Slides are mainly on the major security flaws that existed in the Bluetooth 4.0/4.1 (released 2010) specifically Bluetooth Low Energy(BLE) (a.k.a Bluetooth Smart) specification. BLE was introduced as part of Bluetooth 4.0 targeting low power devices which is quite different from classic Bluetooth. Later part contains major security enhancements that are introduced in BLE 4.2

1. BluetoothLowEnergySecurity
Presentedby:
AkshayKumar
DarshanRamakantBhat
FreezeFrancis
A case study

2. Overview
● What is Bluetooth Low Energy?
○ vs classic bluetooth
● Protocol Stack
○ PHY and Link
● Encryption
● Security Issues in BLE 4.0/4.1
○ Eavesdropping
○ Active Attack
○ MITM
● Security Enhancements BLE 4.2
○ ECDH

3. What is Bluetooth Low Energy?
● a.k.a Bluetooth Smart
● originally introduced under the name Wibree by Nokia in 2006
● merged into the main Bluetooth standard in 2010 with the adoption of the
Bluetooth Core Specification Version 4.0
● operates in the unlicensed 2.4 GHz band
● new modulation and link layer for low-power devices
● vs classic Bluetooth
○ incompatible with classic Bluetooth devices
○ PHY and link layer almost completely different
○ high-level protocols the same

5. Applications

7. Bluetooth LE network

8. Protocol Stack

9. PHY Layer
● 2.4 GHz ISM band splitted into 40 channels:
○ 37 data channels
○ 3 advertising channels (37,38,39)
○ Central frequency, fn
=2402 + 2n MHz

10. PHY Layer (continued..)
● Modulation scheme : Gaussian Frequency Shift Keying(GFSK)
○ Data rate : 1 Mbit/s
● Hopping
○ hop along all 37 data channels
○ duration (a.k.a hop interval) : one data packet per channel
○ hop increment (specific to a connection ) decides the next channel
next channel = (channel + hop increment) mod 37

11. Link Layer
● Preamble: an alternating binary sequence for synchronization
● Access Address: unique identifier which defines a particular connection
○ Fixed value for communications in advertising channel : 0x8E89BED6
● PDU : protocol data unit which is the actual payload (variable length)
● CRC : for error checking
○ depends on CRC Init and the PDU
○ Computed using Linear Feedback Shift Register (LFSR)
● Whitening is applied to the PDU and CRC.
○ Not complicated as it depends only on channel number.
○ Computed using LFSR
● Each Bluetooth device has a unique MAC address

12. Link layer state diagram
● Standby: does not transmit or receive any packets
● Advertising: transmitting advertising channel
packets and possibly listening to and responding to
responses triggered by these advertising channel
packets
● Scanning: listening for advertising channel packets
from devices that are advertising.
● Initiating: listening for advertising channel packets
from a specific device(s) and responding to these
packets to initiate a connection with another device.
● Connection : connected state, device is either
master or slave and further communication happens
in data channels.

13. Encryption
● Link layer
○ AES-CCM encryption scheme
○ CCM : Counter mode with CBC-MAC (Cipher Block Chaining Message Authentication Code)
○ authenticated encryption algorithm: encrypts the PDU and also generates MAC
● Application layer
○ user-defined encryption
○ generally not used in BLE devices

14. With Low Energy Comes Low Security!!!
Compromises made for low power:
● Hopping rate is less aggressive (37 data channels)
● Whitening seed is straight-forward from channel number and LFSR used is
known
● Overly simplified custom key exchange
Combining all these resulted in a major flaw in the protocol !!
● Applications:
○ heart rate and blood pressure monitors
○ wireless door lock, low power gadgets
○ industrial monitoring sensors
○ public transportation apps

15. Eavesdropping
● Compromises make eavesdropping easy
● To sniff a connection:
○ Hop increment : to determine next channel
○ Access address : to find the start of the PDU
○ Hop interval : to determine how long to stay in a channel
○ CRC init : to filter out corrupt packets
● Two scenarios:
○ Observed the connection initialization packet: all values are known.
○ Missed the connection initialization packet: recover values by exploiting properties of BLE packets.

16. Eavesdropping attack in detail
(Hardware)
(Software)

17. Ubertooth
(to PC)
RF to packets:
● CC2400 gets bits from air
● We know Access Address !
● MCU finds the start of PDU and gets it
as packet
● Wireshark plugin available

18. Wireshark plugins

19. Recovering the unknown values
● Master and slave transmits packets in each channel, even if
there is no meaningful data (empty packet).
● waits for hop_interval x 1.25 ms in a channel.
● Empty packet : PDU = header( 16 bit) + empty body
○ easy to identify looking for header
○ most traffic is empty
Access address:
● Look for an empty packet and AA comes before the header
● least frequently used cache (LFU) + CRC to eliminate false
positives

20. Recovering unknown values (continued..)
CRC init:
● seed value used for generating CRC
● CRC computed using an LFSR
● CRC Init obtained by reversing LFSR with CRC as seed
● LFU to filter out false positives
Hop interval:
● wait on particular data channel for consecutive packets
● 37 channels visited in full cycle
●

21. Recovering unknown values (continued..)
Hop Increment:
● Interarrival time of packets in two data channels (say 0 and 1)
(Fermat's little theorem)
we can now follow a connection and sniff packets, but encryption?
0 -----> 25 -----> 50 -----> 1

22. Bypassing the encryption
● Encryption by link layer
● How to get the keys ?
Custom Key Exchange Protocol:
● 3 stage process
● Stage 1 : Choosing the pairing methods which defines Temporary Key (TK)
● Stage 2 : Generate the Short Term Key (STK)
● Stage 3 : Generate the Long Term Key (LTK)
● LTK is reused and used to generate session keys
● Session keys are used during encrypted sessions (AES-CCM)

23. Pairing methods
Devices chooses pairing methods based on I/O capabilities.
1. Just Works
● TK is trivial i.e TK=0
2. PassKey Entry
● TK is 6-digit PIN (user inputs)
3. Out Of Band (OOB)
● uses other means like NFC for TK exchange
● more secure
● almost never used !
The TK (also the 128-bit AES key) is used to generate a ‘confirm’ values.

24. Cracking the TK
● We already have a packet sniffer
● TK is between 0 and 99999 (if passKey entry pairing)
● brute forced in < 1 second
(plain text)

25. Key Exchange Broken
● TK + pairing data is used to compute a STK
● STK is used to encrypt the LTK exchange
● Worst part : LTK is reused and used to generate session keys
● 100 % passive attack and can be done offline

26. Active Attack
What if attacker missed the LTK exchange packets?
Two possible active attacks:
1. Eavesdropper can jam the connection so that master will drop the connection
causing force re-pairing.
2. BLE protocol has provisions for a master or slave to reject a LTK. Eavesdropper
sends an appropriate link layer message (LL_REJECT_IND) that forces a key
renegotiation.

27. Man In The Middle Attacks
An attacker can emulate himself as the valid device and cause the data to pass
through him.
Authentication protects against MIMT
Authentication is the method to prevent the MITM

28. Enhancements in Bluetooth 4.2
There are two major enhancements in BLE 4.2
● New pairing method : A new pairing method is added. Both the devices should
have display capabilities and one should have yes or no button.
● Elliptic Curve Diffie Hellman (ECDH) Key exchange:
DH uses prime factorization whereas ECDH uses elliptic curve cryptography.
Breaking the ECDH is more computationally expensive than DH and also it
requires less bits than DH.

29. MITM prevention
● Before pairing both the devices must share pairing parameters that includes
authentication requirements
● If authentication is required, both devices must authenticate each other using one of the
association models
Which model to use is based on two parameters:
● Can the device receive data from a user, or output data to the user. Involving the user in
the pairing process is an important element in the secure transfer of data
● Can the device communicate Out-of-Band (OOB)? For example, if part of the security key
can be transferred between the two devices over Near-Field Communication (NFC), an
eavesdropper will not be able to make sense of the final data.

30. Association models (BLE 4.2)
● Numeric Comparison—Both devices display a six-digit number and the user
authenticates by selecting ‘Yes’ if both devices are displaying the same number.
● Passkey Entry—The user either inputs an identical Passkey into both devices, or one
device displays the Passkey and the user enters that Passkey into the other device.
● Out of Band (OOB)—The OOB association model is the model to use if the device are
capable of OOB.
● Just Works—This association model is used either when MITM protection is not needed
or when devices have limited IO capabilities.

31. Diffie-Hellman

32. Elliptic Curve Cryptography
● An elliptic curve E is the graph of an equation of the form
y2
= x3
+ ax + b
● Elliptic curves provides a different way to do
the math in public key system
y2 = x3 - x + 1

33. Elliptic curve maths
Consider y2
= x3
+ 2x + 3 (mod 5)
x = 0 y2
= 3 no solution (mod 5) ; x = 1 y2
= 6 = 1 y = 1,4 (mod 5)
x = 2 y2
= 15 = 0 y = 0 (mod 5); x = 3 y2
= 36 = 1 y = 1,4 (mod 5)
x = 4 y2
= 75 = 0 y = 0 (mod 5)
So valid points on the curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and (inf,inf)
These points form the finite set.

34. Addition in elliptic curve
● P1 + P2 = P3
Addition on: y2
= x3
+ ax + b (mod p)
P1=(x1
,y1
), P2=(x2
,y2
); P1 + P2 = P3 = (x3
,y3
) where
x3
= (m2
- x1
- x2
) (mod p); y3
= (m(x1
- x3
) - y1
)(mod p)
And m = (y2
-y1
)(x2
-x1
)-1
mod p, if P1 ≠P2
m = (3x1
2
+a)(2y1
)-1
mod p, if P1 = P2
What is (1,4) + (3,1) = P3 = (x3,y3) in y2
= x3
+2x+3 mod 5? m = (1-4)(3-1)-1
= (-3)(2)-1
= 2(3) = 6 = 1 (mod 5)
x3
= 1 - 1 - 3 = 2 (mod 5) y3
= 1(1-2) - 4 = 0 (mod 5)

35. Diffie-Hellman using elliptic maths
Public: Elliptic curve and point (x,y) on curve
Secret: Alice’s A and Bob’s B
Alice computes A(B(x,y))
Bob computes B(A(x,y))
These are the same since AB = BA

36. Example
Public: Curve y2
= x3
+ 7x + b (mod 37) and point (2,5) b = 3
Alice’s secret: A = 4
Bob’s secret: B = 7
Alice sends Bob: 4(2,5) = (7,32)
Bob sends Alice: 7(2,5) = (18,35)
Alice computes: 4(18,35) = (22,1)
Bob computes: 7(7,32) = (22,1)

37. References
● https://www.bluetooth.com/specifications/bluetooth-core-specification
● http://blog.bluetooth.com/everything-you-always-wanted-to-know-about-blueto
oth-security-in-bluetooth-4-2/
● “Bluetooth: With Low Energy comes Low Security” by Mike Ryan, 7th USENIX
conference on Offensive Technologies, 2013