Smartphones, tablets, laptops, and IoT devices are now using Bluetooth software stacks that are potentially susceptible to a new security flaw. Referred to as BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability was identified over the summer and is said to impact devices running the Bluetooth Low Energy (BLE) protocol.
For those who are not aware, BLE is a compact, lightweight version of classic Bluetooth designed to be more energy-efficient, conserving battery power without compromising connectivity. Because of these battery-saving properties, BLE has been widely adopted in recent years in many IoT and wireless smart devices.
According to the research, the BLESA vulnerability manifests itself during the pairing and bonding process, in which the client and the server authenticate each other in order to pair. This process is part of the standard security of the BLE technology, and SALTO devices do not use it at any point, neither during network configuration of the access control platform nor during communications, in any of the SALTO smart access platforms (SALTO Space Data-on-Card, SALTO KS Keys as a Service or SALTO Danalock) and smart door locking solutions.
Defending against most Bluetooth attacks usually means pairing devices in a controlled environment and network architecture, but defending against BLESA is much harder, since the attack targets the reconnect operation, which occurs far more often than pairing.
When SALTO integrated BLE technology into its access control platforms to provide smart-lock communication between the network and the devices of the system, we decided to use SALTO's own security measures instead of the standard BLE security measures, adding a further security layer. We did this specifically to avoid the risk of being affected by this type of attack on the mainstream standard.
In summary, regarding the recent BLESA Bluetooth spoofing attacks, this vulnerability DOES NOT AFFECT SALTO Systems and BLUEnet-based technology platforms (SALTO Space, SALTO KS), nor SALTO Mobile Keys (JustIN, KS) products and communications, nor products of the Danalock platform.