
BLE Talk


An overview of Bluetooth Low Energy with emphasis on security.

Published in: Technology


  1. Using Bluetooth LE (For Good)
  2. Who?
     • Donald Ness
     • Software Developer from Boulder, CO
     • Learned Bluetooth building wireless controls for robots
     • See Anarchy as a giant engineering project
     • IANAC
  3. What is this talk about?
     • What is Bluetooth Low Energy?
     • Why does it matter?
     • How can we use it for good?
  4. What is BLE?
     • New wireless scheme for low power devices
     • small size, small cost
     • same spectrum as WiFi, Bluetooth Classic
     • a.k.a. Bluetooth SMART
     • Subset of Bluetooth 4.0 spec since 2010
  5. BLE vs Bluetooth Classic

     |                   | BLE                  | Classic                        |
     |-------------------|----------------------|--------------------------------|
     | security          | broken key exchange* | secure pairing protocol (ECDH) |
     | throughput        | 0.2 Mbit/s           | 2-3 Mbit/s                     |
     | range             | 10 - 30m             | 50 - 300m                      |
     | power consumption | 0.01 to 0.5W         | 1W                             |
     | connection time   | 0.1s (faster)        | 5s                             |
     | size              | very small (smaller) | small                          |
     | cost              | ~$2 @ 5000 (lower)   | ~$7 @ 5000                     |

     * unless done out-of-band. more on that soon.
  6. Why does it matter? It is everywhere!
  7. Why does it matter?
     • Low energy and small size ➡ Convenient devices that can fit on a keychain
     • Low cost and flexible development ➡ Good solution for DIY open source hardware
  8. A Safe Haven For Private Keys
     Problem:
     • 0-day exploits
     • backdoors in proprietary hardware
     • web wallets require third party trust
     • cold storage wallets are cumbersome
     Hardware wallets are the best current solution, but:
     • expensive! ~$120
     • don’t work with mobile
     • require USB cables
  9. Technical Overview
  10. Protocol Stack
     • GATT/GAP: generic attribute/access protocol; groups attributes into services
     • ATT: attribute protocol; bound to L2CAP; similar to SDP in BT Classic
     • L2CAP: logical link control and adaptation protocol; segments and assembles packets; optional QoS via retransmission + CRC
     • Link Layer: 3 advertising channels; 37 data channels; hop increment + interval negotiated
     • PHY: 2.4GHz ISM spectrum; GFSK RF modulation
  11. Security
     • 128-bit AES block cipher at link layer. Great! Right…?
     • PROBLEM: in-band key exchange is broken
       • Passive attack can snoop for LTK during pairing.
       • Active attack can force new LTK exchange and then snoop.
     • SOLUTION: use out-of-band key exchange
       • Simple Secure Pairing at application layer
       • Uses ECDH: ~5 sec on 8-bit CPU
     • For more info: http://lacklustre.net/bluetooth/
  12. Device Roles
     • Peripheral as Server
       • ex. a controller for an Aquaponics system
       • It advertises to Centrals
     • Central as Client
       • ex. a Smartphone
       • It connects to Peripherals
  13. Services and Characteristics
     • A Service is a collection of data and functions, or characteristics, associated with a peripheral.
       • ex. A service representing aquaponics sensors
     • A Characteristic represents a single aspect of a peripheral. It has properties which determine how it can be used (i.e. read, write)
       • ex. Temperature, pH level, oxygen level
  14. UUID
     • Services and Characteristics are identified by UUIDs
     • 16-bit defined by Bluetooth SIG
       • http://developer.bluetooth.org
     • 128-bit user defined
  15. Advertising
     (diagram: the Central scans while the Peripheral sends a steady stream of Adv packets)
     • A peripheral broadcasts advertising packets to tell the world about itself:
       • A name
       • Some primary Service UUIDs
       • Transmit Power
       • Manufacturer Data
     • A central scans for advertising packets to find something to connect to.
  16. Characteristic Properties
     • Read
     • Write
       • With Response (guaranteed write)
       • Without Response
     • Notify
       • Subscribe to a value and get events when value changes
     • Limitations
       • 20 byte limit for characteristics
     (diagram: PDUs carrying characteristic values)
  17. A Note on Beacons
     • Beacons are just specially formatted advertising packets, usually emitted at a fast interval (~20ms)
     • It allows proximity-based micro location using RSSI to determine distance.
     • iBeacons are Apple’s version:
       • UUID (16 bytes): Best Buy
       • Major ID (2 bytes): Store 101
       • Minor ID (2 bytes): TV Aisle
  18. Example Code
  19. Using Bluetooth LE Peripherals to Sign Bitcoin Transactions
     • Store a private key (or a password-protected private key) safely in the flash memory of a microcontroller.
     • Send a transaction input via Bluetooth LE to the microcontroller.
     • Hash the input and sign it with our private key, then send the signature back to the central to complete the transaction.
  20. Other Uses
     • Signing messages with GPG key
     • Exchanging public keys in person
     • Replacing LED screens with BLE radios for hardware projects
     • Drop Safes
     • Many other things…?
  21. Software Stacks
     • Linux — BlueZ
     • Mac & iOS — CoreBluetooth
     • Chrome APIs
     • Node.js — noble/bleno
  22. Hardware
     • Popular Manufacturers
       • Nordic Semiconductor NRF51
         • Packed with an ARM Cortex-M0
         • Great development kit
       • Texas Instruments CC2640
       • BlueGiga
       • BlueRadios
     • DIY
       • RedBearLab BLE Mini — $25
       • RFDuino — $25
       • Intel Edison SoC — $50
  23. Firmware
     • micro-ecc
       • https://github.com/kmackay/micro-ecc
       • ECDH and ECDSA for 8-bit, 32-bit, and 64-bit processors.
     • nano-ecc
       • https://github.com/iSECPartners/nano-ecc
       • A very small ECC implementation for 8-bit microcontrollers
  24. Questions? Twitter: @programmarchy
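Slide 16's 20-byte characteristic limit means a 32-byte transaction hash or a 64-byte signature (slide 19) cannot travel in a single write. The following is an added example, not code from the talk: messages are fragmented into 20-byte PDUs under a 1-byte header of our own design (an assumption, not a BLE format), and the receiver rejects gaps and replays instead of accepting a corrupt message, which matters for "write without response".

```python
# Added example (not from the talk): fragmenting a message into characteristic
# writes that respect the 20-byte limit from slide 16, and reassembling it on the
# far side. The 1-byte header layout is our own assumption, not a BLE standard.
MAX_PDU = 20         # bytes carried by one characteristic write
CHUNK = MAX_PDU - 1  # payload bytes left after our 1-byte header
LAST = 0x80          # header bit 7: this is the final fragment
SEQ_MASK = 0x7F      # header bits 0-6: fragment sequence number

def fragment(payload: bytes) -> list:
    """Split payload into PDUs of at most MAX_PDU bytes, each with a header."""
    if len(payload) > CHUNK * (SEQ_MASK + 1):
        raise ValueError("payload too large for a 7-bit sequence number")
    pieces = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)] or [b""]
    pdus = []
    for seq, piece in enumerate(pieces):
        flag = LAST if seq == len(pieces) - 1 else 0
        pdus.append(bytes([flag | seq]) + piece)
    return pdus

class Reassembler:
    """Rebuilds a message from fragments. A gap or replay resets the buffer
    instead of yielding a corrupt message, which matters for 'write without
    response', where the sender gets no delivery guarantee."""
    def __init__(self):
        self.buf = bytearray()
        self.expected = 0

    def feed(self, pdu: bytes):
        """Consume one received PDU; returns the whole message once the LAST
        fragment arrives, otherwise None."""
        if not 1 <= len(pdu) <= MAX_PDU:
            raise ValueError("PDU length %d outside 1..%d" % (len(pdu), MAX_PDU))
        seq = pdu[0] & SEQ_MASK
        if seq != self.expected:
            want, self.expected = self.expected, 0
            self.buf.clear()
            raise ValueError("expected fragment %d, got %d" % (want, seq))
        self.buf += pdu[1:]
        self.expected += 1
        if pdu[0] & LAST:
            message, self.expected = bytes(self.buf), 0
            self.buf.clear()
            return message
        return None

def transfer(payload: bytes) -> bytes:
    """Round trip: fragment, then feed every PDU to a fresh Reassembler."""
    rx = Reassembler()
    for pdu in fragment(payload):
        result = rx.feed(pdu)
    return result
```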
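Slide 19's signing step carried through, as an added example that is not the talk's code: the peripheral holds the private key and signs the SHA-256 of a transaction input with ECDSA over secp256k1, and the central verifies the (r, s) pair with the public key. This is pure Python rather than micro-ecc and is not constant-time, so it shows the flow only; the private key and input used in testing are constructed values.

```python
# Added example (not the talk's code): ECDSA over secp256k1 in pure Python, to
# show slide 19's flow. The peripheral holds the private key and signs the SHA-256
# of the transaction input; the central verifies with the public key. Not
# constant-time and not micro-ecc: for illustration, not for firmware.
import hashlib
import hmac

P = 2**256 - 2**32 - 977  # field prime of secp256k1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None  # p == -q
    if p == q: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, p):
    """Scalar multiplication by double-and-add."""
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def sign(priv: int, tx_input: bytes):
    """Peripheral side: hash the input, then produce an ECDSA (r, s) pair."""
    h = hashlib.sha256(tx_input).digest()
    z = int.from_bytes(h, "big") % N
    # Nonce derived from key and message; a repeated or guessable k leaks priv.
    # (Simplified stand-in for RFC 6979, not the real construction.)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), h, hashlib.sha256).digest(), "big") % N or 1
    r = mul(k, G)[0] % N
    s = (z + r * priv) * pow(k, -1, N) % N
    return r, s

def verify(pub, tx_input: bytes, sig) -> bool:
    """Central side: check (r, s) against the peripheral's public key."""
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(tx_input).digest(), "big") % N
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r
```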
