BlueShield: Detecting Spoofing Attacks in Bluetooth Low Energy Networks

Many IoT devices are equipped with Bluetooth Low Energy (BLE) to support communication in an energy-efficient manner. Unfortunately, BLE is prone to spoofing attacks in which an attacker impersonates a benign BLE device and feeds malicious data to its users. Defending against spoofing attacks is extremely difficult, as security patches that mitigate them may not be adopted promptly across vendors, not to mention the millions of legacy BLE devices with limited I/O capabilities that do not support firmware updates at all. As a first line of defense against spoofing attacks, we propose BlueShield, a legacy-friendly, non-intrusive monitoring system. BlueShield is motivated by the observation that every spoofing attack produces anomalies in certain cyber-physical features of the advertising packets that carry the BLE device's identity. BlueShield leverages these features to detect the anomalous packets generated by an attacker. More importantly, the unique design of BlueShield makes it robust against an advanced attacker capable of mimicking all of these features. BlueShield can be deployed on low-cost off-the-shelf platforms and requires no modification to the BLE device or to its user. Our evaluation with nine common BLE devices deployed in a real-world office environment validates that BlueShield detects spoofing attacks at very low false positive and false negative rates.
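The following is an added illustration of the kind of feature-based check the abstract describes; it is not BlueShield's implementation. It assumes a passive monitor that timestamps every advertising packet it hears and records the advertiser address (the device identity carried in the packet) together with the RSSI at the monitor. The two features it profiles, inter-arrival time and RSSI, are assumptions standing in for the paper's unspecified "cyber-physical features", the address is a placeholder, and the capture data is constructed. The interval check also shows one way a monitor can stay robust against an attacker who mimics RSSI perfectly: the benign device keeps advertising on its own schedule, so the attacker's packets appear as extra arrivals under the same address.

```python
"""Feature-based spoofing detector for BLE advertising packets (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AdvPacket:
    t: float    # capture time at the monitor, seconds
    addr: str   # advertiser address carried in the packet (the identity)
    rssi: int   # received signal strength at the monitor, dBm


@dataclass(frozen=True)
class Profile:
    interval: float   # mean gap between the device's consecutive advertisements
    rssi_mean: float
    rssi_std: float


def build_profile(clean):
    """Learn one address's benign profile from an attack-free capture."""
    ts = sorted(p.t for p in clean)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    rssis = [p.rssi for p in clean]
    # floor the RSSI spread at 2 dBm so a very steady training run does not
    # turn ordinary fading into alerts later (assumed threshold)
    return Profile(mean(gaps), mean(rssis), max(pstdev(rssis), 2.0))


def detect(packets, profile, rssi_k=3.0, interval_tol=0.25):
    """Return [(packet, [reasons])] for packets that break the profile.

    rssi: the packet's RSSI is more than rssi_k standard deviations from the
    learned mean, i.e. it was transmitted from somewhere else.
    interval: the packet arrives earlier than (1 - interval_tol) of the learned
    interval after the last accepted packet, which the benign device's own
    schedule cannot produce, so a second transmitter is using the address.
    Flagged packets do not move the anchor, so the benign device's next packet
    is still judged against the benign schedule.
    """
    alerts = []
    anchor = None
    for p in sorted(packets, key=lambda p: p.t):
        reasons = []
        if abs(p.rssi - profile.rssi_mean) > rssi_k * profile.rssi_std:
            reasons.append("rssi")
        if anchor is not None and p.t - anchor < profile.interval * (1 - interval_tol):
            reasons.append("interval")
        if reasons:
            alerts.append((p, reasons))
        else:
            anchor = p.t
    return alerts


def monitor(capture, profiles):
    """Split a mixed capture by address and run detect() for each profiled device."""
    by_addr = defaultdict(list)
    for p in capture:
        by_addr[p.addr].append(p)
    return {addr: detect(pkts, profiles[addr])
            for addr, pkts in by_addr.items() if addr in profiles}


# --- constructed sample data, not captured from real devices ---
DEVICE = "c4:be:84:12:34:56"   # placeholder advertiser address


def benign_stream(n, start=0.0, interval=1.0, rssi=-60, addr=DEVICE):
    # BLE adds up to 10 ms of random delay to each advertising event; a fixed
    # pseudo-jitter and a 1 dBm RSSI wobble stand in for that here
    return [AdvPacket(start + i * interval + (i % 3) * 0.004, addr, rssi + (i % 2))
            for i in range(n)]


CLEAN = benign_stream(30)                          # attack-free training capture
NAIVE_SPOOF = benign_stream(5, start=10.3, rssi=-45)  # attacker elsewhere in the room
MIMIC_SPOOF = benign_stream(5, start=10.5)            # attacker matching RSSI and interval

if __name__ == "__main__":
    profile = build_profile(CLEAN)
    for name, spoof in (("naive", NAIVE_SPOOF), ("mimic", MIMIC_SPOOF)):
        for pkt, why in monitor(CLEAN + spoof, {DEVICE: profile})[DEVICE]:
            print(f"{name}: t={pkt.t:.3f} rssi={pkt.rssi} flagged on {why}")
```

Against the naive spoofer every injected packet trips both the RSSI and the interval check; against the mimic only the interval check fires, but it still fires on every injected packet because the benign device's own advertisements keep arriving on schedule in between. The alerts identify that the address is under attack rather than attributing each packet with certainty: if the very first packet the monitor sees is the attacker's, it becomes the anchor and one benign packet is misjudged until the schedule re-synchronises.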
