Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks
Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin, and Xinwen Fu
Track 1: Wireless Security
Bluetooth Low Energy (BLE) and IoT
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Low Cost Large Coverage
1/13
Client Server
Client Server
Internet
IoT devices
Attribute Protocol (ATT) Client/Server mode
Bluetooth Low Energy
Bluetooth Low Energy (BLE) and IoT
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Low Cost Large Coverage
1/13
Client Server
Client Server
Internet
IoT devices
Attribute Protocol (ATT) Client/Server mode
Bluetooth Low Energy
TLS/SSL
Pairing
Bluetooth Low Energy (BLE) and IoT
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Low Cost Large Coverage
1/13
Client Server
Client ServerIoT devices
Attribute Protocol (ATT) Client/Server mode
Bluetooth Low Energy
TLS/SSL(Mutual
Authentication)
Pairing
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App1.Start pairing
2/13
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2. Pairing feature exchange
1.Start pairing
2/13
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2. Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Pairing method1
Pairing method: Just Works, Passkey EntryNumeric Comparison, Out of Band
2/13
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
2. Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Pairing method1
Pairing method: Just Works, Passkey EntryNumeric Comparison, Out of Band
2/13
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2. Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Pairing method1
Pairing method: Just Works, Passkey EntryNumeric Comparison, Out of Band
2/13
Security Levels of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Security Levels:
➢ None (Plaintext)
➢ Encrypted (Just Works)
➢ Authenticated (Passkey Entry or Numeric Comparison)
➢ Secure Connections Only (SCO) mode (Enforced Passkey Entry or Numeric Comparison)
3/13
Security Levels of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
3/13
Security Levels:
➢ None (Plaintext)
➢ Encrypted (Just Works)
➢ Authenticated (Passkey Entry or Numeric Comparison)
➢ Secure Connections Only (SCO) mode (Enforced Passkey Entry or Numeric Comparison)
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4/13
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4/13
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4/13
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4. Communication
4/13
Required Four Capabilities at Initiator
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
5/13
Required Four Capabilities at Initiator - Initiation Stage
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
1.Start pairing Capability (1) : Specify a secure pairing method
5/13
Required Four Capabilities at Initiator – Status management
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
Capability (1) : Specify a secure pairing method
5/13
Required Four Capabilities at Initiator – Errors Handling
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
6. Errors may occur
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
5/13
Required Four Capabilities at Initiator – Bond Management
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
LTKLTK Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
6. Errors may occur
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
5/13
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
LTKLTK Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
6. Errors may occur
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
5/13
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
OS handles pairing events in a compatible way without enforcing secure pairing
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
5/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
OS handles pairing events in a compatible way without enforcing secure pairing
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4 5/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
OS handle pairing events in a compatible way without enforcing secure pairing
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4 5/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
Threat model
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS App
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS App
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
Fake Device
1.Impersonate the victim device and deploy attacks
against the mobile
6/13
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS AppFake Device
1.Impersonate the victim device and deploy attacks
against the mobile
Fake Mobile
2.Use the stolen information (i.e., IRK)
to create a Fake mobile
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS AppFake Device
1.Impersonate the victim device and deploy attacks
against the mobile
Fake Mobile
2.Use the stolen information (i.e., IRK)
to create a Fake mobile3. deploy attacks
against the device
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS AppFake Device
1.Impersonate the victim device and deploy attacks
against the mobile
Fake Mobile
2.Use the stolen information (i.e., IRK)
to create a Fake mobile3. deploy attacks
against the device
Downgraded communication (Just Works, Plaintext)
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Attacks against Initiators Attacks against Devices
Fake data injection Passive eavesdropping
Sensitive data stealing Whitelist bypassing
IRK stealing Data manipulation
DoS attack Man-in-the-Middle
7/13
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4 8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4
Passkey Entry
8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry
LTKLTK
6. Errors may occur
Passkey Entry
8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry
LTKLTK
6. Errors may occur
Passkey Entry
8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
Attacks against Initiator
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Flaws across OSesTested Android mobiles
9/13
Attacks beyond Initiator
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
The Tested BLE devicesMITM attack against BLE keyboards
10/13
Attacks beyond Initiator (cont’d)
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Maximal attack distance Success rate vs. advertising frequency
11/13
CD
F
Countermeasures
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Android 8.0
12/13
Summary
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Downgrade Attacks
➢ No mutual authentication: SCO mode is not enforcedfor the pairing initiator, e.g., a mobile
➢ Enabling SCO: Four capabilities is required at initiator;➢ Mutual authentication: SCO mode must be mutually
enforced so as to achieve the strongest security
Impact of Downgrade Attacks
➢ Initiators: Android, iOS, macOS, Windows, Linux are subject to our attacks
➢ Devices: We analysed 18 BLE devices; none of them are secure;
13/13
Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks
Yue Zhang [email protected]
Joint work w/ Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin, and Xinwen Fu
THANK YOU !