Bluetooth Low Energy (BLE) is a fast-growing wireless technology with a large
number of potential use cases, particularly in the IoT domain. Increasingly,
these use cases require sensitive user data or critical device controls to be
stored on the BLE device and accessed by a companion mobile application.
Uncontrolled access to such data could violate user privacy, cause a device to
malfunction, or even endanger lives. The BLE standard provides security
mechanisms such as pairing and bonding so that only authenticated devices can
access protected data. In this paper we show how unauthorized co-located Android
applications can access pairing-protected BLE data without the user's
knowledge: pairing and bonding authenticate the phone to the peripheral, not
the individual application running on the phone, so any application with the
Bluetooth permission can use the bonded link. We discuss mitigation strategies
in terms of the various stakeholders involved in this ecosystem, and argue that
at present the only option available for securing BLE data is for BLE
developers to implement remedial measures in the form of application-layer
security between the BLE device and the Android application. We introduce
BLECryptracer, a tool for identifying the presence of such application-layer
security, and present the results of a large-scale static analysis over 18,900+
BLE-enabled Android applications. Our findings indicate that over 45% of these
applications do not implement measures to protect BLE data, and that
cryptography is sometimes applied incorrectly in those that do. This implies
that a potentially large number of corresponding BLE peripheral devices are
vulnerable to unauthorized data access.

Comment: The % Downloads line graph (Fig-7) in v2 of this paper is inaccurate,
as we do not have install counts per version of an application. It has been
removed in this version [v3] of the paper.
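The abstract's remedy is application-layer security between the app and the peripheral, layered on top of pairing. The following is an added example written for this page, not code from the paper or from BLECryptracer, and not a description of any app the paper analysed. It assumes a 32-byte application key provisioned out-of-band to exactly one mobile app and its peripheral (for instance at onboarding), and a per-direction send counter on both sides. To stay runnable with the Python standard library it uses HMAC-SHA256 as a PRF in counter mode for confidentiality plus an encrypt-then-MAC tag; a deployment would use AES-GCM or ChaCha20-Poly1305 from a vetted library instead. The scenario it plays out is the one the abstract describes: a co-located app on the same bonded phone can write to the characteristic, but without the app key its forged, tampered and replayed values are rejected.

```python
import hmac
import hashlib
import struct

KEY_LEN = 32
CTR_LEN = 4    # per-direction send counter; doubles as the nonce
TAG_LEN = 16   # truncated HMAC-SHA256 tag
# Note: CTR_LEN + TAG_LEN = 20 bytes of overhead, so the sender must negotiate
# an ATT MTU above the 23-byte default (or use long writes) for real payloads.


def _subkey(app_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key (enc or mac) from the provisioned app key."""
    return hmac.new(app_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: PRF(enc_key, counter || block)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">II", counter, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(app_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Build the value the companion app writes to the GATT characteristic:
    counter || ciphertext || tag (encrypt-then-MAC over counter and ciphertext)."""
    if len(app_key) != KEY_LEN:
        raise ValueError("app key must be %d bytes" % KEY_LEN)
    header = struct.pack(">I", counter)
    ks = _keystream(_subkey(app_key, b"enc"), counter, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(app_key, b"mac"), header + ct,
                   hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


class Peripheral:
    """Receiving side: verifies the tag, rejects replays, then decrypts.
    Any app on the bonded phone can reach open(); only the app holding
    app_key can produce a value it accepts."""

    def __init__(self, app_key: bytes):
        self.enc_key = _subkey(app_key, b"enc")
        self.mac_key = _subkey(app_key, b"mac")
        self.last_counter = -1

    def open(self, value: bytes) -> bytes:
        if len(value) < CTR_LEN + TAG_LEN:
            raise ValueError("short write")
        header, ct, tag = value[:CTR_LEN], value[CTR_LEN:-TAG_LEN], value[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ct,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise ValueError("bad tag: not from the provisioned app")
        (counter,) = struct.unpack(">I", header)
        if counter <= self.last_counter:             # replay or reordering
            raise ValueError("replay")
        self.last_counter = counter
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, counter, len(ct))))


def demo() -> dict:
    """Constructed scenario: one provisioned app and one co-located app sharing
    the same bonded phone. Returns the peripheral's verdict for each write."""
    app_key = bytes(range(KEY_LEN))   # constructed for the example only
    lock = Peripheral(app_key)
    results = {}

    # 1. The provisioned companion app sends a command.
    wire = seal(app_key, 1, b"UNLOCK")
    results["legit"] = lock.open(wire)

    # 2. A co-located app has the bonded link but no app key; it forges a write.
    try:
        lock.open(seal(b"\x00" * KEY_LEN, 2, b"UNLOCK"))
        results["forged"] = "accepted"
    except ValueError as e:
        results["forged"] = str(e)

    # 3. The co-located app replays a value it observed on the characteristic.
    try:
        lock.open(wire)
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)

    # 4. It flips a ciphertext byte of a captured write to change the command.
    tampered = bytearray(seal(app_key, 3, b"LOCK"))
    tampered[CTR_LEN] ^= 0x01
    try:
        lock.open(bytes(tampered))
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)

    # 5. The provisioned app continues normally; the failed writes did not
    #    advance the peripheral's counter.
    results["next"] = lock.open(seal(app_key, 3, b"LOCK"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points matter for the "cryptography applied incorrectly" finding in the abstract: the tag covers the counter as well as the ciphertext, so an attacker cannot splice a fresh counter onto an old ciphertext, and the tag is checked before the counter is consumed, so a rejected write never advances the peripheral's replay window.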