
Hacking Bluetooth

By R. Colin Johnson

February 27, 2020


Bluetooth wirelessly connects (or pairs) Internet of Things (IoT) devices—usually wireless peripherals such as ear-buds, speakers, watches, health monitors and location beacons—with host wireless devices such as smartphones or tablets. The limited physical distance between hosts and peripherals, unfortunately, has resulted in their cybersecurity being lax, according to Carl Gunter, a professor in the computer science department of the University of Illinois at Urbana-Champaign.

"There is a strong tendency to think of Bluetooth links as local so that they are isolated from security threats. As a result, developers often prioritize ease-of-use over sound security practices, both in the implementations and in the protocols on which they are based," said Gunter.

Bluetooth Low Energy (BLE) security is especially lax, according to Gunter, since its physical range is typically less than 30 feet. For Android peripherals, a 128-bit universally unique identifier (UUID) is broadcast—often as plain text—over Bluetooth wireless channels to identify the peripheral's type to the host wireless device. Unfortunately, this procedure also allows hackers to identify the peripheral type and the mobile app being used, enabling man-in-the-middle (MITM) attacks, according to the paper "Automatic Fingerprinting of Vulnerable BLE IoT Devices with Static UUIDs from Mobile Apps," presented at the ACM Conference on Computer and Communications Security (ACM CCS 2019) in London.

"This paper looks at the use of UUIDs in BLE and explores the idea of using the broadcasting of these IDs as a way to identify [fingerprint] devices. This will allow an adversary to know which apps and devices are being used. In some cases this can be used to make a direct attack on authentication, but in many more cases it will allow adversaries to profile locations of users and the types of devices they are using," said Gunter, who reviewed the paper but was not otherwise involved in its authorship.

"The paper demonstrated this quite well, with a field test where the investigators covered a region of about one and a third square miles and found about 5,800 devices, of which about 95% could be fingerprinted by their technique. This provides a notable downside to this protocol; the paper is convincing that this should be revisited by the protocol designers," said Gunter.

The researchers reviewed BLE peripherals connected to Android wireless hosts. By analyzing Bluetooth data traffic—a process called "sniffing"—the researchers were able to fingerprint thousands of nearby Android devices and their Bluetooth peripherals.
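To make concrete what a passive sniffer actually sees, here is an added example (not code from the article or from the BLEscope paper) that parses the length-type-data structures of a BLE advertising payload and separates the SIG-assigned service UUIDs, which thousands of unrelated devices share, from vendor-custom 128-bit UUIDs, which are the ones that tie a device to a specific app. The advertising bytes and the custom UUID are constructed for illustration; the AD type codes and the Bluetooth base UUID are the public specification values. A defender can run the same parser over a capture of their own product's advertisements to see which identifiers it leaks in the clear.

```python
"""Parse BLE advertising data (AD structures) and list the service UUIDs a
peripheral broadcasts in the clear.

Added example, not code from the article or from the BLEscope paper.
The advertising payload below is constructed for illustration; the AD
type codes are the public Bluetooth Core Specification Supplement values."""
import uuid

# AD types ("Common Data Types" in the Bluetooth CSS) that carry service UUIDs
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE = 0x02
AD_UUID16_COMPLETE = 0x03
AD_UUID128_INCOMPLETE = 0x06
AD_UUID128_COMPLETE = 0x07
AD_COMPLETE_LOCAL_NAME = 0x09

# Bluetooth base UUID: a SIG-assigned 16-bit UUID expands into this template
SIG_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"


def parse_ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length-type-data structure in payload.
    Stops at a zero length octet (padding) or at a truncated structure."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:           # zero-length structure: remainder is padding
            break
        if i + 1 + length > len(payload):
            break                 # truncated structure: never read past the end
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        yield ad_type, data
        i += 1 + length


def uuid16_to_uuid(u16: int) -> str:
    """Expand a 16-bit SIG identifier onto the Bluetooth base UUID."""
    return f"{u16:08x}{SIG_BASE_SUFFIX}"


def extract_service_uuids(payload: bytes):
    """Return canonical lowercase UUID strings advertised in the payload."""
    found = []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            for off in range(0, len(data) - 1, 2):
                u16 = int.from_bytes(data[off:off + 2], "little")
                found.append(uuid16_to_uuid(u16))
        elif ad_type in (AD_UUID128_INCOMPLETE, AD_UUID128_COMPLETE):
            for off in range(0, len(data) - 15, 16):
                # 128-bit UUIDs are transmitted little-endian over the air
                raw = bytes(reversed(data[off:off + 16]))
                found.append(str(uuid.UUID(bytes=raw)))
    return found


def is_sig_assigned(u: str) -> bool:
    """True when the UUID is just a 16-bit SIG identifier on the base UUID."""
    return u.startswith("0000") and u.endswith(SIG_BASE_SUFFIX)


def classify(payload: bytes):
    """Split advertised UUIDs into SIG-standard ones (shared by many devices)
    and vendor-custom ones (the kind that fingerprints a device/app pair)."""
    uuids = extract_service_uuids(payload)
    return {
        "standard": [u for u in uuids if is_sig_assigned(u)],
        "custom": [u for u in uuids if not is_sig_assigned(u)],
    }


def _ad(ad_type: int, data: bytes) -> bytes:
    """Build one AD structure: length octet, type octet, data."""
    return bytes([len(data) + 1, ad_type]) + data


# Constructed 31-byte advertisement: flags, Battery Service (0x180F, SIG),
# one made-up vendor 128-bit service UUID, and a short local name.
CUSTOM_UUID = "a1b2c3d4-0000-4000-8000-c0ffee000001"   # constructed value
SAMPLE_ADV = (
    _ad(AD_FLAGS, b"\x06")
    + _ad(AD_UUID16_COMPLETE, (0x180F).to_bytes(2, "little"))
    + _ad(AD_UUID128_COMPLETE, uuid.UUID(CUSTOM_UUID).bytes[::-1])
    + _ad(AD_COMPLETE_LOCAL_NAME, b"Band")
)

if __name__ == "__main__":
    for kind, ids in classify(SAMPLE_ADV).items():
        print(f"{kind:8s} {ids}")
```

The parser deliberately stops on a truncated trailing structure instead of raising, because real captures are often cut short by the radio; the UUIDs seen before the cut are still reported. Only the "custom" list is worth worrying about from a fingerprinting standpoint, and that is the list to minimise in a product's advertisements.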

"Apple's iPhone's broadcasted BLE doesn't contain UUIDs, so the attacker cannot fingerprint the iPhone with a sniffer," said Zhiqiang Lin, a professor at Ohio State University. "However, hackers could still reverse-engineer the UUID if they have access to the binary code of either an Android app or iOS app."

Just-Works Bluetooth protocols were the worst offenders, according to Lin, because they pair devices with hardcoded personal identification numbers (PINs) routinely revealed at black hat sites such as Hack Forums, allowing attackers to actively connect with these devices if there is no app-level authentication.

"Fingerprinting attacks are used to identify and locate the victim's device. A fingerprint can be considered a signature, and the attacker can use that signature to scan and locate the victim," said Lin. "Just-Works devices use a default PIN to generate the long-term key for encryption, and this is considered insecure since attackers know the default PINs."

While Bluetooth has already been identified as a target of hackers, according to cybersecurity writer Zak Doffman, the researchers claim to have revealed for the first time the details of just how easily black hats can breach Bluetooth security. They also focused on the vulnerabilities behind specific types of breaches, namely privacy attacks, eavesdropping, and unauthorized access, and offered solutions to eliminate these Bluetooth vulnerabilities.

"We are the first to demonstrate how these attacks are possible," said Lin. They also showed that although the typical distance between wireless hosts and BLE peripherals is 30 feet, the SIG specification allows distances as far as 300 feet, and actual measurements with their custom-built sniffer (a Raspberry Pi with a special BLE antenna) found that the maximum distance reached 3,000 feet (over half a mile).

The researchers wrote a program—called BLEscope—that automatically fingerprints BLE devices by extracting their UUIDs from the binary code of Android apps that do not use independent authentication algorithms. Of the 18,166 apps that BLEscope scanned from Google Play, the researchers discovered 168,093 UUIDs—13,566 of which were unique among the 1,757 vulnerable Android apps.

In addition, the researchers discovered that Google's BLE framework identifies seven application programming interfaces (APIs) that carry UUIDs as parameters, allowing hackers to target these APIs and easily extract UUIDs from Android apps by grepping for them. Even UUIDs that are not hardcoded into an app can be computed, as the researchers demonstrated, by using program slicing and value-set analysis (VSA, a static binary program analysis approach first used by x86 programmers to identify worm- and virus-infected code).

To remedy Bluetooth vulnerabilities, the researchers advise app programmers to encrypt all data, stop using hardcoding in plain text, hide authentication credentials in the cloud, dynamically retrieve UUIDs from the cloud, and add hardware disruption to prevent sniffing (by making UUID broadcasts non-sequential).
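The grep-style extraction described above cuts both ways: the same pattern that lets an attacker harvest UUIDs from an APK lets a development team catch hardcoded UUIDs in their own source before release, which is the first item on the researchers' remediation list. Below is an added example (not the BLEscope tool and not code from the article) of such a pre-commit lint in Python. The Java snippet it scans is constructed, and the call-site names it treats as BLE API hints (UUID.fromString, getService, getCharacteristic, setServiceUuid, ParcelUuid.fromString) are my own choice of common android.bluetooth call sites, not the seven APIs the paper enumerates.

```python
"""Flag hardcoded BLE UUIDs in Android source before they ship.

Added example, not the BLEscope tool or any code from the article. The
call-site names in BLE_API_HINTS are an assumption (common android.bluetooth
entry points), not the paper's list of seven APIs; the Java is constructed."""
import re

# A quoted UUID literal: 8-4-4-4-12 hex groups between double quotes
UUID_LITERAL = re.compile(
    r'"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-'
    r'[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"'
)
# Call sites where a literal UUID usually ends up (assumed list, see above)
BLE_API_HINTS = ("UUID.fromString", "getService", "getCharacteristic",
                 "setServiceUuid", "ParcelUuid.fromString")
# SIG-assigned UUIDs sit on the Bluetooth base UUID; they identify a standard
# service (battery, heart rate, ...) rather than one vendor's app
SIG_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"


def is_sig_assigned(u: str) -> bool:
    u = u.lower()
    return u.startswith("0000") and u.endswith(SIG_BASE_SUFFIX)


def find_hardcoded_uuids(source: str):
    """Return one finding per UUID literal as (line_no, uuid, severity).

    'high'   = vendor-custom UUID passed straight to a BLE call (fingerprints
               the app and is trivially grepped out of the APK)
    'medium' = vendor-custom UUID stored elsewhere in the source
    'info'   = SIG-assigned UUID (standard service, not app-specific)"""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in UUID_LITERAL.finditer(line):
            u = match.group(1).lower()
            if is_sig_assigned(u):
                severity = "info"
            elif any(api in line for api in BLE_API_HINTS):
                severity = "high"
            else:
                severity = "medium"
            findings.append((line_no, u, severity))
    return findings


def should_block_commit(source: str) -> bool:
    """Policy hook for CI: fail the build on any vendor-custom literal."""
    return any(sev in ("high", "medium")
               for _, _, sev in find_hardcoded_uuids(source))


# Constructed Android source with a mix of SIG and vendor UUIDs
SAMPLE_JAVA = '''\
package com.example.fitband;
import java.util.UUID;
public class BleClient {
    // Battery Service: SIG-assigned, shared by thousands of devices
    static final UUID BATTERY = UUID.fromString("0000180F-0000-1000-8000-00805F9B34FB");
    // Vendor service: unique to this product line, identifies the app over the air
    static final UUID FITBAND_SVC = UUID.fromString("a1b2c3d4-0000-4000-8000-c0ffee000001");
    void connect(BluetoothGatt gatt) {
        BluetoothGattService s = gatt.getService(UUID.fromString("a1b2c3d4-0000-4000-8000-c0ffee000002"));
    }
    String pending = "a1b2c3d4-0000-4000-8000-c0ffee000003"; // looked up later
}
'''

if __name__ == "__main__":
    for line_no, u, sev in find_hardcoded_uuids(SAMPLE_JAVA):
        print(f"line {line_no:3d} [{sev:6s}] {u}")
    print("block commit:", should_block_commit(SAMPLE_JAVA))
```

The lint does not try to be clever about data flow; the article's point is that a plain grep already recovers most UUIDs, so a plain grep is also sufficient as a release gate. Custom UUIDs that a product genuinely needs should come from the remediation path the researchers describe (retrieved dynamically rather than embedded as literals), which is exactly what this check enforces.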

R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.
