Design flaws endanger low energy Bluetooth devices

A design flaw compromises the security of Bluetooth Low Energy devices such as fitness trackers or smart speakers. The flaw leaves them prone to hacker attacks.

A professor of engineering and computer science at Ohio State University and his team discovered the design flaw. I just came across the topic via the following tweet.

Zhiqiang Lin, Associate Professor of Computer Science and Engineering at the University, found that the commonly used Bluetooth low energy devices, such as fitness trackers and intelligent speakers, are vulnerable when they communicate with their associated apps on the owner's mobile phone. The information was published at the Association for Computing Machinery's Conference on Computer and Communications Security. In this document, Zhiqiang Lin is quoted as follows:

"There is a fundamental flaw that leaves these devices vulnerable – first when they are initially paired to a mobile app, and then again when they are operating. And while the magnitude of that vulnerability varies, we found it to be a consistent problem among Bluetooth low energy devices when communicating with mobile apps."

Health and fitness trackers, intelligent thermostats, intelligent loudspeakers or other intelligent household aids communicate with apps on mobile devices. The devices send their UUID, a universally unique identifier, to the mobile device. This identifier enables the corresponding app on the mobile device to recognize the Bluetooth device and connect to it.

This UUID is also embedded in the code of the mobile app. Otherwise, mobile apps would not be able to recognize the device. However, such UUIDs in the mobile apps make the devices vulnerable to fingerprinting attacks, Lin and his research team discovered.
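To see what a device you own gives away in this manner, the following added example (not code from the researchers or from this post) parses a raw advertisement payload, lists the service UUIDs it carries, and picks out the vendor-defined 128-bit ones, which are the static identifiers the paragraph above refers to. The sample payload and its 128-bit UUID are constructed for illustration; the AD type numbers and the Bluetooth Base UUID are the standard ones.

```python
import uuid

# AD types that carry service UUID lists, mapped to the UUID width in bytes
UUID_AD_TYPES = {0x02: 2, 0x03: 2, 0x04: 4, 0x05: 4, 0x06: 16, 0x07: 16}
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"  # tail of the Bluetooth Base UUID

def parse_ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length-type-value record in the payload."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length marks padding: stop
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        yield payload[i + 1], payload[i + 2 : i + 1 + length]
        i += 1 + length

def advertised_uuids(payload: bytes):
    """Return every advertised service UUID as a full 128-bit uuid.UUID."""
    found = []
    for ad_type, data in parse_ad_structures(payload):
        width = UUID_AD_TYPES.get(ad_type)
        if width is None:
            continue
        if len(data) % width:
            raise ValueError(f"AD type 0x{ad_type:02x}: length not a multiple of {width}")
        for off in range(0, len(data), width):
            raw = data[off : off + width][::-1]   # on-air byte order is little-endian
            if width == 16:
                found.append(uuid.UUID(bytes=raw))
            else:                                 # expand 16/32-bit short form
                found.append(uuid.UUID(f"{int.from_bytes(raw, 'big'):08x}{BASE_SUFFIX}"))
    return found

def vendor_specific(uuids):
    """UUIDs outside the Bluetooth base range: static, vendor-chosen identifiers."""
    return [u for u in uuids if not str(u).endswith(BASE_SUFFIX)]

# Constructed sample: flags, one 16-bit UUID (0x180D), one made-up 128-bit UUID
SAMPLE_UUID = uuid.UUID("12345678-9abc-4def-8123-456789abcdef")  # constructed value
SAMPLE_ADV = (bytes([0x02, 0x01, 0x06])
              + bytes([0x03, 0x03, 0x0D, 0x18])
              + bytes([0x11, 0x07]) + SAMPLE_UUID.bytes[::-1])

if __name__ == "__main__":
    for u in advertised_uuids(SAMPLE_ADV):
        print(u, "vendor-specific" if vendor_specific([u]) else "standard")
```

A device whose advertisement yields an entry from `vendor_specific` is announcing a fixed value that also sits in its companion app, so anyone in radio range can tell which product it is.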

"A hacker could determine whether users have a particular Bluetooth device, such as an intelligent speaker, at home. All he needs to do is determine whether or not an intelligent device is sending the UUIDs identified by the corresponding mobile applications," Lin said. But in some cases, where no encryption is involved or encryption is used improperly between mobile applications and devices, the attacker would be able to track conversations and collect that data.

Normally it is said that signals from Bluetooth low energy devices only reach up to 100 meters. Lin and his team built a Bluetooth sniffer that can identify Bluetooth devices based on the messages sent by the devices. In tests, the researchers found that the signal can be sniffed (or electronically found) up to 1,000 meters away using a simple receiver adapter and amplifier.

They then drove the sniffer through a 1.28 square kilometer area near the Ohio State campus to test the vulnerability. The researchers found more than 5,800 Bluetooth low energy devices. Of these, about 5,500 (94.6 percent) were identifiable by fingerprint. 431 devices (7.4 percent) were vulnerable to unauthorized access or eavesdropping.

"We believe the problem should be relatively easy to fix, and we have made recommendations to app developers and Bluetooth industry groups," Lin said. Details can be found here and here.
