Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

BLE as Active RFID


Published on

Traditional active RFID deployments have typically involved tags and readers made by (or for) a single vendor, resulting in tight control over the system. With the widespread commercial adoption of Bluetooth Low Energy (BLE), today it is common to detect everything from consumer products such as smartphones, wearables and smart home electronics, to commercial and industrial products, which actively identify themselves using standardised advertising packets. Moreover, there are plenty of off-the-shelf devices capable of acting as readers, from purpose-built devices to generic single-board-computers to the smartphone in your pocket. Presented at IEEE RFID 2017 in Phoenix.

Published in: Technology
  • Be the first to comment

BLE as Active RFID

  1. 1. BLE as Active RFID Tutorial presented by Jeffrey Dungen at IEEE RFID 2017
  2. 2. What’s BLE? (Bluetooth Low Energy) Bluetooth 4.0 Bluetooth LE (Ericsson 199x) (Nokia 200x) (2007) IEEE RFID 2017Jeffrey Dungen
  3. 3. What’s Active RFID? Device which spontaneously transmits, via radio frequencies, its identifier, using its own source of power. IEEE RFID 2017Jeffrey Dungen
  4. 4. Is BLE Active RFID? ❏ spontaneously transmits (“advertises”) ❏ radio frequencies (2400MHz) ❏ identifier ❏ own source of power ✓ ✓ ✓ ✓ IEEE RFID 2017Jeffrey Dungen
  5. 5. Is BLE anything else? Indeed! Many other things! IEEE RFID 2017Jeffrey Dungen But let’s talk about the Active RFID part because it’s often overshadowed by the rest...
  6. 6. Motivation #1 IEEE RFID 2017Jeffrey Dungen BLE has become the de facto standard. No longer need to create yet-another-standard. I’ve had the (dis)pleasure of developing Active RFID protocols from scratch at Purelink Technology (5.8GHz) and at reelyActive (sub-GHz). Couldn’t be happier to adopt BLE as a global standard!
  7. 7. Motivation #2 IEEE RFID 2017Jeffrey Dungen Billions of products, places and even people are carrying Active RFID devices right now! If you had told me a decade ago that this would happen (voluntarily even!), I would not have believed you. IncrediBLE! Now let’s put this to good use!
  8. 8. Questions we’ll answer IEEE RFID 2017Jeffrey Dungen ➔ How are BLE devices identified? ➔ What can you include in the payload? ➔ What about privacy and security? ➔ What best (and worst) practices are emerging? ➔ Can you build a RTLS with BLE? ➔ What tools are available?
  9. 9. IEEE RFID 2017Jeffrey Dungen How are BLE devices identified?
  10. 10. BLE Device Identification IEEE RFID 2017Jeffrey Dungen MANDATORY ➔ 48-bit advertiser address OPTIONAL ➔ Short name (ASCII) ➔ 128-bit UUID ➔ 16-bit company code ➔ 16-bit member services ➔ EUI-48 / EUI-64 ➔ User-defined IDs 48:b1:7a:dd:4e:55 Example
  11. 11. 48-bit Advertiser Address IEEE RFID 2017Jeffrey Dungen PUBLIC OPTION ➔ IEEE-assigned MAC ➔ Static A single header bit, txAdd, affords two options: RANDOM OPTION ➔ Choose your own! ➔ Change it whenever and as often as you like! MANDATORY
  12. 12. Local Name IEEE RFID 2017Jeffrey Dungen Choose a short ASCII string, ex: ✓ ✓ ((( I <3 RFID ))) OPTIONAL
  13. 13. 128-bit UUID IEEE RFID 2017Jeffrey Dungen Choose your own, ex: ✓ ✓ 128B171D-1EEE-4F1D-2017-85004C090517 OPTIONAL
  14. 14. 16-bit Company Code IEEE RFID 2017Jeffrey Dungen Request from the Bluetooth SIG, ex: ~ ✓ 004C → Apple OPTIONAL
  15. 15. 16-bit Member Services IEEE RFID 2017Jeffrey Dungen Purchase from the Bluetooth SIG, ex: x ✓ FEAA → OPTIONAL
  16. 16. Identification Summary IEEE RFID 2017Jeffrey Dungen Every packet includes a 48-bit advertiser address. Each packet may also contain one or more additional identifiers, limited by the max payload of the packet.
  17. 17. IEEE RFID 2017Jeffrey Dungen What can I include in the payload?
  18. 18. BLE Packet Overview* IEEE RFID 2017Jeffrey Dungen Preamble & Access Address 5 Bytes Packet Data Unit 8-39 Bytes CRC 3 Bytes Header 2 Bytes Advertiser Address 6 Bytes Optional Payload Up to 31 Bytes * Bluetooth 4.x advertising packets
  19. 19. 31 Bytes of Payload Freedom? IEEE RFID 2017Jeffrey Dungen Sure, as long as you respect the Generic Access Profile (GAP): Data Type 1 Byte Length 1 Byte Data Up to 29 Bytes Data Up to 29 Bytes ... Pick and choose data types, as long as together they all fit! Data Type 1 Byte Length 1 Byte
  20. 20. What’s a GAP Data Type? IEEE RFID 2017Jeffrey Dungen Full list: 0x01 Flags 0x07 Complete List of 128-bit Service Class UUIDs 0x09 Complete Local Name 0x16 Service Data - 16-bit UUID 0xff Manufacturer Specific Data
  21. 21. Examples IEEE RFID 2017Jeffrey Dungen How about some ASCII text and a 128-bit UUID: Data Type 0x09 Length 18 Complete Local Name ((( I <3 RFID ))) Complete List of 128-bit Service Class UUIDs 128B171D-1EEE-4F1D-2017-85004C090517 Together they’re over 31 bytes so won’t fit in a single packet! Data Type 0x07 Length 17
  22. 22. Service Data IEEE RFID 2017Jeffrey Dungen Eddystone uses member service data to squeeze in a URL: Data Type 0x16 Length 18 Member Service 0xfeaa URL & TX Power Eddystone specification: Purchased Defined
  23. 23. Manufacturer Specific Data IEEE RFID 2017Jeffrey Dungen Apple uses manufacturer specific data extensively: Data Type 0xff Length -- Company Code 0x004c iBeacon, AirPlay, AirDrop, Nearby, Handoff, etc. iBeacon is an open standard. Others are not. Requested Defined
  24. 24. Payload Data we’ve Observed IEEE RFID 2017Jeffrey Dungen X Y Z Accelerometer Gyroscope Magnetometer Battery Level Appearance URL Temperature Pressure Humidity Typically closed/proprietary standards, poorly documented or incorrectly implemented! ➔ Nonetheless, can often be deciphered through observation
  25. 25. Payload Summary IEEE RFID 2017Jeffrey Dungen Up to 27-bytes which you can stuff as you please. Respect GAP and vendor-defined open standards.
  26. 26. IEEE RFID 2017Jeffrey Dungen What about privacy and security?
  27. 27. Overview of Concerns IEEE RFID 2017Jeffrey Dungen Can I now be identified & tracked by all the BLE devices I carry??? Can my identity or sensor payload be spoofed??? Normal ALERT!
  28. 28. Advertiser Beware IEEE RFID 2017Jeffrey Dungen Transmissions on the advertising channels can be observed on the advertising channels. BLE affords plenty of flexibility for privacy/security. Apply best practices to reach the best compromise!
  29. 29. IEEE RFID 2017Jeffrey Dungen Best and worst practices?
  30. 30. NotaBLE Practices IEEE RFID 2017Jeffrey Dungen ➔ Privacy-sensitive identification ➔ Making standards work for you ➔ Security by obscurity
  31. 31. Privacy-Sensitive Identification IEEE RFID 2017Jeffrey Dungen Periodically cycle the 48-bit advertiser address to hamper repeat-visit tracking and spoofing: Type: random Cycle: every TX Type: random Cycle: ~15 mins Type: random Cycle: never BALANCEDEXCESSIVE INSUFFICIENT
  32. 32. GOOD: ~15 min cycle IEEE RFID 2017Jeffrey Dungen ➔ easily track you for up to ~15 mins (ex: store visit) ➔ possibly track you for longer, while in range ➔ not associate you with a previous visit ➔ identify device type, at best, by company code or other identifiers, if present An observer can:
  33. 33. (Potentially) BAD: no cycle IEEE RFID 2017Jeffrey Dungen Jeff’s Fitbit Charge HR has used the same identifier for over two years now... d9:01:4f:6b:a8:b2 Not good for privacy. - but - Convenient for demos!
  34. 34. BIZARRE: cycle + static ID IEEE RFID 2017Jeffrey Dungen Estimote sticker changes its address constantly, but includes static ID in payload... Excessive address cycling can wreak havoc on observers with resource-constrained BLE stacks! xx:xx:xx:xx:xx:xx 2b-ad-2b-ad-2b-ad-2b-ad
  35. 35. Standards = Interoperability IEEE RFID 2017Jeffrey Dungen Beneficial that any observer understand your broadcasts? 21°C 21°C Advertiser from Company X Observer from Company Y OBSERVE EXISTING STANDARDS
  36. 36. Standard Precedence IEEE RFID 2017Jeffrey Dungen 1. Check Bluetooth GAP Types 2. Check Bluetooth GATT Services 3. Check open standards by vendors No standard? Check again. Still no? Create your own open standard.
  37. 37. Temperature Example IEEE RFID 2017Jeffrey Dungen GAP: No. GATT: Yes, service & characteristic. Service 0x181a: Environmental Sensing | Characteristic 0x2a6e: Temperature Open Standards: Yes. Eddystone-TLM, ...
  38. 38. Temperature-as-a-Service IEEE RFID 2017Jeffrey Dungen Data Type 0x16 Length 5 Service 0x2a6e Temperature 2100 = 0x0834 = 21°C * we’ve observed this practice from reputable vendors and assume it conforms to the core specification!
  39. 39. Temperature as Eddystone-TLM IEEE RFID 2017Jeffrey Dungen Data Type 0x16 Length 5 Service 0xfeaa Eddystone-TLM 0x2000----1500...
  40. 40. Security by Obscurity IEEE RFID 2017Jeffrey Dungen Beneficial that no foreign observer understand your broadcasts? 21°C WTF Advertiser from Company X Observer from Company Y DESIGN YOUR OWN CLOSED STANDARD
  41. 41. Obscure Thoughts IEEE RFID 2017Jeffrey Dungen ➔ Encryption keys ➔ Cyclic counts ➔ Random noise bits ➔ Secret, deterministic address cycling (id & period) A clever security design will allow your packet to be transported via any channel and subsequently decoded and authenticated by a trusted recipient. Think M2M.
  42. 42. *Encrypted* Eddystone-TLM IEEE RFID 2017Jeffrey Dungen Data Type 0x16 Length 5 Service 0xfeaa Eddystone-TLM 0x2001--------... Alternatively, use or inspire yourself from existing open standards:
  43. 43. Best Practices Summary IEEE RFID 2017Jeffrey Dungen Be sensitive to privacy concerns. Understand it’s a compromise. Stick to standards whenever possible. Leverage BLE’s flexibility for elegant DIY security.
  44. 44. IEEE RFID 2017Jeffrey Dungen How about BLE real-time location?
  45. 45. BLE RTLS Overview IEEE RFID 2017Jeffrey Dungen Observers can estimate the location of a device each time it transmits an advertising packet. ID is within 10m of meID The flexibility of BLE affords many options...
  46. 46. BLE RTLS Approaches IEEE RFID 2017Jeffrey Dungen Broadcaster Observer Vendors Vendor Vendor 9Solutions,, ... Any* Vendor Quuppa Any Vendor Bluvision, (reelyActive), ... Any Any reelyActive Consistency Opportunity * requires specific bit-pattern in payload “Bring-your-own-device” & “use-our-device” strategies:
  47. 47. BLE SCAN is “Exciting” stuff IEEE RFID 2017Jeffrey Dungen ADV_DISCOVER_IND SCAN_REQ SCAN_RSP “Readers” can incite devices to transmit a SCAN_REQ packet which they may in turn observe.
  48. 48. IEEE RFID 2017Jeffrey Dungen What tools are available?
  49. 49. Overview of Tools IEEE RFID 2017Jeffrey Dungen As BLE matures, an increasing number of tools and documentation are becoming available - but - most focus on paired applications (central-peripheral) rather than Active RFID (broadcaster-observer). Heed the distinction!
  50. 50. Breakdown of Tools IEEE RFID 2017Jeffrey Dungen Advertise Observe Interpret ➔ Mobile apps/SDKs ➔ Commercial beacons ➔ Dev kits ➔ Your PC / SBC ➔ Commercial sniffers ➔ Dev kits ➔ Open source software ➔ Commercial software ➔ Develop from scratch
  51. 51. Sniff and Learn on Mobile! IEEE RFID 2017Jeffrey Dungen RaMBLE for Android “RaMBLE collects BLE advertising packets, and tries to identify devices based on their MAC address and the content of these packets.”
  52. 52. Sniff and Learn on a Pi! IEEE RFID 2017Jeffrey Dungen Raspberry Pi 3 BLE Sniffer Detect, visualise and explore BLE advertising packets using the ubiquitous Raspberry Pi, open source software and an easy to follow tutorial.
  53. 53. Open Source Projects IEEE RFID 2017Jeffrey Dungen advlib Javascript library to decode BLE packets. Presented at IEEE WF-IoT 2015 Sniffypedia “Phone book” of BLE identifiers and metadata. Open Database License
  54. 54. Live Demo! IEEE RFID 2017Jeffrey Dungen This dashboard is open source under MIT License: advlib + Sniffypedia Commercial version
  55. 55. BLE as Active RFID @reelyActive |