Alternative to classic Bluetooth, Bluetooth Low Energy is chosen increasingly for the IoT. This technology, also known as the abbreviation BLE, is establishing itself for connected devices, as it is ideal to send small amounts of data between devices and to preserve the battery; which matches the IoT’s needs perfectly. Classic Bluetooth, on its side, is used to send large amounts of data between a device and a user (wireless headphones and speakers are using Bluetooth for example).
While these two Bluetooth protocols are used for different purposes and are not compatible, they are nevertheless to some extent similar, as they have common technologies (software and hardware), such as the one managing pairing. Thus, security manager has to keep in mind that security breaches that impact classic Bluetooth affect sometimes Bluetooth Low Energy too; however, the latter has its own features and therefore its specific flaws.
Risks of Using Bluetooth Low Energy
Using a protocol suitable for connected devices is not enough to guarantee its security. To realize how easy it is to crack a connected device using BLE, you only need to do a quick search on the internet. Many articles cover for example connected locks or keys that have been hacked. However, let’s keep it in proportion.
While some vulnerabilities are due to the Bluetooth protocol itself, others are caused by the way BLE was implemented. They are specific to a connected device or to a particular component and can generally be corrected, either with a firmware update or a modification of the hardware.
Regarding native Bluetooth problems, they are regularly studied when a new version of the standard is published (we have since January 2019 Bluetooth 5.1).
Regarding security flaws specific to implementations, they require an understanding of security issues and a knowledge of the BLE protocol. Functionalities are available to prevent flaws, and if you follow the standard strictly, you’ll avoid many inconveniences. When creating the product, the developers of connected objects have to remind (or insist on) that security issues are addressed with the same importance as user experience and price.
Good news, it is usually possible to protect its devices against the exploitation of native vulnerabilities and the ones due to a wrong implementation. However, if security has not been incorporated during product conception, it will be limited by the hardware and firmware capacities of the developed product. The aim is to avoid having to make urgen changes to the product during its commercialisation.
For example, the pairing method Passkey Entry enables a protection against the attacks by Man-In-The-Middle (ou MITM). It requires a screen or a keyboard to be used. This functionality demands therefore to think about it from the development phase to be integrated into the product.
To sum up, a device can be vulnerable because of either flaws in the standard itself, either a wrong choice of functionalities (especially in the pairing process), either a wrong implementation of BLE, which is the most common.
Testing BLE Implementations
To verify the security of devices communicating with BLE, a pentest can be conducted to test specifically Blueetooth Low Energy, either in the development, production or commercialization phase.
The main objectives of a pentest on the implementation of BLE are to establish if it is possible for an attacker to collect sensible information or personal data, to control the device remotely and to make it unusable or inaccessible. The three main points to test therefore
- the resistance to passive listening to exchanges (eavesdropping),
- the resistance to interception and corruption,
- and the resistance to denial of service attacks.
More concretely, pentesters try first to listen and to understand communications with the support of dedicated scripts and programs, such as Wireshark. They verify if the communications are correctly encrypted.
They attempt also to do Man-In-The-Middle attacks, i.e. becoming an intermediary between the devices tested (usually a smartphone and a connected device). Pentesters send then fraudulent instructions to the device to see if they can control it and make it do what they want.
These two types of attacks are generally done during the pairing phase.
DoS attacks are then carried out to see if it is possible to make the device inaccessible to users (from their smartphone) and to other devices that communicate with it. One of the methods is to empty the battery of the device by using it massively.
One element to notice regarding the security of devices using Bluetooth Low Energy is that tools necessary for the attacks are easily available.
Indeed, the equipment used by an attacker (or a pentester) consists of a Bluetooth adapter (with antenna), a smartphone, a computer or a simple Raspberry Pi. For example, one of these adapters, the Ubertooth, is available for sale over the internet for about one hundred euros.
As for the software used for the attacks, most of them are open source and freely downloadable.
Consequently, anyone can try to hack devices communicating with BLE.
To protect your devices and your users, here are some suggestions to consider:
– Implementing the protocol BLE as closely as possible to the standard
– Encrypting the data exchanged, in particular if they are sensible
– Applying the corrective patches
– Integrating the security issues into the planning and development of devices
– Using security functionalities of BLE appropriate for your product (such as Low Energy Link layer, Passkey, OOB Bonding, etc.)
– Ensuring that keys and passwords are not determinable
– Choosing components that offer integrated security
…