Sławomir Jasek with research firm SecuRing is sounding an alarm over the growing number of Bluetooth devices used for keyless entry and mobile point-of-sales systems that are vulnerable to man-in-the-middle attacks. Jasek said the problem is traced back to devices that use the Bluetooth Low Energy (BLE) feature for access control. He said too often companies do not correctly implement the bonding and encryption protections offered in the standard. This shortcoming could allow attackers to clone BLE devices and gain unauthorized access to a physical asset when a smartphone is used as a device controller.
Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is designed to be power efficient and has been popular for transporting data between smartphones and IoT devices, smart homes, medical equipment and physical access control devices. Jasek presented his findings last week at Black Hat USA where he also introduced a BLE proxy tool, dubbed GATTacker, for detecting the presence of and exploiting the vulnerability. GATTacker can “see” data transferred between a smartphone used as a controller and a BLE device. It can also either clone the controller or capture and manipulate data transferred between the two BLE devices when certain conditions are met. “The BLE specification assures secure connections through link-layer encryption, device whitelisting and bonding… A surprising number of devices do not (or simply cannot – because of the use scenario) utilize these mechanisms,” said Jasek in a technical description of the vulnerability. He estimates 80 percent of those BLE smart devices are vulnerable to MitM attacks. That data transport layer within BLE is called the Generic Attribute Profile (GATT) layer which defines the way data is transferred. “The security (like authentication) is, in fact, provided on higher ‘application’ (GATT protocol) layer of the data exchanged between the “master” (usually mobile phone) and peripheral device,” Jasek wrote. Using GATTacker running on a Raspberry Pi computer, SecuRing is able to observe the scanning of specific broadcast signals between the “master” (for example a keyless locking system) and the controller (smartphone). The tool can clone the victim’s mobile BLE application. Next, it can forward and tamper exchanged data, acting as an intercepting proxy, Jasek explained. “Using a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original one, and then just proxy the traffic – without consent of the mobile app or device,” Jasek wrote. “Common flaws possible to exploit, including improper authentication, static passwords, not-so-random PRNG, excessive services, bad assumptions – which allow you to take over control of smart locks and disrupt a smart home.” Of course there is encryption to consider when paired devices transmit data. In order to initiate secure pairing between controller and a smart lock, for example, BLE has three methods of initiating the Bluetooth transmission called Just Works, Passkey Entry and Out of Band. According to the BLE specifications the “Just Works and Passkey Entry do not provide any passive eavesdropping protection.” Jasek explains in the case of Just Works the static PIN value used is: 000000. When a Passkey Entry PIN is used, he said, it can be brute-force cracked using the Crackle hacking tool. According to SecuRing a significant amount of devices do not implement the aforementioned security features properly. According to the researchers, 16 out of 20 devices reviewed were misconfigured allowing a hacker to use a tool such as GATTacker to perform a MitM attack. Still other access control devices that did use the BLE unencrypted layer used their own encryption solution to protect data on top of the Just Works and Passkey Entry layer. Those implementations were not common, according to SecuRing research. Jasek said other types of MiTM attacks can vary and are not just limited to breaking physical access controls. Using a cloned device, Jasek said, it would be possible to launch a denial-of-service attack against automated home features. In another scenario, a hacker could earn iBeacon-based customer loyalty points for visiting specific commercial stores without ever leaving their home. In another example, Jesek was able to perform a MitM attack against a point-of-sale system. In that example, even though he was not able to retrieve encrypted credit card data, he was able to spoof messages to the PoS system saying “transaction processed” or “transaction approved.” Jasek was one of several security researchers at this month’s Black Hat and DEF CON hacker conferences to expose flaws within the BLE protocol. At DEF CON, Anthony Rose and Ben Ramsey from Merculite Security also demonstrated how insecurities in BLE could be used to crack open smart locks. At last year’s Black Hat conference researchers demonstrated similar types of hacking tools for spoofing RFID proximity card readers to break physical access controls.