Bluetooth Smart (in)security: how to fight firmware attacks

When it comes to protecting users from data sniffing, Bluetooth Smart Secure Connections just doesn’t cut it.

Your firmware updates are just as vulnerable.

Firmware attacks have been around for almost two decades, and it’s well documented that devices built on Bluetooth Low Energy (BLE, also known as Bluetooth Smart and Bluetooth 4.x) are not airtight.

While it’s true that most of the traffic sent over BLE is innocuous, Smart devices frequently transmit private information and firmware updates that attackers can sniff with ease.

BLE Secure Connections relies on Just Works or a 6-digit PIN (or, less frequently, Out of Band pairing) to set up encryption for data sent over the air, but these are easily breached by sniffers who obtain the encryption keys while observing the initial connection between two devices. Malicious parties can also brute-force the PIN codes. Sniffers siphoning communications during an over-the-air firmware update can recover the code and rework it into a copycat device.

Bluetooth Low Energy security is just not good enough.

Just take a look at this Google Play user’s review of Context Information Security’s “Ramble” app, which lets you map broadcasting BLE devices:

Found hundreds of Bluetooth devices all nicely mapped with GPS coordinates…. Wondered how many, if any, utilize strong encryption. Then wondered if anyone could watch my Fitbit leave home then loot the place of devices and valuables of which they made a checklist. Wrapped myself in tin foil. (Five stars.)

I know what you mean, User. It’s a scary world out there. We can only hope that no one is that interested in our step counts or when we decide to turn on the AC. Or worse yet for developers – in copying our firmware.

But developers can fight against weak security.

To prevent data sniffing and brute-force attacks on firmware updates, developers must build on or circumvent standard BLE security. One solution is preloading devices with encryption keys so the keys never have to travel the airwaves. This method bypasses the built-in BLE security measures entirely and places firmware safety in the developer’s hands. Assuming the developer is not among the malicious parties, this is an effective solution for firmware updates.

There are limited options for secure bootloaders, but they empower developers to evade firmware thieves. Rigado’s RigDFU software, for example, lets users make secure changes to the firmware already on their devices using 128-bit AES end-to-end encryption with a user-supplied key. All devices incorporating Rigado’s BMD-200 BLE system-on-module have free access to RigDFU.
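As an added illustration of the pre-shared-key approach described in the two paragraphs above (this is example code written for this page, not Rigado’s RigDFU, whose on-air format is not described here), a hypothetical Go update path: the build toolchain encrypts the image under a 16-byte key provisioned at manufacture, and the bootloader refuses anything it cannot authenticate. It goes a step beyond plain AES encryption by using AES-128-GCM, so the image and a version header are authenticated as well, and a tampered, replayed or rolled-back package is rejected rather than flashed. The package layout, the key and the image are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Hypothetical OTA package layout: 4-byte big-endian version | 12-byte nonce |
// AES-128-GCM ciphertext+tag. The key is provisioned at manufacture and never travels.
const hdrLen = 4 + 12

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		panic(err) // key length is a build-time constant; a bad one is a config bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// SealFirmware runs in the build toolchain: encrypt the image and authenticate it
// together with the version header, so neither can be altered in transit.
func SealFirmware(key, image []byte, version uint32) ([]byte, error) {
	gcm := newGCM(key)
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr, version)
	if _, err := rand.Read(hdr[4:]); err != nil { // fresh nonce per package
		return nil, err
	}
	return gcm.Seal(hdr, hdr[4:], image, hdr[:4]), nil
}

// OpenFirmware runs in the bootloader: refuse truncated, rolled-back, tampered
// or wrong-key packages before a single plaintext byte reaches flash.
func OpenFirmware(key, pkg []byte, installed uint32) ([]byte, error) {
	if len(pkg) < hdrLen {
		return nil, errors.New("truncated package")
	}
	if binary.BigEndian.Uint32(pkg) <= installed {
		return nil, errors.New("rollback rejected")
	}
	image, err := newGCM(key).Open(nil, pkg[4:hdrLen], pkg[hdrLen:], pkg[:4])
	if err != nil {
		return nil, errors.New("authentication failed: image rejected")
	}
	return image, nil
}
```

Because the tag covers both the image and the version field, a sniffer who records an update can neither modify it nor re-send it under a higher version number; without the provisioned key the captured bytes reveal nothing about the code.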

As we await the spread of Bluetooth 4.2-enabled devices with improved security features, there’s little we can do for live BLE communication but be wary of what we share. Meanwhile, there is no need to give up hope: developers are at least able to update their firmware securely. You can still be the master of your firmware’s destiny.