tack in which the attacker pretends to be a previously-paired
server
device, inducing a
client
device into accepting spoofed
data.
In particular, we discovered that the BLE specification al-
lows implementing several aspects of this protocol in multiple
ways, some of which are vulnerable. For this reason, even
BLE stack implementations correctly following the speci-
fication can potentially be susceptible to spoofing attacks.
For instance, we found that the BLE protocol stack (when
accessed via
gatttool
[26]) used in Linux
client
devices
(e.g., Linux laptops), while following the BLE specification
correctly, is susceptible to the identified spoofing attack.
Furthermore, we discovered that even BLE protocol stacks
implemented in ways that are, in theory, not susceptible to
the identified attack are still vulnerable in practice due to a
specific logic vulnerability. Specifically, we found a similar
implementation issue in the BLE stack used by Android de-
vices and in that used by iOS devices. This issue makes many
Android and iOS devices vulnerable to the identified attack.
We have responsibly reported our findings to Google and Ap-
ple, and they have confirmed these vulnerabilities. As of June
2020, while Apple has assigned the CVE-2020-9770 to the
vulnerability and fixed it, the Android BLE implementation
in our tested device (i.e., Google Pixel XL running Android
10) is still vulnerable.
To showcase the identified issues, we design a novel practi-
cal attack, named
BLESA
(BLE Spoofing Attack). In
BLESA
,
the attacker pretends to be a previously-paired server device,
rejects the authentication requests coming from the
client
device, and then feeds spoofed data to it. We then show that
a Linux laptop running Ubuntu with the most updated ver-
sion of its BLE stack is vulnerable to BLESA. In addition,
we demonstrate the effectiveness of BLESA by launching
it against Google Pixel XL phone recording the informa-
tion from a wearable activity-tracking device called Oura
Ring [25]. In particular, by using
BLESA
, the attacker suc-
cessfully impersonates the ring, injects spoofed data to the
phone, and the companion application of the ring running on
the phone accepts and displays the spoofed data.
In summary, our work has these main contributions:
•
We performed a formal analysis of the BLE link-layer au-
thentication mechanism and discovered two design weak-
nesses in the BLE protocol specification.
•
We studied how these design weaknesses affect existing
BLE stack implementations, and we discovered a related
logic bug in the BLE link-layer implementations used by
Android and iOS devices.
•
Exploiting the identified design weaknesses and the discov-
ered logic bug, we crafted a novel attack, named BLESA,
which allows an attacker to impersonate a
server
device and
provide forged data to a previously-paired client device.
•
We proposed mitigation techniques to the identified security
issues, which enable systemic changes in the reconnection
procedure to make it robust against BLESA.
2 Background
The original Bluetooth (Classic) protocol was designed
for short-range wireless streaming applications such as au-
dio, video, and file transfer. Different from Bluetooth Clas-
sic, Bluetooth Low Energy (BLE) is designed for energy-
constrained low-cost IoT applications that require an intermit-
tent transfer of smaller amounts of data at lower speeds.
The BLE protocol enables a device, acting as a
server
(e.g.,
a fitness tracker), to efficiently communicate relevant data
(e.g., the number of tracked footsteps) to another connected
device, acting as a
client
(e.g., a smartphone). In BLE, the
typical communication procedure between the
server
and the
client involves five steps:
1.
The
server
advertises its presence by broadcasting adver-
tising packets containing its identity.
2.
The
client
scans for advertising packets to discover the
server and establishes a wireless connection with it.
3.
(Optionally) The
client
pairs with the
server
to share a
long-term cryptographic key. This key is used to encrypt
and authenticate the exchanged data.
4.
The
client
initiates the request to access the data stored by
the server.
5.
The
server
checks if the
client
has the right to access the
specific requested data. If this condition is true, the
server
grants read/write access to the requested data.
Security Levels.
The data stored at a
server
is organized
in attributes, and each attribute (e.g., a blood pressure mea-
surement) is identified using a unique identifier. BLE allows
the
server
to protect attributes at a fine-grained granularity. In
particular, the
server
can specify an access control policy for
each attribute. Each such policy describes how an attribute can
be accessed (read-only, write-only, or read-and-write), and
which security level is needed to access it. Specifically, there
are four possible security levels: no security (level 1), encryp-
tion only (level 2), encryption and authentication (level 3),
and strong encryption with authentication (level 4).
When an access request is received from the
client
, the
server
checks whether the current connection meets the se-
curity level required to access the requested attribute. If the
connection satisfies the required security level, the
server
grants access to the requested attribute. Otherwise, the
server
denies the request and sends an error message back to the
client.
Pairing and Key Generation.
The pairing between the
client
and the
server
is optional, and it depends on the security
level requested by the
server
. When encryption or authentica-
tion is needed to access an attribute, the
client
and the
server
must be paired to establish a (long-term) shared secret key.
Once the long-term key is generated between two devices, the