DEMO: Attaching InternalBlue to the Proprietary macOS IOBluetooth Framework
In this demo, we provide an overview of the macOS Bluetooth stack internals
and gain access to undocumented low-level interfaces. We leverage this
knowledge to add macOS support to the InternalBlue firmware modification and
wireless experimentation framework.
Comment: 13th ACM Conference on Security and Privacy in Wireless and Mobile
Networks
Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices
Bluetooth is among the dominant standards for wireless short-range
communication, with multi-billion Bluetooth devices shipped each year. Basic
Bluetooth analysis inside consumer hardware such as smartphones can be
accomplished by observing the Host Controller Interface (HCI) between the
operating system's driver and the Bluetooth chip. However, the HCI does not
provide insights into tasks running inside a Bluetooth chip or into Link Layer
(LL) packets exchanged over the air. As of today, the internal behavior of
consumer hardware can only be observed with external and often expensive tools
that need to be present during initial device pairing. In this paper, we
leverage standard smartphones for on-device Bluetooth analysis and reverse
engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic
features include sniffing lower layers such as the LL for Classic Bluetooth and
Bluetooth Low Energy (BLE), transmission and reception statistics, test mode,
and memory peek and poke.
Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication
Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate
devices. This requires a common hardware interface, which limits the use of
existing SDP systems. We propose to use short-range acoustic communication for
the initial pairing. Audio hardware is commonly available on existing
off-the-shelf devices and can be accessed from user space without requiring
firmware or hardware modifications. We improve upon previous approaches by
designing Acoustic Integrity Codes (AICs): a modulation scheme that provides
message authentication on the acoustic physical layer. We analyze their
security and demonstrate that we can defend against signal cancellation attacks
by designing signals with low autocorrelation. Our system can detect
overshadowing attacks using a ternary decision function with a threshold. In
our evaluation of this SDP scheme's security and robustness, we achieve a bit
error ratio below 0.1% for a net bit rate of 100 bps at a signal-to-noise
ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on
Android smartphones, we demonstrate pairing between different smartphone
models.
Comment: 11 pages, 11 figures. Published at ACM WiSec 2020 (13th ACM
Conference on Security and Privacy in Wireless and Mobile Networks). Updated
reference
MagicPairing: Apple's Take on Securing Bluetooth Peripherals
Device pairing in large Internet of Things (IoT) deployments is a challenge
for device manufacturers and users. Bluetooth offers a comparably smooth
trust-on-first-use pairing experience. Bluetooth, though, is well-known for
security flaws in the pairing process. In this paper, we analyze how Apple
improves the security of Bluetooth pairing while still maintaining its
usability and specification compliance. The proprietary protocol that resides
on top of Bluetooth is called MagicPairing. It enables the user to pair a
device once with Apple's ecosystem and then seamlessly use it with all their
other Apple devices. We analyze both the security properties provided by this
protocol and its implementations. In general, MagicPairing could be adapted by
other IoT vendors to improve Bluetooth security. Even though the overall
protocol is well-designed, we identified multiple vulnerabilities within
Apple's implementations using over-the-air and in-process fuzzing.
Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
A Bluetooth finder is a small battery-powered device that can be attached to
important items such as bags, keychains, or bikes. The finder maintains a
Bluetooth connection with the user's phone, and the user is notified
immediately on connection loss. We provide the first comprehensive security and
privacy analysis of current commercial Bluetooth finders. Our analysis reveals
several significant security vulnerabilities in those products concerning
mobile applications and the corresponding backend services in the cloud. We
also show that all analyzed cloud-based products leak more private data than
required for their respective cloud services.
Overall, there is a big market for Bluetooth finders, but none of the
existing products is privacy-friendly. We close this gap by designing and
implementing PrivateFind, which ensures that the user's locations are never
leaked to third parties. It is designed to run on hardware similar to existing
finders, allowing vendors to update their systems using PrivateFind.
Comment: WiSec '2
DEMO: BTLEmap: Nmap for Bluetooth Low Energy
The market for Bluetooth Low Energy devices is booming and, at the same time,
has become an attractive target for adversaries. To improve BLE security at
large, we present BTLEmap, an auditing application for BLE environments.
BTLEmap is inspired by network discovery and security auditing tools such as
Nmap for IP-based networks. It allows for device enumeration, GATT service
discovery, and device fingerprinting. It goes even further by integrating a BLE
advertisement dissector, a data exporter, and a user-friendly UI, including a
proximity view. BTLEmap currently runs on iOS and macOS using Apple's
CoreBluetooth API but also accepts alternative data inputs, such as a Raspberry
Pi, to overcome the restricted vendor API. The open-source project is under
active development and will provide more advanced capabilities, such as
long-term device tracking (in spite of MAC address randomization), in the
future.
Comment: 13th ACM Conference on Security and Privacy in Wireless and Mobile
Networks
ChirpOTLE: A Framework for Practical LoRaWAN Security Evaluation
Low-power wide-area networks (LPWANs) are becoming an integral part of the
Internet of Things. As a consequence, businesses, administration, and,
subsequently, society itself depend on the reliability and availability of
these communication networks. Released in 2015, LoRaWAN gained popularity and
attracted the focus of security research, revealing a number of
vulnerabilities. This led to the revised LoRaWAN 1.1 specification in late
2017. Most previous work focused on simulation and theoretical approaches.
Interoperability and the variety of implementations complicate the risk
assessment for a specific LoRaWAN network. In this paper, we address these
issues by introducing ChirpOTLE, a LoRa and LoRaWAN security evaluation
framework suitable for rapid iteration and testing of attacks in testbeds and
for assessing the security of real-world networks. We demonstrate the potential
of our framework by verifying the applicability of a novel denial-of-service
attack targeting the adaptive data rate mechanism in a testbed using common
off-the-shelf hardware. Furthermore, we show the feasibility of the Class B
beacon spoofing attack, which has not been demonstrated in practice before.
Comment: 11 pages, 14 figures, accepted at ACM WiSec 2020 (13th ACM Conference
on Security and Privacy in Wireless and Mobile Networks)
IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT
With the rapid growth of the Internet of Things (IoT), concerns about the
security of IoT devices have become prominent. Several vendors are producing
IP-connected devices for home and small office networks that often suffer from
flawed security designs and implementations. They also tend to lack mechanisms
for firmware updates or patches that could help eliminate security
vulnerabilities. Securing networks where the presence of such vulnerable
devices is a given requires a brownfield approach: applying the necessary
protection measures within the network so that potentially vulnerable devices
can coexist without endangering the security of other devices in the same
network. In this paper, we present IOT SENTINEL, a system capable of
automatically identifying the types of devices being connected to an IoT
network and enabling the enforcement of rules that constrain the communications
of vulnerable devices so as to minimize the damage resulting from their
compromise. We show that IOT SENTINEL is effective in identifying device types
and has minimal performance overhead.
InternalBlue - Bluetooth Binary Patching and Experimentation Framework
Bluetooth is one of the most established technologies for short-range digital
wireless data transmission. With the advent of wearables and the Internet of
Things (IoT), Bluetooth has again gained importance, which makes security
research and protocol optimizations imperative. Surprisingly, there is a lack
of openly available tools and experimental platforms to scrutinize Bluetooth.
In particular, system aspects and protocol layers close to the hardware are
mostly uncovered.
We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread
in off-the-shelf devices. Thus, we offer deep insights into the internal
architecture of a popular commercial family of Bluetooth controllers used in
smartphones, wearables, and IoT platforms. Reverse-engineered functions can
then be altered with our InternalBlue Python framework, which outperforms
evaluation kits that are limited to documented and vendor-defined functions.
The modified Bluetooth stack remains fully functional and high-performance.
Hence, it provides a portable low-cost research platform.
InternalBlue is a versatile framework, and we demonstrate its abilities by
implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we
discover a novel critical security issue affecting a large selection of
Broadcom chipsets that allows executing code within the attacked Bluetooth
firmware. We further show how to use our framework to fix bugs in chipsets out
of vendor support and how to add new security features to Bluetooth firmware.
Conducting a Large-scale Field Test of a Smartphone-based Communication Network for Emergency Response
Smartphone-based communication networks form a basis for services in
emergency response scenarios where communication infrastructure is impaired or
overloaded. Still, their design and evaluation are largely based on simulations
that rely on generic mobility models and weak assumptions regarding user
behavior. For a realistic assessment, scenario-specific models are essential.
To this end, we conducted a large-scale field test of a set of emergency
services that relied solely on ad hoc communication. Over the course of one
day, we gathered data from smartphones distributed to 125 participants in a
scripted disaster event. In this paper, we present the scenario, the
measurement methodology, and a first analysis of the data. Our work provides
the first trace combining user interaction, mobility, and additional sensor
readings of a large-scale emergency response scenario, facilitating future
research.