LAS VEGAS -- These days Bluetooth Low Energy is marketed as "smart" Bluetooth, but most of the security smarts either aren't that clever or are readily circumvented, especially with the introduction of a new software proxy tool released at the Black Hat 2016 conference.
Slawomir Jasek, a security researcher for the Polish consulting firm SecuRing, began his session, "GATTacking Bluetooth Smart Devices – Introducing a New BLE Proxy Tool," by pointing out that of 10 Bluetooth LE devices (formally Bluetooth Smart, but usually called BLE) he had examined for use of the security features built into the latest version of Bluetooth, only two actually used the security capabilities the short-range radio protocol provides. The others attempted to build their own security controls inside their specific applications.
The problem is that these roll-your-own protections are readily subverted by a classic man-in-the-middle attack. Jasek pointed out that the desire of product designers to make the consumer experience seamless quite frequently leads to sins like unauthenticated pairing and not using the Bluetooth LE security capabilities for encrypting sessions.
To insert a malicious device into the connection between a smartphone and a Bluetooth LE device, attackers are faced with the problem that the target device will be advertising its services and there's no practical way to isolate the signal so that the user's smartphone doesn't receive it. "How do you man-in-the-middle radio?" Jasek asked. "How do you make sure the smartphone connects to you instead of the original device?"
It turns out to be fairly simple. Because the original device advertises its availability at regular intervals, the attacking device can advertise its availability at faster intervals, greatly increasing the likelihood that the smartphone will find the attacking device, not the real one. Even more conveniently, Jasek said, "while you are connected to a device, it doesn't advertise." So the original device effectively disappears from the airwaves.
The tool consists of three modules: one connects to the original device, clones its attribute table and holds the connection open; a second advertises the cloned services; and a third intercepts and manipulates data as it passes between the smartphone app and the real device. The free, open source proxy is called GATTacker because it works by querying the target's GATT (Generic Attribute Profile) table. Jasek noted that it doesn't require sophisticated hardware; his testing ran on a Raspberry Pi.
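To make the three-module design and the advertising race concrete, here is a toy in-memory model of the proxy, added as an illustration: it is not GATTacker's code and touches no radio. The smart lock, its characteristic UUIDs ffe1 and ffe2 and the PIN are made up for the example, and first_heard ignores the small random delay a real link layer adds to each advertising event.

```python
"""Toy model of a BLE GATT man-in-the-middle proxy (added illustration, not GATTacker's code)."""
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Characteristic:
    uuid: str
    properties: Tuple[str, ...]      # e.g. ("read", "write")
    value: bytes = b""


@dataclass
class Peripheral:
    """A BLE peripheral as a central sees it: address, advertising interval and GATT table."""
    address: str
    adv_interval_ms: float
    gatt: Dict[str, Characteristic] = field(default_factory=dict)
    connected: bool = False

    def advertising(self) -> bool:
        # A peripheral that is in a connection stops advertising, which is what makes
        # the real device "disappear" once the proxy has connected to it.
        return not self.connected

    def read(self, uuid: str) -> bytes:
        c = self.gatt[uuid]
        if "read" not in c.properties:
            raise PermissionError(f"{uuid} is not readable")
        return c.value

    def write(self, uuid: str, data: bytes) -> None:
        c = self.gatt[uuid]
        if "write" not in c.properties:
            raise PermissionError(f"{uuid} is not writable")
        c.value = data


def first_heard(peripherals: List[Peripheral], scan_start_ms: float) -> Optional[Peripheral]:
    """Which advertiser does a central that starts scanning at scan_start_ms hear first?

    Each peripheral advertises at t = k * adv_interval_ms (k = 0, 1, 2, ...); the earliest
    advertisement at or after scan_start_ms wins, ties going to the shorter interval.
    Real BLE adds a random 0-10 ms delay per advertising event, which this model omits.
    """
    best = None
    for p in peripherals:
        if not p.advertising():
            continue
        t_next = math.ceil(scan_start_ms / p.adv_interval_ms) * p.adv_interval_ms
        key = (t_next, p.adv_interval_ms)
        if best is None or key < best[0]:
            best = (key, p)
    return best[1] if best else None


Hook = Callable[[bytes], bytes]


class GattProxy:
    """Module 1 holds the real device and clones its GATT table, module 2 advertises the
    clone, module 3 relays requests between the phone and the real device through hooks."""

    def __init__(self, target: Peripheral, adv_interval_ms: float,
                 hooks: Optional[Dict[Tuple[str, str], Hook]] = None):
        target.connected = True                       # module 1: real device now silent
        clone = {u: Characteristic(c.uuid, c.properties, c.value) for u, c in target.gatt.items()}
        # module 2: same address and services as the target, advertised more often
        self.fake = Peripheral(address=target.address, adv_interval_ms=adv_interval_ms, gatt=clone)
        self.target = target
        self.hooks = hooks or {}
        self.log: List[Tuple[str, str, bytes]] = []

    def read(self, uuid: str) -> bytes:              # module 3, phone -> device direction
        value = self.target.read(uuid)
        hook = self.hooks.get(("read", uuid))
        value = hook(value) if hook else value
        self.log.append(("read", uuid, value))
        return value

    def write(self, uuid: str, data: bytes) -> None:  # module 3, with rewrite on the way in
        hook = self.hooks.get(("write", uuid))
        data = hook(data) if hook else data
        self.log.append(("write", uuid, data))
        self.target.write(uuid, data)


def demo() -> dict:
    """Made-up smart lock: the app writes a cleartext PIN to one characteristic (its own
    roll-your-own control) and reads the lock state from another."""
    CMD, STATE = "ffe1", "ffe2"                       # hypothetical 16-bit UUIDs
    lock = Peripheral("AA:BB:CC:DD:EE:FF", adv_interval_ms=1000.0, gatt={
        CMD: Characteristic(CMD, ("write",)),
        STATE: Characteristic(STATE, ("read",), b"locked"),
    })
    captured: List[bytes] = []

    def steal_pin(data: bytes) -> bytes:
        captured.append(data)                         # record the PIN the app sends
        return b"0000"                                # and hand the lock something else

    proxy = GattProxy(lock, adv_interval_ms=20.0, hooks={("write", CMD): steal_pin})
    heard = first_heard([lock, proxy.fake], scan_start_ms=7.0)   # phone starts scanning
    proxy.write(CMD, b"1234")                         # app talks to what it found
    state = proxy.read(STATE)
    return {"phone_connected_to_clone": heard is proxy.fake,
            "pin_seen_by_attacker": captured[0],
            "pin_received_by_lock": lock.gatt[CMD].value,
            "state_shown_to_app": state}
```

Running demo() shows the two halves of the attack: the phone only ever hears the clone (the real lock is in a connection and silent, and even if it were not, 20 ms beats 1000 ms), and the application-level PIN crosses the proxy in the clear where it can be read or rewritten.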
The MITM approach should in theory only work where the built-in Bluetooth LE security options have been ignored or improperly used. In particular, a "bonded" connection means that two previously paired devices have exchanged a secret key for future sessions, and neither should accept a connection from a device presenting the other's MAC address unless that key is used. An attacking device that clones the target's MAC address, however, can simply request to re-establish the bond, and most users will accept what looks like a new connection request from a device they are familiar with.
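The bond check that this attack exploits, as an added toy model rather than anything shown in the talk: an HMAC challenge stands in for the link-layer encryption start that a real LE connection performs with the stored long-term key (LTK), and the addresses, keys and the "strict" re-pairing policy are assumptions for the illustration, not a vendor's behaviour.

```python
"""Toy model of how a MAC-cloning attacker gets past an existing bond (added illustration)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Device:
    address: str
    ltk: Optional[bytes] = None    # long-term key from an earlier pairing, None if never bonded

    def prove_key(self, nonce: bytes) -> Optional[bytes]:
        # A peer holding the bonded LTK can answer the challenge; a clone that only copied the
        # MAC address cannot. (Stand-in for real encryption setup, which fails with a MIC error.)
        return hmac.new(self.ltk, nonce, hashlib.sha256).digest() if self.ltk else None


@dataclass
class Central:
    bonds: Dict[str, bytes] = field(default_factory=dict)   # address -> LTK
    events: List[str] = field(default_factory=list)

    def connect(self, peer: Device, user_accepts_prompt: bool, strict: bool) -> str:
        ltk = self.bonds.get(peer.address)
        if ltk is None:
            return "unbonded-connection"
        nonce = os.urandom(16)
        answer = peer.prove_key(nonce)
        expected = hmac.new(ltk, nonce, hashlib.sha256).digest()
        if answer is not None and hmac.compare_digest(answer, expected):
            return "encrypted-with-bond"
        # Encryption with the stored key failed: key loss on the real device, or an impostor.
        if strict:
            self.events.append(f"bond-failure:{peer.address}")
            return "rejected"          # keep the bond; the user must delete it explicitly first
        # Lenient policy: silently re-pair if the user taps "accept" on the familiar name.
        if user_accepts_prompt:
            peer.ltk = os.urandom(16)                  # unauthenticated pairing with the impostor
            self.bonds[peer.address] = peer.ltk
            return "re-paired"
        return "rejected"


def demo() -> dict:
    real = Device("AA:BB:CC:DD:EE:FF", ltk=os.urandom(16))   # made-up address and key
    lenient_phone = Central(bonds={real.address: real.ltk})
    strict_phone = Central(bonds={real.address: real.ltk})
    out = {}
    out["real_lenient"] = lenient_phone.connect(real, True, strict=False)
    clone = Device(real.address)                       # cloned MAC, no key
    out["clone_lenient"] = lenient_phone.connect(clone, True, strict=False)
    # After the re-pair the phone's bond belongs to the impostor; the genuine device is locked out.
    out["real_after_clone"] = lenient_phone.connect(real, False, strict=False)
    out["real_strict"] = strict_phone.connect(real, True, strict=True)
    out["clone_strict"] = strict_phone.connect(Device(real.address), True, strict=True)
    out["strict_log"] = list(strict_phone.events)
    return out
```

The lenient branch is the behaviour the talk describes: the user sees a familiar device name, accepts, and the attacker now holds a fresh bond while the real device no longer authenticates. The strict branch records the failed bond instead of offering a re-pair, which is the kind of guard the next paragraph alludes to.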
There are ways to guard against even this attack, but it was clear from the presentation that most implementations have at least a few rough edges that enable denial-of-service attacks. And while one might be tempted to think DoS is easy because this is a radio service, Bluetooth Smart is specifically designed to overcome the various forms of interference that short-range, low-power radio systems encounter.
One employee for a global entertainment company couldn't speak with her name on the record, but was watching closely because she is charged with developing embedded applications for IoT devices being introduced by her employer. "It's great to have a tool now—there haven't really been any attack tools for Bluetooth," she said. "And having a tool will mean we'll see a whole lot more bugs."
Kevin Gennuso, senior information security architect at Dick's Sporting Goods, who attended the talk, said afterwards that retail companies are actively deploying beacons and are always trying to evaluate what kind of security these devices have. "And now we know it's not very much," he said.