On the (In)security of Bluetooth Low Energy One-Way Secure Connections Only Mode

To defeat security threats such as man-in-the-middle (MITM) attacks, Bluetooth Low Energy (BLE) 4.2 and 5.x introduce the Secure Connections Only mode, under which a BLE device accepts only secure pairing protocols, including Passkey Entry and Numeric Comparison, from an initiator, e.g., an Android mobile. However, the BLE specification does not explicitly require the Secure Connections Only mode of the initiator. Taking Android's BLE programming framework as an example, we found that it cannot enforce secure pairing, invalidating the security protection provided by the Secure Connections Only mode. The same problem applies to Apple iOS. Specifically, we examine the life cycle of a BLE pairing process in Android and identify four severe design flaws. These design flaws can be exploited by attackers to perform downgrading attacks, forcing the BLE pairing protocols to run in the insecure mode without the users' awareness. To validate our findings, we selected and tested 18 popular BLE commercial products, and our experimental results proved that downgrading attacks and MITM attacks were possible against all of these products. All 3501 BLE apps from AndroZoo are also subject to these attacks. For defense, we have designed and implemented a prototype of the Secure Connections Only mode on Android 8 through the Android Open Source Project (AOSP). We have reported the identified BLE pairing vulnerabilities to the Bluetooth Special Interest Group (SIG), Google, Apple, and Texas Instruments (TI), and all of them are actively addressing this issue. Google rated the reported security flaw as High Severity.
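The following is an added illustration, not code from the paper or from AOSP: it models the SMP pairing-method selection that both sides derive from the cleartext Pairing Request/Response (IO capability plus the MITM and Secure Connections bits of AuthReq, per Bluetooth Core Spec Vol 3, Part H, Sec 2.3.5.1; OOB is not modelled), and the initiator-side Secure Connections Only policy the abstract says Android cannot enforce. The names `PairingFeatures`, `select_method` and `sc_only_initiator_accepts` are assumptions, and the sample feature exchanges are constructed.

```python
# Added example: SMP method selection and an initiator-side
# "Secure Connections Only" policy. Names and inputs are constructed.
from dataclasses import dataclass

DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, NO_IO, KEYBOARD_DISPLAY = range(5)
JUST_WORKS, PASSKEY_ENTRY, NUMERIC_COMPARISON = "JustWorks", "PasskeyEntry", "NumericComparison"


@dataclass
class PairingFeatures:
    """The fields of an SMP Pairing Request/Response that drive method selection."""
    io_cap: int
    mitm: bool   # AuthReq MITM bit: "I want MITM protection"
    sc: bool     # AuthReq SC bit: "I support LE Secure Connections"


def select_method(initiator, responder):
    """Return (method, sc_used) exactly as both devices would compute it."""
    sc_used = initiator.sc and responder.sc          # LE SC only if both set the bit
    if not (initiator.mitm or responder.mitm):       # neither asks for MITM: Just Works
        return JUST_WORKS, sc_used
    # Spec Table 2.8: rows = initiator IO capability, columns = responder IO capability.
    # "NC" cells are Numeric Comparison under LE SC but fall back to Just Works under legacy.
    JW, PK, NC = JUST_WORKS, PASSKEY_ENTRY, "NC"
    table = [
        # resp: DispOnly DispYesNo KbdOnly NoIO  KbdDisp
        [JW, JW, PK, JW, PK],   # init DisplayOnly
        [JW, NC, PK, JW, NC],   # init DisplayYesNo
        [PK, PK, PK, JW, PK],   # init KeyboardOnly
        [JW, JW, JW, JW, JW],   # init NoInputNoOutput
        [PK, NC, PK, JW, NC],   # init KeyboardDisplay
    ]
    method = table[initiator.io_cap][responder.io_cap]
    if method == NC:
        method = NUMERIC_COMPARISON if sc_used else JUST_WORKS
    return method, sc_used


def sc_only_initiator_accepts(initiator, responder):
    """Policy a Secure Connections Only initiator should apply before pairing
    proceeds: LE SC must be in use and the method must authenticate against MITM."""
    method, sc_used = select_method(initiator, responder)
    return sc_used and method in (PASSKEY_ENTRY, NUMERIC_COMPARISON)


# Constructed inputs: a phone, a genuine peripheral, and a Pairing Response that
# claims no IO and no MITM/SC support (what a downgrade to Just Works looks like).
PHONE = PairingFeatures(KEYBOARD_DISPLAY, mitm=True, sc=True)
GENUINE = PairingFeatures(DISPLAY_YESNO, mitm=True, sc=True)   # Numeric Comparison
DOWNGRADED = PairingFeatures(NO_IO, mitm=False, sc=False)      # legacy Just Works
```

A platform that pairs whenever `select_method` succeeds (as the abstract describes for Android and iOS) accepts `DOWNGRADED`; one that gates on `sc_only_initiator_accepts` refuses it and pairs only with `GENUINE`.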
