The Bluetooth Low Energy Invasion


August 26, 2016 Facebook Twitter LinkedIn Google+ Uncategorized


Source:

IoT connection

Slawomir-Jasek

IoT security consultant Swalomir Jasek assesses the benefits, risks and procautions associated with Bluetooth Low Energy technology.

As its name implies, Bluetooth Low Energy (also known as Bluetooth Smart or Bluetooth 4) technology, was designed from its inception to be power-efficient.

Besides having “Bluetooth” in the name, the BLE protocol is technically different than previous Bluetooth versions, utilizing additional usage scenarios (and thus risks). Focus has been put on simplicity rather than throughput, thus making the chip not only less energy hungry, but also significantly smaller and cheaper. And this key characteristic turned out to be the catalyst for the explosion of a wide assortment of new “IoT” devices and applications on the market.

The availability, low cost and ease of implementation has rendered the technology extremely popular among startups, but as IoT World News redactors already noticed BLE is also making its way into medical, industrial and government equipment.

It is forecasted that more and more BLE devices will surround our lives in the form of wearables, sensors, lightbulbs, socks, cups, medical devices, and other smart-products. Many of these connected devices are not associated with any significant risk, but some may possess serious security implications (i.e. door locks, alarms, security sensors, biometric authentication, banking tokens, keypasses etc.). Also many devices expose users to potential privacy vulnerabilities.

What about security?

According to specification, Bluetooth Low Energy “provides several features to cover the encryption, trust, data integrity and privacy of the user’s data”. In particular, to encrypt transmission, BLE devices may undergo a pairing procedure.

Surprisingly however, most devices do not implement the above-mentioned security features. For many devices’ usage scenarios (e.g. public cash registers, devices with remote sharing feature, managing thousands of beacons) it is not possible to carry out the pairing procedure in a secure environment.

728x90

Some vendors do not associate any significant risk with the possibility of intercepting the transmission, and so they accept it. Others struggle to comply with various requirements: usability, multiple users or devices, cloud backup etc. With Bluetooth Smart pairing involved it is not easy to share access or to transfer it to another device. Thus many vendors have decided to create their own security mechanisms on top of the unencrypted Bluetooth LE link.

Possible attacks

Unfortunately, entrusting security mechanisms to software developers requires caution, as confirmed by the vast amount of publicly known vulnerabilities in various software components. With significant hardware limitations, raised business expectations and tight schedules, the probability of disaster is greater than expected.

The BLE devices research conducted by the author disclosed security flaws in most of the tested devices. In effect, attacks can result among other things in:

  • disrupting functionality – e.g. you cannot control a smart home, open a smart lock, or use a smart Point-of-Sale device
  • spoofing (false indications, disabling alarms)
  • data interception of e.g. personal information, authentication etc.
  • taking control over the device (e.g. opening a smart lock, turning a smart home)

As the Bluetooth operating range is limited, an attacker needs to be close to the victim. However some scenarios may abuse proximity features, like an automatic door opening on arrival, or using remote link to the user’s smartphone away from original location (e.g. in public transport). And many attacks can be performed inconspicuously using a mobile phone or a tiny (beacon-sized) device.

Related articles

The risk associated with the attack is not always obvious. For example, the current pulse indication from a smart wristband of a regular person presumably will not be of interest for passers-by. The situation may change dramatically if the person is a highly ranked official, and an adversary would like to know their pulse during important negotiations. Or – the wristband pulse indication is used as a biometric authentication in a banking application.

What can we do about it?

If you are a vendor, try to implement BLE protocol security features properly.

In many cases where this is not possible, design own security mechanisms with caution, taking into consideration many possible attacks. Example vulnerabilities and detailed remedies are described in the linked whitepaper.

As an end-user, you can check in the Bluetooth settings of your phone whether your device is properly paired.

  • If yes – confirm the pairing process involves PIN confirmation, or requires a physical action on device (e.g. pressing button). Remember the pairing process should be performed in a safe environment. Be careful with re-pairing, as the connection problem may be an effect of active attack willing to intercept and crack it.
  • If not – do not panic. The device most likely will implement own security features on top of Bluetooth connection. However, such features may have various vulnerabilities, so ask your vendor for details, and if he can share an independent audit report.

For further information:

Smart-Home-Summit-728x90

Comments