Bluetooth Low Energy Makes “Just Works” Not Work

BLE (Bluetooth Low Energy) is being heavily deployed in many devices and IoT (Internet of Things) smart applications of various fields, such as medical, home automation, transportation and agriculture. It has transformed the classic Bluetooth into a technology that can be embedded into resource constrained devices running on a cell coin battery for months or years. Most BLE devices that are sold in the market use the Just Works pairing mode to establish a connection with peer devices. This mode is so lightweight that it leaves the implementation of security to application developers and device manufacturers. Unfortunately, as the market does not want to pay for security, a number of vulnerable smart devices are strolling around in the market. In this paper, we discuss how Bluetooth devices that use the Just Works pairing mode can be exploited to become nonoperational. We conduct a case study on three different Bluetooth smart devices. We show how these devices can be attacked and abused to not work properly. We also present a vulnerability that is due to the behavior of BLE smart devices and the Just Works pairing mode. This vulnerability can be exploited to generate an attack that affects BLE availability. We propose a solution to mitigate the attack.

[1]  Yier Jin,et al.  Privacy and Security in Internet of Things and Wearable Devices , 2015, IEEE Transactions on Multi-Scale Computing Systems.

[2]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[3]  Pai H. Chou,et al.  Security and privacy challenges in IoT-based machine-to-machine collaborative scenarios , 2016, 2016 International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS).

[4]  Simon Heron,et al.  Encryption: Advanced Encryption Standard (AES) , 2009 .

[5]  Jeffrey Knockel,et al.  Every step you fake: a comparative analysis of fitness tracker privacy and security , 2016 .

[6]  Zhiyao Liang,et al.  Security analysis of bluetooth low energy based smart wristbands , 2017, 2017 2nd International Conference on Frontiers of Sensors Technologies (ICFST).

[7]  Mohammad Zulkernine,et al.  Connection Dumping Vulnerability Affecting Bluetooth Availability , 2018, CRiSIS.

[8]  Dirk Fox,et al.  Advanced Encryption Standard (AES) , 1999, Datenschutz und Datensicherheit.

[9]  Tang Ming . Wei Lian. Si Tuo Lin Si,et al.  Cryptography and Network Security - Principles and Practice , 2015 .

[10]  Thaier Hayajneh,et al.  Security Vulnerabilities in Bluetooth Technology as Used in IoT , 2018, J. Sens. Actuator Networks.

[11]  Daniela Miao,et al.  Security Analysis of Wearable Fitness Devices ( Fitbit ) , 2014 .