Quick answer: no, and it will never. In case you are interested in a more detailed explanation of the attack and why our technology can’t be a target of such an exploit, keep on reading.
The critical security weaknesses in the Bluetooth Low Energy (BLE) specifications have been much debated in the last period, since the Perdue University and the École Polytechnique Fédérale de Lausanne (EPFL) have warned on BLESA (Bluetooth Low Energy Spoofing Attack) attacks. This vulnerability, identified in the last months, impacts the devices running the BLE protocol, and enables hackers to impersonate a BLE device to spoof important data to another device paired previously.
Bluetooth Low Energy is the most widely used protocol and it enables energy-efficient wireless short-range communication between resource-constrained devices. It is smarter and more compact than the classic original version, it is more energy-efficient and better conserves the battery power without compromising the connectivity. Moreover, it is easily adoptable, as it requires a little user interaction to establish a connection between two or more devices. Unfortunately, its simplicity is not only the root of his widespread use but also the root of its vulnerabilities, like spoofing attacks.
Researchers have stated that the new security vulnerability manifests itself during the pairing and bonding processes in which the client and the server have authenticated to pair with each other’s device. During the authentication process, reconnection verifications can be bypassed, and this may involve the sending of incorrect information to the BLE device. All this may result in erroneous decisions made by human operators and automated processes.
Each BLE connection involves a device acting as a client and another acting as a server. The first time they connect, they make a pairing procedure, which changes on the basis of the connected devices and the user-interfaces’ capabilities. In this phase the vulnerability manifests itself. The different ways of interaction between the primary and the secondary device allow controlling the whole process and the vulnerability itself. In the first kind of interaction a peripheral device connects to a primary one in an indissoluble way, the two devices are therefore bonded. In the second kind, the central device can connect to the peripheral one every time there is an interaction, without bonding the devices. The vulnerability presents in the first case, which is the one that Sofia Locks systems never use during the access control platform network configuration and communication.
Therefore, our solutions and cloud-based operation do not bear the vulnerability risk. Our systems are provided with an additional encryption protocol to the standard BLE one, to have an additional security layer. Our experts have specifically designed our solutions in this way, to avoid these kinds of attacks or technological vulnerabilities. For this reason, the BLESA attack will never affect the functioning of our systems and devices.
