Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017

Size: px

Start display at page:

Download "Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017"

Moses Randall
5 years ago
Views:

1 Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017

2 Common Types of Attack Man-In-The-Middle Passive Eavesdropping Man-in-the-Middle (MITM) attack Active eavesdropping Attacker monitors and injects packets Acts as a relay between the two peers Passive Eavesdropping Sniffing packets sent between two peers

3 Basics Pairing is authenticating another device establishing temporary shared secret keys which can be used to encrypt a link Bonding is pairing followed by distribution of keys which can be used to encrypt the link in

4 Security Modes and Levels

5 Security Mode 1 Level 1 No security. No authentication and no encryption Level 2 Unauthenticated pairing with encryption, but no MITM protection Level 3 Authenticated pairing with encryption and MITM protection Level 4 Authenticated LE Secure Connections (LESC) pairing with encryption and possible MITM protection

6 Security Mode 2 (Not covered) Level 1 Unauthenticated pairing with data signing Level 2 Authenticated pairing with data signing

7 Authentication and Encryption Procedures Each time 2 devices connect - connection operate in security level 1 no security. Higher level of security achieved by performing: Authentication procedure Unauthenticated pairing results security level 2 Authenticated pairing results in security level 3 or 4 Encryption procedure Connection encrypted with encryption keys already available Typically if keys were shared and stored after previously bonding Original pairing determines achieved security level

8 Phases Pairing - two phase process, bonding includes a 3rd phase: 2A 1 Legacy Pairing - Short Term Key (STK) Generation 3 Feature Exchange 2B Key Distributi on LESC Long Term Key (LTK) Generation

9 Phase 1 Feature Exchange Determines: How Phase 2 should be performed If Phase 3 should be performed Features: LESC support Authenticated MITM protection IO Capabilites Out of Band (OOB) authentication data availability Bonding

10 Phase 2A Legacy Pairing STK Generation Just Works Encryption secure if no attack performed during pairing Security Level 2 Unauthenticated pairing with encryption, but no MITM protection Passkey Entry 6 numeric digits shared between devices using their IO capabilities Provides protection against MITM attacks, very limited protection against eavesdropping during pairing Security Level 3 Authenticated pairing with encryption and MITM protection

11 Phase 2A Legacy Pairing STK Generation Out-of-Band (OOB) Encryption keys based on data transferred by other means, for example NFC Provides protection, assuming that OOB communication is secure Security Level 3 Authenticated pairing with encryption and MITM protection

12 LE Secure Connections Added in the Bluetooth Core Specification version 4.2 Provides protection against eavesdropping Provides better protection against MITM attacks FIPS-approved algorithms Uses Elliptic Curve Diffie-Hellman (ECDH) key agreement Allows two peers, each having public-private key pair, to establish shared secret key over insecure channel Secret key used in derivation of encryption keys

13 Phase 2B LESC LTK Generation Just Works No protection against MITM attacks during pairing Passkey Entry Provides protection Numeric Comparison Provides protection A 6-digit value displayed on both devices and confirmed on both sides by user pressing OK OOB - Provides protection All achieves security level 4 - Authenticated LESC pairing with encryption and possible MITM protection

14 Phase 3 Key Distribution With bonding following keys can be distributed: Legacy: LTK EDIV Rand IRK LESC IRK

15 Phases 1 2A Legacy Pairing - Short Term Key (STK) Generation 3 Feature Exchange 2B Key Distributi on LESC Long Term Key (LTK) Generation

16 Common Pitfalls

17 Be aware that Security is optional Encryption!= secure Security requirements must be set on characteristic values Static passkey is not the intended use Header not encrypted = Empty packets are not encrypted Keep something open

18 Application Requirements What kind of security does the application require? What kind of attacks do you want to protect against? Eavesdroppers? MITM attacks? Something else? What kind of security is achieveable? LESC? OOB? IO capabilites? Passkey Entry? Numeric Comparison? Pairing in a safe environment? What about the peers?

19 How good is it? Legacy Just Works and Passkey Entry secure if paired in a safe environment Legacy OOB - secure if the OOB communcation is safe LESC Just Works - secure if paired in a safe environment - protects against eavesdroppers LESC Numeric Comparison, Passkey Entry - secure LESC OOB secure and most convenient

20 Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017

PM0257. BlueNRG-1, BlueNRG-2 BLE stack v2.x programming guidelines. Programming manual. Introduction

PM0257. BlueNRG-1, BlueNRG-2 BLE stack v2.x programming guidelines. Programming manual. Introduction Programming manual BlueNRG-1, BlueNRG-2 BLE stack v2.x programming guidelines Introduction The main purpose of this document is to provide a developer with some reference programming guidelines about how