Attacks Against BLE Devices by Co-located Mobile Applications
Bluetooth Low Energy (BLE) is a fast-growing wireless technology with a large number of potential use cases, particularly in the IoT domain. With many of these use cases, the BLE device stores sensitive user data or critical device controls, which may be accessed by an augmentative Android or iOS application. Uncontrolled access to such data could violate a user's privacy, cause a device to malfunction, or even endanger lives. The BLE specification aims to solve this with network layer security mechanisms such as pairing and bonding. Unfortunately, this doesn't take into account the fact that many applications may be co-located on the same mobile device, which introduces the possibility of unauthorised applications being able to access and modify sensitive data stored on a BLE device. In this paper, we present an attack in which an unauthorised Android application can access pairing-protected data from a BLE device by exploiting the bonding relationship previously triggered by an authorised application. We discuss possible mitigation strategies, and perform an analysis over 13,500+ BLE-enabled Android applications to identify how many of them implement such strategies to avoid this attack. Our results indicate that over 60 in the form of application-layer security, and that cryptography is sometimes implemented incorrectly in those that do. This implies that the corresponding BLE devices are potentially vulnerable to unauthorised data access by malicious applications.
READ FULL TEXT