Bluetooth Low Energy Security
Presented by:
Akshay Kumar
Darshan Ramakant Bhat
Freeze Francis
A case study
Overview
● What is Bluetooth Low Energy?
○ vs classic bluetooth
● Protocol Stack
○ PHY and Link
● Encryption
● Security Issues in BLE 4.0/4.1
○ Eavesdropping
○ Active Attack
○ MITM
● Security Enhancements BLE 4.2
○ ECDH
What is Bluetooth Low Energy?
● a.k.a Bluetooth Smart
● originally introduced under the name Wibree by Nokia in 2006
● merged into the main Bluetooth standard in 2010 with the adoption of the
Bluetooth Core Specification Version 4.0
● operates in the unlicensed 2.4 GHz band
● new modulation and link layer for low-power devices
● vs classic Bluetooth
○ incompatible with classic Bluetooth devices
○ PHY and link layer almost completely different
○ high-level protocols the same
Applications
Bluetooth LE network
Protocol Stack
PHY Layer
● 2.4 GHz ISM band split into 40 channels:
○ 37 data channels
○ 3 advertising channels (37,38,39)
○ Central frequency: $f_n = 2402 + 2n$ MHz
PHY Layer (continued..)
● Modulation scheme : Gaussian Frequency Shift Keying(GFSK)
○ Data rate : 1 Mbit/s
● Hopping
○ hop along all 37 data channels
○ duration (a.k.a hop interval) : one data packet per channel
○ hop increment (specific to a connection ) decides the next channel
next channel = (channel + hop increment) mod 37
Link Layer
● Preamble: an alternating binary sequence for synchronization
● Access Address: unique identifier which defines a particular connection
○ Fixed value for communications in advertising channel : 0x8E89BED6
● PDU : protocol data unit which is the actual payload (variable length)
● CRC : for error checking
○ depends on CRC Init and the PDU
○ Computed using Linear Feedback Shift Register (LFSR)
● Whitening is applied to the PDU and CRC.
○ Not complicated as it depends only on channel number.
○ Computed using LFSR
● Each Bluetooth device has a unique MAC address
Link layer state diagram
● Standby: does not transmit or receive any packets
● Advertising: transmitting advertising channel
packets and possibly listening to and responding to
responses triggered by these advertising channel
packets
● Scanning: listening for advertising channel packets
from devices that are advertising.
● Initiating: listening for advertising channel packets
from a specific device(s) and responding to these
packets to initiate a connection with another device.
● Connection : connected state, device is either
master or slave and further communication happens
in data channels.
Encryption
● Link layer
○ AES-CCM encryption scheme
○ CCM : Counter mode with CBC-MAC (Cipher Block Chaining Message Authentication Code)
○ authenticated encryption algorithm: encrypts the PDU and also generates MAC
● Application layer
○ user-defined encryption
○ generally not used in BLE devices
With Low Energy Comes Low Security!!!
Compromises made for low power:
● Hopping rate is less aggressive (37 data channels)
● Whitening seed is derived directly from the channel number, and the LFSR used is
known
● Overly simplified custom key exchange
Combining all these resulted in a major flaw in the protocol !!
● Applications:
○ heart rate and blood pressure monitors
○ wireless door lock, low power gadgets
○ industrial monitoring sensors
○ public transportation apps
Eavesdropping
● Compromises make eavesdropping easy
● To sniff a connection:
○ Hop increment : to determine next channel
○ Access address : to find the start of the PDU
○ Hop interval : to determine how long to stay in a channel
○ CRC init : to filter out corrupt packets
● Two scenarios:
○ Observed the connection initialization packet: all values are known.
○ Missed the connection initialization packet: recover values by exploiting properties of BLE packets.
Eavesdropping attack in detail
[Diagram: Ubertooth (hardware) connected to PC (software)]
RF to packets:
● CC2400 gets bits from air
● We know Access Address !
● MCU finds the start of PDU and gets it
as packet
● Wireshark plugin available
Wireshark plugins
Recovering the unknown values
● Master and slave transmit packets in each channel, even if
there is no meaningful data (empty packet).
● Each waits for hop_interval x 1.25 ms in a channel.
● Empty packet : PDU = header( 16 bit) + empty body
○ easy to identify looking for header
○ most traffic is empty
Access address:
● Look for an empty packet and AA comes before the header
● least frequently used cache (LFU) + CRC to eliminate false
positives
Recovering unknown values (continued..)
CRC init:
● seed value used for generating CRC
● CRC computed using an LFSR
● CRC Init obtained by reversing LFSR with CRC as seed
● LFU to filter out false positives
Hop interval:
● wait on particular data channel for consecutive packets
● 37 channels visited in full cycle
●
Recovering unknown values (continued..)
Hop Increment:
● Interarrival time of packets in two data channels (say 0 and 1)
(Fermat's little theorem)
we can now follow a connection and sniff packets, but encryption?
0 -----> 25 -----> 50 -----> 1
Bypassing the encryption
● Encryption by link layer
● How to get the keys ?
Custom Key Exchange Protocol:
● 3 stage process
● Stage 1 : Choosing the pairing methods which defines Temporary Key (TK)
● Stage 2 : Generate the Short Term Key (STK)
● Stage 3 : Generate the Long Term Key (LTK)
● LTK is reused and used to generate session keys
● Session keys are used during encrypted sessions (AES-CCM)
Pairing methods
Devices choose the pairing method based on their I/O capabilities.
1. Just Works
● TK is trivial i.e TK=0
2. PassKey Entry
● TK is 6-digit PIN (user inputs)
3. Out Of Band (OOB)
● uses other means like NFC for TK exchange
● more secure
● almost never used !
The TK (also the 128-bit AES key) is used to generate the ‘confirm’ values.
Cracking the TK
● We already have a packet sniffer
● TK is between 0 and 99999 (if passKey entry pairing)
● brute forced in < 1 second
(plain text)
Key Exchange Broken
● TK + pairing data is used to compute a STK
● STK is used to encrypt the LTK exchange
● Worst part : LTK is reused and used to generate session keys
● 100 % passive attack and can be done offline
Active Attack
What if attacker missed the LTK exchange packets?
Two possible active attacks:
1. The eavesdropper can jam the connection so that the master drops it,
forcing re-pairing.
2. The BLE protocol has provisions for a master or slave to reject an LTK. The eavesdropper
sends an appropriate link layer message (LL_REJECT_IND) that forces a key
renegotiation.
Man In The Middle Attacks
An attacker can impersonate the valid device and cause the data to pass
through the attacker.
Authentication protects against MITM
Authentication is the method to prevent MITM attacks
Enhancements in Bluetooth 4.2
There are two major enhancements in BLE 4.2
● New pairing method: A new pairing method is added. Both devices should
have display capabilities and one should have a yes/no button.
● Elliptic Curve Diffie Hellman (ECDH) key exchange:
DH uses prime factorization whereas ECDH uses elliptic curve cryptography.
Breaking ECDH is more computationally expensive than breaking DH, and ECDH also
requires fewer bits than DH.
MITM prevention
● Before pairing, both devices must share pairing parameters that include
authentication requirements
● If authentication is required, both devices must authenticate each other using one of the
association models
Which model to use is based on two parameters:
● Can the device receive data from a user, or output data to the user? Involving the user in
the pairing process is an important element in the secure transfer of data
● Can the device communicate Out-of-Band (OOB)? For example, if part of the security key
can be transferred between the two devices over Near-Field Communication (NFC), an
eavesdropper will not be able to make sense of the final data.
Association models (BLE 4.2)
● Numeric Comparison—Both devices display a six-digit number and the user
authenticates by selecting ‘Yes’ if both devices are displaying the same number.
● Passkey Entry—The user either inputs an identical Passkey into both devices, or one
device displays the Passkey and the user enters that Passkey into the other device.
● Out of Band (OOB)—The OOB association model is the model to use if the devices are
capable of OOB.
● Just Works—This association model is used either when MITM protection is not needed
or when devices have limited IO capabilities.
Diffie-Hellman
Elliptic Curve Cryptography
● An elliptic curve E is the graph of an equation of the form
$y^2 = x^3 + ax + b$
● Elliptic curves provide a different way to do
the math in a public key system
[Figure: plot of $y^2 = x^3 - x + 1$]
Elliptic curve maths
Consider $y^2 = x^3 + 2x + 3 \pmod 5$
x = 0: $y^2 = 3$, no solution (mod 5)
x = 1: $y^2 = 6 \equiv 1$, so y = 1, 4 (mod 5)
x = 2: $y^2 = 15 \equiv 0$, so y = 0 (mod 5)
x = 3: $y^2 = 36 \equiv 1$, so y = 1, 4 (mod 5)
x = 4: $y^2 = 75 \equiv 0$, so y = 0 (mod 5)
So valid points on the curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and (inf,inf)
These points form the finite set.
Addition in elliptic curve
● P1 + P2 = P3
Addition on $y^2 = x^3 + ax + b \pmod p$:
$P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$; $P_1 + P_2 = P_3 = (x_3, y_3)$ where
$x_3 = m^2 - x_1 - x_2 \pmod p$
$y_3 = m(x_1 - x_3) - y_1 \pmod p$
and
$m = (y_2 - y_1)(x_2 - x_1)^{-1} \bmod p$, if $P_1 \neq P_2$
$m = (3x_1^2 + a)(2y_1)^{-1} \bmod p$, if $P_1 = P_2$
What is $(1,4) + (3,1) = P_3 = (x_3, y_3)$ on $y^2 = x^3 + 2x + 3 \pmod 5$?
$m = (1-4)(3-1)^{-1} = (-3)(2)^{-1} = 2 \cdot 3 = 6 \equiv 1 \pmod 5$
$x_3 = 1 - 1 - 3 \equiv 2 \pmod 5$
$y_3 = 1(1-2) - 4 \equiv 0 \pmod 5$
Diffie-Hellman using elliptic maths
Public: Elliptic curve and point (x,y) on curve
Secret: Alice’s A and Bob’s B
Alice computes A(B(x,y))
Bob computes B(A(x,y))
These are the same since AB = BA
Example
Public: Curve $y^2 = x^3 + 7x + b \pmod{37}$ with b = 3, and point (2,5)
Alice’s secret: A = 4
Bob’s secret: B = 7
Alice sends Bob: 4(2,5) = (7,32)
Bob sends Alice: 7(2,5) = (18,35)
Alice computes: 4(18,35) = (22,1)
Bob computes: 7(7,32) = (22,1)
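The point enumeration, the addition rule and the ECDH exchange from the last three slides, as an added Python example (not code from the original deck). The names `Curve`, `ecdh_shared` and `slide_example` are illustrative; the public-point validation in `ecdh_shared` and the `is_singular` check go beyond the slides and show two things a real implementation must verify: the mod 5 teaching curve is singular (4a³ + 27b² ≡ 0), so it only serves to illustrate the arithmetic.

```python
from typing import List, Optional, Tuple

# None stands for the point at infinity (the "(inf,inf)" of the slides).
Point = Optional[Tuple[int, int]]


class Curve:
    """y^2 = x^3 + a*x + b over GF(p), p an odd prime. Toy sizes only."""

    def __init__(self, a: int, b: int, p: int) -> None:
        self.a, self.b, self.p = a % p, b % p, p

    def is_singular(self) -> bool:
        # A singular curve (discriminant 0) must never be used for ECDH.
        return (4 * self.a**3 + 27 * self.b**2) % self.p == 0

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def points(self) -> List[Tuple[int, int]]:
        """Brute-force list of affine points; feasible only for tiny p."""
        return [(x, y) for x in range(self.p) for y in range(self.p)
                if self.contains((x, y))]

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent addition; coordinates are assumed reduced mod p."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2), p = P, Q, self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return None  # P + (-P), which includes doubling a point with y = 0
        if P == Q:
            m = (3 * x1 * x1 + self.a) * pow((2 * y1) % p, -1, p) % p
        else:
            m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p  # Python 3.8+
        x3 = (m * m - x1 - x2) % p
        y3 = (m * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add scalar multiplication k*P."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def ecdh_shared(curve: Curve, secret: int, peer_public: Point) -> Tuple[int, int]:
    """One side's shared point, computed only after validating the peer's point."""
    if peer_public is None or not curve.contains(peer_public):
        raise ValueError("peer public key is not a valid point on the curve")
    shared = curve.mul(secret, peer_public)
    if shared is None:
        raise ValueError("degenerate shared secret (point at infinity)")
    return shared


def slide_example():
    """The exchange from the Example slide: curve mod 37, base point (2,5)."""
    curve, G = Curve(7, 3, 37), (2, 5)
    alice_secret, bob_secret = 4, 7
    alice_public = curve.mul(alice_secret, G)   # Alice sends this to Bob
    bob_public = curve.mul(bob_secret, G)       # Bob sends this to Alice
    alice_shared = ecdh_shared(curve, alice_secret, bob_public)
    bob_shared = ecdh_shared(curve, bob_secret, alice_public)
    return alice_public, bob_public, alice_shared, bob_shared


if __name__ == "__main__":
    small = Curve(2, 3, 5)
    print("points mod 5:", small.points(), "singular:", small.is_singular())
    print("(1,4) + (3,1) =", small.add((1, 4), (3, 1)))
    print("ECDH mod 37:", slide_example())
```
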
References
● https://www.bluetooth.com/specifications/bluetooth-core-specification
● http://blog.bluetooth.com/everything-you-always-wanted-to-know-about-bluetooth-security-in-bluetooth-4-2/
● “Bluetooth: With Low Energy comes Low Security” by Mike Ryan, 7th USENIX
conference on Offensive Technologies, 2013
BLE Security Issues and Enhancements

TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 

BLE Security Issues and Enhancements

  • 2. Overview
    ● What is Bluetooth Low Energy?
      ○ vs classic Bluetooth
    ● Protocol Stack
      ○ PHY and Link
    ● Encryption
    ● Security Issues in BLE 4.0/4.1
      ○ Eavesdropping
      ○ Active Attack
      ○ MITM
    ● Security Enhancements BLE 4.2
      ○ ECDH
  • 3. What is Bluetooth Low Energy?
    ● a.k.a. Bluetooth Smart
    ● originally introduced under the name Wibree by Nokia in 2006
    ● merged into the main Bluetooth standard in 2010 with the adoption of the Bluetooth Core Specification Version 4.0
    ● operates in the unlicensed 2.4 GHz band
    ● new modulation and link layer for low-power devices
    ● vs classic Bluetooth
      ○ incompatible with classic Bluetooth devices
      ○ PHY and link layer almost completely different
      ○ high-level protocols the same
  • 9. PHY Layer
    ● 2.4 GHz ISM band split into 40 channels:
      ○ 37 data channels
      ○ 3 advertising channels (37, 38, 39)
      ○ Central frequency: f_n = 2402 + 2n MHz
  • 10. PHY Layer (continued)
    ● Modulation scheme: Gaussian Frequency Shift Keying (GFSK)
      ○ Data rate: 1 Mbit/s
    ● Hopping
      ○ hop along all 37 data channels
      ○ duration (a.k.a. hop interval): one data packet per channel
      ○ hop increment (specific to a connection) decides the next channel:
        next channel = (channel + hop increment) mod 37
  • 11. Link Layer
    ● Preamble: an alternating binary sequence for synchronization
    ● Access Address: unique identifier which defines a particular connection
      ○ Fixed value for communications in advertising channel: 0x8E89BED6
    ● PDU: protocol data unit, which is the actual payload (variable length)
    ● CRC: for error checking
      ○ depends on CRC Init and the PDU
      ○ Computed using a Linear Feedback Shift Register (LFSR)
    ● Whitening is applied to the PDU and CRC.
      ○ Not complicated, as it depends only on the channel number.
      ○ Computed using an LFSR
    ● Each Bluetooth device has a unique MAC address
  • 12. Link layer state diagram
    ● Standby: does not transmit or receive any packets
    ● Advertising: transmitting advertising channel packets and possibly listening to and responding to responses triggered by these advertising channel packets
    ● Scanning: listening for advertising channel packets from devices that are advertising
    ● Initiating: listening for advertising channel packets from a specific device(s) and responding to these packets to initiate a connection with another device
    ● Connection: connected state; the device is either master or slave, and further communication happens in data channels
  • 13. Encryption
    ● Link layer
      ○ AES-CCM encryption scheme
      ○ CCM: Counter mode with CBC-MAC (Cipher Block Chaining Message Authentication Code)
      ○ authenticated encryption algorithm: encrypts the PDU and also generates a MAC
    ● Application layer
      ○ user-defined encryption
      ○ generally not used in BLE devices
  • 14. With Low Energy Comes Low Security!!!
    Compromises made for low power:
    ● Hopping rate is less aggressive (37 data channels)
    ● Whitening seed follows directly from the channel number, and the LFSR used is known
    ● Overly simplified custom key exchange
    Combining all these resulted in a major flaw in the protocol!
    ● Applications:
      ○ heart rate and blood pressure monitors
      ○ wireless door locks, low-power gadgets
      ○ industrial monitoring sensors
      ○ public transportation apps
  • 15. Eavesdropping
    ● Compromises make eavesdropping easy
    ● To sniff a connection:
      ○ Hop increment: to determine next channel
      ○ Access address: to find the start of the PDU
      ○ Hop interval: to determine how long to stay in a channel
      ○ CRC init: to filter out corrupt packets
    ● Two scenarios:
      ○ Observed the connection initialization packet: all values are known.
      ○ Missed the connection initialization packet: recover values by exploiting properties of BLE packets.
  • 16. Eavesdropping attack in detail (Hardware) (Software)
  • 17. Ubertooth (to PC)
    RF to packets:
    ● CC2400 gets bits from the air
    ● We know the Access Address!
    ● MCU finds the start of the PDU and gets it as a packet
    ● Wireshark plugin available
  • 19. Recovering the unknown values
    ● Master and slave transmit packets in each channel, even if there is no meaningful data (empty packet).
    ● Each waits for hop_interval × 1.25 ms in a channel.
    ● Empty packet: PDU = header (16 bit) + empty body
      ○ easy to identify by looking for the header
      ○ most traffic is empty
    Access address:
    ● Look for an empty packet; the AA comes before the header
    ● least frequently used (LFU) cache + CRC to eliminate false positives
  • 20. Recovering unknown values (continued)
    CRC init:
    ● seed value used for generating the CRC
    ● CRC computed using an LFSR
    ● CRC Init obtained by reversing the LFSR with the CRC as seed
    ● LFU to filter out false positives
    Hop interval:
    ● wait on a particular data channel for consecutive packets
    ● 37 channels visited in full cycle
  • 21. Recovering unknown values (continued)
    Hop Increment:
    ● Interarrival time of packets in two data channels (say 0 and 1) (Fermat's little theorem)
    We can now follow a connection and sniff packets, but what about encryption?
    0 -----> 25 -----> 50 -----> 1
  • 22. Bypassing the encryption
    ● Encryption by link layer
    ● How to get the keys?
    Custom Key Exchange Protocol:
    ● 3-stage process
    ● Stage 1: Choose the pairing method, which defines the Temporary Key (TK)
    ● Stage 2: Generate the Short Term Key (STK)
    ● Stage 3: Generate the Long Term Key (LTK)
    ● LTK is reused and used to generate session keys
    ● Session keys are used during encrypted sessions (AES-CCM)
  • 23. Pairing methods
    Devices choose a pairing method based on I/O capabilities.
    1. Just Works
      ● TK is trivial, i.e. TK = 0
    2. Passkey Entry
      ● TK is a 6-digit PIN (user inputs)
    3. Out Of Band (OOB)
      ● uses other means like NFC for TK exchange
      ● more secure
      ● almost never used!
    The TK (also the 128-bit AES key) is used to generate the ‘confirm’ values.
  • 24. Cracking the TK
    ● We already have a packet sniffer
    ● TK is between 0 and 99999 (if Passkey Entry pairing)
    ● brute forced in < 1 second (plain text)
  • 25. Key Exchange Broken
    ● TK + pairing data is used to compute an STK
    ● STK is used to encrypt the LTK exchange
    ● Worst part: LTK is reused and used to generate session keys
    ● 100% passive attack and can be done offline
  • 26. Active Attack
    What if the attacker missed the LTK exchange packets? Two possible active attacks:
    1. The eavesdropper can jam the connection so that the master drops it, forcing re-pairing.
    2. The BLE protocol has provisions for a master or slave to reject an LTK. The eavesdropper sends an appropriate link layer message (LL_REJECT_IND) that forces a key renegotiation.
  • 27. Man In The Middle Attacks
    An attacker can impersonate the valid device and cause the data to pass through him.
    Authentication is the method that protects against MITM.
  • 28. Enhancements in Bluetooth 4.2
    There are two major enhancements in BLE 4.2:
    ● New pairing method: both devices should have display capabilities and one should have a yes/no button.
    ● Elliptic Curve Diffie-Hellman (ECDH) key exchange: DH uses prime factorization whereas ECDH uses elliptic curve cryptography. Breaking ECDH is more computationally expensive than breaking DH, and it also requires fewer bits than DH.
  • 29. MITM prevention
    ● Before pairing, both devices must share pairing parameters that include authentication requirements
    ● If authentication is required, both devices must authenticate each other using one of the association models
    Which model to use is based on two parameters:
    ● Can the device receive data from a user, or output data to the user? Involving the user in the pairing process is an important element in the secure transfer of data.
    ● Can the device communicate Out-of-Band (OOB)? For example, if part of the security key can be transferred between the two devices over Near-Field Communication (NFC), an eavesdropper will not be able to make sense of the final data.
  • 30. Association models (BLE 4.2)
    ● Numeric Comparison: both devices display a six-digit number and the user authenticates by selecting ‘Yes’ if both devices are displaying the same number.
    ● Passkey Entry: the user either inputs an identical Passkey into both devices, or one device displays the Passkey and the user enters that Passkey into the other device.
    ● Out of Band (OOB): the OOB association model is the model to use if the devices are capable of OOB.
    ● Just Works: this association model is used either when MITM protection is not needed or when devices have limited I/O capabilities.
  • 32. Elliptic Curve Cryptography
    ● An elliptic curve E is the graph of an equation of the form y^2 = x^3 + ax + b
    ● Elliptic curves provide a different way to do the math in a public key system
    y^2 = x^3 - x + 1
  • 33. Elliptic curve maths
    Consider y^2 = x^3 + 2x + 3 (mod 5)
      x = 0: y^2 = 3        no solution (mod 5)
      x = 1: y^2 = 6 = 1    y = 1, 4 (mod 5)
      x = 2: y^2 = 15 = 0   y = 0 (mod 5)
      x = 3: y^2 = 36 = 1   y = 1, 4 (mod 5)
      x = 4: y^2 = 75 = 0   y = 0 (mod 5)
    So the valid points on the curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and (inf,inf).
    These points form the finite set.
  • 34. Addition in elliptic curve
    ● P1 + P2 = P3
    Addition on y^2 = x^3 + ax + b (mod p):
      P1 = (x1, y1), P2 = (x2, y2); P1 + P2 = P3 = (x3, y3), where
      x3 = (m^2 - x1 - x2) (mod p)
      y3 = (m(x1 - x3) - y1) (mod p)
    and
      m = (y2 - y1)(x2 - x1)^-1 mod p, if P1 ≠ P2
      m = (3x1^2 + a)(2y1)^-1 mod p, if P1 = P2
    What is (1,4) + (3,1) = P3 = (x3, y3) in y^2 = x^3 + 2x + 3 mod 5?
      m = (1 - 4)(3 - 1)^-1 = (-3)(2)^-1 = 2(3) = 6 = 1 (mod 5)
      x3 = 1 - 1 - 3 = 2 (mod 5)
      y3 = 1(1 - 2) - 4 = 0 (mod 5)
  • 35. Diffie-Hellman using elliptic maths
    Public: elliptic curve and point (x,y) on the curve
    Secret: Alice’s A and Bob’s B
    Alice computes A(B(x,y))
    Bob computes B(A(x,y))
    These are the same since AB = BA
  • 36. Example
    Public: curve y^2 = x^3 + 7x + b (mod 37) and point (2,5), so b = 3
    Alice’s secret: A = 4
    Bob’s secret: B = 7
    Alice sends Bob: 4(2,5) = (7,32)
    Bob sends Alice: 7(2,5) = (18,35)
    Alice computes: 4(18,35) = (22,1)
    Bob computes: 7(7,32) = (22,1)
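The arithmetic of slides 33 to 36, carried through in Python as an added example that is not part of the original slides. The function names are assumptions of this sketch; the curves, points and secrets are the slides' own toy values, and the check that a received point lies on the curve is an addition that any real ECDH receiver needs.

```python
# Toy arithmetic on y^2 = x^3 + a*x + b over GF(p); primes this small give no security.
INF = None  # point at infinity, written (inf,inf) on the slides

def on_curve(P, a, b, p):
    """True if P is the point at infinity or satisfies the curve equation."""
    return P is INF or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def curve_points(a, b, p):
    """Brute-force list of affine points; only feasible for tiny p."""
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]

def add(P, Q, a, p):
    """Group law from slide 34, plus the cases the slide leaves out."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P + (-P); also doubling a point with y = 0
    if P == Q:
        m = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p        # chord slope
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, P, a, p):
    """Scalar multiple k*P by double-and-add."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R

def ecdh(a, b, p, G, secret_a, secret_b):
    """Run both sides of slide 35; returns (A_pub, B_pub, shared_a, shared_b)."""
    pub_a, pub_b = mul(secret_a, G, a, p), mul(secret_b, G, a, p)
    for received in (pub_a, pub_b):
        # Receiver-side check: reject the identity and points off the curve.
        if received is INF or not on_curve(received, a, b, p):
            raise ValueError("invalid public point")
    return pub_a, pub_b, mul(secret_a, pub_b, a, p), mul(secret_b, pub_a, a, p)

if __name__ == "__main__":
    print(curve_points(2, 3, 5))           # slide 33
    print(add((1, 4), (3, 1), 2, 5))       # slide 34
    print(ecdh(7, 3, 37, (2, 5), 4, 7))    # slide 36
```

The modular inverse uses the three-argument `pow` with exponent -1, which needs Python 3.8 or later.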