publication . Preprint . 2018

A Study of the Feasibility of Co-located App Attacks against BLE and a Large-Scale Analysis of the Current Application-Layer Security Landscape

Sivakumaran, Pallavi; Blasco, Jorge
Open Access English
  • Published: 11 Aug 2018
Abstract
Bluetooth Low Energy (BLE) is a fast-growing wireless technology with a large number of potential use cases, particularly in the IoT domain. Increasingly, these use cases require the storage of sensitive user data or critical device controls on the BLE device, as well as the access of this data by an augmentative mobile application. Uncontrolled access to such data could violate user privacy, cause a device to malfunction, or even endanger lives. The BLE standard provides security mechanisms such as pairing and bonding to protect sensitive data such that only authenticated devices can access it. In this paper we show how unauthorized co-located Android applicati...
Subjects
free text keywords: Computer Science - Cryptography and Security