Using Bluetooth Low Energy spoofing to dispute device details: demo

In this demo, we show the effects of several Bluetooth Low Energy spoofing attacks, including a novel cache poisoning attack. Bluetooth Low Energy (BLE) is widely used for communication between devices, ranging from headphones to medical sensors. Our attacks target the BLE advertising mechanism to cause Denial of Service and Man-in-the-Middle conditions. BLE Peripheral Devices are discovered through an advertising process in which the Peripheral broadcasts advertising packets to listening Central Devices. Such packets typically include the advertising address of the device, the device name, and information about whether the device is connectable. Peripheral Devices are generally assumed to have distinct advertising addresses; if two devices advertise with the same address, Central Devices must decide which information is correct. We term the condition in which advertisements for one address contain contradictory information a "Disputed Advertisement". Because some advertising fields are optional, a packet may also carry attacker-supplied information that no legitimate packet ever contradicts. We call this condition an "Undisputed Advertisement", and it is the basis for a novel attack we call Bluestaking. The Bluestaking attack poisons the advertising name cache on Central Devices with attacker-selected address-to-name mappings. Because BLE devices are not required to advertise a name, an attacker can spoof the address of a nameless device and supply a name that the victim device never disputes; scanning Central Devices then cache the attacker's name indefinitely.
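The following is an added example, not code from the demo or its authors: it models a Central-side advertising cache in Python and replays constructed advertising payloads to show the difference between a Disputed and an Undisputed Advertisement. The AD-structure layout (one-byte length, one-byte AD type, data) and the AD type values for Flags (0x01) and Local Name (0x08/0x09) follow the Bluetooth Core Specification; the advertising address, the device name "Glucose Monitor", the cache behaviour (first name seen per address is kept and never evicted) and the `classify` verdict labels are assumptions made for illustration.

```python
"""Simulated BLE Central advertising cache, replaying constructed advertisements.

Illustrates the Bluestaking precondition: a legitimate Peripheral that never
advertises a name cannot dispute a name injected by a spoofer using its address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# AD types from the Bluetooth Core Specification (Vol 3, Part C, Section 11)
AD_FLAGS = 0x01
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09


def ad(ad_type: int, data: bytes) -> bytes:
    """Encode one AD structure: length (type + data), type, data."""
    return bytes([len(data) + 1, ad_type]) + data


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split AdvData into (ad_type, data) pairs; a zero length ends the list."""
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        structures.append((payload[i + 1], payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return structures


def local_name(payload: bytes) -> Optional[str]:
    """Return the advertised Local Name, or None if the packet carries none."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (AD_COMPLETE_NAME, AD_SHORT_NAME):
            return data.decode("utf-8", errors="replace")
    return None


@dataclass
class CacheEntry:
    name: Optional[str] = None      # first name cached for this address
    names_seen: Set[str] = None     # every distinct name observed
    with_name: int = 0              # packets that carried a name
    without_name: int = 0           # packets that carried no name

    def __post_init__(self) -> None:
        self.names_seen = set()


class NaiveCentralCache:
    """Assumed Central behaviour: keep the first name seen per address forever."""

    def __init__(self) -> None:
        self.entries: Dict[str, CacheEntry] = {}

    def observe(self, adv_addr: str, adv_data: bytes) -> None:
        entry = self.entries.setdefault(adv_addr, CacheEntry())
        name = local_name(adv_data)
        if name is None:
            entry.without_name += 1   # nothing here disputes a cached name
            return
        entry.with_name += 1
        entry.names_seen.add(name)
        if entry.name is None:
            entry.name = name         # cached indefinitely by this model


def classify(entry: CacheEntry) -> str:
    """Label the condition per the demo's terminology (labels are our own)."""
    if len(entry.names_seen) > 1:
        return "disputed"            # contradictory names for one address
    if len(entry.names_seen) == 1 and entry.without_name > 0:
        return "undisputed"          # name supplied by only some packets
    return "consistent"


# Constructed sample traffic; the address and names are illustrative only.
VICTIM_ADDR = "c0:00:00:00:00:01"
FLAGS_ONLY = ad(AD_FLAGS, b"\x06")   # LE General Discoverable, BR/EDR not supported
SPOOFED_NAMED = FLAGS_ONLY + ad(AD_COMPLETE_NAME, b"Glucose Monitor")
LEGIT_NAMED = FLAGS_ONLY + ad(AD_COMPLETE_NAME, b"SensorA")
SPOOFED_OTHER = FLAGS_ONLY + ad(AD_COMPLETE_NAME, b"SensorB")


def run_bluestaking_scenario() -> NaiveCentralCache:
    """Victim never names itself; one spoofed packet plants a name that sticks."""
    cache = NaiveCentralCache()
    for _ in range(3):
        cache.observe(VICTIM_ADDR, FLAGS_ONLY)
    cache.observe(VICTIM_ADDR, SPOOFED_NAMED)      # attacker, same AdvA
    for _ in range(20):
        cache.observe(VICTIM_ADDR, FLAGS_ONLY)     # victim keeps advertising
    return cache


def run_disputed_scenario() -> NaiveCentralCache:
    """Victim advertises its own name, so a spoofed name is contradicted."""
    cache = NaiveCentralCache()
    cache.observe(VICTIM_ADDR, LEGIT_NAMED)
    cache.observe(VICTIM_ADDR, SPOOFED_OTHER)
    cache.observe(VICTIM_ADDR, LEGIT_NAMED)
    return cache


if __name__ == "__main__":
    for label, cache in (("bluestaking", run_bluestaking_scenario()),
                         ("disputed", run_disputed_scenario())):
        e = cache.entries[VICTIM_ADDR]
        print(f"{label}: cached name={e.name!r} verdict={classify(e)}")
```

The point the replay makes is that the cache never receives evidence against the injected name: every later packet from the real device is simply a packet without a name, and a Central that only overwrites on contradiction has no trigger to evict the entry.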