Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hello everyone. Today we'll be discussing attacking Bluetooth and BLE design and implementation in mobile and also wearable ecosystems. Before starting with our presentation, I would like to introduce ourselves. I am Ananya Mkauda. I work as a security analyst at Deep Armor. Today I have with me my colleague Megana Vidarali, who also works as a security analyst at Deep Armor. So coming to Deep Armor, we are a cybersecurity firm based in Bengaluru. So we have got consulting services and cloud security as our two platforms. Coming to consulting services, we provide secure design and threat modeling, vulnerability assessment and penetration testing, and the third one is certifications and regulatory compliance. So coming to cloud platforms, we have got two in-house products, that is Gauntlet and Recon. So let's get into the agenda of our presentation. So we'll be discussing the blueprint of an IoT or wearable ecosystem, also the challenges faced in securing these kinds of modern-day gadgets, also an introduction to Bluetooth and BLE security. And finally, we will be showing a demo about attacking Bluetooth and BLE networks. So after the demo we'll also be providing recommendations for this ecosystem's security. With that we'll be summarizing our presentation.
So let's start with our presentation. So as you can see, the first slide is about the IoT or wearable ecosystem. So this is how a typical IoT wearable ecosystem looks. So it has got four components. So as you can see in the picture, there are backend services, that is nothing but a cloud, and there's a smartphone, and there are protocols, and also there's a gateway. These four components make up a wearable ecosystem or IoT ecosystem. So let's take an example of a home automation system. So coming to a home automation system, there will be devices which are called nodes, and these nodes will be having sensors. And these sensors could be deployed across the house. So what are these sensors going to do? So they would collect information like temperature, fire alarm, and also fire security alarm. So the same information is sent back to backend services, that is nothing but a cloud, which could be private or public. So you will know most of the examples; if I have to talk about cloud, it could be AWS or Microsoft Azure, and many more. So whatever information is sent to the cloud could be viewed on your smartphones too. So as you can see in the diagram, there are nodes present and there are gateways present. So based on the requirement, there can be multiple nodes and multiple gateways, and it is not restricted to one or two like how we have given. So based on the requirement, you can have your own nodes there. So coming to the next slide, here we have mainly taken fitness trackers as an example and we have given a case study about them. So everybody would want to buy a fitness tracker, nothing but smartwatches. The main reason is because they're very comfortable. When I talk about comfortable, it's nothing but they don't have wires around them, which makes IoT easier and simpler for a user to use. Also they're smart enough to take user commands and also give the required output to the user. And also they're into continuous learning; they keep learning and they keep evolving as per the user requirement. So this overall improves the quality of life of a user. So as I told you in the previous slide, that is why anyone would want to buy a wearable device, why they would want to use it in daily life.
So now let us talk about the challenges in securing these modern-day gadgets. Here we would mainly be trying to understand what kind of challenges they're facing in today's world. So these wearable devices are prone to attacks; like, there are many attacks that have taken place on these kinds of wearable devices. So therefore it is quite challenging to secure these kinds of gadgets, mainly because the traditional SDLC frameworks are applied to products which are having a long shelf life with constant requirements. But whereas with these types of gadgets, time to market would be very less and the requirements will be continuously evolving. So that is one of the reasons, one of the main challenges. And the other one would be, like, there are 30 to 40 protocols, and to choose the right one would be very difficult for a developer. And the fourth one is, like, there's not much privacy. And the last one would be, there's not much research made on IoT security. So there's a lack of research that is being done. So next, as we saw the challenges in those devices, there could be even technical challenges. So if I have to take an example of these wearable devices, these wearable devices contain lots of information; they have lots of data in them. So it could be geolocation information, or it could be biometric data, or it could be sensor data, or it could be payment services. So it is a must for us to secure these kinds of gadgets because they have lots of information stored in them. So one of the challenges is because these gadgets will be running with a limited software stack, which makes it very difficult for us to provide them with asymmetric key crypto, because they're heavy on this kind of limited software stack. So because of which the security will obviously get compromised in the same way. Coming to cloud, there could be cross-domain flows or it could be multiple exposure points because of these kinds of limitations. So along with the hardware part, we need to also protect cloud and mobile applications as well. So coming to today's agenda, so we'll
be mainly focusing on two protocols, that is Bluetooth and the other one is BLE. BLE is nothing but Bluetooth Low Energy. So let's get into BLE and Bluetooth. So coming to them, they are various protocols for short-range data exchange. So coming to Bluetooth, it is having a range of one to 100 meters. And BLE, which is nothing but Bluetooth Low Energy, is having a range of ten to 600 meters. So this BLE is a lightweight subset of classic Bluetooth with low power consumption. So these are used where there's less throughput and less power consumption. And also they're having a frequency range from 2.4 to 2.45 GHz. So this BLE, Bluetooth and all are maintained and governed by the Bluetooth Special Interest Group. Any updates that are being made are done by the same group. So coming to popular use cases, there could be wearable devices, smartphone systems. You also heard about Alexa; it is a famous device being used. These are all a few of the examples where Bluetooth is being used. So coming to Bluetooth security. So Bluetooth security mainly depends on the pairing mechanism, like how they are getting paired, like how the wearable device and the Bluetooth, which is like via phone, is getting paired. So let's discuss more on that. So there are like four of them, four methods. The first one is Just Works. Coming to Just Works, it's very limited and is having no user interface, and by default it will have four or six zeros. And the second one is numeric comparison. Coming to numeric comparison, we are having a device with a display which will have a yes or no button. When you have to pair your device, you have to press yes. And the third one is passkey entry, wherein you will be provided with a six-digit PIN. You have to enter the same PIN in order to pair your device with that of the Bluetooth. And the fourth one is out of band. And I can tell this is the most secure one because here the user authentication is being done using other protocols like Wi-Fi Direct or NFC. And once the pairing is done, the network traffic between the two will be encrypted via the AES-128 algorithm. So we understood about the pairing mechanism, that is like four of them. And once the pairing is done, the network traffic is being encrypted. So now let us understand more about the weaknesses in this Bluetooth or BLE. So coming to the weaknesses, I just spoke about the pairing algorithm. Simply with the algorithm we're compromising our security. The first one is the same thing, that is, security of the communication link depends on the pairing algorithm. So if it's more complex then the security is also good enough. And the third one is, as I told, the Just Works method will take keys by default and it will have these four or six zeros. So it will be prone to man-in-the-middle attacks. So also there is key exchange that is taking place between the two during the pairing mechanism that could lead to eavesdropping. The fourth one and the most important one is the app on the phone. So more about it we'll be discussing further in our slides.

Thank you Ananya. Hello everyone,
I'm Meghana Rao. I work as a security analyst at Deep Armor. As we now understood the problems and weaknesses of Bluetooth IoT ecosystems, let's dive into practical exploitation of BLE systems. Here we are going to attack a wearable device with the help of mobile ecosystems. So for today's demo we'll be using Mi Band. It is a fitness tracking device; it performs activities like sending app notifications, calculating calories, step count, heart rate, sleep rate, et cetera. Let's see how this device can be breached. And this is the ecosystem overview. Similar to IoT ecosystems, this overview is specific to wearable devices. It comprises the wearable device, mobile application and cloud, and here the wearable device communicates with its application via Bluetooth, that is the BLE protocol. Sometimes the wearable device and mobile app communicate with the cloud directly using the HTTPS protocol. In today's presentation, our main focus is on the communication that is happening between the band and the app. This is how device communication looks. We can see that there is a lot of data exchange happening from mobile to device and back. So the mobile sends information like put device into recovery mode, firmware update, social app notifications, et cetera, and the band sends notifications about user activity, data profile update and response to social app notifications. So the traffic between the band and its app is encrypted using the LTK, that is the long-term key. When an attacker is in the vicinity and he's trying to sniff this traffic, then he would be ending up with garbage data, that is encrypted data. Then where does the problem exactly occur? The problem mainly occurs when we have a malicious application residing on our phone, because whenever encrypted data from the wearable device reaches the Bluetooth layer, the Bluetooth layer decrypts the encrypted BLE data, which will be forwarded to the mobile app to display the actual content in user-readable format. Just like, if the encrypted data says XYZ, it would be decrypted as calories count is 30. During this data transfer, any app residing on the phone can sniff and fetch all the data that is being exchanged. For this demo, I'll be pairing my Mi Band with its companion application, that is the Mi Fit app, which is installed on my smartphone. As an attacker, I'll try to sniff the traffic, steal step counts and calories using Deep Armor's custom malware app.
Okay, so let's get started. The white screen here is from Android Studio. It is a Logcat window. It displays all the logs on the phone. I've added a filter here to display logs from the malware application, and I'm casting my phone using the Vysor app. We can see that I've installed both the Mi Fit app and the BLE malware app. So to begin with, I've launched my malware app, which is configured with the band's Bluetooth address. Now I'll access this Mi Fit app which is paired with my Mi Band. I'm trying to perform certain activities so that I can add step counts, or I can simulate step counts. I'm rotating my hand, I'm performing a few activities. We can see that step counts are getting updated on the Mi Fit application, and we can also see that it is getting updated on the malware app due to data traffic sniffing. So the latest or the last updated value I see is 1026. It is the same on the Logcat window as well, because the Logcat window is capturing the logs from the malware app and it says the step count is 1026 and calories are 30. A quick recap: we paired our Mi Band to the phone, tried sniffing the traffic between the phone and the device, where we were able to steal step counts and calories information. This is the GATT profile and these are the UUIDs, that is universally unique IDs, that are responsible for heart rate and step count. And the universally unique ID or UUID that is ending with F9B34FB is responsible for heart rate, and the one that is ending with 700 is responsible for step count.
So coming to the root cause of this issue: the root cause of this issue is the app. Any app on Android or iOS that is subscribed to Bluetooth services can rewrite or fetch all the Bluetooth data just like a legitimate app; all that app needs is Bluetooth and Bluetooth admin permission. Bluetooth admin permission is needed to make a device discoverable or to find a device that is discoverable. And Android documentation has clearly added this clause that all the apps with these permissions will have this extra feature, but an application using it should not misuse this power. And it goes the same with iOS as well, in which we need Core Bluetooth framework permission. As we previously discussed, LTK-encrypted data gets decrypted on reaching the Bluetooth layer, and in order to mitigate this malware attack we have to encrypt this data with an app-specific key on top of the Bluetooth layer so that only the legitimate application can access it. And the problem with this trust model is the device is trusting the entire phone and all the apps on it, and the only solution to this problem is confining the trust boundary. That is, the trust boundary should be from the device to its companion application or legitimate application. Let's quickly summarize: the next generation IoT device has next generation problems, and entire IoT security comprises device, phone, communication protocol and cloud. So all these components have to be included in the SDLC process, that is the secure development lifecycle process, at the development phase itself, and continuous security should be included as part of the CI/CD pipeline. And today privacy is of bigger concern. So privacy, security and legal have to be woven in from the development cycle itself. We also have to consider integration and interoperability problems while finding solutions to the existing problems and make sure the entire IoT security, like the entire IoT ecosystem, is secure. Thank you.
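The trust-boundary fix the speakers recommend, modelled as an added example that is not code from the talk, from Deep Armor or from the Mi Fit app: the phone's Bluetooth layer hands the LTK-decrypted characteristic value to every subscribed app, so the band and its companion app additionally wrap the payload with an app-specific key. The notification layout (u32 steps, u16 kcal), the hard-coded key and the HMAC-SHA256 encrypt-then-MAC construction are assumptions; a production app would use AES-GCM from the platform crypto API and provision the key during onboarding.

```python
import hmac, hashlib, secrets, struct

# Constructed placeholder for the key the band and its companion app would
# share after onboarding; never hard-code a real key like this in an app.
APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def pack_activity(steps, calories):
    """Constructed notification layout: little-endian u32 steps, u16 kcal."""
    return struct.pack("<IH", steps, calories)

def unpack_activity(payload):
    return struct.unpack("<IH", payload)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("<I", ctr), hashlib.sha256).digest()
    return out[:n]

def app_layer_seal(app_key, plaintext):
    """Encrypt-then-MAC (HMAC-SHA256 keystream + HMAC tag) as a stdlib
    stand-in for AES-GCM. Output: nonce(12) || ciphertext || tag(16)."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(app_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(app_key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def app_layer_open(app_key, sealed):
    """Return the plaintext, or None when the tag fails (wrong key/tampering)."""
    nonce, ct, tag = sealed[:12], sealed[12:-16], sealed[-16:]
    expect = hmac.new(_subkey(app_key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    ks = _keystream(_subkey(app_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def deliver_to_subscribers(characteristic_value, subscribers):
    """Models the phone's Bluetooth layer: after LTK decryption the same value
    reaches every subscribed app. Apps with the app key open it; key None = raw bytes."""
    return {name: characteristic_value if key is None else app_layer_open(key, characteristic_value)
            for name, key in subscribers.items()}

if __name__ == "__main__":
    value = pack_activity(1026, 30)  # the demo's step count and kcal
    print(deliver_to_subscribers(value, {"mifit": None, "malware": None}))
    print(deliver_to_subscribers(app_layer_seal(APP_KEY, value), {"mifit": APP_KEY, "malware": None}))
```

Without the app-layer key both apps receive the readable step count; with it, only the app holding the key recovers 1026 and any other subscriber gets ciphertext it can neither read nor forge.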