DOI: 10.1145/3319535.3354240
research-article

Automatic Fingerprinting of Vulnerable BLE IoT Devices with Static UUIDs from Mobile Apps

Published: 06 November 2019

ABSTRACT

Being an easy-to-deploy and cost-effective low-power wireless solution, Bluetooth Low Energy (BLE) has been widely used by Internet-of-Things (IoT) devices. In a typical IoT scenario, an IoT device first needs to be connected with its companion mobile app, which serves as a gateway for its Internet access. To establish a connection, a device first broadcasts advertisement packets with UUIDs to nearby smartphone apps. Leveraging these UUIDs, a companion app is able to identify the device, pair and bond with it, and allow further data communication. However, we show that there is a fundamental flaw in the current design and implementation of the communication protocols between a BLE device and its companion mobile app, which allows an attacker to precisely fingerprint a BLE device with static UUIDs from the apps. Meanwhile, we also discover that many BLE IoT devices adopt "just works" pairing, allowing attackers to actively connect with these devices if there is no app-level authentication. Even worse, this vulnerability can also be directly uncovered from mobile apps. Furthermore, we also identify an alarming number of apps with vulnerable app-level authentication, which means the devices connected by these apps can be directly controlled by attackers. To raise public awareness of IoT device fingerprinting and also uncover these vulnerable BLE IoT devices before attackers do, we develop an automated mobile app analysis tool, BLESCOPE, and evaluate it with all of the free BLE IoT apps in the Google Play store. Our tool has identified 1,757 vulnerable mobile apps in total. We also performed a field test in a 1.28-square-mile region and identified 5,822 real BLE devices, of which 5,509 (94.6%) are fingerprintable by attackers and 431 (7.4%) are vulnerable to unauthorized access. We have made responsible disclosures to the corresponding app developers, and also reported the fingerprinting issues to the Bluetooth Special Interest Group.



Published in

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
November 2019
2755 pages
ISBN: 9781450367479
DOI: 10.1145/3319535

Copyright © 2019 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '19 Paper Acceptance Rate: 149 of 934 submissions, 16%. Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%.
