
BlueSWAT: A Lightweight State-Aware Security Framework for Bluetooth Low Energy (2405.17987v1)

Published 28 May 2024 in cs.CR

Abstract: Bluetooth Low Energy (BLE) is a short-range wireless communication technology for resource-constrained IoT devices. Unfortunately, BLE is vulnerable to session-based attacks, in which earlier packets construct the exploitable conditions that later packets use to compromise a connection. Defending against session-based attacks is challenging because each step in the attack sequence is legitimate when inspected individually. In this paper, we present BlueSWAT, a lightweight state-aware security framework for protecting BLE devices. To perform inspection at the session level rather than on individual packets, BlueSWAT uses a finite state machine (FSM) to monitor the sequence of actions on each connection at runtime. Patterns of session-based attacks are modeled as malicious transition paths in the FSM. To cope with the heterogeneity of IoT devices, we develop a lightweight eBPF framework that allows the same patch to be distributed across different BLE architectures and stacks without requiring a device reboot. We implement BlueSWAT on 5 real-world devices with different chips and stacks to demonstrate its cross-device adaptability. On our dataset of 101 real-world BLE vulnerabilities, BlueSWAT can mitigate 76.1% of session-based attacks, outperforming other defense frameworks. In our end-to-end application evaluation, BlueSWAT patches introduce an average of 0.073% memory overhead and negligible latency.
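The abstract's key point is that session-based attacks are only visible when packets are judged against the connection's history, so the monitor must carry state across packets. The C sketch below is an added illustration of that idea and is not BlueSWAT's code or any code from the paper. The states, the event set, and the two malicious transition paths it encodes (a second pairing request arriving while pairing is already in progress, and a write to an encryption-required attribute on a link that was reconnected but not yet re-encrypted) are simplified assumptions chosen for illustration, not the paper's rule set, and the three packet traces are constructed. Every packet in each trace is individually well-formed; only the path through the FSM distinguishes the attack traces from the benign one.

```c
/* Added example: session-level (stateful) inspection of a BLE connection.
 * Not BlueSWAT's code. State model, events and rules are simplified
 * assumptions for illustration; the traces below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Per-link connection states tracked by the monitor (assumed, simplified). */
typedef enum { ST_IDLE, ST_CONNECTED, ST_PAIRING, ST_ENC_PENDING, ST_ENCRYPTED } state_t;

/* Link-layer / SMP / ATT events the monitor observes (assumed subset). */
typedef enum {
    EV_LL_CONNECT, EV_SMP_PAIRING_REQ, EV_SMP_PAIRING_DONE,
    EV_LL_ENC_REQ, EV_LL_START_ENC, EV_ATT_WRITE, EV_LL_DISCONNECT
} event_t;

typedef struct {
    event_t ev;
    bool needs_enc;   /* EV_ATT_WRITE only: target attribute requires an encrypted link */
} pkt_t;

typedef struct {
    state_t st;
    bool have_key;    /* a key was established by pairing (bond survives disconnect) */
} session_t;

/* Inspect one packet in the context of its session. Returns true if the packet
 * is allowed (and advances the FSM), false if it completes a transition path
 * modelled as malicious; on false the state is left unchanged so the caller
 * can drop the packet or tear the link down. */
bool inspect(session_t *s, const pkt_t *p)
{
    switch (p->ev) {
    case EV_LL_CONNECT:
        if (s->st != ST_IDLE) return false;          /* connect on a live link */
        s->st = ST_CONNECTED; return true;
    case EV_SMP_PAIRING_REQ:
        /* Legitimate on its own; a second request while pairing is already in
         * progress is the modelled malicious path (re-entrant pairing). */
        if (s->st != ST_CONNECTED) return false;
        s->st = ST_PAIRING; return true;
    case EV_SMP_PAIRING_DONE:
        if (s->st != ST_PAIRING) return false;
        s->st = ST_CONNECTED; s->have_key = true; return true;
    case EV_LL_ENC_REQ:
        /* Encryption can only be requested once a key exists on this link. */
        if (s->st != ST_CONNECTED || !s->have_key) return false;
        s->st = ST_ENC_PENDING; return true;
    case EV_LL_START_ENC:
        if (s->st != ST_ENC_PENDING) return false;   /* out-of-order start */
        s->st = ST_ENCRYPTED; return true;
    case EV_ATT_WRITE:
        if (s->st == ST_IDLE) return false;
        /* The write itself is valid; it is malicious only because the session
         * never reached ST_ENCRYPTED (e.g. after a reconnection). */
        if (p->needs_enc && s->st != ST_ENCRYPTED) return false;
        return true;
    case EV_LL_DISCONNECT:
        s->st = ST_IDLE; return true;                /* bond (have_key) persists */
    }
    return false;
}

/* Run a whole trace through a fresh session. Returns the number of blocked
 * packets and stores the index of the first one (or -1) in *first_blocked. */
int run_trace(const pkt_t *trace, size_t n, int *first_blocked)
{
    session_t s = { ST_IDLE, false };
    int blocked = 0;
    *first_blocked = -1;
    for (size_t i = 0; i < n; i++) {
        if (!inspect(&s, &trace[i])) {
            if (*first_blocked < 0) *first_blocked = (int)i;
            blocked++;
        }
    }
    return blocked;
}

/* Constructed trace 1: benign pairing, encryption, protected write, disconnect. */
const pkt_t benign[] = {
    { EV_LL_CONNECT, false }, { EV_SMP_PAIRING_REQ, false }, { EV_SMP_PAIRING_DONE, false },
    { EV_LL_ENC_REQ, false },  { EV_LL_START_ENC, false },   { EV_ATT_WRITE, true },
    { EV_LL_DISCONNECT, false },
};
const size_t benign_len = sizeof benign / sizeof benign[0];

/* Constructed trace 2: same session, then a reconnection followed by a write to
 * an encryption-required attribute before encryption is re-established. */
const pkt_t reconnect_attack[] = {
    { EV_LL_CONNECT, false }, { EV_SMP_PAIRING_REQ, false }, { EV_SMP_PAIRING_DONE, false },
    { EV_LL_ENC_REQ, false },  { EV_LL_START_ENC, false },   { EV_ATT_WRITE, true },
    { EV_LL_DISCONNECT, false }, { EV_LL_CONNECT, false },   { EV_ATT_WRITE, true },
};
const size_t reconnect_attack_len = sizeof reconnect_attack / sizeof reconnect_attack[0];

/* Constructed trace 3: a second pairing request arriving mid-pairing. */
const pkt_t reentrant_pairing[] = {
    { EV_LL_CONNECT, false }, { EV_SMP_PAIRING_REQ, false }, { EV_SMP_PAIRING_REQ, false },
};
const size_t reentrant_pairing_len = sizeof reentrant_pairing / sizeof reentrant_pairing[0];

int main(void)
{
    int fb;
    printf("benign:    blocked=%d first=%d\n", run_trace(benign, benign_len, &fb), fb);
    printf("reconnect: blocked=%d first=%d\n", run_trace(reconnect_attack, reconnect_attack_len, &fb), fb);
    printf("reentrant: blocked=%d first=%d\n", run_trace(reentrant_pairing, reentrant_pairing_len, &fb), fb);
    return 0;
}
```

A stateless filter that looked at each packet in isolation would pass every packet in all three traces, which is exactly the gap the abstract describes. Note that the monitor keeps `have_key` across a disconnect because a bond outlives the link, but it resets the state to `ST_IDLE`, so a reconnected peer has to walk through `EV_LL_ENC_REQ` and `EV_LL_START_ENC` again before any protected write is accepted.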
