Technical Article

Vulnerabilities and Attacks on Bluetooth LE Devices—Reviewing Recent Info

July 16, 2023 by Nthatisi Hlapisi

To understand known vulnerabilities and attacks on Bluetooth LE devices, we review some studies from the past 4+ years.

As our world continues to delve deeper into the age of digital connectivity, Bluetooth Low Energy (LE) has become a technological mainstay. Nestled within your everyday devices—be it your smartphone, wearable tech, or even your smart home appliances—Bluetooth LE functionality is virtually ubiquitous.

For those who haven't been following our investigative series into Bluetooth LE security, I strongly recommend visiting our prior article about Bluetooth security protocol. It lays the groundwork by detailing the fundamental security protocols in Bluetooth LE, setting the stage for the examination of vulnerabilities and attacks in the current discussion.

As product designers, it is incumbent upon us to understand the vulnerabilities and potential attacks that are inherent to Bluetooth LE devices. As the adoption of Bluetooth LE technology continues to expand across numerous applications, so does the importance of securing these devices. The aim of this article is to shed light on the known vulnerabilities and attacks on Bluetooth LE devices from 2019 through 2023.

 

Methodology 

To explore Bluetooth LE vulnerabilities and attacks, I used Google Scholar as my go-to research tool due to its extensive repository of scholarly articles. I won’t go into the details of my search here, but I discovered a treasure trove of articles using the keyword phrase "Security 'Bluetooth Low Energy'", and limited my search results to articles published between 2019 and 2023.

 

Diving into all this literature reveals that attacks on Bluetooth LE can be primarily categorized into three types: 

  • Device tracking
  • Passive eavesdropping
  • Man-In-The-Middle (MITM) attacks

In this article, for each attack type, I outline the related Bluetooth LE security feature to defend against it, the identified vulnerabilities within it, and how those vulnerabilities could be exploited.

 

Device Tracking: A Stalker in the Shadows

Device tracking remains a notable privacy issue for Bluetooth LE devices. In its simplest form, device tracking allows the movements of Bluetooth LE devices—and consequently, their users—to be followed by malicious entities, leading to potential privacy breaches.

To combat this, Bluetooth LE has introduced a feature known as Address Randomization, as part of its LE Privacy feature. Instead of broadcasting its real identity address, a device can hide it and broadcast a periodically changing random address, also known as a private address. This act of “identity swapping” is intended to thwart tracking attempts.

 


Figure 1. Device tracking attack. Image courtesy of Hossain and coauthors

 

Literature Review 

The effectiveness of BLE address randomization as a privacy measure is debated. Numerous researchers have found ways to bypass this protection. 

As Pierluigi and his team reveal, the implementation of address randomization isn't always flawless. Some manufacturers, for example, do not change the address as frequently as needed, leaving the address static for periods longer than the advised 15 minutes. This reduces the effectiveness of this feature.

Also, some Bluetooth LE devices unintentionally give away too much information. They broadcast hardware details and software information. Anyone with a scanner device can connect and read this information, creating an identifiable fingerprint of the device.

Radiometric fingerprinting presents another concern. Researchers in both this study and this one found that Bluetooth LE devices can be tracked based on their unique hardware characteristics or imperfections, much like a digital fingerprint.

A further vulnerability arises from the GATT profiles. The Bluetooth specification allows for these profiles to be read without authentication. This paper has shown that these profiles can be exploited to create a unique device fingerprint, undermining MAC randomization efforts.

One investigation reverse-engineered Apple's Continuity protocol across multiple iOS devices and versions, revealing that certain messages leak user behavior data. These messages could potentially enable adversaries to pinpoint a device's model and OS version, and also bypass MAC address randomization.

Meanwhile, Android wasn't immune to vulnerabilities either. A study unveiled two vulnerabilities in Android's Bluetooth LE features. The first flaw allows BLE scans without obtaining location permissions, while the second bypasses the requirement for active location during scanning. Collectively, these vulnerabilities could facilitate unauthorized user location tracking. Although these issues were addressed in subsequent Android updates, older, unmaintained devices remain vulnerable.

And lastly, this paper shows that the Resolvable Private Address (RPA) mechanism also has cracks in its armor. An attacker can track a device by observing Identity Addresses during initial connection procedures, or by replaying used RPAs to a known counterpart device.
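A product team can check its own device against the rotation-interval finding above by logging the addresses it advertises and auditing their lifetimes. The following is an added example, not code from the article or the cited studies; the log format, function names and sample addresses are assumptions, and every logged address is assumed to be a random (not public) device address.

```python
ROTATION_LIMIT_S = 15 * 60  # advised maximum lifetime of one private address

def random_address_type(addr: str) -> str:
    """Classify a random device address by its two most significant bits."""
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top, "reserved")

def audit_rotation(observations, limit_s=ROTATION_LIMIT_S):
    """observations: (unix_seconds, address) pairs of random addresses seen
    while scanning the device under test (hypothetical log format).
    Returns {address: reason} for addresses that weaken randomization."""
    first, last = {}, {}
    for ts, addr in observations:
        first[addr] = min(ts, first.get(addr, ts))
        last[addr] = max(ts, last.get(addr, ts))
    findings = {}
    for addr in first:
        kind = random_address_type(addr)
        lifetime = last[addr] - first[addr]
        if kind == "static":
            findings[addr] = "static random address does not rotate periodically"
        elif kind == "reserved":
            findings[addr] = "invalid random address type bits"
        elif lifetime > limit_s:
            findings[addr] = f"{kind} address kept for {lifetime} s"
    return findings

# Constructed sample log (not captured traffic).
SAMPLE = [
    (0, "4A:11:22:33:44:55"), (600, "4A:11:22:33:44:55"),    # rotated in time
    (900, "5B:66:77:88:99:AA"), (1500, "5B:66:77:88:99:AA"),
    (0, "7E:01:02:03:04:05"), (2700, "7E:01:02:03:04:05"),   # kept 45 minutes
    (0, "C3:0A:0B:0C:0D:0E"),                                # static random
]

if __name__ == "__main__":
    for addr, reason in audit_rotation(SAMPLE).items():
        print(addr, "->", reason)
```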

 

Passive Eavesdropping: Listening in on the Whispered Secrets

The Passive Eavesdropping attack involves the interception and analysis of data exchanged between two devices. The eavesdropper doesn't alter the data; they merely 'listen in', gaining access to potentially sensitive information.

To ward off these silent observers, Bluetooth LE uses the Adaptive Frequency-Hopping Spread Spectrum (AFH) technique.  AFH ensures that the central frequency of successive transmissions is not fixed but continuously shifts amongst 40 narrow-band channels. Moreover, this hopping sequence is a well-guarded secret, known only by the transmitter and the receiver, making eavesdropping a challenging task. 

Moreover, Bluetooth 5.4 introduced the Encrypted Advertising Data (EAD) feature, adding an additional layer of protection. Just like a coded message, the advertising data transmitted between devices is encrypted, thereby making it unintelligible to passive eavesdroppers.

However, researchers have discovered various ways to navigate these safeguards.

 

Figure 2. Privacy in the context of Bluetooth personal communications. Image courtesy of Address Privacy of Bluetooth Low Energy (MDPI)

 

Literature Review 

A study found that Bluetooth LE modules emit a telltale electromagnetic field during operation. Analyzing this field could reveal the data in the GATT server.  Another study presented an open-source tool capable of eavesdropping on BLE data sessions in real-time, a task traditionally hampered by BLE's adaptive frequency-hopping mechanism. 

This tool, like an all-seeing eye, captures an 80 MHz signal spanning the entire 2.4 GHz ISM band and can detect active BLE connections, recognize their characteristics, and even predict hopping sequences.

Interestingly, there seems to be a gap in current research regarding the analysis of the Encrypted Advertising Data (EAD) feature. Could you possibly be the one to bridge this gap and provide further insights?

 

Man-In-The-Middle (MITM) Attacks: The Invisible Intermediaries

Picture this: You believe you're having a direct conversation with a friend, but unbeknownst to you, all your messages are being intercepted, read, and relayed by a third party. 

This is the essence of a Man-In-The-Middle (MITM) attack. Instead of connecting two devices directly, a third, malicious device intercepts their connection, relaying information between the two and creating the illusion of a direct link. This attacking device can monitor, manipulate, and control the communication between the two unsuspecting devices.

 

Figure 3. Man-in-the-middle (MITM) attack. Image courtesy of Security and Privacy Threats for Bluetooth Low Energy in IoT and Wearable Devices: A Comprehensive Survey (IEEExplore)

 

Bluetooth LE combats MITM attacks primarily through pairing protocols. Pairing is akin to two devices shaking hands and agreeing to trust each other. They authenticate each other by sharing a secret key, which they then use to encrypt their exchanges.

In the first step of pairing, known as pairing feature exchange, the devices share their authentication requirements and capabilities. A key parameter in this process is the MITM field. If set, this field indicates the device's requirement for protection against MITM attacks.

The most recent pairing method is the BLE Secure Connections (BLE-SC). In BLE-SC pairing, authenticated MITM protection is obtained through the passkey entry association method or the numeric comparison method. 

These methods involve either entering a shared passkey into both devices (the user is shown a 6-digit passkey on one device and is asked to enter it into the other device) or comparing a number displayed on both devices (the user is shown a 6-digit number on both devices and has to confirm that they are equal).

Alternatively, protection may also be achieved using the out-of-band association method, where an external method (for example, NFC) is used to exchange or confirm the pairing information.

However, no fortress is impregnable, and a slew of research studies have exposed the cracks in Bluetooth LE's MITM defenses.

 

Literature Review

Bluetooth LE assumes the pairing request/response messages exchanged during feature exchange are safe. However, researchers have found that these exchanges aren't encrypted, leaving the door open for a potential attacker to come in and change fields like IOCap or KeySize, opening up the possibility for different types of MITM attacks.

One such attack, revealed in a study by Tschirschnitz and his colleagues, is known as a "method confusion attack". In this case, an attacker changes the IOCap fields and tricks the devices into following different association models, causing confusion. This trick works because the current specifications don't provide a way to check whether both partners have used the same Association Model, allowing the attacker to take a stronger MITM position.

In addition, this paper described a "Key Downgrade" attack. As its name suggests, during the pairing feature exchange stage, a MITM attacker changes the KeySize parameter. This results in the agreed entropy being reduced from a recommended 16 bytes to a low of 1 byte for Long Term Keys (LTK) and 7 bytes for session keys. The attacker can then more easily brute-force the keys and gain access.

Another attack, known as the “Keysize Confusion Attack”, involves the attacker causing the two devices to use different key size entropies. This results in an invalid pairing, all without the user being aware of the change.
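Because the feature exchange is unprotected, a device can at least refuse to continue when the values it received fall below its own policy. The following is an added example, not code from the article or the cited papers: it decodes the SMP Pairing Request/Response fields discussed above and applies a local acceptance policy. The function names, the 16-byte minimum used as policy, and the sample PDUs are assumptions.

```python
from dataclasses import dataclass

@dataclass
class PairingFeatures:
    code: int           # 0x01 Pairing Request, 0x02 Pairing Response
    io_cap: int         # 0x03 = NoInputNoOutput
    oob: bool           # OOB data flag
    mitm: bool          # AuthReq bit 2
    secure_conn: bool   # AuthReq bit 3
    max_key_size: int   # Maximum Encryption Key Size, in octets

def parse_pairing_pdu(pdu: bytes) -> PairingFeatures:
    """Decode a 7-octet SMP Pairing Request or Pairing Response."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response")
    auth_req = pdu[3]
    return PairingFeatures(pdu[0], pdu[1], pdu[2] == 0x01,
                           bool(auth_req & 0x04), bool(auth_req & 0x08), pdu[4])

def audit_exchange(req: bytes, rsp: bytes, min_key_size: int = 16) -> list:
    """Return policy findings for one feature exchange; [] means accept."""
    a, b = parse_pairing_pdu(req), parse_pairing_pdu(rsp)
    findings = []
    negotiated = min(a.max_key_size, b.max_key_size)  # smaller value wins
    if negotiated < min_key_size:
        findings.append(f"key size {negotiated} < {min_key_size}")
    if not (a.secure_conn and b.secure_conn):
        findings.append("SC bit not set on both sides: legacy pairing")
    if not (a.mitm or b.mitm):
        findings.append("MITM protection not requested")
    elif not (a.oob or b.oob) and 0x03 in (a.io_cap, b.io_cap):
        # With no OOB data, a NoInputNoOutput peer can only do Just Works.
        findings.append("MITM requested but NoInputNoOutput forces Just Works")
    return findings

# Constructed sample PDUs (not captured traffic).
REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x07, 0x07])
RSP_EXPECTED = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x07, 0x07])
RSP_ALTERED = bytes([0x02, 0x03, 0x00, 0x0D, 0x07, 0x07, 0x07])

if __name__ == "__main__":
    print(audit_exchange(REQ, RSP_EXPECTED))
    print(audit_exchange(REQ, RSP_ALTERED))
```

Each device can only run this against the values it actually received, so it enforces a local floor on key size and association strength; it does not tell the device whether its peer saw the same values.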

The literature also points to MITM spoofing attacks. This risk is particularly high for Bluetooth LE devices that lack sufficient I/O capabilities to implement secure authentication mechanisms. Also, as seen in this study, reconnection procedures using reactive authentication or a poorly implemented proactive authentication put devices at risk of MITM spoofing attacks.

Finally, a study highlighted a "race-condition" attack, or "InjectBLE". This attack takes advantage of the 'window widening' feature in the Bluetooth Low Energy (BLE) specification, which is designed to cope with potential clock inaccuracies between devices. An attacker can use this widened 'window' to insert malicious frames into an ongoing connection.

 

Other Vulnerabilities: Beyond the Typical Scope

In addition to the traditional forms of attack, there exist other less conventional vulnerabilities that can be exploited in the Bluetooth LE protocol.

One such vulnerability, discussed in a recent paper, is the lack of application-level restrictions in BLE, which could lead to unauthorized data access. Since pairing happens at the device level, when a BLE peripheral device interacts with multi-app platforms, access granted to one application could be inadvertently extended to others, exposing sensitive data. 

In a bid to better understand and mitigate LE security vulnerabilities, a testing framework was developed to probe the BLE protocol's implementations. This framework, acting as a central device, sends either malformed packets or regular packets at inappropriate times to a connected peripheral device and then monitors the responses.

 

Security Goalposts in Motion

All these findings serve as a reminder that while Bluetooth LE has made significant strides in security, there remains a need for continued vigilance and improvement. In the world of digital security, the goalposts are always moving.

The next article (part 3) in the Bluetooth LE Security series will cover the subject of pairing.