INTERNET OF THINGS HANDBOOK
Breaking BLE
Despite built-in safeguards, Bluetooth Low Energy IoT devices are vulnerable to hacks when they communicate over the air. Here are the basics of the problem.
Leland Teschler, Executive Editor
If you eyeball internet-of-things items ranging from smart AC plugs to motion sensors, you typically find connectivity via the Bluetooth Low Energy (BLE) standard. A lot of IoT devices use BLE because the protocol is well suited to transferring small amounts of data while consuming little power. But though BLE incorporates several security measures, vulnerabilities in the protocol have emerged over time.

For example, BLE communications can be hacked via man-in-the-middle (MITM) attacks, in which an attacker secretly alters messages between two parties who believe they are communicating directly with each other. BLE credentials can also be sniffed using a device that examines the data sent on the advertising channels BLE devices use to find each other. In BLE spoofing, an attacker mimics the MAC address of a BLE device as a means of impersonation. Denial-of-service attacks are also possible because peripheral BLE IoT devices are usually designed to connect to only one master at a time: bombarding a BLE device with connection requests in response to its advertising packets can prevent legitimate users from connecting. In addition, unauthorized co-located apps can hijack the connection between a legitimate mobile app and a BLE device.
DESIGN WORLD — EE NETWORK
4 • 2020
Many vulnerabilities pertain to the pairing process, in which the identities of BLE nodes wishing to connect are verified and authenticated. Part of the problem is that there are several ways of pairing devices, and not all of them offer a high level of security. Ditto for BLE traffic encryption.

Data encryption is used to prevent MITM eavesdropping attacks on BLE links by making data unintelligible to all but the BLE master and slave devices forming the link. Earlier versions of BLE had communication modes that didn’t incorporate a public key exchange for encryption/decryption, probably because running encryption/decryption algorithms demanded more computing power (and drained the battery faster). Recent versions of the BLE standard incorporate modes where users must enter credentials to connect with IoT devices.

Unfortunately, researchers have found that many BLE IoT devices don’t implement app-level authentication properly. In particular, numerous BLE IoT devices use “Just Works” for pairing (no invocation of app-device bonding at all), which allows any nearby attacker to connect arbitrarily and possibly do something devious.

To understand the problem with Just Works pairing, consider that there are four different pairing methods, but they all take place in three phases. In phase one, the two devices let each other know what pairing method is going to be used and what the BLE devices can do and expect. In phase two, a Short Term Key (STK) gets generated
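The phase-one feature exchange described above is observable: each side sends a seven-octet Security Manager Protocol (SMP) Pairing Request or Pairing Response carrying its IO capabilities, out-of-band flag and authentication requirements, and the selection rules in the Bluetooth Core Specification (Vol. 3, Part H, section 2.3.5.1) determine which of the four pairing methods results. The following Python is an added example, not code from the Design World article; it decodes a captured request/response pair and reports the resulting method, which lets a device audit flag a product that silently falls back to Just Works (and so offers no MITM protection) despite the phone asking for it. The two sample PDUs are constructed for the example, and the simplified IO-capability mapping is this example's own reading of the specification's table.

```python
"""Added example (not from the article): decode the phase-one SMP Pairing
Request / Pairing Response and work out which BLE pairing method results,
so that an audit can flag Just Works pairing. Field layout and selection
rules follow Bluetooth Core Spec Vol. 3, Part H; the sample PDUs below are
constructed for this example."""
from dataclasses import dataclass

PAIRING_REQUEST = 0x01   # SMP opcode sent by the initiator (central)
PAIRING_RESPONSE = 0x02  # SMP opcode sent by the responder (peripheral)

IO_CAPS = {
    0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay",
}
AUTHREQ_BONDING, AUTHREQ_MITM, AUTHREQ_SC = 0x01, 0x04, 0x08  # AuthReq bits 0, 2, 3


@dataclass(frozen=True)
class PairingFeatures:
    io_cap: str
    oob: bool                 # device has out-of-band authentication data
    bonding: bool
    mitm: bool                # device asks for MITM protection
    secure_connections: bool  # device supports LE Secure Connections
    max_key_size: int         # 7..16 octets


def parse_pairing_pdu(pdu: bytes, expected_code: int) -> PairingFeatures:
    """Parse the 7-octet Pairing Request/Response: opcode, IO capability,
    OOB flag, AuthReq, max key size, initiator key dist, responder key dist."""
    if len(pdu) != 7:
        raise ValueError(f"pairing PDU must be 7 octets, got {len(pdu)}")
    if pdu[0] != expected_code:
        raise ValueError(f"expected SMP opcode 0x{expected_code:02x}, got 0x{pdu[0]:02x}")
    if pdu[1] not in IO_CAPS:
        raise ValueError(f"reserved IO capability 0x{pdu[1]:02x}")
    if not 7 <= pdu[4] <= 16:
        raise ValueError(f"invalid maximum encryption key size {pdu[4]}")
    auth_req = pdu[3]
    return PairingFeatures(
        io_cap=IO_CAPS[pdu[1]],
        oob=pdu[2] == 0x01,
        bonding=bool(auth_req & AUTHREQ_BONDING),
        mitm=bool(auth_req & AUTHREQ_MITM),
        secure_connections=bool(auth_req & AUTHREQ_SC),
        max_key_size=pdu[4],
    )


def _method_from_io_caps(a: str, b: str, sc: bool) -> str:
    """Simplified, order-independent form of the spec's IO-capability table."""
    caps = {a, b}
    if "NoInputNoOutput" in caps:
        return "Just Works"
    if caps <= {"DisplayOnly", "DisplayYesNo"}:   # no keyboard on either side
        return "Numeric Comparison" if sc and caps == {"DisplayYesNo"} else "Just Works"
    if sc and caps <= {"DisplayYesNo", "KeyboardDisplay"}:
        return "Numeric Comparison"
    return "Passkey Entry"


def select_pairing_method(init: PairingFeatures, resp: PairingFeatures) -> dict:
    """Phase-one selection: OOB data first, then the MITM flags, then the
    IO-capability table. Just Works is the only unauthenticated outcome."""
    sc = init.secure_connections and resp.secure_connections
    # Legacy pairing needs OOB data on both sides; Secure Connections on either.
    oob = (init.oob or resp.oob) if sc else (init.oob and resp.oob)
    if oob:
        method = "Out of Band"
    elif not (init.mitm or resp.mitm):
        method = "Just Works"       # neither side asked for MITM protection
    else:
        method = _method_from_io_caps(init.io_cap, resp.io_cap, sc)
    return {
        "secure_connections": sc,
        "method": method,
        "mitm_protected": method != "Just Works",
        "bonding": init.bonding and resp.bonding,
        "key_size": min(init.max_key_size, resp.max_key_size),
    }


def audit_exchange(request: bytes, response: bytes) -> dict:
    """Raw Pairing Request + Pairing Response -> verdict dictionary."""
    return select_pairing_method(parse_pairing_pdu(request, PAIRING_REQUEST),
                                 parse_pairing_pdu(response, PAIRING_RESPONSE))


# Constructed sample exchange: a phone (KeyboardDisplay, bonding|MITM|SC)
# pairing with a sensor that reports NoInputNoOutput (bonding|SC, no MITM).
SAMPLE_REQUEST = bytes([PAIRING_REQUEST, 0x04, 0x00, 0x0D, 0x10, 0x01, 0x01])
SAMPLE_RESPONSE = bytes([PAIRING_RESPONSE, 0x03, 0x00, 0x09, 0x10, 0x01, 0x01])

if __name__ == "__main__":
    print(audit_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))  # method 'Just Works', mitm_protected False
```

The sensor in the sample exchange is the case the article warns about: the phone requests MITM protection, but because the peripheral declares no input and no output the only method the table allows is Just Works, so the link is encrypted but never authenticated. Changing the responder's IO capability to DisplayYesNo in the same exchange yields Numeric Comparison under Secure Connections and Passkey Entry under legacy pairing, which is the difference a product reviewer wants to see in the capture.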