Bluetooth Security
#######################
RSSI
==========================================================
RSSI: received signal strength indication 信号强度
data rate
==========================================================
BR: basic rate
EDR: Enhance data rate
AMP: Alternate MAC/PHYs, 即HS高速连接
LE: Low Energy
device mode
==========================================================
discoverable mode: 设备周期性的监测是否有inquiry
connectable mode: 设备周期性的扫瞄是否有可用连接
inquiry
paging
advertising
Device Architecture
==========================================================
Host: GAP, SMP, ATT/GATT, SDP, L2CAP...
LE Controller: Link Manager/Controller (LLP)
BR/EDR Controller: Link Controller (LCP), Link Manager(LMP)
L2CAP: Logical Link Control and Adaptation Protocol
SDP: Service Discovery Protocol
topo
==========================================================
BR/EDR: 7 active slave devices, 255 inactive slave devices
LE: unlimited number of slaves ——扯。。。
security
==========================================================
主要考察:pairing, link key generation, authentication, confidentiality 信息
注意,蓝牙支持是设备层认证,而非用户层认证
设备双方pairing成功后,存储相关的shared secret keys,后续进入Bonding模式,复用这些keys,无需重复pairing。
BR/EDR/HS的安全指标:FIPS alg, MITM protection,user interaction during pairing, encryption
如果要求Device满足FIPS要求,则除Service Discovery场景之外,设备应在Secure Connections Only模式。
pairing & link key generation
==========================================================
pairing的核心是经过authentication,设备双方获得对称密钥(即LK/LTK)
LE: Long Term Key (LTK)
BR/EDR: Link Key (LK)
PIN/legacy Pairing
----------------------------------------------------
Legacy low energy pairing: 协商生成TK,基于TK+random生成 STK (Short Term Key),使用STK distribute Slave/Master LTK,也就是key transport
PIN Pairing: 基于PIN码派生Link Key——与secure connection不同。
Low Energy Pairing: 没有ECDH,无法防eavesdropping;能抓包就能破(除了OOB)。
secure simple pairing
----------------------------------------------------
Low Energy secure connection: ECDH协商生成LTK,key agreement;可以抵御eavesdropping
4种连接模式:
- Numeric Comparision(仅secure connection支持此模式):用户查看两个互联的设备显示的6位digit是否一致;注意,digit仅参与认证,不参与密钥派生,digit无需保密——可以抵御eavesdropping;可以抵御MITM(用户确认)
- Passkey Entry: 用户查看一个设备显示的digit,在另一个设备输入6位digit;注意,digit仅参与认证,不参与密钥派生,digit无需保密——可以抵御eavesdropping;可以抵御MITM(用户输入)
- Just Works: 两个互联设备无显示、无输入,直接连接;底层处理与Numeric Comparision类似——无法抵御MITM
- Out of Band (OOB): 通过NFC之类的外围设备,交换连接信息——可抵御MITM、eavesdropping
AMP Link Key
----------------------------------------------------
AMP LK从Bluetooth Link Key派生,HMAC-SHA256
device authentication
==========================================================
challenge-response模式,基于link key的机密性保证,challenge由verifier随机生成,由claimant提供证明
legacy authentication
----------------------------------------------------
e1 alg,基于link key, bd\_addr, rand计算出SRES(32 bit), ACO(06 bit)
SRES用于校验
ACO用于后续派生加密key
seucure authentication
----------------------------------------------------
基于双向bd\_addr, rand,结合link key计算SRES
注意两个方向的SRES不同
Master ACO用于后续派生加密key
confidentiality
==========================================================
mode 1: no encryption
mode 2: individual link keys 加密配对数据;广播数据不加密
mode 3: 所有数据用master link key加密
加密key记为K\_c,注意协商key size要有漏洞的
E0 Encryption alg
----------------------------------------------------
基于link key,结合COF值派生K\_c
COF:
- Master Link Key的场景,取`Addr_M || Addr_S`
- Individual Link Key的场景,取ACO
AES-CCM encryption alg
----------------------------------------------------
link key, `BD_ADDR`, btak(固定字串),ACO 派生AES KEY
fips alg
==========================================================
BR/EDR : P-256, HMAC-SHA256
LE: P-256, AES-CMAC
AES-CCM
LK & LTK
==========================================================
BR/EDR的 link key 可以与 LE的Long Term Key 相互派生,
结合设备双方的addr & random做派生,h6 aes-cmac-128
IRK ( Identity Resolving Key )
==========================================================
LE隐私feature支持,IRK用于map Resolvable Private Address (RPA) to an Identity Address
Identity Address: 随机固定地址,或者公共地址
开启RPA更新,即,周期性更换基于IRK+随机hash处理的地址
CSRK
==========================================================
没加密的数据流,可以用CSRK做一下MAC校验
LE legacy pairing: LTK/IRK/CSRK key transport
LE Secure Connection: LTK key agreement, IRK/CSRK key transport
Vulnerabilities
==========================================================
MITM protection (Just Work)
ECDH KEY太弱
passkey的随机性
降级攻击
蓝牙地址关联到个人
Link Key安全存储
Device Discoverable
Mitigation
==========================================================
security vs cost, performance, operational
security equipment, inconvenience, maintenance, operation
defense-in-depth
user authorize
application-level authentication/encryption
PKI, two-factor
不要太经常pairing
doc
==========================================================
- `NIST SP 800-121 Guide to BluetoothSecurity `_
- `Dialog SDK 5.0.x/6.0.x Tutorial Pairing, Bonding and Security `_
- `Understanding Bluetooth Security By Mark Loveless `_
- `Bluetooth security `_
- `Security Considerations For Bluetooth Smart Devices `_
- `Bluetooth's Complexity Has Become a Security Risk `_
- `Breaking BLE — Vulnerabilities in pairing protocols leave Bluetooth devices open for attack `_
- `ble-spec `_
- `Evaluation of Out-of-Band Channels for IoT Security `_
- `BLE Pairing and Bonding `_
- `Cryptographic Analysis of the Bluetooth Secure Connection Protocol Suite `_
- `Protecting Privacy of BLE Device Users `_
- `Bluetooth Low Energy - privacy enhancement for advertisement `_
- `Automatic Fingerprinting Of Vulnerable BLE IoT DevicesWith Static UUIDs From Mobile Apps `_
- `Bluetooth Security `_
- `Introduction to Bluetooth Low Energy `_
- `Finding Traceability Attacks in the Bluetooth Low Energy Specification and Its Implementations `_
- `The Long Journey of Exploiting and Defending the Legacy of King Haral `_