![Page 1: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/1.jpg)
Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks
Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin, and Xinwen Fu
Track 1: Wireless Security
![Page 2: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/2.jpg)
Bluetooth Low Energy (BLE) and IoT
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Low Cost Large Coverage
1/13
Client Server
Client Server
Internet
IoT devices
Attribute Protocol (ATT) Client/Server mode
Bluetooth Low Energy
![Page 3: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/3.jpg)
Bluetooth Low Energy (BLE) and IoT
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Low Cost Large Coverage
1/13
Client Server
Client Server
Internet
IoT devices
Attribute Protocol (ATT) Client/Server mode
Bluetooth Low Energy
TLS/SSL
Pairing
![Page 4: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/4.jpg)
Bluetooth Low Energy (BLE) and IoT
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Low Cost Large Coverage
1/13
Client Server
Client ServerIoT devices
Attribute Protocol (ATT) Client/Server mode
Bluetooth Low Energy
TLS/SSL(Mutual
Authentication)
Pairing
![Page 5: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/5.jpg)
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App1.Start pairing
2/13
![Page 6: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/6.jpg)
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2. Pairing feature exchange
1.Start pairing
2/13
![Page 7: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/7.jpg)
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2. Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Pairing method1
Pairing method: Just Works, Passkey EntryNumeric Comparison, Out of Band
2/13
![Page 8: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/8.jpg)
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
2. Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Pairing method1
Pairing method: Just Works, Passkey EntryNumeric Comparison, Out of Band
2/13
![Page 9: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/9.jpg)
General Workflow of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2. Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Pairing method1
Pairing method: Just Works, Passkey EntryNumeric Comparison, Out of Band
2/13
![Page 10: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/10.jpg)
Security Levels of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Security Levels:
➢ None (Plaintext)
➢ Encrypted (Just Works)
➢ Authenticated (Passkey Entry or Numeric Comparison)
➢ Secure Connections Only (SCO) mode (Enforced Passkey Entry or Numeric Comparison)
3/13
![Page 11: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/11.jpg)
Security Levels of BLE Pairing
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
3/13
Security Levels:
➢ None (Plaintext)
➢ Encrypted (Just Works)
➢ Authenticated (Passkey Entry or Numeric Comparison)
➢ Secure Connections Only (SCO) mode (Enforced Passkey Entry or Numeric Comparison)
![Page 12: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/12.jpg)
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4/13
![Page 13: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/13.jpg)
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4/13
![Page 14: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/14.jpg)
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4/13
![Page 15: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/15.jpg)
Our Observation
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
2.Pairing feature exchange
1.Start pairing
3. Authentication and encryption
Just Works
4. Disconnect
4. Communication
4/13
![Page 16: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/16.jpg)
Required Four Capabilities at Initiator
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
5/13
![Page 17: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/17.jpg)
Required Four Capabilities at Initiator - Initiation Stage
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
1.Start pairing Capability (1) : Specify a secure pairing method
5/13
![Page 18: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/18.jpg)
Required Four Capabilities at Initiator – Status management
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
Capability (1) : Specify a secure pairing method
5/13
![Page 19: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/19.jpg)
Required Four Capabilities at Initiator – Errors Handling
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
6. Errors may occur
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
5/13
![Page 20: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/20.jpg)
Required Four Capabilities at Initiator – Bond Management
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
LTKLTK Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
6. Errors may occur
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
5/13
![Page 21: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/21.jpg)
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
Capability (2) : Enforce the secure pairing method and notify the app
LTKLTK Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
6. Errors may occur
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
5/13
![Page 22: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/22.jpg)
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
OS handles pairing events in a compatible way without enforcing secure pairing
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
5/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
![Page 23: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/23.jpg)
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
OS handles pairing events in a compatible way without enforcing secure pairing
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4 5/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
![Page 24: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/24.jpg)
No SCO mode at Initiator is Cause of Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
OS handle pairing events in a compatible way without enforcing secure pairing
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4 5/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
![Page 25: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/25.jpg)
Threat model
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS App
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
![Page 26: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/26.jpg)
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS App
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
Fake Device
1.Impersonate the victim device and deploy attacks
against the mobile
6/13
![Page 27: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/27.jpg)
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS AppFake Device
1.Impersonate the victim device and deploy attacks
against the mobile
Fake Mobile
2.Use the stolen information (i.e., IRK)
to create a Fake mobile
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
![Page 28: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/28.jpg)
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS AppFake Device
1.Impersonate the victim device and deploy attacks
against the mobile
Fake Mobile
2.Use the stolen information (i.e., IRK)
to create a Fake mobile3. deploy attacks
against the device
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
![Page 29: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/29.jpg)
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device Mobile/OS AppFake Device
1.Impersonate the victim device and deploy attacks
against the mobile
Fake Mobile
2.Use the stolen information (i.e., IRK)
to create a Fake mobile3. deploy attacks
against the device
Downgraded communication (Just Works, Plaintext)
Paired with a secure pairing method (Passkey Entry/Numeric Comparison)
6/13
![Page 30: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/30.jpg)
Downgrade Attacks
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Attacks against Initiators Attacks against Devices
Fake data injection Passive eavesdropping
Sensitive data stealing Whitelist bypassing
IRK stealing Data manipulation
DoS attack Man-in-the-Middle
7/13
![Page 31: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/31.jpg)
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4 8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
![Page 32: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/32.jpg)
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry
LTKLTK
6. Errors may occur
Flaw 1
Flaw 2
Flaw 3
Flaw 4
Passkey Entry
8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
![Page 33: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/33.jpg)
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry
LTKLTK
6. Errors may occur
Passkey Entry
8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
![Page 34: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/34.jpg)
Enabling the SCO mode
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Device OS App
4. Key distribution (e.g. IRK)
5. Encrypted communication
2.Pairing feature exchange
3. Authentication and encryption
1.Start pairing
LTKLTK Passkey Entry
LTKLTK
6. Errors may occur
Passkey Entry
8/13
Capability (2) : Enforce the secure pairing method and notify the app
Capability (4) : Remove thebroken LTK so as to start a newsecure pairing process
Capability (1) : Specify a secure pairing method
Capability (3) : Allow app handle errors
![Page 35: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/35.jpg)
Attacks against Initiator
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Flaws across OSesTested Android mobiles
9/13
![Page 36: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/36.jpg)
Attacks beyond Initiator
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
The Tested BLE devicesMITM attack against BLE keyboards
10/13
![Page 37: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/37.jpg)
Attacks beyond Initiator (cont’d)
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Maximal attack distance Success rate vs. advertising frequency
11/13
CD
F
![Page 38: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/38.jpg)
Countermeasures
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Android 8.0
12/13
![Page 39: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/39.jpg)
Summary
Introduction SCO Mode Design Flaws Downgrade Attacks Countermeasures Evaluation Summary
Downgrade Attacks
➢ No mutual authentication: SCO mode is not enforcedfor the pairing initiator, e.g., a mobile
➢ Enabling SCO: Four capabilities is required at initiator;➢ Mutual authentication: SCO mode must be mutually
enforced so as to achieve the strongest security
Impact of Downgrade Attacks
➢ Initiators: Android, iOS, macOS, Windows, Linux are subject to our attacks
➢ Devices: We analysed 18 BLE devices; none of them are secure;
13/13
![Page 40: Breaking Secure Pairing of Bluetooth Low Energy …Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Yue Zhang, Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin,](https://reader035.vdocuments.us/reader035/viewer/2022071004/5fc0e96ffee64e00e67c5ba7/html5/thumbnails/40.jpg)
Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks
Yue Zhang [email protected]
Joint work w/ Jian Weng, Rajib Dey , Yier Jin, Zhiqiang Lin, and Xinwen Fu
THANK YOU !