As the need for Bluetooth Low Energy (BLE) IoT security grows, so does the need for vulnerability management in these networks. Unlike IP security, the BLE security framework is not yet mature. Newer versions of BLE have improved the security of BLE devices, but vulnerabilities remain because neither manufacturers nor customers pay enough attention to security.
These vulnerabilities have to be detected and reported to the user so that appropriate action can be taken to resolve them. The most important event in every BLE IoT network is advertising. Advertising in BLE IoT networks can carry several kinds of vulnerabilities; these are described below.
Types and Mitigation of Vulnerabilities
A BLE device can use four types of address: public addresses, random static addresses, private resolvable addresses and private unresolvable addresses. They can be described as follows:
1. Public address: These addresses are assigned by the manufacturer and remain persistent for the life of the device.
2. Random static address: These are random addresses and can change on every power cycle of the device.
3. Private resolvable address: These are random addresses, but a key is used to generate them, and only a master holding that key can resolve them. These addresses change after a fixed interval of time.
4. Private unresolvable address: These are random addresses that do not use a key. The master cannot resolve them, and they also change after a fixed interval of time.
A hacker can spoof the address of a BLE peripheral to connect to the master and act as that peripheral, so the master does not connect to the right device. A hacker can also spoof the address of a master to connect to a peripheral. Most peripherals can connect to only one master at a time, so a peripheral connected to a spoofed master cannot connect to the right one. Address spoofing is therefore an easy way for hackers to disrupt the network.
On a vulnerability scale, the public address is the most vulnerable because it is persistent. Private unresolvable addresses are the least vulnerable because they keep changing and cannot be tracked by a hacker. But there are very few use cases in which private unresolvable addresses can be used, because even the master cannot track the device.
Advertisement Channel Vulnerability
BLE has three advertisement channels: 37, 38 and 39. Most devices advertise on channel 37. Hackers can advertise heavily on this channel and create interference, making it impossible for the master to detect legitimate advertisements.
To mitigate this vulnerability, advertisements should be transmitted evenly across all three channels, 37, 38 and 39.
Advertising Interval Vulnerability
The advertisement interval is the time gap between two consecutive advertisements. Hackers use small advertisement intervals so that their spoofed device connects to a master before the real one does. This can also serve as a criterion for detecting hackers in the network: if a device is advertising very fast, it can be concluded that it is a spoofed device. If some real devices also advertise very fast, however, it becomes difficult for the master or vulnerability detectors to identify the spoofed device.
This vulnerability can be mitigated by setting the advertisement interval of devices to a reasonable amount of time.
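The fast-advertiser criterion above, together with the channel-distribution check from the previous section, as detection logic run over a constructed scan log. This is an added example, not code from the original post or from Wispero; the 100 ms threshold and the three-sighting minimum are assumptions to tune per deployment, and the log assumes a sniffer that reports the advertising channel.

```python
"""Estimate each advertiser's interval from scan timestamps and flag the
ones advertising suspiciously fast; also tally channel usage so devices
stuck on channel 37 can be spotted."""
from collections import defaultdict
from statistics import median

# Constructed scan records: (timestamp in ms, advertiser address, channel).
SCAN_LOG = [
    (0, "AA:BB:CC:DD:EE:01", 37), (1000, "AA:BB:CC:DD:EE:01", 38),
    (2010, "AA:BB:CC:DD:EE:01", 39), (3002, "AA:BB:CC:DD:EE:01", 37),
    (5, "AA:BB:CC:DD:EE:02", 37), (25, "AA:BB:CC:DD:EE:02", 37),
    (46, "AA:BB:CC:DD:EE:02", 37), (65, "AA:BB:CC:DD:EE:02", 37),
    (85, "AA:BB:CC:DD:EE:02", 37),
    (300, "AA:BB:CC:DD:EE:03", 37),  # seen once: interval unknown
]

MIN_SANE_INTERVAL_MS = 100  # assumed threshold for "advertising very fast"
MIN_SAMPLES = 3             # assumed: sightings needed before judging

def estimate_intervals(log):
    """Return {address: median gap in ms} for addresses seen often enough.
    The median resists a single missed packet inflating the estimate."""
    seen = defaultdict(list)
    for ts, addr, _chan in log:
        seen[addr].append(ts)
    result = {}
    for addr, stamps in seen.items():
        if len(stamps) < MIN_SAMPLES:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        result[addr] = median(gaps)
    return result

def channel_usage(log):
    """Return {address: {channel: count}}; a device only ever seen on 37 is
    not spreading its advertisements evenly as the mitigation recommends."""
    usage = defaultdict(lambda: defaultdict(int))
    for _ts, addr, chan in log:
        usage[addr][chan] += 1
    return {addr: dict(counts) for addr, counts in usage.items()}

def flag_fast_advertisers(log, threshold_ms=MIN_SANE_INTERVAL_MS):
    """Addresses advertising faster than the threshold are spoofing candidates."""
    return sorted(addr for addr, gap in estimate_intervals(log).items()
                  if gap < threshold_ms)
```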
Advertisement Type Vulnerability
There are mainly two types of advertising:
1. ADV_IND: Connectable undirected advertising
2. ADV_NONCONN_IND: Non-connectable undirected advertising. Used by devices that want to broadcast and do not want to be connected to or scanned.
If a hacker connects to a peripheral by spoofing the master, the peripheral stops advertising and cannot connect to anything else. Thus a hacker can eliminate a device from the network entirely.
So, if data flows only one way, from peripheral to master, and the amount of data is small, non-connectable undirected advertisements should be used. If the data is small and confidential, it can be encrypted and transmitted in non-connectable advertisements without making a connection.
Unencrypted Advertisement Vulnerability
An unencrypted advertisement payload is also a major vulnerability in BLE networks. Some peripherals send data to the master through non-connectable advertisements, i.e. they do not connect to the master to send data. Link-layer security can only be enabled for data packets sent to the master after a connection is made. Thus the advertisement data can be analysed by any hacker present in the network, which is also a vulnerability.
So, instead of advertising data in plain text using the standard data types of the Bluetooth specification, the data should be encrypted and added as manufacturer-specific data in the advertisement payload. Most BLE microcontrollers have onboard encryption cores, which add little overhead to encryption.
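The three checks described on this page (address type from the sections on addresses, advertising PDU type from the section on advertisement types, and plaintext standard AD structures from this section) as one parser over a raw advertising PDU. This is an added example, not code from the original post or from Wispero; the sample PDU is constructed, and the exposure ranking simply encodes the ordering the text gives.

```python
"""Parse a BLE advertising PDU (header, AdvA, AdvData) and report the
exposure points discussed above: address type, advertising PDU type and
standard AD structures whose payload any listener can read."""

# PDU types from the 4-bit field in the advertising channel PDU header.
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND",
             0x2: "ADV_NONCONN_IND", 0x6: "ADV_SCAN_IND"}
# Exposure ranking from the text: persistent addresses are easiest to track.
ADDRESS_RANK = {"public": 3, "random static": 2,
                "private resolvable": 1, "private unresolvable": 0}
# Standard AD types that carry application data in plain text.
PLAINTEXT_DATA_TYPES = {0x16: "Service Data (16-bit UUID)",
                        0x20: "Service Data (32-bit UUID)",
                        0x21: "Service Data (128-bit UUID)"}
MANUFACTURER_SPECIFIC = 0xFF  # where the text says encrypted data belongs

def address_kind(adv_a: bytes, tx_add_random: bool) -> str:
    """TxAdd selects public vs random; for a random address the two most
    significant bits give static (11), resolvable (01) or unresolvable (00).
    AdvA is little-endian on the air, so its MSB is the last byte."""
    if not tx_add_random:
        return "public"
    return {0b11: "random static", 0b01: "private resolvable",
            0b00: "private unresolvable"}.get(adv_a[5] >> 6, "reserved")

def parse_ad_structures(adv_data: bytes):
    """Split AdvData into (ad_type, payload) pairs: each structure is a
    length byte, a type byte, then length-1 payload bytes."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0 or i + 1 + length > len(adv_data):
            break  # zero length or a truncated structure ends parsing
        out.append((adv_data[i + 1], bytes(adv_data[i + 2:i + 1 + length])))
        i += 1 + length
    return out

def assess_pdu(pdu: bytes) -> dict:
    """Header byte: PDU type in bits 0-3, TxAdd in bit 6; then the payload
    length, the 6-byte AdvA and AdvData."""
    header = pdu[0]
    kind = address_kind(pdu[2:8], bool(header & 0x40))
    structures = parse_ad_structures(pdu[8:2 + pdu[1]])
    findings = [f"plaintext {PLAINTEXT_DATA_TYPES[t]}: {p.hex()}"
                for t, p in structures if t in PLAINTEXT_DATA_TYPES]
    return {"pdu_type": PDU_TYPES.get(header & 0x0F, "other"),
            "address": kind, "address_rank": ADDRESS_RANK.get(kind, -1),
            "plaintext_findings": findings,
            "uses_manufacturer_data": any(t == MANUFACTURER_SPECIFIC for t, _ in structures)}

# Constructed ADV_NONCONN_IND from public address 11:22:33:44:55:66 carrying
# Flags and a 16-bit-UUID Service Data structure with two plaintext bytes.
SAMPLE_PDU = bytes([0x02, 0x0F, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
                    0x02, 0x01, 0x06, 0x05, 0x16, 0x0F, 0x18, 0x5A, 0x2B])
```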
Disclaimer: The vulnerabilities explained in this blog are resolved by Wispero Networks Inc. software, which can be used through a web console. Wispero Patrol, an application available on the Play Store, can be used to detect these vulnerabilities.
Author: Amit Chahar
Organization: Wispero Networks Inc. (http://wispero.com/)