Protecting Privacy of BLE Device Users - Kassem Fawaz, University of Michigan; Kyu-Han Kim, Hewlett Packard Labs; Kang G. Shin, University of ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Protecting Privacy of BLE Device Users Kassem Fawaz, University of Michigan; Kyu-Han Kim, Hewlett Packard Labs; Kang G. Shin, University of Michigan https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/fawaz This paper is included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 • Austin, TX ISBN 978-1-931971-32-4 Open access to the Proceedings of the 25th USENIX Security Symposium is sponsored by USENIX
Protecting Privacy of BLE Device Users Kassem Fawaz∗ Kyu-Han Kim† Kang G. Shin∗ ∗The University of Michigan †Hewlett Packard Labs Abstract objects, track our fitness, control smart appliances and toys provide physical security, etc. The BLE protocol Bluetooth Low Energy (BLE) has emerged as an attrac- owes this proliferation to its low energy and small pro- tive technology to enable Internet of Things (IoTs) to cessing footprint as well as its support by most end-user interact with others in their vicinity. Our study of the devices [20], such as PCs, gateways, smartphones, and behavior of more than 200 types of BLE-equipped de- tablets. vices has led to a surprising discovery: the BLE proto- A BLE-equipped device advertises its presence to let col, despite its privacy provisions, fails to address the interested nearby devices initiate connections and glean most basic threat of all—hiding the device’s presence relevant information. These advertisements, however, from curious adversaries. Revealing the device’s exis- are a double-edged sword. An unauthorized, potentially tence is the stepping stone toward more serious threats malicious, party can use these advertisements to learn that include user profiling/fingerprinting, behavior track- more about the BLE-equipped devices of a certain user ing, inference of sensitive information, and exploitation or in a specific environment [22], generally referred to in of known vulnerabilities on the device. With thousands literature as the inventory attack [42]. Revealing the de- of manufacturers and developers around the world, it is vice’s presence is the stepping stone toward more serious very challenging, if not impossible, to envision the vi- privacy and security attacks with grave consequences in ability of any privacy or security solution that requires the case of medical devices for example, especially for changes to the devices or the BLE protocol. high-value targets [31]. In this paper, we propose a new device-agnostic sys- The BLE specification contains some privacy pro- tem, called BLE-Guardian, that protects the privacy of visions to minimize the effects of inventory attacks the users/environments equipped with BLE devices/IoTs. and ensuing threats, namely address randomization and It enables the users and administrators to control those whitelisting. A BLE device is supposed to randomize who discover, scan and connect to their devices. We have its address to prevent others from tracking it over time. implemented BLE-Guardian using Ubertooth One, an Moreover, only devices with a pre-existing trust rela- off-the-shelf open Bluetooth development platform, fa- tionship (whitelisted devices) are supposed to access the cilitating its broad deployment. Our evaluation with real BLE-equipped device. devices shows that BLE-Guardian effectively protects the users’ privacy while incurring little overhead on the In this paper, we first analyze how existing BLE’s communicating BLE-devices. privacy measures fare in the real-world deployments through our own data-collection campaign. To the best of our knowledge, this is the first study that systemat- 1 Introduction ically analyzes threats to the BLE-equipped devices in the wild. We recruited participants from our institution Bluetooth Low Energy (BLE) [4] has emerged as the and the PhoneLab testbed [27] to collect the BLE adver- de facto communication protocol in the new computing tisements in their vicinity. We have collected and an- paradigm of the Internet of Things (IoTs) [8, 9, 15, 23, alyzed the advertisements from 214 different types of 24, 39]. In 2013, over 1.2 billion BLE products were BLE-equipped devices. Analyzing our dataset has led to shipped [9], with this number expected to hit 2.7 bil- a surprising discovery: BLE advertisements, due to poor lion in 2020 [3]. BLE-equipped products are embedded design and/or implementation, leak an alarming amount and used in every aspect of our lives; they sense nearby of information that allows the tracking, profiling, and 1 USENIX Association 25th USENIX Security Symposium 1205
fingerprinting of the users. Furthermore, some devices tablet, PC, Raspberry PI, Artik-10, etc. The external ra- allow external connections without an existing trust re- dio achieves the physical protection, while the applica- lationship. Unauthorized entities can access unsecured tion, running on the gateway, enables the user to interact data on the BLE-equipped devices that might leak sensi- with BLE-Guardian. tive information and potentially inflict physical harm to BLE-Guardian provides privacy and security protec- the bearer. tion by targeting the root of the threats, namely the ad- Almost all of the existing approaches addressing some vertisements. In particular, BLE-Guardian opportunis- of the above threats rely on mechanisms that necessar- tically invokes reactive jamming to determine the enti- ily include changes to the protocol itself or to the way ties that can observe the device existence through the the BLE-equipped devices function [21, 40]. Changing advertisements (device hiding module), and those that the operation of such devices, post-production, requires can issue connection requests in response to advertise- their patching by securely pushing a firmware update. ments (access control module). In a typical BLE envi- With thousands of manufacturers and developers around ronment, however, achieving BLE-Guardian’s objective the world, it is very challenging, sometimes impossi- is rather challenging. Many BLE-equipped devices, in- ble, to guarantee firmware patches to the millions of al- cluding the ones to be protected, advertise on the same ready deployed devices [11]. Even a security-aware user channel; while at the same time other devices, in re- might lack the ability to update the firmware of a BLE- sponse to advertisements, issue scan and connection re- equipped device. Patch management is, therefore, the quests. The timing is of an essence for BLE-Guardian; leading security challenge in the emerging IoTs [10, 19] it invokes jamming at the right time for the right dura- (including BLE-equipped devices) for many reasons: tion. Therefore, BLE-Guardian does not inadvertently harm other devices, preserves the ability of authorized • Manufacturers might lack the ability to apply OTA entities to connect the BLE-equipped device, and always updates [1] for some deployed BLE-equipped de- hides the BLE-equipped device when needed. vices because they (such as a BLE-equipped preg- nancy test) are neither programmable nor equipped More than one device might be authorized to con- with an Internet connection. nect to the BLE-equipped device. BLE-Guardian dif- ferentiates the scan and connection requests originating • Customers might neither receive news about the up- from authorized devices versus those that are fraudulent. date nor be able to apply an update even if available. This is particularly challenging as the BLE advertise- For example, a month after the 2013 “Foscam” we- ment channel lacks any authentication mechanism for the bcams hacking incident, 40,000 of 46,000 vulnera- advertisements and connections. BLE-Guardian utilizes ble cameras were not updated although a firmware Bluetooth classic as an out-of-band (OOB) channel to update was available [17]. authorize a device after obtaining the user’s permission. • Companies do not have enough financial incentives It uses the OOB channel to instruct the connecting de- or resources to maintain the devices post deploy- vice to issue ordinary connection requests with (varying) ment [34]. For example, Samsung discontinued two special parameters that other unauthorized devices can’t lines of smart refrigerators after 2012 so that cus- predict. It also alerts the user when unauthorized parties tomers can’t receive updates for their purchased re- attempt connection to the user’s BLE devices. frigerators [6]. BLE-Guardian achieves its objectives with mini- There is, therefore, a need for a new class of practical ap- mum requirements from the external radio. Effectively, proaches to mitigate the privacy threats to BLE-equipped BLE-Guardian operates with a radio that offers only the devices. In this paper, we seek to answer the following basic capabilities of reception and transmission on the related question: can we effectively fend off the threats BLE channels. As a result, BLE-Guardian avoids em- to BLE-equipped devices: (1) in a device-agnostic man- ploying sophisticated and customized (thus impractical) ner, (2) using COTS (Commercial-Off-The-Shelf) hard- radios and signal processing approaches. ware only, and (3) with as little user intervention as pos- We implement BLE-Guardian using the commer- sible? cially available Ubertooth One1 USB dongle so that We present BLE-Guardian as an answer to the BLE-Guardian can be easily installed on any BLE gate- above question. It is a practical system that protects way. We also implement accompanying apps for differ- the user’s BLE-equipped devices so that only user- ent BLE gateways, such as Android and Raspberry PI. authorized entities can discover, scan, or connect to We evaluate BLE-Guardian using several BLE devices them. BLE-Guardian relies on an external and off-the- for different real-world scenarios, where we assess its shelf Bluetooth radio as well as an accompanying appli- effectiveness in combating privacy threats, its low over- cation. Therefore, a user can easily install (and control) BLE-Guardian to any BLE gateway, be it a smartphone, 1 https://greatscottgadgets.com/ubertoothone/ 2 1206 25th USENIX Security Symposium USENIX Association
head on the channel and devices, and little disruption to nel condition in a dynamic mobile indoor environment the operation of legitimate BLE devices. In particular, as well as a full duplex radio. BLE-Guardian consti- BLE-Guardian is able to protect up to 10 class-2 target tutes a reference design that can function with any radio BLE-equipped devices within a 5m range with less than that has reception and transmission capabilities on the 16% energy overhead on the gateway. 2.4 GHz band. BLE-Guardian, also, considers far less The rest paper is organized as follows. Section 2 dis- restrictive scenarios than Shield. It does not have to be cusses the related work. Section 3 provides the nec- within centimeters of the device-to-be-protected as the essary BLE background. Section 4 states the privacy case with Shield. Moreover, BLE-Guardian’s practical threats arising from BLE advertisements through our design allows scaling up protection for multiple devices data-collection campaign. Section 5 details the design (multiple connectors and protected devices) simultane- of BLE-Guardian. Section 6 presents the implemen- ously, which is not the case for Shield that considers a tation of BLE-Guardian and evaluates its effectiveness. two-device scenario only [36]. Finally, the paper concludes with Section 7. Finally, researchers have explored ways to reduce in- formation leaks from sensors in a smart home environ- ment [30, 37]. Srinivasan et al. [37], Park et al. [30], and 2 Related Work Schurgot et al. [35] propose a set of privacy enhance- There have been limited efforts related to BLE devices ments that include perturbing the timing of broadcasted that target the security and privacy threats resulting from sensory data along with padding the real sensory data the devices revealing their presence. The only excep- with fake data to confuse the adversary. These protocols tion is the work by Wang [40], where a privacy enhance- fail to address the threats resulting from BLE advertise- ment is proposed for BLE advertisements to ensure con- ments and have the shortcoming of requiring changes to fidentiality and prevent replay attacks as well as tracking. the sensors as well. This enhancement is based on providing an additional 3- way handshake between the peripheral and the gateway. 3 BLE Primer Unarguably, this enhancement changes both the protocol and the peripheral which is highly impractical as we ar- The BLE (Bluetooth 4.0 and newer) protocol has been gued before. developed by the Bluetooth SIG to support low power Another related field of research includes wearable devices such as sensors, fitness trackers, health monitors, and body-area networks. The work by Leonard [21] uses etc. Currently, more than 75,000 devices in the market a honeypot to lure in adversaries that attempt to attack support this protocol along with most of more capable the user’s wearable devices. The honeypot uses a set of devices such as smartphones, tablet, PCs, and recently helper nodes to expose fake services with known weak- access points [2]. nesses so that the attacker connects to them. This work, however, doesn’t handle the privacy threat arising from BLE advertisements. A determined attacker will be able 3.1 BLE States to distinguish fake traffic from legitimate one based on RF signatures from the devices and issue connections to A BLE device assumes either a central or peripheral role. the user’s real devices. A peripheral device is typically the one with lower capa- Other relevant work includes approaches to protecting bilities and with the information to advertise. The central medical devices. Mare et al. [25] propose a mechanism device, typically an AP, PC, or smartphone, scans for ad- that protects health sensors when communicating with a vertisements and initiates connections. gateway. The proposed system, albeit relevant, doesn’t The BLE specification places a higher burden on the apply for the BLE ecosystem. It also mandates chang- central device. It is responsible for initiating the con- ing the medical devices. Gollakota et al. [12] propose an nection and thus has to keep scanning until it receives external device, called Shield, that the user wears to con- an advertisement. Conversely, the peripheral (prior to its trol access to his/her embedded medical device. Shield connection) sleeps for most of the time and only wakes implements friendly jamming so that only an authorized up to advertise, which helps save its limited energy. programmer can communicate with the medical device. BLE-Guardian takes an entirely different approach 3.2 Advertisements by targeting the control plane of the BLE protocol in- stead of the data plane. BLE-Guardian does not need BLE advertisements are instrumental to the operation of to continually protect an ongoing authorized connection the protocol, and constitute the only means by which a and more importantly need not invoke jamming signal device can be discovered. The specification defines 4 ad- cancellation that requires accurate estimation of chan- vertisement message types as shown in Table 1, and 3 3 USENIX Association 25th USENIX Security Symposium 1207
type, source address, along with some of the services Table 1: The four types of BLE advertisements. offered by the device and their respective values. The Type Advertising Interval specification defines a set of services that have unique ADV IND 20ms − 10.24s UUIDs, such as device name. The message is limited in ADV DIRECT IND 3.75ms length, and hence, to get more information about the de- ADV NONCONN IND 100ms − 10.24s vice, an interested device can either issue a scan request ADV SCAN IND 100ms − 10.24s to which the advertising device responds with a scan re- sponse or connect to the advertising device. Advertising interval Random delay 3.3 Connections Not all BLE devices accept connections; devices that use ch.1 ch. 2 ch. 3 ADV NONCONN IND advertisement messages run in tw tw tw transmit mode only and they don’t accept any scan or connection requests such as iBeacons. Advertising session Also, devices advertising with ADV SCAN IND mes- sages don’t accept connections but accept scan requests. Figure 1: The advertisement pattern in BLE. Particularly, when the device broadcasts an advertise- ment message on some channel, it listens on the same channel for some time (less than 10ms) before switching advertisement channels: 37 (2402MHz), 38 (2426MHz), to the next channel. It waits for scan requests from clients and 39 (2480MHz). wanting to learn more information to which it responds ADV DIRECT IND (introduced in Bluetooth 4.2) is with a scan response. a special advertisement; it enables fast reconnection be- Devices that advertise using ADV IND messages are tween the central and the peripheral devices. The periph- scannable and connectable; they respond to scan mes- eral, when turned on, will broadcast advertisements at a sages and connection requests. After sending an adver- fast rate (once every 3.75ms, for 1.28 seconds) that are tisement message, the device listens for connection re- directed to the client (with a pre-existing trust relation- quests. The connection request contains the source and ship) before assuming the central role. The advertise- destination addresses along with other connection pa- ment message only contains the message type, source, rameters. These parameters contain the connection in- and destination addresses. terval, the timeout, and the slave interval. When con- The other three advertisements are similar to each nected, the device starts frequency hopping according to other in that they are periodic. The advertisement in- a schedule negotiated with the central. If the device (now terval determines the frequency with which each device peripheral) doesn’t receive any communication from the advertises. This interval has to be chosen, at configu- central over the period defined by the “timeout interval”, ration time, between 20ms and 10.24 seconds (at incre- it drops the connection. ments of 0.625ms) for the ADV IND advertisement and While connected, the device must not broadcast con- between 300ms and 10.24 seconds for the other two ad- nectable advertisement messages (the first two types of vertisements. To prevent advertisements of different de- Table 1). It can, however, still broadcast non-connectable vices from colliding with each other, each device waits advertising messages to share information (the last two for a random amount of time between 0 and 10ms (in ad- types of Table 1) with other clients in its transmission dition to the advertisement interval) before it advertises range which still leaks information about the device’s (Fig. 1). name, type, and address. The advertisement session constitutes the period when the device is actually advertising. During each adver- 3.4 Privacy and Security Provisions tisement session, the device advertises on the three ad- vertisement channels given a pre-configured channel se- The BLE specification borrows some security provisions quence. Before switching to the next channel, the device from classical Bluetooth to establish trust relationships has to wait for a preset period of time (less than 10ms) between devices, a process known as pairing. When for scan and connection requests (tw in Fig. 1). We will the device boots for the first time, it will advertise using henceforth refer to the advertisement interval, the chan- ADV IND with its public Bluetooth address. The user nel sequence, and the waiting time as the advertisement can then pair a smartphone (or other BLE-equipped de- pattern. vice) so that the two devices exchange a secret key that Each advertisement message contains the message will enable future secure communication. 4 1208 25th USENIX Security Symposium USENIX Association
Once a BLE-equipped device is paired with another Table 2: A sample of devices with revealing names. device, it can invoke more privacy and security provi- sions. The first provision is whitelisting, and the device Name Type will only accept connections from devices it has been LG LAS751M(27:5D) music streaming paired with before, i.e., those that are whitelisted. Also, JS00002074 digital pen ihere key finder the device might accept connections from any client but spacestation battery/storage extension might require higher security levels for some of the ser- Jabra PULSE Smart smartbulb vices it exposes so that only authorized users access sen- DEXCOMRX Glucose monitor Clover Printer 0467 printer sitive content. Frances’s Band ea:9d LE smartband Finally, the BLE specification defines a privacy pro- Gear Fit (60ED) activity tracker vision based on address randomization to prevent device Lyve Home-00228 photo storage tracking. When two devices are paired, they exchange an Matthias-FUSE headset Richelle’s Band b2:6a LE smartband additional key called the Identity Resolution Key (IRK). vivosmart #3891203273 activity tracker The device uses this key to generate a random address ac- KFDNX key fob cording to a timer value set by the manufacturer, which OTbeat heart rate monitor it will use to advertise. This random address will be re- Thermos-4653 Smart Thermos POWERDRIVER-L10C3 smart power inverter solved by the paired device using the same key. As this random address is supposed to change regularly, curious parties shouldn’t be able to track a BLE-equipped device. Table 3: A sample of devices with consistent addresses Devices that don’t utilize address randomization can re- for more than a day. sort to direct advertising (ADV DIRECT IND) to enable Name Type Days observed fast and private reconnections. One activity tracker 37 These privacy provisions are akin to those proposed Flex activity tracker 37 earlier in the context of WiFi networks. Researchers have Zip activity tracker 37 long identified privacy leaks from the consistent identi- Surge activity tracker 36 fiers broadcasted by wireless devices. They proposed pri- Charge activity tracker 36 Forerunner 920 smartwatch 36 vacy enhancements that include randomizing or frequent Basis Peak sleep tracker 25 disposing of MAC addresses [14, 18] and hiding them MB Chronowing smartwatch 15 through encrypting the entire WiFi packets [13]. These dotti pixel light 7 enhancements require introducing changes for the client UP MOVE fitness tracker 2 GKChain laptop security 2 devices. Gear S2 (0412) smartwatch 2 Crazyflie quadropter 1 Dropcam camera 1 4 Threats from BLE Devices While, in theory, BLE’s privacy provisions might be ef- 1. Two advertisement types (ADV NONCONN IND fective to thwart threats to the user’s privacy, whether or and ADV SCAN IND) require a fixed address not various manufacturers and developers properly im- which would enable tracking of a mobile target. plement them is an entirely different story. In what fol- 2. Devices that are bonded to the users advertise us- lows, we investigate how the BLE privacy provisions fare ing ADV IND messages instead of the more private in the wild using a dataset collected in our institution and ADV DIRECT IND. using the PhoneLab testbed [27] of SUNY Buffalo. 3. Some devices, albeit not expected to do so, use their We developed an Android app that collects the content public Bluetooth addresses in advertisements. This of the advertisement messages. We recruited users from also enables tracking as well as identifying of the our institution and from the PhoneLab testbed. We didn’t device manufacturer. collect any personal information about the users and thus obtained non-regulated status from the IRB of our insti- 4. Other devices implement poor address randomiza- tution. One could view this study as crowdsourcing the tion by flipping some bits of the address render- analysis of BLE devices; instead of purchasing a limited ing them ineffective against tracking. This has also set of devices and analyzing them, we monitored the be- been identified in other studies of BLE devices [22]. havior of a broad range of devices in the wild. Analyzing 5. A large number of devices advertise their names the advertisements we collected from 214 different types (Table 2), revealing sensitive information about of devices (sample of these devices shown in Tables 2 them, the user, and the environment. Also, some and 3), we observed: of the device names contain personal information 5 USENIX Association 25th USENIX Security Symposium 1209
or unique identifiers that may enable user tracking. Authorized client 6. Some devices use a consistent Bluetooth address BLE-Guardian for long periods of time which renders address ran- domization ineffective (Table 3). Examples include BLE-Guardian attacker various types of wristbands (Fitbit Flex, Forerunner 920, etc.), headsets, smartwatches (Apple Watch or attacker Samsung Gear), etc. This has also been identified BLE device by Das et al. [7], where they analyzed the adver- tisements of BLE-equipped fitness trackers. Das et Authorized client BLE device al. found the fitness trackers constantly advertising with consistent (non-private) BLE addresses. In our (a) Mobile (b) Vehicle experiments, we observed that Flex and One kept the same address for 37 days, so did One and Charge Figure 2: Example deployments of BLE-Guardian. for 30 days. 7. Some devices accept connections from non-bonded 5 BLE-Guardian devices. This allows access to the services on the device including the unique manufacturer ID, for in- BLE-Guardian addresses the aforementioned privacy stance, which allows for user tracking regardless of threats by allowing only authorized clients to dis- the device’s address. For example, we were able cover, scan, and connect to the user’s BLE-equipped to connect to various devices and access data from device. Before delving into the inner workings of them without any existing trust relationship, such BLE-Guardian, we first describe the system and threat as various Fitbit devices (One, Zip Flex, Charge), models. Garmin Vivosmart, digital pens, etc. It is worth not- ing that we connected to these devices under con- 5.1 System and Threat Models trolled experimental settings, not in the wild. As a result, an external access control mechanism is nec- 5.1.1 System Model essary to protect such devices. A typical BLE scenario involves two interacting entities: the client and the BLE-equipped device. The BLE device The above observations indicate that the address ran- broadcasts advertisements to make other nearby clients domization, part of the BLE specifications, fails to pro- aware of its presence along with the services/information vide the promised privacy protection. Various develop- it is offering. A client can then connect to the device ers and manufacturers do not implement it properly; they to access more services/information and control some of rely on public Bluetooth addresses, apply weak random- its attributes, in which case it will be the BLE-device’s ization, or keep a consistent address for a long time. On gateway to the outside world. the other hand, even if address randomization is properly The user’s mobile device (e.g., smartphone or tablet) implemented, other information in the advertisement or acts a gateway where BLE devices are wearable (e.g., in the device might contain unique information (device fitness trackers), or mHealth devices (e.g., Glucose mon- name or id) that allows for its tracking. itor) (Fig. 2a). In a home environment, the user’s ac- Moreover, data accessed from an advertisement or the cess point, PC, or even mobile device, serves as a gate- device (once connected) might reveal sensitive informa- way for BLE devices that include smart appliances, we- tion about the user or the environment. Through our data bcams, physical security systems, etc. Last but not least, collection campaign, we were able to detect different a smart vehicle or the driver’s mobile device operate as types of glucose monitors, wristbands, smart watches, gateways (Fig. 2b) for the different BLE-equipped sen- fitness trackers, sleep monitors, laptops, smartphones, sors in the vehicle, such as tire pressure.2 An interested laptop security locks, security cameras, key trackers, reader could consult the work of Rouf et al. [32] for a headsets, etc. Knowing which type of glucose moni- discussion on the security and privacy risks of a wireless tor the user is carrying or the type of physical security tire pressure sensor. system s/he has installed could lead to serious harm to BLE-Guardian leverages the existence of gateways the user. Finally, an adversary might use such advertise- near the BLE-equipped devices to fend off unauthorized ment data as side information to infer more about the clients scanning and connecting to them. It comprises user’s behavior. For example, a temperature sensor con- both hardware and software components. The hardware stantly reading 60 ◦ F in winter would indicate a vacant property [41] which may invite in a thief. 2 https://my-fobo.com/Product/FOBOTIRE 6 1210 25th USENIX Security Symposium USENIX Association
component is an external Bluetooth radio that connects market, such as the Texas Instruments CC2540 chip. The physically to the gateway, while the software component adversary might possess further capabilities by employ- is an accompanying application that runs on the gate- ing MIMO receiver that could recover the original signal way. BLE-Guardian requires another software compo- from the jammed signal [38], especially in stationary sce- nent to run on the clients willing to discover and con- narios. We refer to this adversary as the strong passive nect to the user’s BLE devices. The user, be it an owner attacker. of the BLE-equipped device or a client, interacts with Furthermore, the adversary is capable of injecting traf- BLE-Guardian through its software components. fic into any Bluetooth channel at any given point of time, but will “play” within the bounds of the BLE specifi- 5.1.2 Threat Model cations when attempting communication with the BLE device. This is a reasonable assumption, as the device BLE-Guardian only trusts the gateway on which won’t otherwise respond to any communication. We it is running. Otherwise, the entire operation of refer to such an adversary as the active attacker. On BLE-Guardian will be compromised and will fail to pro- the other hand, the attacker might be able to transmit vide the promised privacy provisions. BLE-Guardian with higher power than allowed by regulatory bodies, in achieves privacy protection at the device level, so that if it which case we refer to as the strong active attacker. authorizes a client to access the BLE device, all applica- Thus, we have four classes of attackers referring to the tions running on that device will have same access priv- combinations of their passive and active capabilities as ileges. This security/privacy dimension is orthogonal to shown in the first column of Table 4. BLE-Guardian and has been addressed elsewhere [28]. Attacks, including jamming the channel completely, It also requires the user’s BLE device — the one to be masquerading as fake devices to trick the users to con- protected — to comply with the BLE specifications. nect to them, or attacking the bonding process are orthog- BLE-Guardian protects a target BLE-equipped de- onal to our work. Such attacks have been addressed by vice against an adversary or an unauthorized/unwanted O’Connor and Reeves [29] and Ryan [33]. Finally, once device that sniffs the device’s advertisements, issues scan BLE-Guardian enables the authorized client to connect requests and attempts to connect to the device. The ad- to the BLE device, it won’t have any control over what versary aims to achieve three objectives based on the follows later. BLE devices that the user is deploying: 1. Profiling: The adversary aims to obtain an inven- 5.2 High-Level Overview tory of the user’s devices. Based on this inventory, BLE-Guardian is a system the user can use out of the the adversary might learn the user’s health condi- box; it only requires installing a hardware component tion, preferences, habits, etc. (an external Bluetooth radio) to the gateway and running 2. Tracking: The adversary aims to monitor the user’s an app on the gateway to control and interface with the devices to track him/her over time, especially by Bluetooth radio. Conceptually, BLE-Guardian consists exploiting the consistent identifiers that the devices of device hiding and access control modules. The device leak as we observed in Section 4. hiding module ensures that the BLE device is invisible to scanners in the area, while the access control module en- 3. Harming: The adversary aims to access the user’s sures that only authorized clients are allowed to discover, BLE device to learn more sensitive information or scan, and connect to the BLE device. even to control it. Both will have severe conse- Fig. 3 shows the high-level operation of quences for the user, especially if a certain device BLE-Guardian from the moment a user designates is known to have some vulnerabilities that allow re- a BLE device to be protected all the way to enabling mote unauthorized access [26]. authorized client connection to the protected device. The high-level operation of BLE-Guardian takes the This adversary can have varying passive and active ca- following sequence: pabilities, from curious individuals scanning nearby de- vices (e.g., using a mobile app), to those with moder- 1. The user installs the hardware component along ate technical knowledge employing commercial sniffers, with the accompanying app on the gateway. all the way to sophisticated adversaries with software- defined radios. 2. The user runs the app, which scans for BLE devices A passive attacker is capable of sniffing all the com- nearby. The user can then choose a device to hide. munications over advertisement channels including those 3. The device hiding module of BLE-Guardian starts that fail the CRC check. This includes all commercial by learning the advertisement pattern of the target Bluetooth devices and existing Bluetooth sniffers in the BLE device along with that of the other devices in 7 USENIX Association 25th USENIX Security Symposium 1211
BLE-Guardian Owner chooses Devi ce 37,38,39 39,37,38 running BLE device Hiding User Alert 39 short 37 short to be hidden Module Keep all 39 long 37,39,38 sequences with 37 37,38 followed by 38 38,39,37 New client Authenticated Attacker 37 short appears client appears detected 38 short 38,37,39 Acces s denied Keep all 39 short sequences 39,38,37 Acces s Control Module with 37 39 long 38 long 38,37 Client Acces s Whitelist Connection 37 long 39,37 Authentication granted Client Enabling 37 short 39 long 39,37 Eliminate all 37 sequences with 37 38,39 39 short 39,38 Figure 3: The modules of BLE-Guardian and their un- 38 long 39 long 39 38 derlying interactions. Eliminate all sequences with 38 the area. The device hiding module then applies re- Figure 4: The learning algorithm followed by active jamming to hide the device. BLE-Guardian. The blue boxes refer to monitoring each channel either for a short period of time (less than 10ms) 4. When a new client enters the area and wants to dis- or for a longer period of 10.24 seconds. Depending cover the user’s devices, it communicates with the on whether an advertisement is detected on the channel access control module so that the user can either some sequences are eliminated till a sequence is decided grant or reject authorization. on (gray boxes). 5. If the user authorizes the client, the access control module advertises privately on behalf of the BLE device to let the authorized client scan and connect to it. latter two parameters are deterministic and can be ob- served directly, which is not the case for the advertising 6. BLE-Guardian monitors if other unauthorized en- interval. The BLE specification leaves it to the device tities are attempting to connect to the BLE device; to determine the advertising pattern, so that there are 15 in such a case, it blocks the connection and alerts possible permutations of the channel sequence. the user. As shown in Fig. 4, BLE-Guardian follows a pro- 5.3 Device Hiding cess of elimination to identify the advertising sequence of the BLE device using a single antenna. In the worst The hiding module is responsible for rendering the case, it will take three advertising intervals to learn the BLE device invisible to other scanning devices. The entire advertising sequence of a BLE-equipped device. hiding module jams the device’s advertisement ses- This corresponds to the longest path of Fig. 4, where sion to achieve this invisibility. In particular, it BLE-Guardian monitors each channel for the maximum targets three types of advertisements, ADV IND, advertising interval of 10.24 seconds. At the same time, ADV NONCONN IND, and ADV SCAN IND of Ta- it would have identified the time the BLE device spends ble 1, which are periodic and leak more information listening on each channel before switching to the next about the user as we indicated earlier. channel. Hiding the BLE device is, however, challenging for two reasons. The hiding module must jam the BLE de- While observing the advertising sequence of the BLE vice precisely at the moment it is advertising. Also, it device, the hiding module keeps track of the interval must not disrupt the operation of other devices advertis- separating the consecutive advertisements sessions. The ing in the same area. hiding module observes a set of inter-advertisement in- tervals, ti = adv + p, where adv is the actual adver- tisement interval as set by the device and p is a ran- 5.3.1 Learning dom variable representing the random delay such that The hiding module first learns the target BLE device’s p ∈ uni f (0, 10 ms). Also, BLE-Guardian will perform advertising pattern before jamming to hide its presence. the same process for all advertising devices in the same The device’s advertisement pattern comprises the adver- area at the same time to learn their advertising parame- tising interval, advertising channel sequence, and the ters as well. Learning other devices’ advertising at the time to listen on the individual channels. Fortunately, the same time will be useful as evident below. 8 1212 25th USENIX Security Symposium USENIX Association
5.3.2 Actuation 20 0 Device Advertisement Device Advertisement After identifying the advertising pattern, the hiding mod- 0 Monitoring Interval -20 ule needs to just detect the start of the advertisement ses- -20 RSSI (dBm) RSSI (dBm) sion. Then, it jams the advertising channels according to -40 -40 their advertisement sequence. There is a caveat, though; -60 -60 the hiding module needs to detect the advertisement be- -80 fore it can be decoded. Otherwise, the rest of the jam- -80 ming will not be effective. -100 -100 From monitoring earlier advertisements, the hiding 0 5 10 1.16 1.18 1.2 module obtains a set of ti ’s of different devices’ adver- Time (sec) Time (sec) tisements, including the BLE device to be hidden. The (a) Over 10 seconds. (b) Single adv. interval. advertisement interval will be adv = ti − p for each ob- served inter-advertisement interval. Each observed ad- Figure 5: RSSI at channel 37 when a device is advertis- vertisement will be used to improve the estimation of ing at a distance of 1m at the interval of 960ms. the advertisement interval. For N observed intervals, we have: the device hiding module will sample the RSSI of the channel very frequently (every 25µs). When the re- 1 N 1 N 1 N adv = ∑ N i=1 (ti − p) = ∑ ti − ∑ p. N i=1 N i=1 (1) ceived RSSI is −90dBm or higher (the peaks of Fig. 5a), BLE-Guardian determines that there is a transmission Let P = N1 ∑Ni=1 p, the random variable P is drawn from currently starting to take place. The device hiding mod- ule moves immediately to jam the channel on which it is the distribution N1 p ∗ N1 p ∗ N1 p . . . N1 p. Since the single listening. Since the transmission of a typical advertise- random delays p are i.i.d., the mean of P will be equal ment message takes 380µs to finish [16], jamming the to 5 (mean of the original distribution of p) and the stan- channel will prevent the message from being decoded by dard deviation of ∑Ni=1 σ p = √5 . The hiding module other receivers. N (3) estimates adv as: At this point, two situations might arise; (1) the target BLE device is the only device expected to be advertising 1 N at this time instant, or (2) some other device is expected adv = E(adv) = ∑ ti − 5. N i=1 (2) to be advertising in the same interval. In the first situ- ation, the target BLE device is most probably responsi- The standard deviation of P will get lower as N in- ble for this transmission as part of its advertisement ses- creases; it defines the error in the estimate of adv as sion. The device hiding module repeats the same process defined by Eq. (1). Given previous N observed adver- (sample RSSI and jam) over the rest of the channels to tisements from the BLE device, the hiding module can confirm that transmissions follow the device’s advertis- predict the next advertisement to happen at advnext ∈ ing pattern. Fig. 5b shows an example interval where [advlow , advhigh ] such that: there is only one device advertising. In the second situation, the device hiding module can’t advlow = TN + adv − e (3) readily ascertain whether the transmission belongs to the target BLE device or not. This will take place when the advhigh = TN + adv + e + 10, (4) observed transmission sequence matches the advertising sequence of the target BLE device and some other de- where TN is the time of the last advertisement and e vice that is expected to advertise at the same interval. To is the 90th percentile value of P (symmetric around resolve this uncertainty, immediately after jamming the the mean) which approaches 0 as N increases (so that advertising message (400µs after commencing jamming advhigh − advlow approaches 10ms). on the channel), the device hiding module lifts jamming Starting from the last observed TN of the target and sends scan requests for devices other than the tar- BLE device, the advertisement hiding module computes get device. The device hiding module then listens on the advlow and advhigh . Also, it enumerates the list of channel to observe if a scan response is received. De- other devices expected to advertise within the interval spite its advertisement being jammed, any device will [advlow , advhigh ]. still be listening on and will respond to scan requests. The device hiding module always listens on the first Depending on whether a scan response is received or not, channel of the advertising sequence of the BLE device BLE-Guardian can associate the transmission with the to be hidden. During the interval [advlow , advhigh ], correct device, be it the target BLE device or some other 9 USENIX Association 25th USENIX Security Symposium 1213
device. The device hiding module then adjusts the next mon- itoring interval according to the observed transmissions Client BLE- Target BLE Attacker Guardian Device in the current intervals as follows: bt_addr, UUID Authorization attempt connection connection request advlow = min(TN ) + adv − e (5) Client authorized by user send pairing request advhigh = max(tN ) + adv + e + 10, (6) users complete pairing connection parameters Connection Enabling where TN represents the instants of the transmissions reduced-info Ad connection request possibly matching the advertisement of the target BLE Legitimate connection established data device in the current monitoring interval. data Note that we don’t utilize the power level per se, or any Connection dropped physical-layer indicator, to indicate whether the same de- connection request Detection Attack Unauthorized vice is transmitting or not, as it is sensitive to the envi- missed advertisements --> alert user connection established ronment and the distance between BLE-Guardian and the target BLE device. To actually perform the jamming, the device hiding module continuously transmits at the Figure 6: The sequence diagram of the access con- maximum power for the specified interval. trol module. Thin green lines from the target device BLE-Guardian may jam the advertisements of non- designate the advertisements. Thick green lines from target devices which might disrupt their operation, which BLE-Guardian designate the jamming signal. we referred to as the second situation above. Neverthe- less, because of the random delay introduced by the de- vice before each advertisement, the aforementioned “col- Bluetooth-equipped end-user device will be able to com- lision” events become unlikely. In Appendix A, we use municate simultaneously over Bluetooth classic and BLE renewal theory to show that the expected number of an- so that it can communicate with both BLE-Guardian and other device’s advertisements within the expected adver- the target BLE device. tising interval of the target BLE-equipped device will al- Fig. 6 depicts the interactions between BLE-Guardian ways be less than 1. This applies when BLE-Guardian and a client device when they connect for the first time. protects a single BLE-equipped device. Our evaluation BLE-Guardian will be listening on the gateway over in Section 6 confirms this observation. a secure RFCOMM channel with a specified UUID. The gateway, however, won’t be running in discoverable 5.4 Access control mode so as to prevent others from tracking the user. It is up to the party interested in authenticating itself to obtain So far, BLE-Guardian has hidden the target BLE device, the Bluetooth address of the user’s gateway as well as the so neither authorized nor unauthorized entities have ac- UUID of the authentication service. cess to the device. It is the access control module that Once the client end-user device obtains the Blue- authorizes client devices and enables their access to the tooth address and UUID, it can initiate a secure con- target BLE device. nection to the gateway. This will trigger a pairing pro- cess to take place if both devices are not already paired. 5.4.1 Device Authorization BLE-Guardian relies on Bluetooth pairing process to se- cure the connections between the gateway and the client BLE-Guardian utilizes Bluetooth classic (BR/EDR) as device. For future sessions, an already paired client de- an out-of-band (OOB) channel to authorize end-user de- vice can connect to BLE-Guardian without the need for vices intending to scan and access the target BLE de- any user involvement. The owner can also revoke the vice. BLE-Guardian runs in server mode on the gate- privileges of any client device by simply un-pairing it. way waiting for incoming connections, while the “au- thenticating” device will have BLE-Guardian running in 5.4.2 Connection Enabling client mode to initiate connections and ask for authoriza- tion. The choice of Bluetooth Classic as an OOB channel The device hiding module of BLE-Guardian jams the is natural; most end-user devices (such as smartphones) entire advertising sequence of the target BLE device, in- are dual-mode, supporting both BLE and Bluetooth clas- cluding the period it listens for incoming scan or connec- sic. Moreover, Bluetooth classic already contains pairing tion requests so that it cannot decode them. Therefore, and authentication procedures, eliminating the need for a both unauthorized and authorized clients cannot access dedicated authentication protocol. Last but not least, a the target BLE device (the case of an adversary using 10 1214 25th USENIX Security Symposium USENIX Association
high transmission power will be discussed later). Fig. 6 Table 4: The protections offered by BLE-Guardian. shows the procedure that BLE-Guardian follows to en- able only the authorized clients access to the target BLE Profiling Tracking Access User Adversary Protect. Protect. Control Alert device. Passive & Active Immediately after the last advertisement of a single ad- Strong Passive & vertisement session, when the target device is the only Active – one expected to be advertising, the access control mod- Passive & Strong – ule lifts the jamming. This ensures that the BLE device Active Strong Passive & will not be advertising until the next adverting session, Strong Active – – and it is currently listening for scan and connection re- quests. Then, BLE-Guardian advertises on behalf of the target BLE device on the same channel. The advertise- ment message contains only the headers and the address of the previously hidden device. It is stripped of explicit imate ones. Legitimate connection requests contain the identifiers, hence leaking only limited information about set of “secret” connection parameters communicated ear- the BLE device for a brief period. lier to the client. At the same time, BLE-Guardian will communicate The probability of the attacker matching a particular to the authenticated client app the address of the BLE set of connection parameters is very low. According to device and a secret set of connection parameters over the specification, there are more than 3 million possi- the OOB channel. BLE-Guardian’s app running on the ble combinations of values for the connection, slave, and client device will use the address and the parameters to timeout intervals. If the connection is established based initiate a connection to the BLE device. The connection on a fraudulent connection request, then BLE-Guardian initiation procedure is handled by the Bluetooth radio of prevents the connection from taking place. The connec- the client device, which scans for the advertisement with tion request already contains the hopping sequence ini- the provided address. After receiving such an advertise- tiation. BLE-Guardian hops to the next channel and ment, it sends a connection request after which both de- jams it so as to prevent the BLE device from receiving vices will be connected. any message from the connected unauthorized device. The above procedure will not break the way BLE The BLE device drops the connection since it receives scans and connections take place. It doesn’t matter from no message on the channel. which radio the actual advertisement was coming. From the perspective of the BLE device, it will receive a scan An attacker might abuse this connection process by or connection request while waiting for one. On the constantly attempting to connect to the BLE device, thus other hand, the client device will receive an advertise- depriving the authorized client of access. This will al- ment message while also expecting one. ways be possible, even when BLE-Guardian is not de- ployed. BLE-Guardian observes such a situation from a high frequency of fraudulent connection requests and 5.5 Security and Privacy Features alerts the user of this threat. As it will be evident BLE-Guardian addresses the tracking and profiling in Section 6, an active attacker injecting messages to threats discussed in Section 5.1.2. It hides the adver- the advertising channel can’t affect the operations of tisements, which are used as the main means to track BLE-Guardian. users. It only exposes the advertisement for a very short A strong active adversary, however, can override period when enabling others to connect. Furthermore, BLE-Guardian’s jamming and issue connection requests BLE-Guardian greatly reduces the profiling threat by that the BLE-equipped device will decode. While jam- hiding the contents of the advertisement which leak the ming, BLE-Guardian runs in transmit mode and can device name, type, and other attributes. not monitor the channel for incoming requests. Nev- A strong passive attacker [38] can still detect the “hid- ertheless, it detects that the BLE device is missing its den” peripheral by recovering the real advertisement, so advertising intervals, signifying that it was connected that it can connect to the BLE-equipped device. Dis- without BLE-Guardian’s approval. In such a case, tinguishing legitimate connection requests based on the BLE-Guardian alerts the user of the existence of a Bluetooth address of the initiator is not effective; an at- strong adversary nearby. tacker could easily spoof its Bluetooth address to imper- sonate the authorized client. Therefore, BLE-Guardian Finally, Table 4 summarizes BLE-Guardian’s capa- uses the connection parameters of the connection request bilities when faced with the various adversaries de- to distinguish fraudulent connection requests from legit- scribed in Section 5.1.2. 11 USENIX Association 25th USENIX Security Symposium 1215
TI CC2540 Galaxy S5 2 2 clear clear 1.5 covered 1.5 covered cutoff (m) 1 1 0.5 0.5 0 0 0 0.5 1 1.5 2 2.5 3 0 0.5 1 1.5 2 2.5 3 Distance (m) Distance (m) Figure 8: The cutoff distance as a function of the distance between BLE-Guardian and the target device. Figure 7: The deployment scenario for BLE-Guardian for a mobile user (left) and the main UI (right). Maintaining BLE-Guardian is easy; it only requires updating the application running on the gateway which usually takes place without the user’s intervention (e.g., 6 Implementation and Evaluation mobile app updates). This application interacts with the hardware component and applies updates, if necessary, We now present a prototype of BLE-Guardian along through pushing firmware updates, a process which is with its evaluation. also transparent to the users. 6.1 Implementation 6.2 Evaluation We implement BLE-Guardian using Ubertooth One ra- To evaluate BLE-Guardian, we utilize Broadcom dio which is an open platform for Bluetooth research BCM20702A0 and Nordic nRF51822 chips as the tar- and development. It can connect to any host that sup- get BLE devices (both transmitting at 4dBm) and the TI ports USB such as Raspberry Pi, Samsung’s Artik-10, CC2540 dongle as the sniffer node. CC2540 is able to PC, smartphone (Fig. 7 (left)), etc. Since communica- decode the messages on the three advertisement chan- tion over USB incurs latency in the order of a few mil- nels, even on those that fail the CRC check. We evalu- liseconds, we implement most of BLE-Guardian’s func- ate using Nordic and Broadcom chips instead of actual tionalities inside Ubertooth One’s firmware to maintain BLE products, because these products (such as Fitbits) real-time operation. are mostly powered by the same (Nordic and Broadcom) We also implement the software component of BLE chips. BLE-Guardian on Linux and Android. Fig. 7 (right) shows a screenshot of the BLE-Guardian app while run- 6.2.1 Impact of Distance ning on Android in server mode where the user can choose the device to protect and control its authorized Due to transmission power limitations (battery or regula- client list. The app communicates the Bluetooth address tory bodies’ constraints), there would always be a small of the chosen device to the Ubertooth One radio. area around the target BLE device where BLE-Guardian BLE-Guardian requires running in privileged mode won’t be able to enact the privacy protection. The trans- on the client device in order to be able to connect with mission from the target BLE device covers the jamming modified connection parameters. This is easily achiev- signal of BLE-Guardian. Nevertheless, as the sniffer able on Linux-based clients, but might not be the case for moves farther away from the target BLE device (in any mobile devices. In other words, BLE-Guardian, while direction), the jamming signal will cover the advertise- running in client mode on Android, requires root access ments, provided that the BLE device and BLE-Guardian to be able to issue connection requests with a set of spec- are not very far apart. So, there is a cutoff distance be- ified connection requests. Also, BLE-Guardian (if run- yond which the adversary can’t scan, and connect to the ning in privileged mode on the client device) can mod- target BLE device. ify content of the advertisement message from the BLE We study the cutoff distance of a target BLE device scanner to the user-level application to reconstruct the (advertising at 20ms) at different distances separating it original hidden advertisement. As such, user-level ap- from BLE-Guardian (between 0 and 3m). At each po- plications (on the trusted client) will receive the original sition, we move the sniffer node (either a CC2540 don- advertisement, which does not break their functionality. gle or Samsung Galaxy S5) around the BLE device, and 12 1216 25th USENIX Security Symposium USENIX Association
record the farthest distance at which it received any ad- Adv=20ms Adv=960ms Jammed Ads 1 1 vertisement from the BLE device as to study the hidden terminal effect. Furthermore, we repeat each experiment 0.5 0.5 twice, the first with BLE-Guardian clear of any obsta- cles and the second with it inside a backpack. 0 0 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 It is evident from Fig. 8 that the cutoff distance in- # Advertisers # Advertisers creases as BLE-Guardian and the BLE device become farther apart. In all of the cases, however, the cutoff dis- Adv=5000ms Adv=10240ms Jammed Ads 1 1 tance is less than 1m, even when BLE-Guardian and the BLE device are 3m apart. This also applies when 0.5 0.5 BLE-Guardian is inside the backpack which should re- duce the effectiveness of its jamming. Sniffing with 0 0 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 a smartphone has a shorter cutoff distance because the # Advertisers # Advertisers smartphone’s BLE chip filters out advertisements failing the CRC check so that they are not reported to the OS. Figure 9: Portion of jammed advertisements of an in- The cutoff distance is enough to thwart tracking and nocuous BLE device when BLE-Guardian is running profiling in several scenarios, especially when the user and protecting up to 10 advertisers. is moving (walking, jogging, biking or driving). In these scenarios, BLE-Guardian is not farther than 1m from the target BLE device. An adversary has to get very close to would indicate the number of target devices (i.e. those to the user, even if BLE-Guardian is covered in a coat or be protected). bag, to be able to scan or connect to the BLE device. In other cases, the user has to keep his BLE devices 6.2.3 Advertisement Hiding (to be protected) close to BLE-Guardian in order to get the best privacy protection possible. Our experi- Impact on Other Devices: We first evaluate the num- ments showed that BLE-Guardian and the target BLE ber of advertisements, not belonging to the target BLE device must be separated by a maximum distance of 5m device(s), BLE-Guardian will jam (Fig. 9). While ac- so that an attacker beyond the cutoff distance won’t be cidentally jamming other devices doesn’t affect the pri- able to decode the advertisements. If BLE-Guardian vacy properties of BLE-Guardian, it hinders the services and target BLE device are farther apart than this, then they offer to other users. In particular, we study four BLE-Guardian’s jamming won’t be able to cover the en- scenarios with an innocuous (not the target) BLE device tire transmission area of the BLE device. In all circum- advertising at 20ms, 960ms, 5s, and 10.24s, and a vary- stances, however, BLE-Guardian detects unauthorized ing number (between 1 and 10) of target devices, which connections and alerts the user accordingly. BLE-Guardian protects. Each subset of target devices of size N (≤ 10) contains the top N advertising intervals from the list of Section 6.2.2. 6.2.2 Evaluation Setup There are two takeaways from Fig. 9. First, Beyond the cutoff distance, BLE-Guardian is capable of BLE-Guardian has little effect on other devices when it hiding the advertisements and controlling access to any protects a relatively low number of devices, or when the target BLE device regardless of its advertising frequency. advertising interval of the target BLE device(s) is larger This protection, however, comes at a cost. In what fol- than 500ms; in these cases, BLE-Guardian will be less lows, we evaluate BLE-Guardian’s impact on other in- active (bars corresponding to less than 6 target devices nocuous devices, the advertising channel, and the gate- in the four plots of Fig. 9). Second, BLE-Guardian has way. In the evaluation scenarios, we deploy the target a higher effect on the innocuous device with higher ad- BLE devices at distance of 1.5m from BLE-Guardian, vertising frequencies as observed from top-left plot of and the sniffer between BLE-Guardian and the BLE de- Fig. 9, especially when protecting a large number of de- vices (at a distance of 0.5m from BLE-Guardian). We vices (including those with 20 ms advertising interval). evaluate BLE-Guardian when protecting up to 10 target In the latter case, BLE-Guardian is active for at least devices with the following advertising intervals: 10.24 half of the time, representing the worst-case scenario of sec (highest possible), 5 sec, 2.5 sec, 1.25 sec, 960ms, BLE-Guardian’s overhead where up to 50% of other de- 625ms, 312.5ms, 100ms, 40ms, and 20ms (lowest possi- vices’ advertisements are jammed. However, since the ble). Note that evaluating with 10 target devices con- advertisement frequency is high, even with a relatively stitutes an extreme scenario; according to our dataset, high rate of jammed advertisements, the user’s experi- the average user is bonded to less than 4 devices, which ence won’t be drastically affected. On the other hand, 13 USENIX Association 25th USENIX Security Symposium 1217
You can also read