Design World - Internet of Things Handbook, April 2020


30 DESIGN WORLD — EE NETWORK 4 • 2020 eeworldonline.com | designworldonline.com


Despite built-in safeguards, Bluetooth Low Energy IoT devices are vulnerable to attack when they communicate over the air. Here are the basics of the problem.

If you eyeball internet-of-things items ranging from smart AC plugs to motion sensors, you typically find connectivity via the Bluetooth Low Energy (BLE) standard. A lot of IoT devices use BLE because the protocol is well suited to transferring small amounts of data while consuming little power. But though BLE incorporates several security measures, vulnerabilities in the protocol have emerged over time.

For example, BLE communications can be hacked via man-in-the-middle (MITM) attacks, in which an attacker secretly relays and alters messages between two parties who believe they are talking directly to each other. BLE credentials can also be sniffed: a sniffer listens on the three advertising channels that BLE devices use to find each other, catches the connection request that moves a peripheral and its master onto the data channels, and follows the connection from there, capturing the pairing exchange along the way. In BLE spoofing, an attacker mimics the MAC address of a BLE device as a means of impersonation. Denial-of-service attacks are also possible because peripheral BLE IoT devices are usually designed to connect with only one master at a time; bombarding the device with connection requests in response to its advertising packets can keep legitimate users from connecting. In addition, unauthorized co-located apps on the same phone can hijack the connection between a legitimate mobile app and a BLE device.
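To make the sniffing and spoofing points concrete, here is an added example (not code from the article) that decodes the two advertising-channel PDUs a sniffer cares about: an ADV_IND, which carries the device address a spoofer would copy, and the CONNECT_IND that moves the connection onto the data channels, which carries everything a sniffer needs (access address, CRC seed, channel map, hop increment, interval) to keep following the link and capture the pairing exchange. Both packets are constructed by hand for the example; the addresses, access address and names are made up. The channel-hop routine is channel selection algorithm #1 from the Core specification.

```python
"""Parse the advertising-channel traffic a BLE sniffer captures (added example).

Packets below are constructed by hand, not captured from a real device.
"""
import struct

ADV_IND = 0x0      # connectable undirected advertising
CONNECT_IND = 0x5  # connection request; moves both parties onto the data channels

# Constructed ADV_IND: a random static address advertising the name "SmartPlug".
ADV_IND_PDU = bytes.fromhex(
    "4014"                      # header: PDU type 0, TxAdd=1 (random address), length 20
    "f6e5d4b3a2c1"              # AdvA = C1:A2:B3:D4:E5:F6, little-endian on air
    "020106"                    # AD Flags: LE General Discoverable, BR/EDR not supported
    "0a09536d617274506c7567"    # AD Complete Local Name: "SmartPlug"
)

# Constructed CONNECT_IND from a master (InitA) to the advertiser above.
CONNECT_IND_PDU = bytes.fromhex(
    "c522"                      # header: PDU type 5, TxAdd=1, RxAdd=1, length 34
    "0100efbeadde"              # InitA = DE:AD:BE:EF:00:01
    "f6e5d4b3a2c1"              # AdvA = C1:A2:B3:D4:E5:F6
    "0c5b9aaf"                  # Access Address 0xAF9A5B0C
    "1e3c5a"                    # CRCInit 0x5A3C1E
    "03" "0500" "1800" "0000" "4800"  # WinSize, WinOffset, Interval=24, Latency=0, Timeout=72
    "ffffffff1f"                # channel map: all 37 data channels in use
    "07"                        # Hop=7 (bits 0-4), SCA=0 (bits 5-7)
)


def format_address(raw: bytes, random_flag: bool) -> tuple:
    """Return (MAC string, address kind) from 6 on-air (little-endian) bytes."""
    mac = ":".join(f"{b:02X}" for b in reversed(raw))
    if not random_flag:
        return mac, "public"
    # Top two bits of the most significant byte: 11 = static, otherwise private
    return mac, "random static" if raw[5] >> 6 == 0b11 else "random private"


def parse_ad_structures(data: bytes) -> dict:
    """Split advertising data into {AD type: value} (length, type, value triplets)."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            raise ValueError("malformed AD structure")
        out[data[i + 1]] = data[i + 2 : i + 1 + length]
        i += 1 + length
    return out


def used_channels(channel_map: bytes) -> list:
    """Data channels marked as used in the 37-bit channel map (LSB = channel 0)."""
    bits = int.from_bytes(channel_map, "little")
    return [ch for ch in range(37) if bits >> ch & 1]


def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode an advertising-channel PDU (header + payload; preamble, AA and CRC stripped)."""
    if len(pdu) < 2 or len(pdu) - 2 != pdu[1]:
        raise ValueError("bad PDU length")
    header, payload = pdu[0], pdu[2:]
    pdu_type, tx_add, rx_add = header & 0x0F, bool(header & 0x40), bool(header & 0x80)
    if pdu_type == ADV_IND:
        mac, kind = format_address(payload[:6], tx_add)
        name = parse_ad_structures(payload[6:]).get(0x09)
        return {"type": "ADV_IND", "adv_addr": mac, "addr_kind": kind,
                "name": name.decode("utf-8", "replace") if name else None}
    if pdu_type == CONNECT_IND:
        if len(payload) != 34:
            raise ValueError("CONNECT_IND payload must be 34 bytes")
        init_mac, init_kind = format_address(payload[:6], tx_add)
        adv_mac, adv_kind = format_address(payload[6:12], rx_add)
        access_address = struct.unpack_from("<I", payload, 12)[0]
        crc_init = int.from_bytes(payload[16:19], "little")
        win_size = payload[19]
        win_offset, interval, latency, timeout = struct.unpack_from("<HHHH", payload, 20)
        hop_sca = payload[33]
        return {"type": "CONNECT_IND", "init_addr": init_mac, "init_kind": init_kind,
                "adv_addr": adv_mac, "adv_kind": adv_kind,
                "access_address": access_address, "crc_init": crc_init,
                "window_size_ms": win_size * 1.25, "window_offset_ms": win_offset * 1.25,
                "interval_ms": interval * 1.25, "latency": latency, "timeout_ms": timeout * 10,
                "used_channels": used_channels(payload[28:33]),
                "hop": hop_sca & 0x1F, "sca": hop_sca >> 5}
    raise ValueError(f"PDU type {pdu_type:#x} not handled here")


def channel_sequence(last_unmapped: int, hop: int, used: list, count: int) -> list:
    """First `count` data channels of channel selection algorithm #1: the hop
    sequence a sniffer must follow once it has seen the CONNECT_IND."""
    out = []
    for _ in range(count):
        last_unmapped = (last_unmapped + hop) % 37
        # Channels absent from the map are remapped onto the used set by index.
        out.append(last_unmapped if last_unmapped in used else used[last_unmapped % len(used)])
    return out


if __name__ == "__main__":
    for pdu in (ADV_IND_PDU, CONNECT_IND_PDU):
        print(parse_adv_pdu(pdu))
    conn = parse_adv_pdu(CONNECT_IND_PDU)
    print("first data channels:", channel_sequence(0, conn["hop"], conn["used_channels"], 8))
```

Everything in the CONNECT_IND is sent in the clear, which is why a sniffer parked on the advertising channels can pick up a connection as it forms and then hop along with it; the pairing PDUs that follow on the data channels are what an attacker records for an offline attack on a weak pairing method. The AdvA field is also exactly what a spoofer copies to impersonate the peripheral.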

Many vulnerabilities pertain to the process of pairing devices: verifying and authenticating the identity of BLE nodes that wish to connect. Part of the problem is that there are several ways of pairing devices, and not all of them provide a high level of security. Ditto for BLE traffic encryption. Link encryption is meant to defeat eavesdropping on BLE links by making the data unintelligible to all but the BLE master and slave forming the link; on its own it does not stop an MITM attack, because an attacker who sits in the middle of the pairing exchange ends up holding keys of his own. Earlier versions of BLE (the "legacy pairing" of 4.0 and 4.1) had no public-key exchange for deriving the link key, probably because public-key operations cost more computing power (and drain the battery faster); the 4.2 standard added LE Secure Connections, which derives the key from an elliptic-curve Diffie-Hellman exchange. The standard also includes modes where users must type or confirm a code to connect with IoT devices. Unfortunately, researchers have found that many BLE IoT devices don't implement application-level authentication properly.

In particular, numerous BLE IoT devices use "Just Works" pairing, which exchanges keys without authenticating either party, so any nearby attacker can connect and possibly do something devious.
To understand the problem with Just Works pairing, consider that there are four different pairing methods (Just Works, Passkey Entry, Out of Band and, in LE Secure Connections, Numeric Comparison), but they all take place in three phases. In phase one, the two devices exchange their pairing features: each announces its input and output capabilities, whether it holds out-of-band data, and what it requires (bonding, MITM protection, Secure Connections), and the pairing method follows from that exchange. In phase two, a Short Term Key (STK) gets generated
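The phase-one exchange just described is where a device ends up on Just Works, so here is an added example (not code from the article) that applies the method-selection rules of the Core specification, Vol. 3 Part H, to a constructed SMP Pairing Request and Pairing Response. The PDUs are made up for the example; the rules encoded are the ones I know from the specification: out-of-band data wins if present (both sides in legacy pairing, either side in Secure Connections), IO capabilities are ignored and Just Works is used when neither side sets the MITM flag, and otherwise the IO-capability table decides, with Numeric Comparison only available when both sides set the Secure Connections flag.

```python
"""Work out which pairing method a BLE phase-one feature exchange yields (added example).

PDUs below are constructed by hand, not captured from real devices.
"""
from dataclasses import dataclass

# SMP opcodes and field encodings (Bluetooth Core spec, Vol 3 Part H)
PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
DISPLAY_ONLY, DISPLAY_YES_NO, KEYBOARD_ONLY, NO_INPUT_NO_OUTPUT, KEYBOARD_DISPLAY = range(5)
AUTHREQ_BONDING, AUTHREQ_MITM, AUTHREQ_SC = 0x01, 0x04, 0x08


@dataclass
class PairingFeatures:
    io_cap: int
    oob: bool
    auth_req: int
    max_key_size: int

    @classmethod
    def from_pdu(cls, pdu: bytes, expected_code: int) -> "PairingFeatures":
        """Pairing Request/Response layout: Code, IO Capability, OOB flag, AuthReq,
        Max Encryption Key Size, Initiator Key Distribution, Responder Key Distribution."""
        if len(pdu) != 7 or pdu[0] != expected_code:
            raise ValueError("not the expected SMP pairing PDU")
        if pdu[1] > KEYBOARD_DISPLAY:
            raise ValueError("reserved IO capability value")
        return cls(io_cap=pdu[1], oob=pdu[2] == 0x01, auth_req=pdu[3], max_key_size=pdu[4])

    def wants(self, flag: int) -> bool:
        return bool(self.auth_req & flag)


def method_from_io_caps(init_io: int, resp_io: int, secure_connections: bool) -> str:
    """IO-capability mapping to Just Works, Passkey Entry or Numeric Comparison."""
    if NO_INPUT_NO_OUTPUT in (init_io, resp_io):
        return "Just Works"
    if init_io == DISPLAY_ONLY and resp_io in (DISPLAY_ONLY, DISPLAY_YES_NO):
        return "Just Works"
    if init_io == DISPLAY_YES_NO and resp_io == DISPLAY_ONLY:
        return "Just Works"
    if {init_io, resp_io} <= {DISPLAY_YES_NO, KEYBOARD_DISPLAY}:
        if secure_connections:
            return "Numeric Comparison"
        # Legacy pairing has no numeric comparison: two yes/no displays fall back to
        # Just Works; a keyboard on at least one side allows Passkey Entry.
        return "Just Works" if init_io == resp_io == DISPLAY_YES_NO else "Passkey Entry"
    return "Passkey Entry"


def negotiate(request_pdu: bytes, response_pdu: bytes) -> dict:
    """Apply the phase-one selection rules to an initiator request and a responder response."""
    init = PairingFeatures.from_pdu(request_pdu, PAIRING_REQUEST)
    resp = PairingFeatures.from_pdu(response_pdu, PAIRING_RESPONSE)
    sc = init.wants(AUTHREQ_SC) and resp.wants(AUTHREQ_SC)
    # OOB is checked first: legacy needs OOB data on both sides, Secure Connections on either.
    if (init.oob or resp.oob) if sc else (init.oob and resp.oob):
        method = "Out of Band"
    # If neither side asks for MITM protection, IO capabilities are ignored: Just Works.
    elif not init.wants(AUTHREQ_MITM) and not resp.wants(AUTHREQ_MITM):
        method = "Just Works"
    else:
        method = method_from_io_caps(init.io_cap, resp.io_cap, sc)
    key_size = min(init.max_key_size, resp.max_key_size)
    if not 7 <= key_size <= 16:
        raise ValueError("negotiated encryption key size outside 7..16 bytes")
    return {"method": method, "secure_connections": sc,
            "mitm_protected": method != "Just Works",
            "bonding": init.wants(AUTHREQ_BONDING) and resp.wants(AUTHREQ_BONDING),
            "key_size": key_size}


# Constructed PDUs. Phone initiator: KeyboardDisplay, bonding|MITM|SC, 16-byte key, all keys.
PHONE_REQ = bytes.fromhex("0104000d100f0f")
# Typical headless IoT peripheral: NoInputNoOutput, bonding only.
PLUG_RSP = bytes.fromhex("02030001100000")
# Peripheral with a display, asking for MITM protection and Secure Connections.
DISPLAY_RSP = bytes.fromhex("0200000d100000")
# Two DisplayYesNo devices, responder with and without the Secure Connections flag.
YESNO_REQ = bytes.fromhex("0101000d100f0f")
YESNO_RSP_SC = bytes.fromhex("0201000d100f0f")
YESNO_RSP_LEGACY = bytes.fromhex("02010005100f0f")
# KeyboardDisplay initiator and DisplayOnly responder that both leave the MITM flag clear.
NOMITM_REQ = bytes.fromhex("01040001100f0f")
NOMITM_DISPLAY_RSP = bytes.fromhex("02000001100000")

if __name__ == "__main__":
    for label, req, rsp in (("phone+plug", PHONE_REQ, PLUG_RSP),
                            ("phone+display", PHONE_REQ, DISPLAY_RSP),
                            ("yesno SC", YESNO_REQ, YESNO_RSP_SC),
                            ("yesno legacy", YESNO_REQ, YESNO_RSP_LEGACY),
                            ("no MITM flag", NOMITM_REQ, NOMITM_DISPLAY_RSP)):
        print(label, negotiate(req, rsp))
```

The cases worth noticing are the last two: with legacy pairing, two yes/no displays still land on Just Works because Numeric Comparison did not exist before Secure Connections, and a device that clears the MITM bit gets Just Works no matter how capable its user interface is. When auditing a BLE device, capturing its Pairing Response and reading those two bytes tells you whether the pairing can be authenticated at all.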

Breaking BLE

Leland Teschler, Executive Editor

Internet of Things Handbook
