Successfully reported this slideshow.

Bluetooth Low Energy - A Case Study

4

Share

Upcoming SlideShare
Bluetooth low energy
Bluetooth low energy
Loading in …3
×
1 of 38
1 of 38

Bluetooth Low Energy - A Case Study

4

Share

Download to read offline

Slides are mainly on the major security flaws that existed in the Bluetooth 4.0/4.1 (released 2010) specifically Bluetooth Low Energy(BLE) (a.k.a Bluetooth Smart) specification. BLE was introduced as part of Bluetooth 4.0 targeting low power devices which is quite different from classic Bluetooth. Later part contains major security enhancements that are introduced in BLE 4.2

Slides are mainly on the major security flaws that existed in the Bluetooth 4.0/4.1 (released 2010) specifically Bluetooth Low Energy(BLE) (a.k.a Bluetooth Smart) specification. BLE was introduced as part of Bluetooth 4.0 targeting low power devices which is quite different from classic Bluetooth. Later part contains major security enhancements that are introduced in BLE 4.2

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Bluetooth Low Energy - A Case Study

  1. 1. BluetoothLowEnergySecurity Presentedby: AkshayKumar DarshanRamakantBhat FreezeFrancis A case study
  2. 2. Overview ● What is Bluetooth Low Energy? ○ vs classic bluetooth ● Protocol Stack ○ PHY and Link ● Encryption ● Security Issues in BLE 4.0/4.1 ○ Eavesdropping ○ Active Attack ○ MITM ● Security Enhancements BLE 4.2 ○ ECDH
  3. 3. What is Bluetooth Low Energy? ● a.k.a Bluetooth Smart ● originally introduced under the name Wibree by Nokia in 2006 ● merged into the main Bluetooth standard in 2010 with the adoption of the Bluetooth Core Specification Version 4.0 ● operates in the unlicensed 2.4 GHz band ● new modulation and link layer for low-power devices ● vs classic Bluetooth ○ incompatible with classic Bluetooth devices ○ PHY and link layer almost completely different ○ high-level protocols the same
  4. 4. Applications
  5. 5. Bluetooth LE network
  6. 6. Protocol Stack
  7. 7. PHY Layer ● 2.4 GHz ISM band splitted into 40 channels: ○ 37 data channels ○ 3 advertising channels (37,38,39) ○ Central frequency, fn =2402 + 2n MHz
  8. 8. PHY Layer (continued..) ● Modulation scheme : Gaussian Frequency Shift Keying(GFSK) ○ Data rate : 1 Mbit/s ● Hopping ○ hop along all 37 data channels ○ duration (a.k.a hop interval) : one data packet per channel ○ hop increment (specific to a connection ) decides the next channel next channel = (channel + hop increment) mod 37
  9. 9. Link Layer ● Preamble: an alternating binary sequence for synchronization ● Access Address: unique identifier which defines a particular connection ○ Fixed value for communications in advertising channel : 0x8E89BED6 ● PDU : protocol data unit which is the actual payload (variable length) ● CRC : for error checking ○ depends on CRC Init and the PDU ○ Computed using Linear Feedback Shift Register (LFSR) ● Whitening is applied to the PDU and CRC. ○ Not complicated as it depends only on channel number. ○ Computed using LFSR ● Each Bluetooth device has a unique MAC address
  10. 10. Link layer state diagram ● Standby: does not transmit or receive any packets ● Advertising: transmitting advertising channel packets and possibly listening to and responding to responses triggered by these advertising channel packets ● Scanning: listening for advertising channel packets from devices that are advertising. ● Initiating: listening for advertising channel packets from a specific device(s) and responding to these packets to initiate a connection with another device. ● Connection : connected state, device is either master or slave and further communication happens in data channels.
  11. 11. Encryption ● Link layer ○ AES-CCM encryption scheme ○ CCM : Counter mode with CBC-MAC (Cipher Block Chaining Message Authentication Code) ○ authenticated encryption algorithm: encrypts the PDU and also generates MAC ● Application layer ○ user-defined encryption ○ generally not used in BLE devices
  12. 12. With Low Energy Comes Low Security!!! Compromises made for low power: ● Hopping rate is less aggressive (37 data channels) ● Whitening seed is straight-forward from channel number and LFSR used is known ● Overly simplified custom key exchange Combining all these resulted in a major flaw in the protocol !! ● Applications: ○ heart rate and blood pressure monitors ○ wireless door lock, low power gadgets ○ industrial monitoring sensors ○ public transportation apps
  13. 13. Eavesdropping ● Compromises make eavesdropping easy ● To sniff a connection: ○ Hop increment : to determine next channel ○ Access address : to find the start of the PDU ○ Hop interval : to determine how long to stay in a channel ○ CRC init : to filter out corrupt packets ● Two scenarios: ○ Observed the connection initialization packet: all values are known. ○ Missed the connection initialization packet: recover values by exploiting properties of BLE packets.
  14. 14. Eavesdropping attack in detail (Hardware) (Software)
  15. 15. Ubertooth (to PC) RF to packets: ● CC2400 gets bits from air ● We know Access Address ! ● MCU finds the start of PDU and gets it as packet ● Wireshark plugin available
  16. 16. Wireshark plugins
  17. 17. Recovering the unknown values ● Master and slave transmits packets in each channel, even if there is no meaningful data (empty packet). ● waits for hop_interval x 1.25 ms in a channel. ● Empty packet : PDU = header( 16 bit) + empty body ○ easy to identify looking for header ○ most traffic is empty Access address: ● Look for an empty packet and AA comes before the header ● least frequently used cache (LFU) + CRC to eliminate false positives
  18. 18. Recovering unknown values (continued..) CRC init: ● seed value used for generating CRC ● CRC computed using an LFSR ● CRC Init obtained by reversing LFSR with CRC as seed ● LFU to filter out false positives Hop interval: ● wait on particular data channel for consecutive packets ● 37 channels visited in full cycle ●
  19. 19. Recovering unknown values (continued..) Hop Increment: ● Interarrival time of packets in two data channels (say 0 and 1) (Fermat's little theorem) we can now follow a connection and sniff packets, but encryption? 0 -----> 25 -----> 50 -----> 1
  20. 20. Bypassing the encryption ● Encryption by link layer ● How to get the keys ? Custom Key Exchange Protocol: ● 3 stage process ● Stage 1 : Choosing the pairing methods which defines Temporary Key (TK) ● Stage 2 : Generate the Short Term Key (STK) ● Stage 3 : Generate the Long Term Key (LTK) ● LTK is reused and used to generate session keys ● Session keys are used during encrypted sessions (AES-CCM)
  21. 21. Pairing methods Devices chooses pairing methods based on I/O capabilities. 1. Just Works ● TK is trivial i.e TK=0 2. PassKey Entry ● TK is 6-digit PIN (user inputs) 3. Out Of Band (OOB) ● uses other means like NFC for TK exchange ● more secure ● almost never used ! The TK (also the 128-bit AES key) is used to generate a ‘confirm’ values.
  22. 22. Cracking the TK ● We already have a packet sniffer ● TK is between 0 and 99999 (if passKey entry pairing) ● brute forced in < 1 second (plain text)
  23. 23. Key Exchange Broken ● TK + pairing data is used to compute a STK ● STK is used to encrypt the LTK exchange ● Worst part : LTK is reused and used to generate session keys ● 100 % passive attack and can be done offline
  24. 24. Active Attack What if attacker missed the LTK exchange packets? Two possible active attacks: 1. Eavesdropper can jam the connection so that master will drop the connection causing force re-pairing. 2. BLE protocol has provisions for a master or slave to reject a LTK. Eavesdropper sends an appropriate link layer message (LL_REJECT_IND) that forces a key renegotiation.
  25. 25. Man In The Middle Attacks An attacker can emulate himself as the valid device and cause the data to pass through him. Authentication protects against MIMT Authentication is the method to prevent the MITM
  26. 26. Enhancements in Bluetooth 4.2 There are two major enhancements in BLE 4.2 ● New pairing method : A new pairing method is added. Both the devices should have display capabilities and one should have yes or no button. ● Elliptic Curve Diffie Hellman (ECDH) Key exchange: DH uses prime factorization whereas ECDH uses elliptic curve cryptography. Breaking the ECDH is more computationally expensive than DH and also it requires less bits than DH.
  27. 27. MITM prevention ● Before pairing both the devices must share pairing parameters that includes authentication requirements ● If authentication is required, both devices must authenticate each other using one of the association models Which model to use is based on two parameters: ● Can the device receive data from a user, or output data to the user. Involving the user in the pairing process is an important element in the secure transfer of data ● Can the device communicate Out-of-Band (OOB)? For example, if part of the security key can be transferred between the two devices over Near-Field Communication (NFC), an eavesdropper will not be able to make sense of the final data.
  28. 28. Association models (BLE 4.2) ● Numeric Comparison—Both devices display a six-digit number and the user authenticates by selecting ‘Yes’ if both devices are displaying the same number. ● Passkey Entry—The user either inputs an identical Passkey into both devices, or one device displays the Passkey and the user enters that Passkey into the other device. ● Out of Band (OOB)—The OOB association model is the model to use if the device are capable of OOB. ● Just Works—This association model is used either when MITM protection is not needed or when devices have limited IO capabilities.
  29. 29. Diffie-Hellman
  30. 30. Elliptic Curve Cryptography ● An elliptic curve E is the graph of an equation of the form y2 = x3 + ax + b ● Elliptic curves provides a different way to do the math in public key system y2 = x3 - x + 1
  31. 31. Elliptic curve maths Consider y2 = x3 + 2x + 3 (mod 5) x = 0 y2 = 3 no solution (mod 5) ; x = 1 y2 = 6 = 1 y = 1,4 (mod 5) x = 2 y2 = 15 = 0 y = 0 (mod 5); x = 3 y2 = 36 = 1 y = 1,4 (mod 5) x = 4 y2 = 75 = 0 y = 0 (mod 5) So valid points on the curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and (inf,inf) These points form the finite set.
  32. 32. Addition in elliptic curve ● P1 + P2 = P3 Addition on: y2 = x3 + ax + b (mod p) P1=(x1 ,y1 ), P2=(x2 ,y2 ); P1 + P2 = P3 = (x3 ,y3 ) where x3 = (m2 - x1 - x2 ) (mod p); y3 = (m(x1 - x3 ) - y1 )(mod p) And m = (y2 -y1 )(x2 -x1 )-1 mod p, if P1 ≠P2 m = (3x1 2 +a)(2y1 )-1 mod p, if P1 = P2 What is (1,4) + (3,1) = P3 = (x3,y3) in y2 = x3 +2x+3 mod 5? m = (1-4)(3-1)-1 = (-3)(2)-1 = 2(3) = 6 = 1 (mod 5) x3 = 1 - 1 - 3 = 2 (mod 5) y3 = 1(1-2) - 4 = 0 (mod 5)
  33. 33. Diffie-Hellman using elliptic maths Public: Elliptic curve and point (x,y) on curve Secret: Alice’s A and Bob’s B Alice computes A(B(x,y)) Bob computes B(A(x,y)) These are the same since AB = BA
  34. 34. Example Public: Curve y2 = x3 + 7x + b (mod 37) and point (2,5) b = 3 Alice’s secret: A = 4 Bob’s secret: B = 7 Alice sends Bob: 4(2,5) = (7,32) Bob sends Alice: 7(2,5) = (18,35) Alice computes: 4(18,35) = (22,1) Bob computes: 7(7,32) = (22,1)
  35. 35. References ● https://www.bluetooth.com/specifications/bluetooth-core-specification ● http://blog.bluetooth.com/everything-you-always-wanted-to-know-about-blueto oth-security-in-bluetooth-4-2/ ● “Bluetooth: With Low Energy comes Low Security” by Mike Ryan, 7th USENIX conference on Offensive Technologies, 2013

×