Bluetooth Low Energy: Security Issues and How to Overcome Them

June 24, 2015

With the rapid growth of the wearable technology market and the Internet of Things, Bluetooth Low Energy (BLE) a.k.a. Bluetooth Smart has become the de-facto standard for all kinds of devices, from smartwatches to beacons and connected cars. The protocol, however, appears to be prone to serious security issues developers need to be aware of when designing new hardware and software solutions.

Potential harm of the data from a wearable device getting in hands of wrong people is quite significant. Although many users would share their workouts and movements publicly in social networks, others are much more privacy-conscious. Celebrities and corporate executives are usually among the latter group, as well as people who just don’t want everyone around to know about their health issues or everyday commuting routes.

Recent research has shown the situation with privacy protection on wearables is not as good as it should be, however even simply being aware of the issues can significantly lower the risks.

Low Energy, Low Privacy

Simply speaking, the main thing we need to know about any BLE-connected wearable devices and beacons is that they are constantly broadcasting an ID together with a MAC address, which is unique for each device. To make tracking a particular gadget more difficult, the broadcast MAC address can change every time, so that only a device that has been previously paired with it would be able to “recognize” the wearable.

In Bluetooth Smart 4.2, the latest version of the protocol, new ways of encryption and other features were added to make things even more secure.

A recent article published by Context IS’s Scott Lester describes in great detail how BLE should work in terms of security and how it works in the real life. Despite the honest effort of Bluetooth SIG, the entity behind the protocol development, device manufacturers don’t seem to be serious enough about how they implement security features.

Using a $50 dongle and a self-written app, Lester and his colleagues were able to track hundreds of broadcasts by different kinds of BLE-enabled devices:

These broadcasts can almost always be attributed to a unique device, contrary to measures taken in the protocol to anonymise devices by randomising the MAC addresses. Depending on the product, some of these broadcasts can also be identified to a particular manufacturer, or the product model, or an individual product.

Scanning for these broadcasts is easy either with cheap hardware or with a smartphone. This allows us to identify and locate particular devices, which for devices such as fitness trackers that are designed to be worn all the time, means that we can identify and locate a person, to within a limited range.

What actually happens is that manufacturers, rushing their products to the market, think little about the loopholes they might be leaving for all kinds of intruders. Some of the devices would broadcast a unique ID that ruins the whole idea of masking the devices, while others change just the last few bytes of their MAC addresses, making them easily recognizable and traceable.

The experiment can be repeated by anyone interested: the Android application used by Lester is readily available through Google Play.

Making Things Right

The hope is that at least mainstream device manufacturers will take a note of the findings and try harder to protect their customers’ privacy.

Meanwhile, those developers concerned about security of their products have all the tools to make sure they’re doing their best. If you’re working on anything that involves BLE-enabled devices, you’re now able to check how they interact with the outside world.

First of all, check if your wearable changes its broadcast MAC address constantly (and in whole), making it unrecognizable for sniffers of all kinds. In addition to that, make sure there’s no unique ID being sent out openly; it’d also be better if there were no possibility for the end user to define such an ID, like “Julia’s FitBit” or “Max’s watch” — this is a case where privacy trumps usability.

Another general recommendation is to take time and read the most recent specification of the BLE standard: new security-related possibilities are being implemented often, and the more you know about them, the better protection you can ensure for your products.