BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals

Bluetooth is a widely used communication technology, especially in mobile computing and Internet of Things scenarios. Once paired with a host device, a Bluetooth device can then exchange commands and data with the host, such as voice, keyboard/mouse inputs, network traffic, blood pressure data, and so on. Because such data and commands are sensitive, some security measures have already been built into the Bluetooth protocol, like authentication, encryption, authorization, etc. However, according to our studies of the Bluetooth protocol as well as its implementation on the Android system, we find that there are still design flaws which could lead to serious security consequences. For example, we found that the authentication process for Bluetooth profiles is quite inconsistent and coarse-grained: if a paired device changes its profile, it automatically gains trust and users are not notified. Also, there is no strict verification of the information provided by the Bluetooth device itself, so a malicious device can deceive a user by changing the name, profile information, and icon displayed on the screen. To better understand the problem, we performed a systematic study of the Bluetooth profiles and present three attacks to demonstrate the feasibility and potential damage of such Bluetooth design flaws. The attacks were implemented on a Raspberry Pi 2 device and evaluated against different Android OS versions ranging from 5.1 to the latest, 8.1. The results showed that adversaries could bypass existing protections of Android (e.g., permissions, isolation, etc.), launch Man-in-the-Middle attacks, control victim apps and the system, steal sensitive information, etc. To mitigate such threats, a new Bluetooth validation mechanism is proposed. We implemented a prototype system based on the AOSP project and deployed it on a Google Pixel 2 phone for evaluation. The experiment showed that our solution could effectively prevent the attacks.
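The coarse-grained trust described above (a paired device that later exposes a new profile is accepted silently) can be tightened on the host side by binding trust to the profiles and name seen at pairing time. The following is an added illustration, not the paper's AOSP prototype; the `ProfileValidator` class, its method names and the sample device records are assumptions, while the 16-bit service UUIDs are the standard Bluetooth SIG assigned numbers.

```python
"""Host-side bond validation: record what a peripheral exposed when it was
paired and demand fresh user consent when it later claims more.
Added example, not code from the BadBluetooth paper or AOSP."""
from dataclasses import dataclass

# Standard 16-bit Bluetooth service class UUIDs (Bluetooth SIG assigned numbers).
HID = 0x1124        # Human Interface Device: keyboard/mouse input
A2DP_SINK = 0x110B  # Audio Sink: headset/speaker
PAN_NAP = 0x1116    # Personal Area Network access point: network traffic


@dataclass(frozen=True)
class BondRecord:
    """What the user actually authorized when the device was paired."""
    address: str
    name: str
    profiles: frozenset


class ProfileValidator:
    """Per-profile trust instead of per-device trust (hypothetical design)."""

    def __init__(self):
        self._bonds = {}

    def on_paired(self, address, name, profiles):
        """Called once the user has consented to this device with these profiles."""
        self._bonds[address] = BondRecord(address, name, frozenset(profiles))

    def validate(self, address, name, profiles):
        """Return (allowed, reasons) for a reconnecting device.

        Any profile not authorized at pairing time, or a changed display name,
        blocks the connection until the user re-authorizes it explicitly.
        Dropped profiles are not flagged: shrinking capability is harmless."""
        bond = self._bonds.get(address)
        if bond is None:
            return False, ["device not bonded"]
        reasons = []
        added = frozenset(profiles) - bond.profiles
        if added:
            reasons.append("new profiles: " + ", ".join(f"0x{p:04X}" for p in sorted(added)))
        if name != bond.name:
            reasons.append(f"name changed: {bond.name!r} -> {name!r}")
        return (not reasons), reasons

    def reauthorize(self, address, name, profiles):
        """Record the new capability set after the user explicitly consented."""
        self.on_paired(address, name, profiles)
```

A speaker that was paired as an audio sink and reconnects advertising HID is therefore rejected with the reason `new profiles: 0x1124` rather than being treated as an already-trusted keyboard.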
