A Study of the Feasibility of Co-located App Attacks against BLE and a Large-Scale Analysis of the Current Application-Layer Security Landscape

Bluetooth Low Energy (BLE) is a fast-growing wireless technology with a large number of potential use cases, particularly in the IoT domain. Increasingly, these use cases require the storage of sensitive user data or critical device controls on the BLE device, as well as the access of this data by an augmentative mobile application. Uncontrolled access to such data could violate user privacy, cause a device to malfunction, or even endanger lives. The BLE standard provides security mechanisms such as pairing and bonding to protect sensitive data such that only authenticated devices can access it. In this paper we show how unauthorized co-located Android applications can access pairing-protected BLE data, without the user's knowledge. We discuss mitigation strategies in terms of the various stakeholders involved in this ecosystem, and argue that at present, the only possible option for securing BLE data is for BLE developers to implement remedial measures in the form of application-layer security between the BLE device and the Android application. We introduce BLECryptracer, a tool for identifying the presence of such application-layer security, and present the results of a large-scale static analysis over 18,900+ BLE-enabled Android applications. Our findings indicate that over 45% of these applications do not implement measures to protect BLE data, and that cryptography is sometimes applied incorrectly in those that do. This implies that a potentially large number of corresponding BLE peripheral devices are vulnerable to unauthorized data access.
