Guide to improve the security posture of Bluetooth Low Energy-enabled applications

Published in

CSG @ GovTech

5 min readMay 5, 2021

What is Bluetooth Low Energy (BLE)

BLE — also known as Bluetooth Smart — is a variant of Bluetooth Classic technology and is widely used by the Internet-of-Things (IoT) devices, smart home appliances and mobile phones (henceforth referred to as BLE devices in the article). Notably, the use cases for BLE and Classic are very different — while BLE is used for applications that do not need to exchange a large amount of data, Bluetooth Classic handles large data exchanges and suffers from high battery life consumption.[1] With the high numbers of battery-powered consumer devices, BLE has been gaining popularity due to its minimal power consumption, thus making it an appealing target for malicious users to exploit the protocol.

This article will provide a guide on some common BLE attacks and how the BLE technology can be secured, focusing on how developers can prevent attacks from targeting the connection and advertising modes used for its communication.

Introduction to advertising and connection mode

To communicate with other devices, BLE offers two modes: Advertising mode and Connection mode.

Advertising mode is used by BLE device to broadcast their existence to other nearby devices.
Connection mode is a one-to-one connection between two devices. To correctly identify the intended device, this mode relies on the information broadcasted from the advertising packet. Developers can then configure the device to communicate in a secure channel after pairing is successful.

In short, the advertising and connection modes play a crucial role in communication between BLE devices. Attackers seeking to gain access to personal data would target data packets sent between devices using the two modes.

Figure 2 — Orange: Advertising packets at channel 37, 38, and 39. Blue: data packets at 0–36 channels

Common BLE attacks

The following BLE attacks are adopted by attackers to scan for nearby BLE devices to track the victim (identity tracking), eavesdrop on the data sent between BLE devices (sniffing attacks) or trick the victim into sending confidential information to the attacker (spoofing attack). These BLE attacks exploit either the connection or advertising mode:

Identity tracking — only affects advertising mode
Sniffing attack — only affects connection mode
Spoofing attack — only affects connection mode

Identity tracking

What is it?

Identity tracking is an attack that allows an attacker to leverage broadcasted BLE advertising packets to track the victim. When BLE devices are in the advertising mode, they constantly broadcast information (e.g. the Bluetooth name, MAC address) over the air to a connected device from an authorised user.

What does it affect?

Identity tracking affects vulnerable wearable devices and mobile phones that contain Bluetooth beacon devices. A group of malicious actors can purchase several Bluetooth beacon devices and plant them in various places. These devices can identify the location of the user by tracking the signal strength of the BLE advertising emitting from the user’s wearable device or mobile phone.[2]

Figure 3 — Sample of a Bluetooth beacon device for proximity

2. Sniffing attack

What is it?

A sniffing attack is performed by eavesdropping on the data transmitted between two communicating devices to obtain information in transit.

What does it affect?

Sniffing attack affects BLE devices communicating in connection mode. A typical example is when an attacker sniffs the keystroke of a target sending data to the computer while using a BLE keyboard.[3] Sniffing attacks often lead to the disclosure of sensitive information and, in some cases, allow attackers to spoof packets to other user devices using the information obtained.

3. Spoofing attack

What is it?

In a spoofing attack, the attacker impersonates the victim to extract information or perform unauthorised actions on the connected device. The attacker can also modify the source contents of the packet, disguising it as originating from the victim and tricking the other device to think that the user is carrying out an action.

What does it affect?

Spoofing attack affects BLE devices communicating in connection mode. The attacker will first have to trick the unsuspecting user to connect to it. Once the user is connected, the attacker forwards the victim’s request to the legitimate device (i.e. the device that the victim intends to connect to).

An example is when an attacker intercepts a blood glucose monitoring system and modifies the display value of the measurement as a man-in-the-middle. This allows the malicious actor to trick the wearer with a false reading, which could cause unnecessary panic.[4]

Reader is encouraged to explore the footnotes for greater details on the different types of attacks. It is worth noting that developers should look at the design of the application use case to decide which method to use to secure BLE.

The recommendations provided below are unique to the use cases provided.

Mitigation measures for common BLE attacks

1. Recommendation to protect advertising mode against identity tracking

What you should do?

Developers should use/enable the privacy feature provided by BLE to prevent users from exposing their device information during advertising mode.

How does it secure BLE devices?

This function allows the MAC address within the advertising packets to be changed to a random value in a predetermined time interval. As a result, an attacker will not be able to track a user by his/her MAC address.[5]

2. Recommendation to protect connection mode against sniffing and spoofing attack

What you should do?

The way to prevent sniffing and spoofing attack is to enforce connection using LE Secured with any of the following pairing methods: Passkey Entry, Out of Band, and Numeric Comparison.

How does it secure BLE devices?

This method will require the BLE device to have a user interface or separate technology such as NFC, as well as the user’s interaction during the pairing process. Depending on the design of the application, certain approaches may not be applicable. The matrix table below outlines the prevention techniques associated with the various pairing methods and the pre-requisites required.

In the event where a connection is not possible during setup, or to mitigate sniffing threats for LE Legacy connections, developers should consider enforcing application layer security like encryption.

Conclusion

There is no universal way of securing BLE-enabled applications; security is dependent on the design and the use case of the application. Developers need to ensure that security is prioritised early in the product design specification phase and determine if additional controls are required to secure the data or application. Securing a BLE-enabled application requires an understanding of what the application offers and the security method that best fit the requirements.