BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals

Xu, Fenghao; Diao, Wenrui; Zhou, Li; Chen, Jiongyi; Zhang, Kehuan

doi:10.14722/ndss.2019.23482

Cited by 29 publications

(10 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Due to system complexity and requirements, software and hardware security remain fundamentally difficult, with extensive vulnerabilities reported in each iteration of devices [14,68] and in their wired [69][70][71][72] and wireless [73,74] peripherals. Data extraction tools rely on these vulnerabilities [5,14,64] and have remained successful in practice [14,21,22,31], therefore our analysis focuses squarely on what confidentiality remains when these protections are bypassed.…”

Section: Threat Modelmentioning

confidence: 99%

SoK: Cryptographic Confidentiality of Data on Mobile Devices

Zinkus

Jois

Green

2021

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Mobile devices have become an indispensable component of modern life. Their high storage capacity gives these devices the capability to store vast amounts of sensitive personal data, which makes them a high-value target: these devices are routinely stolen by criminals for data theft, and are increasingly viewed by law enforcement agencies as a valuable source of forensic data. Over the past several years, providers have deployed a number of advanced cryptographic features intended to protect data on mobile devices, even in the strong setting where an attacker has physical access to a device. Many of these techniques draw from the research literature, but have been adapted to this entirely new problem setting. This involves a number of novel challenges, which are incompletely addressed in the literature. In this work, we outline those challenges, and systematize the known approaches to securing user data against extraction attacks. Our work proposes a methodology that researchers can use to analyze cryptographic data confidentiality for mobile devices. We evaluate the existing literature for securing devices against data extraction adversaries with powerful capabilities including access to devices and to the cloud services they rely on. We then analyze existing mobile device confidentiality measures to identify research areas that have not received proper attention from the community and represent opportunities for future research.

show abstract

Section: Threat Modelmentioning

confidence: 99%

SoK: Cryptographic Confidentiality of Data on Mobile Devices

Zinkus

Jois

Green

2021

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…(ii) The attacker cannot physically access and unlock the mobile. (iii) Our attacks do not need malicious apps installed on the mobile, one difference to many other attacks which require malicious apps for Bluetooth exploitation [5,14,36,37]. (iv) Before the attack, the Android mobile and its peer device are paired using secure pairing protocols such as the Passkey Entry and Numerical Comparison.…”

Section: Threat Modelmentioning

confidence: 99%

“…We have implemented a prototype on Android 8 through the Android Open Source Project (AOSP) [25]. Please note co-located attacks through malwares are addressed in [5,14,36,37] and are out of the scope of this work.…”

Section: Countermeasuresmentioning

confidence: 99%

“…We address pairing security in this paper. Muhammad Naveed et al [14], Xu et al [5] and Sivakumaran et al [36,37] also addressed Bluetooth security but not on the pairing process. Comparison for BLE devices.…”

Section: Related Workmentioning

confidence: 99%

“…The latest BLE 4.2 [2] and 5.x [3] add the new Secure Connections Only mode for BLE enabled devices to address vulnerabilities found in previous Bluetooth pairing protocols [5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]. Man-in-the-middle (MITM) attacks in [19,20] work against Bluetooth Secure Simple Pairing (SSP) of Bluetooth Classic 2.1 and 3.0, in which two Bluetooth devices under SSP use only I/O capabilities (such as display and keyboard) to determine the pairing protocol.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the (In)security of Bluetooth Low Energy One-Way Secure Connections Only Mode

Zhang¹,

Weng²,

Dey³

et al. 2019

Preprint

View full text Add to dashboard Cite

To defeat security threats such as man-in-the-middle (MITM) attacks, Bluetooth Low Energy (BLE) 4.2 and 5.x introduce the Secure Connections Only mode, under which a BLE device accepts only secure paring protocols including Passkey Entry and Numeric Comparison from an initiator, e.g., an Android mobile. However, the BLE specification does not explicitly require the Secure Connection Only mode of the initiator. Taking the Android's BLE programming framework for example, we found that it cannot enforce secure pairing, invalidating the security protection provided by the Secure Connection Only mode. The same problem applies to Apple iOS too.Specifically, we examine the life cycle of a BLE pairing process in Android and identify four severe design flaws. These design flaws can be exploited by attackers to perform downgrading attacks, forcing the BLE pairing protocols to run in the insecure mode without the users' awareness. To validate our findings, we selected and tested 18 popular BLE commercial products and our experimental results proved that downgrading attacks and MITM attacks were all possible to these products. All 3501 BLE apps from Androzoo are also subject to these attacks. For defense, we have designed and implemented a prototype of the Secure Connection Only mode on Android 8 through the Android Open Source Project (AOSP). We have reported the identified BLE pairing vulnerabilities to Bluetooth Special Interest Group (SIG), Google, Apple, Texas Instruments (TI) and all of them are actively addressing this issue. Google rated the reported security flaw a High Severity.

show abstract