Developing a New Security Framework for Bluetooth Low Energy Devices

Wearable devices are becoming more popular in our daily life. They are usually used to monitor health status, track fitness data, or even do medical tests, etc. Since the wearable devices can obtain a lot of personal data, their security issues are very important. Motivated by the consideration that the current pairing mechanisms of Bluetooth Low Energy (BLE) are commonly impractical or insecure for many BLE based wearable devices nowadays, we design and implement a security framework in order to protect the communication between these devices. The security framework is a supplement to the Bluetooth pairing mechanisms and is compatible with all BLE based wearable devices. The framework is a module between the application layer and the GATT (Generic Attribute Profile) layer in the BLE architecture stack. When the framework starts, a client and a server can automatically and securely establish shared fresh keys following a designed protocol; the services of encrypting and decrypting messages are provided to the applications conveniently by two functions; application data are securely transmitted following another protocol using the generated keys. Prudential principles are followed by the design of the framework for security purposes. It can protect BLE based wearable devices from replay attacks, Man-in-The-Middle attacks, data tampering, and passive eavesdropping. We conduct experiments to show that the framework can be conveniently deployed with practical operational cost of power consumption. The protocols in this framework have been formally verified that the designed security goals are satisfied.

[1]  Hao Jiang,et al.  A Medical Healthcare System for Privacy Protection Based on IoT , 2015, 2015 Seventh International Symposium on Parallel Architectures, Algorithms and Programming (PAAP).

[2]  Yao Zheng,et al.  Scalable and Secure Sharing of Personal Health Records in Cloud Computing Using Attribute-Based Encryption , 2019, IEEE Transactions on Parallel and Distributed Systems.

[3]  Fang Liu,et al.  Security and Privacy in the Medical Internet of Things: A Review , 2018, Secur. Commun. Networks.

[4]  Yanzhen Qu,et al.  Assessing Vulnerabilities in Bluetooth Low Energy (BLE) Wireless Network Based IoT Systems , 2016, 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS).

[5]  Bruno. Blanchet,et al.  Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif , 2016, Found. Trends Priv. Secur..

[6]  Vitaly Shmatikov,et al.  Formal Analysis of Authentication in Bluetooth Device Pairing , 2007 .

[7]  Zhiyao Liang,et al.  Security analysis of bluetooth low energy based smart wristbands , 2017, 2017 2nd International Conference on Frontiers of Sensors Technologies (ICFST).

[8]  Rakesh M. Verma,et al.  Correcting and Improving the NP Proof for Cryptographic Protocol Insecurity , 2009, ICISS.

[9]  Rakesh M. Verma,et al.  Improving Techniques for Proving Undecidability of Checking Cryptographic Protocols , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[10]  Joshua D. Guttman,et al.  Security protocol design via authentication tests , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[11]  Gavin Lowe,et al.  An Attack on the Needham-Schroeder Public-Key Authentication Protocol , 1995, Inf. Process. Lett..

[12]  Mike Ryan,et al.  Bluetooth: With Low Energy Comes Low Security , 2013, WOOT.