Design World - Internet of Things Handbook, April 2020

(Rick Simeone) #1
engineered from mobile apps. Obfuscation and encryption can only
make it more difficult for attackers to retrieve UUIDs, because the
app must work with the plain-text UUID somewhere along the line. Storing
UUIDs outside the mobile app can prevent the UUIDs from being
statically reverse engineered, but attackers can still obtain the
plain-text UUIDs at run-time.
Researchers additionally advocate the piecing out of UUIDs as they
get transmitted in the BLE RF channel. In this way, attackers can only
see segments of UUIDs instead of continuous signals. The downside is
that this approach probably entails use of additional hardware.
Another fundamental countermeasure would be to construct
one-time dynamic UUIDs. The OSU researchers claim this scheme only
requires an update of both the app and device firmware. Because
multiple users can access one BLE device, they suggest using the
cloud to help synchronize the UUIDs among users. Then once an app has
successfully connected with an IoT device for the first time, it negotiates
a dynamic UUID for future communication. To prove this scheme
actually works, the OSU team says they implemented a prototype
using a real BLE chip in a software development board which provides
programming interfaces to configure UUIDs for advertisement packets,
services, characteristics, and descriptors.
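
One way the dynamic-UUID scheme described above could derive its values, shown as an added example that is not from the article or the OSU prototype: the app and the firmware both compute the current UUID from a shared secret with HMAC-SHA256. The hourly rotation window, the label string and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import uuid

EPOCH_SECONDS = 3600  # assumed rotation period, not a value from the article


def epoch_of(unix_time: int) -> int:
    """Index of the rotation window that contains unix_time."""
    return unix_time // EPOCH_SECONDS


def derive_uuid(shared_key: bytes, epoch: int) -> uuid.UUID:
    """UUID for one epoch, computed identically by the app and the firmware.

    shared_key stands for the secret negotiated on first connection and
    synchronized to other authorized users through the cloud (assumption).
    """
    msg = b"ble-dyn-uuid|" + epoch.to_bytes(8, "big")
    raw = bytearray(hmac.new(shared_key, msg, hashlib.sha256).digest()[:16])
    raw[6] = (raw[6] & 0x0F) | 0x40  # version-4 layout: looks like any random UUID
    raw[8] = (raw[8] & 0x3F) | 0x80  # RFC 4122 variant bits
    return uuid.UUID(bytes=bytes(raw))


def acceptable_uuids(shared_key: bytes, unix_time: int, skew: int = 1) -> set:
    """UUIDs the app accepts now, tolerating clock drift of +/- skew epochs."""
    now = epoch_of(unix_time)
    return {derive_uuid(shared_key, e)
            for e in range(max(0, now - skew), now + skew + 1)}


def matches(advertised: uuid.UUID, shared_key: bytes, unix_time: int) -> bool:
    """True if an advertised UUID belongs to the device paired with shared_key."""
    return advertised in acceptable_uuids(shared_key, unix_time)


if __name__ == "__main__":
    key = bytes(range(32))   # constructed sample key
    t = 1_700_000_000        # constructed sample time
    adv = derive_uuid(key, epoch_of(t))
    print("advertised now:       ", adv)
    print("app accepts it:       ", matches(adv, key, t + 600))
    print("valid 3 epochs later: ", matches(adv, key, t + 3 * EPOCH_SECONDS))
```

A UUID recovered from the app binary or captured over the air stops identifying the device once its window has passed, which is the property a static UUID lacks.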
Clearly it would take a determined hacker willing to spend time
parsing through disassembled app code to exploit some of the
vulnerabilities the OSU researchers uncovered. That’s probably beyond
the capabilities of casual mischief makers, but not out of the question
for state-sponsored hackers and criminals.

References
Automatic Fingerprinting of Vulnerable BLE IoT Devices with Static UUIDs from Mobile Apps,
https://dl.acm.org/doi/10.1145/3319535.3354240

Bluetooth SIG Inc., https://www.bluetooth.com/specifications/protocol-specifications/

Top 10 most vulnerable BLE devices in the OSU field test

OSU researchers surveyed a 1.28-sq-mile area and discovered a
number of BLE devices vulnerable to attack through compromised
UUIDs. Here is their top ten list.

UUID                                    # Devices   Device description
00001910-0000-1000-8000-00805f9b34fb    7           Digital thermometer
00001814-0000-1000-8000-00805f9b34fb    6           Car dongle
00001804-0000-1000-8000-00805f9b34fb    6           Key finder
0000fef1-0000-1000-8000-00805f9b34fb    5           Smart lamp
0000f000-0000-1000-8000-00805f9b34fb    5           Key finder
00001820-0000-1000-8000-00805f9b34fb    4           Smart toy
bc2f4cc6-aaef-4351-9034-d66268e328f0    4           Smart VFD
0000ffd0-0000-1000-8000-00805f9b34fb    4           Air condition sensor
000018f0-0000-1000-8000-00805f9b34fb    4           Smart toy
0000ec00-0000-1000-8000-00805f9b34fb    4           Accessibility device
