Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017
Common Types of Attack
- Man-in-the-Middle (MITM) attack: active eavesdropping. The attacker monitors and injects packets, acting as a relay between the two peers.
- Passive Eavesdropping: sniffing packets sent between two peers.

Basics
- Pairing is authenticating another device and establishing temporary shared secret keys which can be used to encrypt a link.
- Bonding is pairing followed by distribution of keys which can be used to encrypt the link in
Security Modes and Levels
Security Mode 1
- Level 1: No security. No authentication and no encryption.
- Level 2: Unauthenticated pairing with encryption, but no MITM protection.
- Level 3: Authenticated pairing with encryption and MITM protection.
- Level 4: Authenticated LE Secure Connections (LESC) pairing with encryption and possible MITM protection.

Security Mode 2 (not covered)
- Level 1: Unauthenticated pairing with data signing.
- Level 2: Authenticated pairing with data signing.
Authentication and Encryption Procedures
- Each time two devices connect, the connection operates in security level 1 (no security).
- A higher level of security is achieved by performing:
  - Authentication procedure: unauthenticated pairing results in security level 2; authenticated pairing results in security level 3 or 4.
  - Encryption procedure: the connection is encrypted with encryption keys already available, typically keys that were shared and stored after previously bonding. The original pairing determines the achieved security level.

Phases
Pairing is a two-phase process; bonding includes a third phase:
- Phase 1: Feature Exchange
- Phase 2A: Legacy Pairing - Short Term Key (STK) Generation
- Phase 2B: LESC - Long Term Key (LTK) Generation
- Phase 3: Key Distribution
Phase 1: Feature Exchange
Determines:
- How Phase 2 should be performed
- If Phase 3 should be performed
Features:
- LESC support
- Authenticated MITM protection
- IO Capabilities
- Out of Band (OOB) authentication data availability
- Bonding
Phase 2A: Legacy Pairing, STK Generation
- Just Works: encryption is secure if no attack is performed during pairing. Security Level 2: unauthenticated pairing with encryption, but no MITM protection.
- Passkey Entry: 6 numeric digits shared between the devices using their IO capabilities. Provides protection against MITM attacks, very limited protection against eavesdropping during pairing. Security Level 3: authenticated pairing with encryption and MITM protection.

Phase 2A: Legacy Pairing, STK Generation (continued)
- Out-of-Band (OOB): encryption keys based on data transferred by other means, for example NFC. Provides protection, assuming that the OOB communication is secure. Security Level 3: authenticated pairing with encryption and MITM protection.
LE Secure Connections
- Added in the Bluetooth Core Specification version 4.2
- Provides protection against eavesdropping
- Provides better protection against MITM attacks
- FIPS-approved algorithms
- Uses Elliptic Curve Diffie-Hellman (ECDH) key agreement: allows two peers, each having a public-private key pair, to establish a shared secret key over an insecure channel. The secret key is used in the derivation of encryption keys.
Phase 2B: LESC, LTK Generation
- Just Works: no protection against MITM attacks during pairing.
- Passkey Entry: provides protection.
- Numeric Comparison: provides protection. A 6-digit value is displayed on both devices and confirmed on both sides by the user pressing OK.
- OOB: provides protection.
All achieve security level 4: authenticated LESC pairing with encryption and possible MITM protection.

Phase 3: Key Distribution
With bonding, the following keys can be distributed:
- Legacy: LTK, EDIV, Rand, IRK
- LESC: IRK

Phases
- Phase 1: Feature Exchange
- Phase 2A: Legacy Pairing - Short Term Key (STK) Generation
- Phase 2B: LESC - Long Term Key (LTK) Generation
- Phase 3: Key Distribution
Common Pitfalls
Be aware that:
- Security is optional
- Encryption != secure
- Security requirements must be set on characteristic values
- A static passkey is not the intended use
- The header is not encrypted, so empty packets are not encrypted
- Keep something open
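The Phase 1 feature exchange decides which Phase 2 method is used, and that method decides the security level a characteristic can demand. The following is an added example, not part of the original deck: it models the pairing method selection of the Core Specification v4.2 (Vol 3, Part H, 2.3.5.1 and its IO capability table) and the characteristic-level check from the pitfalls slide. The level mapping follows the specification's Security Mode 1 definitions, under which Just Works is unauthenticated (level 2) with legacy and LESC alike; all class and function names are this example's own.

```python
from enum import Enum

class IO(Enum):
    DISPLAY_ONLY = 0
    DISPLAY_YESNO = 1
    KEYBOARD_ONLY = 2
    NO_INPUT_NO_OUTPUT = 3
    KEYBOARD_DISPLAY = 4

class Features:
    """Phase 1 features one device advertises: IO capability, MITM flag,
    LESC support and OOB data availability (names are this example's own)."""
    def __init__(self, io, mitm=False, lesc=False, oob=False):
        self.io, self.mitm, self.lesc, self.oob = io, mitm, lesc, oob

_KEYBOARD = {IO.KEYBOARD_ONLY, IO.KEYBOARD_DISPLAY}
_YESNO = {IO.DISPLAY_YESNO, IO.KEYBOARD_DISPLAY}

def select_method(a, b):
    """Return (Phase 2 method, lesc_used) for two exchanged feature sets."""
    lesc = a.lesc and b.lesc                  # LESC only if both support it
    # Legacy needs OOB data on both sides; LESC uses OOB if either side has it.
    if (a.oob and b.oob) or (lesc and (a.oob or b.oob)):
        return "OOB", lesc
    if not (a.mitm or b.mitm):                # neither asks for MITM protection
        return "Just Works", lesc
    if IO.NO_INPUT_NO_OUTPUT in (a.io, b.io): # nothing to compare or type
        return "Just Works", lesc
    if a.io in _YESNO and b.io in _YESNO:
        # Yes/No capable pair: LESC can do Numeric Comparison; legacy falls
        # back to Just Works, except two KeyboardDisplay devices, which can
        # both type a passkey.
        if lesc:
            return "Numeric Comparison", lesc
        if a.io == b.io == IO.KEYBOARD_DISPLAY:
            return "Passkey Entry", lesc
        return "Just Works", lesc
    if a.io in _KEYBOARD or b.io in _KEYBOARD:
        return "Passkey Entry", lesc          # one types what the other shows
    return "Just Works", lesc                 # display-only pair

def security_level(method, lesc):
    """Security Mode 1 level reached: Just Works is unauthenticated (2);
    authenticated legacy pairing gives 3, authenticated LESC gives 4."""
    if method == "Just Works":
        return 2
    return 4 if lesc else 3

def characteristic_accessible(required_level, link_level):
    """A characteristic declared with required_level must refuse access on a
    link that only reached link_level; an encrypted level-2 link is not enough
    for a level-3 requirement."""
    return link_level >= required_level
```

A link that is encrypted but only at level 2 fails a level-3 characteristic requirement, which is the point behind "Encryption != secure".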
Application Requirements
- What kind of security does the application require?
- What kind of attacks do you want to protect against? Eavesdroppers? MITM attacks? Something else?
- What kind of security is achievable? LESC? OOB? IO capabilities? Passkey Entry? Numeric Comparison? Pairing in a safe environment?
- What about the peers?

How good is it?
- Legacy Just Works and Passkey Entry: secure if paired in a safe environment
- Legacy OOB: secure if the OOB communication is safe
- LESC Just Works: secure if paired in a safe environment; protects against eavesdroppers
- LESC Numeric Comparison, Passkey Entry: secure
- LESC OOB: secure and most convenient