
3.4 OVERVIEW OF BLUETOOTH SECURITY

Bluetooth [29] is a low-power, short-range technology that allows communication and data transfer between electronic devices wirelessly at 2.4 GHz frequency in the free Industrial, Scientific, and Medical (ISM) band.

The popularity of Bluetooth technology is rapidly increasing, and it is considered the leading wireless technology in terms of sales. When Bluetooth was introduced, it had a data transfer limit of 1 Mbps [30], which has since increased to 24 Mbps [31–32]. According to [33], over 3 billion Bluetooth-enabled devices were sold in 2014 alone. Bluetooth is a short-range technology (up to 100 m) and it is mostly used to transfer personal data and other sensitive information, such as contact cards. Therefore, the security of Bluetooth networks is very important, as various threats are emerging that exploit the vulnerabilities of the technology to gain access to this private information [30–33].

According to researchers in [32], Bluetooth users are considered the first layer of security, because they decide on the connectivity mode, which can be one of these four: silent, private, public, and LE (Low Energy) Privacy [34]. The level of security provided by these configurations relies on the pairing operation. Pairing is simply the connection of two devices to each other through the exchange of a shared secret key, produced by a protocol or series of protocols aimed at maximizing the security of the process [32].

Up to Bluetooth 2.0+EDR (Enhanced Data Rate), the pairing process is secured only through the exchange of a secret key [31], which uses a four-digit code. This raises questions about the security of the technology, as it is generally known that such codes can be easily guessed by various methods, which may eventually make attacks possible, thereby jeopardizing the security of the devices.

There was a significant improvement with the introduction of the Secure Simple Pairing (SSP) feature in Bluetooth 2.1+EDR and of LE Privacy in Bluetooth 4.0 (i.e., the first version of Bluetooth LE). LE Privacy uses advertising, a method by which a Bluetooth device delivers messages to other Bluetooth devices in connectionless mode [32, 35]. SSP is currently the standard pairing method used by most Bluetooth devices on the market.

3.5 VULNERABILITY OF BLUETOOTH SECURITY MECHANISM

Numerous research studies have already been carried out on Bluetooth vulnerabilities.

As mentioned earlier, in Bluetooth versions up to 2.0+EDR (Enhanced Data Rate) the pairing process is secured only through the exchange of a secret key [31], which typically uses a four-digit code. However, there was a significant improvement with the introduction of the SSP feature in Bluetooth 2.1+EDR and of LE Privacy in Bluetooth 4.0, which aim to enhance the security of the pairing process by adding a layer of protection against MITM attacks as well as passive eavesdropping [32, 36]. SSP applies Elliptic Curve Diffie-Hellman (ECDH) public-key cryptography: to create the link key, devices use public-private key pairs, Bluetooth addresses, and nonces. To strengthen the entire pairing process against MITM attacks, SSP asks users to compare two 6-digit numbers or uses an Out-Of-Band (OOB) channel. Four distinct association models are used by SSP: Just Works (JW), Passkey Entry (PE), Numeric Comparison (NC), and Out-Of-Band (OOB). Unfortunately, research work in [9–10, 37–38] confirmed that these association models are vulnerable to MITM attacks and to several other attacks reported in [6–10].

It is obvious that the security of the Bluetooth pairing process is not adequately addressed by these current methods, as previous research has shown that an attacker can intercept the messages during key exchange and later retransmit them, substituting their own public key for the requested one. In Publication III, we introduced a steganography technique into the pairing process of Bluetooth during data transfer, and we believe this technique will be robust against MITM attacks.
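The user-facing check that the Numeric Comparison model adds to the ECDH exchange described in the two paragraphs above, as an added example that is not part of the thesis or of the cited work: it computes the Core Specification's g() check value from the public-key x-coordinates and nonces, shows that a substituted public key yields different six-digit values on the two devices (which is what the comparison step exists to catch), and contrasts this with Just Works, which has no comparison step and therefore cannot reveal the substitution. The key and nonce bytes (PKA, PKB, PKM, NA, NB) are constructed stand-ins, not real ECDH output.

```python
import hashlib

# Numeric Comparison check value of Secure Simple Pairing, as defined in the
# Bluetooth Core Specification: g(U, V, X, Y) = SHA-256(U || V || X || Y) mod 2^32.
# U and V are the x-coordinates of the initiator's and responder's ECDH public
# keys, X and Y their 128-bit nonces. Both devices show the user the six least
# significant decimal digits of the result.
def g(u: bytes, v: bytes, x: bytes, y: bytes) -> int:
    digest = hashlib.sha256(u + v + x + y).digest()
    return int.from_bytes(digest, "big") % 2**32

def display_digits(check_value: int) -> str:
    return f"{check_value % 1_000_000:06d}"

def numeric_comparison(keys_seen_by_a, keys_seen_by_b, na, nb):
    """Each device derives its value from the public keys *it* received.
    keys_seen_by_x = (initiator_pk_x, responder_pk_x).
    Returns (digits_on_A, digits_on_B, user_sees_match)."""
    va = display_digits(g(*keys_seen_by_a, na, nb))
    vb = display_digits(g(*keys_seen_by_b, na, nb))
    return va, vb, va == vb

def just_works(keys_seen_by_a, keys_seen_by_b, na, nb) -> bool:
    """Just Works runs the same key agreement but never shows the digits,
    so there is nothing for the user to compare: it always 'succeeds'."""
    return True

# Constructed stand-in values (not real keys): 32-byte x-coordinates and
# 16-byte nonces, fixed so that the run is reproducible.
PKA = bytes(range(0, 32))     # initiator A's public key x-coordinate
PKB = bytes(range(32, 64))    # responder B's public key x-coordinate
PKM = bytes(range(64, 96))    # key an active interceptor would substitute
NA, NB = b"\x11" * 16, b"\x22" * 16

def honest_exchange():
    # A and B receive each other's genuine keys; both screens show the same number.
    return numeric_comparison((PKA, PKB), (PKA, PKB), NA, NB)

def substituted_exchange():
    # The scenario from the text: the intercepted public key is replaced by PKM
    # in each direction while the nonces are relayed. A computes over (PKA, PKM),
    # B over (PKM, PKB), so the two displayed numbers disagree and a user who
    # actually compares them rejects the pairing.
    return numeric_comparison((PKA, PKM), (PKM, PKB), NA, NB)

if __name__ == "__main__":
    print("honest:     ", honest_exchange())
    print("substituted:", substituted_exchange())
    print("Just Works accepts substituted exchange:",
          just_works((PKA, PKM), (PKM, PKB), NA, NB))
```

The comparison only protects when the user really reads both displays; a model that skips or automates that step, or a user who taps "yes" without looking, gives the attacker the outcome the cited research describes.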

3.6 EXISTING COUNTERMEASURES AND THEIR LIMITATIONS

Researchers in [32] have conducted a detailed literature review of some of the existing countermeasures and the deficiencies that still affect their viability. They identified four separate reasons, concerning user experience, processing power, battery drain, and imperfect security, which prevent their implementation.

Table 1 links each countermeasure to the reason why it cannot currently be implemented [32].

Table 1. MITM attacks on Bluetooth and the limitations to their countermeasures. [32]

Countermeasure: Disabling Bluetooth when not in use
Limitation: User experience
Additional notes: More interaction by the user reduces ease of use

Countermeasure: Deactivating unused
Limitation: User experience
Additional notes: More interaction by the user reduces ease of use

Countermeasure: Switching to

Countermeasure: Using Security mode 4 exclusively
Limitation: User experience / imperfect security
Additional notes: More interaction by the user reduces ease of use and Security mode 4 is not 100% safe

Countermeasure: Avoiding Just Works (JW) association with important data
Limitation: User experience
Additional notes: Involves a change in user behavior, therefore reducing ease and

Additional notes: More interaction by the user reduces ease of use and an MITM attacker can in fact impersonate a legitimate device and try to find out its PIN code

Countermeasure: Systematic refusal of files and messages from untrusted devices
Limitation: User experience
Additional notes: Requires more attention from the user

Countermeasure: Never pairing with an untrusted device
Limitation: User experience
Additional notes: Requires more attention from the user

Countermeasure: Frequently updating PINs
Limitation: User experience
Additional notes: More interaction by the user reduces ease of use

Countermeasure: Adding another window at pairing user interface level
Limitation: User experience
Additional notes: More interaction by the user reduces ease of use

Countermeasure: Adapting OOB as the mandatory association model
Limitation: User experience
Additional notes: This is impractical, because it makes Bluetooth pairing dependent on

Additional notes: The capability can be implemented, but it still requires more research work to be done

Additional notes: Addresses (BD_ADDRs) can help the attacker bypass this countermeasure

Countermeasure: PSM/RFCOMM channels
Limitation: security
Additional notes: SSP's vulnerability to MITM

Countermeasure: Filtering out traffic
Additional notes: An attacker can carry out an attack through traffic that fits Bluetooth specifications

Countermeasure: Testing for possible
Additional notes: This can only protect from current and known MITM attacks, leaving the door open to individual hacking and new intrusion methods

Countermeasure: Offering two-factor authentication
Limitation: User experience
Additional notes: More interaction by the user reduces ease of use

Additional notes: This method still cannot detect all types of jamming and is still subject to fooling by the attacker. It also increases the required processing power to run a pairing process.

Additional notes: This mode still contains weaknesses that can be exploited by a hacker. [14]

By analyzing Table 1, we can conclude that some of these countermeasures look promising and adequate to provide security and prevent MITM attacks, but unfortunately, while trying to prevent intrusion, other areas, such as ease of use and practicality, suffer [32]. Some of the countermeasures affect user experience and thus make the Bluetooth pairing process less practical. Some countermeasures consume too much power, which many small devices do not have. Lastly, imperfect security that does not surpass the current level, together with a lack of the necessary security requirements, makes it difficult to provide viable implementations that would significantly improve the situation [32].


4 PRACTICAL EXPERIMENTS AND OUR NOVEL SOLUTIONS

4.1 INTRODUCTION

The security of smart homes depends greatly on the security of the wireless interfaces used in their implementation. In this chapter, we summarize our practical attack scenarios and our novel solutions, which we believe will enhance the security of data transmitted in smart homes. Much work had already been done by Haataja et al. [6–10] on Bluetooth security, so we only studied these previous papers critically and moved on to investigate the security vulnerabilities in ZigBee networks. Moreover, we also designed and experimented with novel methods, which we believe will solve the problems discovered.