognize the Bluetooth device, creating a connection that allows your phone and device to talk to one another.