Through the sword of air – Hacking Bluetooth 4.0 BLE Protocol

Jin Yang, Senior Security Researcher, ThreatBook

The Bluetooth Low Energy (BLE) protocol has become the most commonly used short-range wireless communication technology for IoT devices and smart hardware, and people are paying more and more attention to its security. It is estimated that there are 8 billion devices worldwide using the BLE protocol, including our most commonly used smart phones, cars, smart watches, smart home appliances, industrial control devices, medical devices and so on. This number is still increasing day by day.

Just when I wrote this abstract, the “BlueBorne” security issue was disclosed. It is not one vulnerability but eight Bluetooth vulnerabilities, four of which are of high severity. This shows that BlueBorne is very powerful, and it can attack Apple iOS, Android, Windows and Linux.

The “BlueBorne” issue: https://www.armis.com/blueborne/

Conventional attacks target personal computers and servers; combined with BLE protocol attack techniques, they can reach nearby BLE devices through the Bluetooth chips of compromised hosts. The BLE protocol is a perfect air bridge!

If there were no such BlueBorne vulnerabilities, would devices that use the BLE protocol be safe? The answer is no. My talk will show how BLE devices can be attacked even when there is no vulnerability.

The first part introduces the fundamentals of the BLE protocol: the BLE protocol stack, the frequency hopping technique used by BLE, the advertising (broadcast) mode and the data communication (connection) mode.

The second part analyses frequency hopping in advertising mode and in data communication mode, and walks through the most important advertising packets. This part also presents a complete BLE connection and communication sequence.
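To make the two link-layer concepts named above concrete, here is an added example (not code from the talk or from ThreatBook) that models them in Python: the BLE 4.0 channel plan with the channel selection algorithm a connection uses to hop across the 37 data channels, and a parser for the AD structures that advertising packets carry. The hop increment, channel map and advertising payload used below are constructed values for illustration; the channel-to-frequency mapping and the AD type codes follow the public Bluetooth Core specification.

```python
"""Toy model of two BLE 4.0 link-layer basics (added example, not the talk's code):
- the radio channel plan and channel selection algorithm #1 (the hop sequence
  a data connection follows),
- a parser for the AD structures carried in an advertising payload.
All sample inputs below are constructed for illustration."""

ADV_CHANNELS = (37, 38, 39)  # advertising channels sit between the data channels


def channel_to_mhz(ch: int) -> int:
    """Map a BLE channel index (0-39) to its centre frequency in MHz."""
    if ch == 37:
        return 2402
    if ch == 38:
        return 2426
    if ch == 39:
        return 2480
    if 0 <= ch <= 10:
        return 2404 + 2 * ch          # data channels 0-10 lie below channel 38
    if 11 <= ch <= 36:
        return 2428 + 2 * (ch - 11)   # data channels 11-36 lie above channel 38
    raise ValueError(f"invalid BLE channel {ch}")


def hop_sequence(hop_increment: int, channel_map: int, count: int) -> list:
    """Channel selection algorithm #1 (BLE 4.x).

    channel_map is a 37-bit mask (bit k set => data channel k is usable).
    The unmapped channel starts at 0 when the connection is created and
    advances by hop_increment (mod 37) every connection event; an unmapped
    channel that is not in the map is remapped onto the list of used channels.
    Returns the data channels used for the first `count` connection events."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment must be in 5..16")
    used = [k for k in range(37) if channel_map >> k & 1]
    if not used:
        raise ValueError("channel map must enable at least one data channel")
    seq, unmapped = [], 0
    for _ in range(count):
        unmapped = (unmapped + hop_increment) % 37
        if channel_map >> unmapped & 1:
            seq.append(unmapped)
        else:
            seq.append(used[unmapped % len(used)])  # remapping step
    return seq


AD_TYPE_NAMES = {
    0x01: "Flags",
    0x02: "Incomplete List of 16-bit Service UUIDs",
    0x03: "Complete List of 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "Tx Power Level",
    0xFF: "Manufacturer Specific Data",
}


def parse_ad_structures(payload: bytes) -> list:
    """Split an advertising payload (max 31 bytes) into (ad_type, data) pairs.
    Each structure is: length (1 byte, counts type + data), type (1 byte), data.
    A structure whose length overruns the payload raises instead of being
    silently truncated, which is the check a sniffer-side parser should make."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break  # zero-length structure: trailing padding, stop parsing
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def describe(payload: bytes) -> dict:
    """Decode the common AD types into readable values keyed by type name."""
    info = {}
    for ad_type, data in parse_ad_structures(payload):
        name = AD_TYPE_NAMES.get(ad_type, f"0x{ad_type:02X}")
        if ad_type in (0x08, 0x09):
            info[name] = data.decode("utf-8", errors="replace")
        elif ad_type in (0x02, 0x03):
            info[name] = [int.from_bytes(data[j:j + 2], "little")
                          for j in range(0, len(data) - 1, 2)]
        elif ad_type == 0x0A:
            info[name] = int.from_bytes(data, "little", signed=True)
        else:
            info[name] = data.hex()
    return info


# Constructed advertising payload: Flags, Complete Local Name "BLEdev",
# two 16-bit service UUIDs (0x180F, 0x180D), manufacturer data with the
# test company ID 0xFFFF.
SAMPLE_ADV = bytes.fromhex("020106" "070942 4c456465 76".replace(" ", "")
                           + "05030f180d18" + "05ffffff0102")

if __name__ == "__main__":
    print([channel_to_mhz(c) for c in ADV_CHANNELS])
    print(hop_sequence(7, (1 << 37) - 1, 6))
    print(describe(SAMPLE_ADV))
```

Running the block prints the three advertising frequencies, the first six data channels of a connection with hop increment 7 and all channels enabled, and the decoded fields of the constructed advertisement; masking a channel out of the map shows the remapping step in action.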

The third part covers methods of using phones or special Bluetooth chips to find BLE devices nearby.

The last part explains three ways of attacking the BLE protocol and how to carry them out with some special equipment. In these attacks we can obtain the communication data between the devices, and thus disguise ourselves as a trusted terminal to connect to the BLE devices.

Jin Yang

Jin Yang has been working in the network security industry for over 10 years. He started working at ThreatBook in 2015, and had previously worked for Microsoft, COMODO and Qihoo 360. He focuses on threat intelligence, sandboxes for automated malware analysis, IoT security and rootkits. Jin has presented at XCon 2011/2012, AVAR 2016 and KCon 2017.