Monthly Archives: July 2014

Bluetooth Low Energy a Market Catalyst with a Major Security Flaw

By: Jonah McLeod, Dir. of Corp. Mkt. Comm. at Kilopass Technology Inc.

The surge in interest in wearable devices has put a spotlight on Bluetooth Low Energy (LE), the communications mechanism that lets these devices connect to the user’s mobile phone. The “LE” suffix matters because these devices can operate for a week or more on a single battery charge. As a result, mobile-phone-linked devices are beginning to flood the market, helped along by the component chain that has sprung up around Bluetooth LE: semiconductor chips, development boards, and software stacks. A product developer can thus write a software application such as heart rate monitoring, design a package to hold the device, and start marketing and selling the product. However, in the wild west of Bluetooth LE, security is the one element in the chain everyone seems to be ignoring.

At the origin of this chain are the semiconductor chips. Dave Bursky provided a list of the more recent offerings in his Chip Design Magazine article Wearable Technologies Meet Bluetooth Low Energy. “At the recent Bluetooth World Conference held in San Jose, Calif.,” Bursky wrote, “Broadcom, CSR, Dialog Semiconductor, EM Microelectronic, Nordic Semiconductor and Texas Instruments all highlighted their BT Smart (low-energy) solutions. One of the newest solutions, the DA14580 from Dialog, is a highly integrated Bluetooth chip that incorporates an ARM® Cortex®-M0 32-bit processor core to handle both control operations as well as executing the Bluetooth software stack, thus eliminating the need for a second microcontroller.”

With this complete chip solution the OEM writes the software for the end product: fitness monitor, heart and respiratory rate checker, continuous glucose monitor, among others. Even this can be outsourced to companies such as Elektrobit Corp. The company provides rapid prototypes for market validation and turnkey engineering services from early engineering to after-market services. The company has developed several wearable product concepts and/or prototypes ranging from wrist worn devices to head mounted products.

Before getting the product to market, the more difficult task is stopping hackers from stealing the software code to create a clone of a particularly successful product, or from altering the product for a malicious purpose. And Bluetooth LE is very vulnerable to being hacked. Mike Ryan, an analyst with iSEC Partners, detailed at the CanSecWest conference on Mar 14, 2014 how easy it was to (1) sniff a Bluetooth LE connection, (2) connect to it, (3) dump Host Controller Interface (HCI) commands, (4) disassemble the code and (5) clone the device.

To find a vulnerable connection, hackers can use the Ubertooth sniffer, an open source Bluetooth test tool developed by Michael Ossmann. The hardware and software can be purchased for less than $200. The sniffer detects a Bluetooth LE transmission and enables the user to determine its frequency-hopping sequence. Then, Ryan says, the “crackle” tool breaks the Bluetooth LE encryption by exploiting a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.

Other easily accessible tools for hacking a Bluetooth LE device that Ryan featured in his CanSecWest 2014 presentation included “gatttool”, a simple Linux tool used to manipulate the Bluetooth LE Generic Attribute (GATT) protocol. A third tool Ryan mentions is the hcidump utility, available as an Ubuntu package. It monitors Bluetooth activity and decodes the captured Bluetooth traffic, including packets from higher-level protocols such as Radio Frequency Communication (RFCOMM), the Service Discovery Protocol (SDP) and the Bluetooth Network Encapsulation Protocol (BNEP).

In his CanSecWest 2014 presentation, Ryan detailed the three levels of Bluetooth LE pairing that establish the encryption key: (1) “just works”, (2) a 6-digit personal identification number (PIN), and (3) the more secure out-of-band method. The first two are easily circumvented. The third requires more sophisticated methods to break, but all are within the realm of possibility using the crackle tool. Though Ryan has made this Bluetooth LE vulnerability public, the problem has yet to be addressed.
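As an added example (not code from the article or from Ryan's tools), the following Python decodes the SMP Pairing Request and Pairing Response that open an LE legacy pairing and reports which of the three modes above the connection will use, together with the size of the temporary-key (TK) space a passive eavesdropper would have to search. The PDU layout is the standard SMP one; the mode-selection rule is a reduction of the specification's IO-capability table for legacy pairing; the sample PDUs are constructed.

```python
from dataclasses import dataclass

# IO capability codes carried in the SMP Pairing Request/Response PDU.
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}

@dataclass
class PairingPdu:
    io_cap: int
    oob: bool          # OOB data flag
    mitm: bool         # AuthReq bit 2: MITM protection requested
    max_key_size: int  # maximum encryption key size in bytes, 7..16

def parse_pairing_pdu(raw: bytes) -> PairingPdu:
    """Decode a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02):
    code, IO capability, OOB flag, AuthReq, max key size, init/resp key dist."""
    if len(raw) != 7 or raw[0] not in (0x01, 0x02):
        raise ValueError("not an SMP pairing request/response")
    if raw[1] not in IO_CAPS or raw[2] not in (0x00, 0x01):
        raise ValueError("reserved IO capability or OOB flag value")
    if not 7 <= raw[4] <= 16:
        raise ValueError("max encryption key size out of range")
    return PairingPdu(raw[1], raw[2] == 0x01, bool(raw[3] & 0x04), raw[4])

def legacy_pairing_mode(req: PairingPdu, rsp: PairingPdu) -> str:
    """Legacy-pairing mode selection: the spec's IO-capability table reduced
    to a rule that gives the same answer for every initiator/responder pair."""
    if req.oob and rsp.oob:
        return "Out of Band"
    if not (req.mitm or rsp.mitm):
        return "Just Works"  # neither side asked for MITM: IO caps ignored
    caps = {IO_CAPS[req.io_cap], IO_CAPS[rsp.io_cap]}
    if "NoInputNoOutput" in caps or caps <= {"DisplayOnly", "DisplayYesNo"}:
        return "Just Works"
    return "Passkey Entry"

# Size of the TK space an eavesdropper must search for each mode.
TK_SPACE = {"Just Works": 1, "Passkey Entry": 10**6, "Out of Band": 2**128}

def assess_pairing(req_raw: bytes, rsp_raw: bytes) -> dict:
    """Report mode, TK search space and negotiated key size; flag the link
    as weak unless it uses OOB pairing with a full 16-byte key."""
    req, rsp = parse_pairing_pdu(req_raw), parse_pairing_pdu(rsp_raw)
    mode = legacy_pairing_mode(req, rsp)
    key_bytes = min(req.max_key_size, rsp.max_key_size)
    return {"mode": mode, "tk_space": TK_SPACE[mode], "key_bytes": key_bytes,
            "weak": mode != "Out of Band" or key_bytes < 16}

# Constructed sample: a phone (KeyboardDisplay, bonding+MITM) pairs with a
# wearable that has no input or output, so the link falls back to Just Works.
PHONE_REQ = bytes([0x01, 0x04, 0x00, 0x05, 0x10, 0x01, 0x01])
WEARABLE_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])
```

Run `assess_pairing(PHONE_REQ, WEARABLE_RSP)` to see that the sample exchange yields Just Works with a TK space of one value, which is exactly the condition the article describes as trivially decryptable.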

The OEM developing the next hot wearable device faces the twin problems of having its design cloned as soon as it ships and having its software hacked to perform functions it wasn’t meant to do. The prime example of the latter is detailed in the paper “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.” It details the ease with which implantable medical devices can be monitored and their function altered. To address both problems, higher levels of encryption are needed. Getting the Bluetooth standards organization motivated to raise the level of encryption will require concerted pressure from OEMs participating in the group.

In addition, one-time programmable (OTP) antifuse memory such as that supplied by Kilopass has provided a secure storage mechanism for the encryption keys used by most major set top box (STB) manufacturers. Applying to Bluetooth LE an encryption scheme similar to that used in STBs, and storing the key in tamper-proof OTP memory, could greatly improve Bluetooth LE security.