IoT BLE Security Vulnerability

Results of a study undertaken by an SRA supported by School RKE funds.

“Things”, as referred to in the Internet of “Things”, are everyday objects that have been adapted to host low-energy sensors. These sensors provide the data that enables the “Things” (devices) to communicate with a network of some kind, either to share data or to be managed, using a range of Bluetooth and wireless technologies.

Low-energy sensors can be embedded in many devices, such as light switches, door locks, power sockets and actuators, which in turn are used to control or monitor more complex systems such as central heating and home security systems.

In its infancy there was a great deal of speculation as to how Internet of Things technologies would evolve in popularity. In 2012 IBM forecast “a world of 1 trillion connected devices by 2015” (IEEE Spectrum: Technology, Engineering, and Science News, 2017). More recently, Gartner predicted that “6.4 billion connected ‘Things’ will be in use in 2016 … [reaching a staggering] 20.8 billion by 2020” (Gartner.com, 2015).

As IoT devices have evolved and their numbers have increased, so too has access to sensitive and personal data. A single mobile phone could be connected to as many as 50 or 60 devices, which in turn can be connected to, and accessed via, the cloud. This connectivity enlarges the exposure to hacking, raising concerns about the security of many IoT devices that need to be addressed.

HP Enterprise conducted a study of 10 of the most popular IoT devices in 2014 and released a report in 2015 which found:

“90% of devices collected at least one piece of personal information via the device, the cloud or its mobile application.

70% of devices used unencrypted network services.

80% of devices along with their cloud and mobile application components failed to require passwords of sufficient complexity and length.

6 out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS (cross-site scripting) and weak credentials.”

(Hewlett Packard Enterprise Security, 2015)

In light of the findings of the study, HP Enterprise made recommendations that manufacturers of IoT devices should follow in order to make the “Things” secure for the future. It was suggested that vendors should conduct a security review of their devices and all associated components.

To help with the security review process an OWASP (Open Web Application Security Project) Internet of Things top 10 project site (www.owasp.org) was created to assist vendors with securing their products.

HP Enterprise also recommended that vendors implement security standards that all devices must meet before production, and ensure that security is considered throughout the product lifecycle.

In March 2016 a student studying Forensic Computing at the School of Law, Criminal Justice and Computing within Canterbury Christ Church University was commissioned to undertake a study on the current state of security in IoT devices, under the supervision of a staff member, Dr Abhaya Induruwa. This study was supported by the School’s Research and Knowledge Exchange (RKE) funds. It was during this study that the following security flaw was discovered on a personal tracking device equipped with Bluetooth Low Energy (BLE). BLE, also called Bluetooth Smart, is essentially a modulation scheme and link layer for low-power devices.

In layman’s terms it is an intelligent, battery-friendly version of classic Bluetooth wireless technology. However, the two are physically incompatible: they cannot talk to each other, since the PHY layer and Link Layer are almost completely different.

Bluetooth Smart is a subset of Bluetooth 4.0, which was introduced in 2010, and is mostly found in high-end smartphones, sports and fitness devices, door locks and emerging medical devices. BLE processors are small, low-energy devices that process relatively simple instructions due to their size and structure, “Although they can be secure using optional 128 bit AES encryption” (Heydon and Hunn, 2016).

BLE uses a channel-hopping technique across 40 communication channels: “37 data channels” and 3 “advertising channels” on which communication is initiated (Technical Considerations | Bluetooth Technology Website, 2016). The connection request sent on an advertising channel carries the parameters (a hop increment and a channel map) that tell both devices which data channel to hop to for each following part of the communication, and so on.
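The hop sequence itself is small enough to write down. The following Python is an added example for this article, not code from the study: it implements the Bluetooth 4.0–4.2 Channel Selection Algorithm #1 (Bluetooth 5 adds a different algorithm, not modelled here), shows how a bad channel is remapped, how two consecutive connection events give away the hop increment, and how little of a connection a sniffer parked on one channel captures. The hop increment and channel map used in the demonstration are made up.

```python
"""Bluetooth LE connection channel hopping (Channel Selection Algorithm #1).

Added example, not the study's tooling. After the CONNECT_REQ on an advertising
channel has fixed the hop increment and channel map, both devices step through
the 37 data channels with this algorithm; a sniffer that does not follow it
sees only fragments of the connection.
"""

NUM_DATA_CHANNELS = 37              # data channels 0..36; 37, 38, 39 are advertising channels
ADVERTISING_CHANNELS = (37, 38, 39)


def next_data_channel(last_unmapped, hop_increment, channel_map):
    """One step of CSA #1.

    last_unmapped : unmapped channel index used at the previous connection event
    hop_increment : 5..16, chosen by the initiator and carried in CONNECT_REQ
    channel_map   : ascending list of data channels currently marked as used
    Returns (new_unmapped, channel_actually_used).
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment must be 5..16")
    if not channel_map:
        raise ValueError("channel map must contain at least one used channel")
    unmapped = (last_unmapped + hop_increment) % NUM_DATA_CHANNELS
    if unmapped in channel_map:
        return unmapped, unmapped
    # Channel marked bad by the master: remap onto the table of used channels.
    return unmapped, channel_map[unmapped % len(channel_map)]


def channel_sequence(hop_increment, n, channel_map=None):
    """Channels used by the first n connection events (the unmapped index starts at 0)."""
    if channel_map is None:
        channel_map = list(range(NUM_DATA_CHANNELS))
    unmapped, seq = 0, []
    for _ in range(n):
        unmapped, used = next_data_channel(unmapped, hop_increment, channel_map)
        seq.append(used)
    return seq


def recover_hop_increment(chan_a, chan_b):
    """With all 37 data channels in use, two consecutive connection events reveal the
    hop increment; a following sniffer uses this to lock on to a connection."""
    return (chan_b - chan_a) % NUM_DATA_CHANNELS


def events_seen_by_fixed_sniffer(listen_channel, hop_increment, n, channel_map=None):
    """How many of n connection events a sniffer parked on a single channel captures."""
    return sum(1 for c in channel_sequence(hop_increment, n, channel_map) if c == listen_channel)


if __name__ == "__main__":
    # Made-up parameters: hop increment 7, then the same link with channel 14 marked bad.
    print("first 8 channels, hop 7:", channel_sequence(7, 8))
    bad_14 = [c for c in range(NUM_DATA_CHANNELS) if c != 14]
    print("same with channel 14 marked bad:", channel_sequence(7, 8, bad_14))
    print("hop increment recovered from events on 7 then 14:", recover_hop_increment(7, 14))
    print("events seen on channel 7 out of 370:", events_seen_by_fixed_sniffer(7, 7, 370))
```

Because 37 is prime, every permitted hop increment visits all 37 channels once per 37 events, so a sniffer that stays on one channel sees exactly one event in 37 of an unhindered connection; the rest of the capture is simply absent, which is one reason a log can look scrambled without any encryption being involved.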

Initially a specialist BLE packet-sniffing tool was used to capture data transmitted between the BLE tracker and a mobile phone that hosted the tracker application. A log file was created and viewed in the Wireshark application, as shown below (Figure 1).


Figure 1: Wireshark to view logfile (sync between BLE Tracker and Mobile App)

The screenshot above shows 50 bytes out of roughly 190 kilobytes of data captured during a sync between the BLE tracker and the mobile app. Throughout the log the data appeared as if it had been scrambled or encrypted, but whether it was actually encrypted could not be determined with the limited resources available. The scrambling may well have been a direct result of the channel hopping used by BLE devices when communicating: a sniffer that does not follow the hop sequence captures only fragments of the connection.

After successfully capturing BLE data, the next step was to turn it into useful information, a task that would be time-consuming if not impossible by hand. What was needed was a way to capture data and feed it directly into an application that could make sense of it quickly.
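Whether a BLE capture is link-encrypted can be settled from the capture itself, because link encryption is negotiated in the clear: the LL_ENC_REQ / LL_START_ENC_REQ control PDUs must appear before any encrypted traffic, and a Pairing Request on the SMP channel shows whether pairing was even attempted. The following Python is an added example, not the study’s tooling. It decodes link-layer data PDUs as a sniffer exports them (2-byte header plus payload, access address and CRC already stripped), counts the control and ATT operations, and reports byte entropy of the ATT values as a secondary hint. The sample PDUs are constructed for the example and are not from the Nuband capture.

```python
"""Is a BLE link-layer capture actually encrypted?

Added example, not the study's own code. Input: a list of LL data PDUs as bytes
(header byte, length byte, payload). Output: whether link encryption was ever
negotiated, whether pairing was attempted, what ATT traffic is visible, and the
entropy of the ATT values. Truncated PDUs are counted rather than rejected,
since a sniffer that lost the hop sequence produces plenty of them.
"""
import math
from collections import Counter

LL_CONTROL = {
    0x00: "LL_CONNECTION_UPDATE_REQ", 0x01: "LL_CHANNEL_MAP_REQ", 0x02: "LL_TERMINATE_IND",
    0x03: "LL_ENC_REQ", 0x04: "LL_ENC_RSP", 0x05: "LL_START_ENC_REQ", 0x06: "LL_START_ENC_RSP",
    0x07: "LL_UNKNOWN_RSP", 0x08: "LL_FEATURE_REQ", 0x09: "LL_FEATURE_RSP",
    0x0A: "LL_PAUSE_ENC_REQ", 0x0B: "LL_PAUSE_ENC_RSP", 0x0C: "LL_VERSION_IND", 0x0D: "LL_REJECT_IND",
}
ATT_OPCODES = {
    0x01: "Error Response", 0x0A: "Read Request", 0x0B: "Read Response",
    0x12: "Write Request", 0x13: "Write Response", 0x1B: "Handle Value Notification",
    0x1D: "Handle Value Indication", 0x52: "Write Command",
}
ATT_HANDLE_OPS = {0x0A, 0x12, 0x1B, 0x1D, 0x52}   # opcode is followed by a 16-bit attribute handle
CID_ATT, CID_SMP = 0x0004, 0x0006
SMP_PAIRING_REQUEST = 0x01


def parse_ll_pdu(pdu):
    """Decode one LL data PDU: LLID 0b11 = control PDU, 0b10 = start of an L2CAP message,
    0b01 = continuation fragment or empty PDU."""
    llid, length = pdu[0] & 0x03, pdu[1]
    payload = pdu[2:2 + length]
    rec = {"llid": llid}
    if len(payload) != length:
        rec["truncated"] = True
        return rec
    if llid == 0b11 and payload:
        rec["ll_control"] = LL_CONTROL.get(payload[0], f"opcode 0x{payload[0]:02x}")
    elif llid == 0b10 and len(payload) >= 4:
        l2_len = int.from_bytes(payload[0:2], "little")
        cid = int.from_bytes(payload[2:4], "little")
        body = payload[4:4 + l2_len]
        rec["cid"] = cid
        if cid == CID_ATT and body:
            rec["att"] = ATT_OPCODES.get(body[0], f"opcode 0x{body[0]:02x}")
            if body[0] in ATT_HANDLE_OPS and len(body) >= 3:
                rec["att_handle"] = int.from_bytes(body[1:3], "little")
                rec["att_value"] = body[3:]
        elif cid == CID_SMP and body:
            rec["smp_opcode"] = body[0]
    return rec


def shannon_entropy(data):
    """Bits per byte: close to 8.0 suggests ciphertext, well below suggests structured plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_capture(pdus):
    recs = [parse_ll_pdu(p) for p in pdus]
    controls = Counter(r["ll_control"] for r in recs if "ll_control" in r)
    att_ops = Counter(r["att"] for r in recs if "att" in r)
    values = b"".join(r.get("att_value", b"") for r in recs)
    return {
        "link_encrypted": bool(controls["LL_ENC_REQ"] or controls["LL_START_ENC_REQ"]),
        "pairing_seen": any(r.get("smp_opcode") == SMP_PAIRING_REQUEST for r in recs),
        "truncated": sum(1 for r in recs if r.get("truncated")),
        "ll_control": dict(controls),
        "att_ops": dict(att_ops),
        "att_value_entropy": round(shannon_entropy(values), 2),
    }


# Constructed sample of an unpaired phone-to-tracker exchange at the link layer (not real capture data).
SAMPLE_PDUS = [
    bytes.fromhex("0306 0c06 0f00 0000"),                     # LL_VERSION_IND control PDU
    bytes.fromhex("0100"),                                     # empty PDU keeping the connection alive
    bytes.fromhex("0208 0400 0400 52 1200 01"),                # ATT Write Command, handle 0x0012, value 01
    bytes.fromhex("020f 0b00 0400 1b 1500 2c0100005a000000"),  # ATT Notification, handle 0x0015, 8-byte value
]

if __name__ == "__main__":
    print(assess_capture(SAMPLE_PDUS))
```

If `link_encrypted` is false, the bytes on the wire are whatever the application wrote, and a high entropy figure then points at application-layer encryption or compression rather than BLE security; a large `truncated` count points at the sniffer losing the hop sequence. Before feeding a real capture in, strip the sniffer’s per-packet pseudo-header (the layout depends on the sniffer and pcap link type) so that each item is a bare LL PDU.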

Ideally the data in the log file would be fed directly into an application that could interpret it. The app that accompanied the tracker was examined to see whether it could be used to decipher the captured data from a log file; for this the app was installed on a second mobile phone. Unfortunately there was no way to load the captured data into the application, but while using it, it was noted that no user name or password was required to access the application, and that the BLE tracker did not require pairing with the original mobile phone. With this in mind an attempt was made to sync phone 2 with the tracker. It was successful, and phone 1 could then still sync with the tracker as well.

While the BLE tracker is dormant it is undetectable; it is only visible momentarily when a button on the tracker is pressed, either to check the time or to initiate a sync operation. Once the button was pressed, a sync operation was started between phone 1 and the tracker; while this operation was in progress a sync request was sent from phone 2 to the tracker. After completing the sync with phone 1, the tracker then synced with phone 2 without any indication or control input being required. When checked, both mobile phones contained the same data.


Figure 2: Nuband NU-G0002 Activity Tracker Sync Vulnerability

Figure 3: Nuband and Samsung (left) Moto E (right) at multiple stages
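What makes the second phone’s sync possible is that the tracker places no security requirement on the attributes it serves: any central that connects can read and be notified of them. The Bluetooth ATT layer already provides the mechanism to refuse that, per-characteristic requirements that the link be encrypted (or encrypted with an authenticated key), answered with an ATT Error Response. The following Python is an added example, not the Nuband firmware or app: it models an ATT server answering Read Requests first as observed, then with those requirements switched on. Handles, values and the two phones’ security states are made up for the illustration.

```python
"""GATT access control: the tracker as observed versus a hardened profile.

Added example, not the device's code. An ATT Read Request (opcode 0x0A plus a
16-bit handle) is answered with a Read Response (0x0B plus the value) or an
Error Response (0x01, request opcode, handle, error code). The error codes are
the ones the Bluetooth specification assigns.
"""
from dataclasses import dataclass

ATT_ERROR_RSP, ATT_READ_REQ, ATT_READ_RSP = 0x01, 0x0A, 0x0B
ERR_INVALID_HANDLE = 0x01
ERR_INSUFFICIENT_AUTHENTICATION = 0x05   # link lacks an authenticated (MITM-protected) key
ERR_INSUFFICIENT_ENCRYPTION = 0x0F       # link is not encrypted at all


@dataclass
class Link:
    """Security state of one connection, as the controller reports it to the host."""
    peer: str
    encrypted: bool = False       # LL encryption started, from a pairing or a stored bond
    authenticated: bool = False   # key came from passkey / numeric comparison pairing, not Just Works


@dataclass
class Characteristic:
    handle: int
    value: bytes
    require_encryption: bool = False
    require_authentication: bool = False


class GattServer:
    def __init__(self, characteristics):
        self.chars = {c.handle: c for c in characteristics}

    @staticmethod
    def _error(req_opcode, handle, code):
        return bytes([ATT_ERROR_RSP, req_opcode]) + handle.to_bytes(2, "little") + bytes([code])

    def read(self, link, handle):
        """Answer an ATT Read Request for `handle` arriving over `link`."""
        char = self.chars.get(handle)
        if char is None:
            return self._error(ATT_READ_REQ, handle, ERR_INVALID_HANDLE)
        # Authentication is the stronger requirement, so it is checked first.
        if char.require_authentication and not link.authenticated:
            return self._error(ATT_READ_REQ, handle, ERR_INSUFFICIENT_AUTHENTICATION)
        if char.require_encryption and not link.encrypted:
            return self._error(ATT_READ_REQ, handle, ERR_INSUFFICIENT_ENCRYPTION)
        return bytes([ATT_READ_RSP]) + char.value


STEP_COUNT = bytes.fromhex("2c010000")   # made-up 4-byte little-endian value: 300 steps
HANDLE_STEPS = 0x0015                    # made-up attribute handle

# As observed: no requirement, so any central that connects reads the data.
tracker_as_observed = GattServer([Characteristic(HANDLE_STEPS, STEP_COUNT)])
# Hardened: reads need an encrypted link, so an unpaired central gets an error instead.
tracker_hardened = GattServer([Characteristic(HANDLE_STEPS, STEP_COUNT, require_encryption=True)])
# Stricter: reads need an authenticated key, which Just Works pairing cannot provide.
tracker_mitm = GattServer([Characteristic(HANDLE_STEPS, STEP_COUNT, require_authentication=True)])

phone1 = Link("phone 1 (bonded, Just Works)", encrypted=True, authenticated=False)
phone2 = Link("phone 2 (never paired)")


def describe(rsp):
    """Human-readable rendering of an ATT response produced by GattServer.read()."""
    if rsp[0] == ATT_READ_RSP:
        return "data " + rsp[1:].hex()
    return f"error 0x{rsp[4]:02x} on handle 0x{int.from_bytes(rsp[2:4], 'little'):04x}"


if __name__ == "__main__":
    for name, srv in [("observed", tracker_as_observed), ("hardened", tracker_hardened), ("mitm", tracker_mitm)]:
        for phone in (phone1, phone2):
            print(f"{name:9s} {phone.peer:30s} -> {describe(srv.read(phone, HANDLE_STEPS))}")
```

Two caveats follow from the model. A device with a single button and no display can only offer Just Works pairing, which yields an encrypted but unauthenticated link, so the `require_encryption` level is the realistic one for this tracker. And an attribute requirement alone does not stop a second phone from pairing; the firmware must also refuse new pairings unless the user has just pressed the button, and can add the bonded phone’s address to the controller’s white list so that other centrals cannot connect at all.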

References

Hewlett Packard Enterprise Security (2015) Internet of Things Research Study. [online] Hewlett Packard Enterprise. Available at: https://www.hpe.com/h20195/v2/GetPDF.aspx/4AA5-4759ENN.pdf (Accessed: 12 February 2017).

Heydon, R. and Hunn, N. (2016) Bluetooth low energy. 1st ed. CSR. Available at: https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=227336 (Accessed: 28 November 2016).

Gartner (2015) Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015. Available at: https://www.gartner.com/newsroom/id/3165317 (Accessed: 28 November 2016).

Technical Considerations | Bluetooth Technology Website (2016) Bluetooth.com. Available at: https://www.bluetooth.com/specifications/bluetooth-core-specification/technical-considerations (Accessed: 28 November 2016).
