Application of Deep Learning Method in Bluetooth Security

Academic year: 2022


University of Eastern Finland School of Computing

Master’s Thesis

Application of Deep Learning Method in Bluetooth Security

Seyi Sunkanmi Oyinlola

April 2021


UNIVERSITY OF EASTERN FINLAND, Faculty of Science and Forestry, Kuopio.

School of Computing Computer Science

Seyi Sunkanmi Oyinlola: Application of Deep Learning Method in Bluetooth Security.

Master’s Thesis, 38 p., 1 appendix (2 p.)

Supervisors of the Master’s Thesis: Prof. Pekka Toivanen, D.Sc. (Tech.) and Dr. Keijo Haataja, Ph.D.

May 2021

Abstract: At the center of the 4th industrial revolution, or Industry 4.0, are the Internet-of-Things (IoT) and artificial intelligence, among others. IoT has been adopted in all areas of life, including in health care systems that power assisted living. It refers to the network of devices, software, sensors, and other technology that communicate and share data. Bluetooth technology is one of the wireless technologies of choice in IoT. Therefore, it is essential to continuously research and develop better ways to make it more secure. Moreover, advances in artificial intelligence have made deep learning, a subset of machine learning, an important tool in training systems to learn and recognize patterns. In this thesis, we propose the use of a deep learning method in improving Bluetooth security. A feedforward neural network was set up using the backpropagation algorithm to train and store the Bluetooth authentication link key as a network parameter (weight matrix), thus making it more secure and more tedious for hackers to crack. We demonstrate this using the MATLAB neural network toolkit.

Keywords: Artificial Neural Network, Backpropagation, Bluetooth security, Deep Learning, Feedforward Neural Network.

CR categories (ACM Computing Classification System, 2012 version)

• Computing methodologies → Machine learning → Machine learning approaches → Neural networks


Foreword.

This Master’s thesis was done at the School of Computing, University of Eastern Finland during the spring of 2021. The aim of the thesis was to present an application of a deep learning method using the backpropagation algorithm in an artificial neural network to improve Bluetooth security. I would like to express my gratitude to my supervisors, Prof. Pekka Toivanen and Dr. Keijo Haataja, for their guidance and mentorship. This would not have been possible without their support.

My deepest appreciation goes to my lovely wife, Blessing Abimbola Oyinlola and my wonderful daughter, Omolola Helmi Oyinlola for their understanding, unconditional support, and motivation throughout my studies. I give glory and adoration to God for the grace to accomplish this.


List of Abbreviations.

ACL      Asynchronous Connection-Less
ACM      Association for Computing Machinery
AI       Artificial Intelligence
ANN      Artificial Neural Network
ATT      Attribute Protocol
AVCTP    Audio/Video Control Transport Protocol
AVDTP    Audio/Video Data Transport Protocol
BNEP     Bluetooth Network Encapsulation Protocol
BR       Basic Rate
DL       Deep Learning
EDR      Enhanced Data Rate
HCI      Host Controller Interface
ISM      Industrial, Scientific, and Medical
L2CAP    Logical Link Control and Adaptation Protocol
LE       Low Energy
LELL     Low Energy Link Layer
LMP      Link Manager Protocol
LTU      Linear Threshold Unit
MAC      Media Access Control
ML       Machine Learning
MLP      Multilayer Perceptron
RFCOMM   Radio Frequency Communication
SCO      Synchronous Connection-Oriented
SDP      Service Discovery Protocol
SMP      Security Manager Protocol
TCS      Telephony Control Specification
WLAN     Wireless Local Area Network


Contents

1 Introduction
2 Bluetooth Technology
2.1 Bluetooth Evolution
2.1.1 Bluetooth 1.0A
2.1.2 Bluetooth 1.0B
2.1.3 Bluetooth 1.1
2.1.4 Bluetooth 1.2
2.1.5 Bluetooth 2.0 + EDR
2.1.6 Bluetooth 2.1 + EDR
2.1.7 Bluetooth 3.0 + HS
2.1.8 Bluetooth 4.0
2.1.9 Bluetooth 4.1
2.1.10 Bluetooth 4.2
2.1.11 Bluetooth 5.0
2.1.12 Bluetooth 5.1
2.1.13 Bluetooth 5.2
2.2 Bluetooth Adoption
2.2.1 Audio Streaming
2.2.2 Data Transfer
2.2.3 Location Services
2.2.4 Device Networks
2.3 Overview of Bluetooth Technology
2.3.1 Bluetooth Wireless Technology
2.3.2 Bluetooth Protocols
2.3.3 Controller Stack
2.3.4 Host Stack
2.4 Bluetooth Communication
2.4.1 Bluetooth Security
2.4.2 Bluetooth Pairing
2.4.3 Bluetooth Bonding
2.4.4 Bluetooth Authentication
2.4.5 Bluetooth Threats and Vulnerabilities
3 Deep Learning
3.1 Introduction to Deep Learning
3.2 Artificial Neural Network
3.2.1 Artificial Neuron
3.2.2 Gradient Descent
3.2.3 Multilayer Perceptron
3.3 Backpropagation
4 Experimental Setup
4.1 MATLAB
4.2 Neural Network Implementation
4.2.1 Results
5 Conclusion and Future Work
References
Appendices
Appendix 1: MATLAB Code (2 pages)


1 INTRODUCTION

In the past few years, digitalisation has gone beyond digital transformation of the society and economy. It has become a way of life to include the adoption of wellness technology in health care and assisted living technologies which are crucial to life. The massive growth in digital innovation relies on the interconnection of devices, mainly done through wireless networks, Bluetooth and Wireless Local Area Network (WLAN) being the most popular due to their easy and fast mode of exchanging information. Bluetooth and WLAN utilize Radio Frequency waves capable of penetrating obstacles, thus making pairing possible without direct line-of-sight, a clear advantage over infrared communication.

Bluetooth Technology is a short-range wireless communication technology which uses radio waves to transmit data. It was first used in 1998 and since then its usage has surged: shipments of Bluetooth-enabled devices continue to increase, with 4.2 billion and 6.2 billion device shipments projected in 2020 and 2024, respectively. The wide adoption of Bluetooth technology has encouraged snoopers/crackers to copy data from devices or render them useless. Bluetooth technology is convenient for productivity and comfort. However, there are major security risks associated with it: improvements to the technology over time solve most of the known vulnerabilities, but some still remain and new vulnerabilities emerge now and then.

The attempt and approach to ensure the security of connected devices and systems is called cybersecurity. Adopting Artificial Intelligence (AI) methods in cybersecurity is essential as the industry evolves and more sophisticated attacks are encountered. Artificial Intelligence methods are complex algorithms that model a real human decision mechanism: AI has various subdomains, with deep learning (DL) and machine learning (ML) being the tools to achieve AI in real life. Machine learning is a subdomain of AI: it gives machines the ability to learn automatically through training and experience without being explicitly programmed. The focus of this thesis is to contribute to the adoption of a deep learning approach in improving authentication in Bluetooth-enabled devices.

Authentication is critical in Bluetooth security: it identifies authorized users through PINs and passwords. Using the MATLAB Neural Network Toolkit, we employ a deep learning method based on the backpropagation algorithm to train the identification parameters. A neural network can be used to model nonlinear statistical data: it is capable of modelling complex relationships between inputs and outputs. The approach aims to enhance authentication in Bluetooth-enabled devices.

The research questions are as follows:

1. Can the backpropagation algorithm of a Neural Network be used to store the link key as a network parameter?

2. If yes, can it improve Bluetooth security?

In Section 2, we review Bluetooth technology, identify its importance in today’s digital world, and discuss how it works, its pros and cons, and the major types of attacks. Section 3 is a review of deep learning and its relationship with machine learning and artificial intelligence, with a focus on ANN and the backpropagation algorithm. In Section 4 we demonstrate how the backpropagation algorithm of a Neural Network can be used to store the link key as a network parameter by using the MATLAB Neural Network toolkit and discuss the result. In Section 5 we present a conclusion and answer the research questions.


2 BLUETOOTH TECHNOLOGY

In 1989, Nils Rydbeck, the Chief Technology Officer at Ericsson Mobile, Sweden, started the development of what he called "short-link" radio technology. He worked with Tord Wingren, Sven Mattisson, and Jaap Haartsen. Tord worked on specifying and Jaap and Sven worked on development (Norman, 2020). The development of what is known today as Bluetooth started in the mid-1990s, when the need to connect a keyboard to a computer wirelessly arose (Gehrmann et al., 2004). As the project advanced, other significant players in the industry came on board, which led to the establishment of the Bluetooth SIG in May 1998. The founding members of the Bluetooth SIG were Ericsson, Nokia, IBM, Intel, and Toshiba. Other members joined in December 1999: these members were Lucent, Motorola, 3Com, and Microsoft (Haataja, 2009).

Bluetooth technology was conceived as a substitute for cable connections. It has the advantages of robustness, low cost, easy pairing, and low power consumption. Bluetooth wireless technology is a short-range, low-power, high-speed communication system that functions at the frequency of 2.4 GHz in the free Industrial, Scientific, and Medical (ISM) band. It uses frequency hopping (El-Bendary, 2018). Frequency hopping enables the signal to move from one frequency to another at regular intervals, thus avoiding interference. Bluetooth uses a maximum of 79 Baseband frequencies to avoid channels suffering from interference (Haataja, 2009).

2.1 Bluetooth Evolution

Bluetooth Technology has advanced a lot since its first specification was formalized on May 20, 1998 by the Bluetooth SIG. There have been different core specification versions, each building on the previous version. The earliest version of the Bluetooth specification was named Bluetooth 1.0A and was released in July 1999; the improved version (Bluetooth 1.0B), in which device manufacturers fixed interoperability problems, was made public in December 1999 (Haataja, 2009). Fortunately, every version of the Bluetooth core specification allows backward compatibility, which allows the latest version to support older versions (Bluetooth SIG, 2020).

The technology which creates interoperable Bluetooth-enabled devices that make up the Bluetooth ecosystem is defined by the Bluetooth Core specification: it is regularly enhanced and updated by the Bluetooth SIG Working Group. There are four specifications produced by the Bluetooth Core Specification Working Group (CSWG): Core Specification Supplements (CSS), Errata, Core Specification Addendum (CSA), and Bluetooth Core Specification.

2.1.1 Bluetooth 1.0A

The first Bluetooth specification ever released. Most device manufacturers encountered limitations in making Bluetooth-enabled devices interoperable (Haataja, 2009).

2.1.2 Bluetooth 1.0B

Bluetooth specification 1.0B was released in the same year as Bluetooth 1.0A to solve the interoperability problems. The problem that makes anonymity impossible at the protocol level, caused by the Bluetooth hardware device address (BD_ADDR), is still unsolved in this version (Biham and Neuman, 2020).

2.1.3 Bluetooth 1.1

Bluetooth 1.1 was ratified as Institute of Electrical and Electronics Engineers (IEEE) standard 802.12.1-2002 (IEEE, 2002). Problems encountered in implementing Bluetooth 1.0B were rectified. The upgrade introduces non-encrypted channels functionality and received signal strength indicator (RSSI).

2.1.4 Bluetooth 1.2

Bluetooth 1.2 improves the speed of connection and discovery. The speed of transmission becomes faster compared to the previous versions. It gains resistance to radio frequency interference using Adaptive Frequency Hopping (AFH). There is also improvement in voice quality and audio latency of the radio link by Extended synchronous connection (eSCO). For L2CAP, Bluetooth 1.2 introduced flow control and retransmission mode. Bluetooth 1.2 was ratified as IEEE standard 802.15.1-2005 (IEEE, 2005).

2.1.5 Bluetooth 2.0 + EDR

This Bluetooth Core Specification offers the option of Enhanced Data Rate (EDR). EDR allows faster data transfer and, by using a reduced duty cycle, lower power consumption (Bluetooth SIG, 2006).


2.1.6 Bluetooth 2.1 + EDR

This version was adopted by the Bluetooth SIG on July 26, 2007. The significant improvement of this Bluetooth Core Specification version is the addition of Secure Simple Pairing (SSP), which increases the ease of pairing and the security level. It also introduces Extended Inquiry Response (EIR), which enables better screening of devices before connection (Bluetooth SIG, 2006).

2.1.7 Bluetooth 3.0 + HS

Adopted by the Bluetooth SIG on April 21, 2009. The significant improvement is 802.11, high-speed transport, and Alternative MAC/PHY (AMP). AMP prioritizes the use of lower connection models when the system is idle and the faster radio when the system needs to send massive data (Bluetooth SIG, 2009).

2.1.8 Bluetooth 4.0

The improvement of this version is the Bluetooth Low Energy (BLE) protocol. Other improvements are the change to allow BLE modes, Generic Attribute Profile (GATT), and Advanced Encryption Standard (AES) for the security manager (Bluetooth SIG, 2010).

2.1.9 Bluetooth 4.1

This version of the Bluetooth core specification was adopted on December 4, 2013 by the Bluetooth SIG. Bluetooth version 4.1 specification is an updated version of the previous Bluetooth Specification 4.0 where Bluetooth Core Specification Addenda (CSA) was incorporated. Some of the new features include Dual Mode and Topology, LE Link Layer Topology, Mobile Wireless Service Coexistence Signaling, Low Duty Cycle Directed Advertising, 802.11n PAL, and Fast Data Advertising Interval (Bluetooth SIG, 2013).

2.1.10 Bluetooth 4.2

This core specification was released on December 2, 2014. Its improvements are features that introduce Internet-of-Things (IoT), such as Internet protocol support profile (IPSP) version 6, IPSP-enabled smart home through Bluetooth smart things. Other significant improvements include Link-layer privacy extended scanner filter policies and Data packet length extension of Low Energy Secure Connection (Bluetooth SIG, 2014).


2.1.11 Bluetooth 5.0

On December 6, 2016, the Bluetooth SIG released Bluetooth 5.0, with the main improvement targeted towards new IoT technology. It introduces options that can either double the speed (2 Mb/s) at the expense of range, or extend the range fourfold at the expense of data transfer rate. Bluetooth 5.0 also introduced connectionless services, such as location-relevant navigation. The Park State feature was removed in Bluetooth Core specification 5.0. Some of the significant improvements are Low Energy (LE) Advertising Extensions, LE Channel Selection Algorithm #2, LE Long Range, 2 Mb/s PHY for LE, Slot Availability Mask (SAM), and Higher Output Power, added in Core Specification Addendum 5.0 (Bluetooth SIG, 2016).

2.1.12 Bluetooth 5.1

This version was introduced on January 21, 2019. The significant improvements are GATT Caching, Advertising Channel Index, Periodic Advertising Sync Transfer, Angle of Arrival (AoA), and Angle of Departure (AoD) used for location and tracking (Bluetooth SIG, 2019). The Core Specification Addendum (CSA) 6 added the following features: Mesh-based model hierarchy and Models. Unit Keys were removed from Bluetooth Core specification 5.1 (Bluetooth SIG, 2019).

2.1.13 Bluetooth 5.2

Published on December 31, 2019. This version introduced Enhanced Attribute Protocol (EATT), LE Power Control, and LE Isochronous Channels. EATT is an improved version of the Attribute Protocol (ATT). In addition to the features mentioned earlier, the Bluetooth SIG announced LE Audio in January 2020. LE Audio lowers battery consumption and allows protocols to carry sound (Bluetooth SIG, 2019). LE Audio allows one audio source to connect with multiple headphones or a headphone to connect to many audio sources.

2.2 Bluetooth Adoption

For over 20 years, Bluetooth technology has improved greatly, with a series of updates. It has also met the growing demands for wireless technology innovation (Bluetooth SIG, 2020). According to the market update 2020 released by the Bluetooth SIG, its shipments continue to grow as shown in Figures 1 and 2: the shipment of Bluetooth-enabled devices in 2020 was about 4.6 billion and is estimated to reach 6.2 billion by 2024.


Figure 1. Total Annual Bluetooth Device Shipments. (ABI Research, 2020)

Figure 2. Annual Bluetooth Device Shipments by Radio Version. (ABI Research, 2020)


Bluetooth technology delivers a complete, fit-for-purpose solution to serve the need for wireless connectivity: starting from Audio Streaming, it expands to Device Networks, Data Transfer, and Location Services.

2.2.1 Audio Streaming

Media consumption has widely increased the adoption of Bluetooth technology and the introduction of LE Audio will reinforce the revolution (see Figure 3). Adopting the technology in earbuds, cars, headsets, smart speakers, and soundbars has changed calling, listening, watching, or controlling voice assistants.

Figure 3. Annual Bluetooth Audio Streaming Device Shipments. (ABI Research, 2020)

2.2.2 Data Transfer

Bluetooth technology connects billions of everyday devices (see Figure 4). It allows easy pairing and real-time data transfer thanks to its adoption in developing sport, fitness, health, and wellness wearables. It is powering the world of the Internet-of-Everything (IoE).


Figure 4. Annual Bluetooth Data Transfer Device Shipments. (ABI Research, 2020)

2.2.3 Location Services

Solutions developers for point of interest information, wayfinding, positioning systems for asset tracking, and item finding prefer Bluetooth technology as a reliable tool (see Figure 5). The Bluetooth Indoor Positioning System (IPS) is the preferred choice of technology for indoor GPS.

Figure 5. Annual Bluetooth Location Services Device Shipments. (ABI Research, 2020)


2.2.4 Device Networks

The need to connect many devices and have the capability to control, monitor, and automate all these devices has found the Bluetooth mesh network ideal. In the past two years, the adoption of Bluetooth mesh has been powering complex building automation, whose shipments have doubled every six months, and there is no indication this will slow down or backtrack, as Figure 6 illustrates (Bluetooth SIG, 2020).

Figure 6: Annual Bluetooth Device Networks Device Shipments. (ABI Research, 2020).

2.3 Overview of Bluetooth Technology

2.3.1 Bluetooth Wireless Technology

Basic Rate (BR) and Low Energy (LE) are the two types of Bluetooth wireless technology systems. Some Bluetooth-enabled devices implement both systems. These devices can communicate with other devices implementing both LE and BR and also with those implementing either LE or BR. Both types facilitate device discovery, define the connection mechanism, and enable device connection.

Basic Rate (BR) System

BR systems offer synchronous and asynchronous connections and operate at a data transfer rate of 721.2 kb/s. The data transfer rate for Enhanced Data Rate (EDR) is 2.1 Mb/s and high-speed operation


system includes optional Enhanced Data Rate (EDR), Alternate Media Access Control (MAC), and Physical (PHY) layer extensions” (Bluetooth SIG, 2020).

Low Energy (LE) System

LE supports an optional 2 Mb/s physical layer data rate. It also offers isochronous data transfer, both in the connectionless and connection-oriented mechanisms. The LE system is designed to enable products that require low data transfer rates and low duty cycles (Kabalchi & Kabalchi, 2019). LE consumes less power: it is cheap and less complex compared to BR and EDR (Bluetooth SIG, 2020).

2.3.2 Bluetooth Protocols

A variety of protocols are used in data exchanges in a Bluetooth-enabled system, grouped as the controller stack and the host stack. The Bluetooth Core system comprises one or more controllers and a host. The host is the higher layer protocol of the Bluetooth stack, responsible for the communication between the controller and the applications. The Bluetooth SIG defines the Core protocols.

2.3.3 Controller Stack

The controller stack contains the critical radio interface of the Bluetooth protocol. It is usually a considerably cheap device enabled with Bluetooth radio and a microprocessor (Enrico & Quaglia, 2020).

Some of the protocols are the following:

• Asynchronous Connection-Less (ACL): ACL serves as a transmission link through which data is transferred in a Bluetooth-enabled system with an access code of 72 bits, a packet header of 54 bits, a payload, and a CRC of 16 bits. It is a preferred choice when avoiding latency is not as crucial as data integrity. It can achieve a maximum data rate of 1306.9 kb/s in symmetric data transfer and 2178.1 kb/s and 177.1 kb/s for outgoing data and incoming data, respectively (Haataja, 2009).

• Synchronous Connection-Oriented (SCO): SCO links transfer voice data. Encoded voice data is transmitted in the reserved timeslot with a packet sent every 1, 2, or 3 time slots. There is no retransmission. However, forward error correction is possible. The enhanced SCO (eSCO) provides much flexibility that improves radio availability for other links (Bluetooth SIG, 2020). The maximum data transfer rate in both directions in a symmetric SCO link is 64 kb/s (Haataja, 2009).

• Link Management Protocol (LMP): LMP takes care of the management of the Bluetooth link. It is implemented on controllers to manage radio links between two devices. It is responsible for negotiating features, monitoring device power, and administering connections (Gehrmann et al., 2004).

• Host Controller Interface (HCI): HCI standardizes interaction between controller and host. In a hostless system, the host stack and controller stack are implemented on the same microprocessor. The standard set by the HCI allows the swapping of host stack or controller, requiring minimum adaptation (Enrico & Quaglia, 2020). The use of HCI is optional, although it could function as a software interface.

• Low Energy Link Layer (LELL): LELL manages scanning, connection, advertisement, and security.

2.3.4 Host Stack

The host stack is used in high-level data handling. It also facilitates the communications between applications and controllers. In most cases, it is part of the operating system. Some of the protocols are the following:

• Logical Link Control and Adaptation Protocol (L2CAP): L2CAP presents an interface for all data applications that use Asynchronous Connection-Less (ACL) links. It achieves large data packet transmission by segmenting and then re-assembling the packet at the receiver side (Gehrmann et al., 2004). Therefore, data can fit into the limits of lower layer data packets. It manages the Quality-of-Service (QoS) for higher layer protocols and the single path transmission of multicast data to other Bluetooth devices (Ahmadi, 2016).

• Service Discovery Protocol (SDP): SDP plays a vital role in the Bluetooth ad-hoc networking capability, enabling device discovery and connection. It also discovers and lists what services and support other devices can render. In the protocol stack, SDP is bound to L2CAP. Every service and support is identified by a Universally Unique Identifier (UUID) (Bluetooth SIG, 2020).

• Bluetooth Network Encapsulation Protocol (BNEP): BNEP is a protocol utilized by the personal area network (PAN). It is part of L2CAP in the protocol stack. BNEP delivers network packets to L2CAP. Its functions are included into Subnetwork Access Protocol (SNAP) in wireless Local Area Networks (LAN). BNEP provides network capabilities to devices that use

• Radio Frequency Communication (RFCOMM): RFCOMM is a set of protocols bound to L2CAP in the protocol stack. It is responsible for ensuring that the user has reliable access and a simple data stream. The RFCOMM API is readily available on most operating systems and this makes it a favored choice in Bluetooth devices.

• Telephony Control Protocol (TCS): TCS manages the setup and control of voice data (speech and calls) between Bluetooth devices. It is sometimes called telephony control protocol specification binary.

• Audio/Video Control Transport Protocol (AVCTP): AVCTP is bound to L2CAP on the protocol stack. It is used by the remote-control profile to transfer AV/C commands.

• Audio/Video Data Transport Protocol (AVDTP): It is bound to L2CAP on the protocol stack. AVDTP is essential in video streaming and it is used in the video distribution profile (Bluetooth SIG, 2020).

• Low Energy Attribute Protocol (ATT): ATT is like SDP redesigned to be compatible with low-energy Bluetooth. ATT supports clients to write/read essential attributes revealed by the server in a simple, low-power-compatible format (Ray & Agarwal, 2016).

• Low Energy Security Manager Protocol (SMP): In the LE Bluetooth system, SMP implements pairing and manages the transport-specific key distribution. It is bound to L2CAP in the protocol stack.

2.4 Bluetooth Communication

The capability to set up a network with Bluetooth has been available since its inception: however, Bluetooth 5.0 increases this capability and makes Bluetooth a technology of choice in the IoT.

Bluetooth networks use piconet topology. A device serves as master, with the capability to connect to a maximum of seven active slave nodes. The limitation in the number of connections of slave nodes or devices is a result of the 3-bit address used. There are three types of connections in Bluetooth communication:

• Asynchronous Connection-Less (ACL): This is used for symmetric or asymmetric data transfer. Data integrity is ensured through retransmission (Haataja et al., 2013). It has a maximum data rate of 1306.9 kb/s for both directions in symmetric data transfer and a maximum of 2178.1 kb/s for outgoing data and 177.1 kb/s for incoming data in asymmetric data transfer (Haataja, 2009).

• Synchronous Connection-Oriented (SCO): This is used to transfer voice data in real time. The link is symmetric and does not use retransmission of voice packets, hence the possibility of distorted voice when the Bit-Error-Rate (BER) is high. The maximum data transfer rate is 64 kb/s for both directions (Haataja, 2009).

• Enhanced Synchronous Connection-Oriented (eSCO) is also used to transfer real-time two-way voice. However, unlike SCO, eSCO uses retransmission of packets to ensure voice data integrity (Haataja, 2008). The maximum data transfer rate is 288 kb/s in both directions using multislot packets (Ferro & Potorti, 2005).

When Bluetooth devices communicate, they form a piconet. This piconet can be referred to as an ad-hoc network, which means it connects wireless devices through the Bluetooth technology protocol. One piconet can have up to seven active devices as slaves and a master device. When there are two or more piconets, a scatternet is formed: this helps to eliminate Bluetooth connection range restrictions. In principle, relaying data between piconets requires them to have a common device (Haataja et al., 2013).

Figure 7 below depicts a single slave piconet and multi-slave piconet in the A and B diagrams.

Figure 7. Single and Multi-Slave Piconets.

As shown in Figure 8, a scatternet member is a slave in more than one piconet when using ACL links. Devices 1, 2, 3, 4, 5, 6, 7, 8, and 9 are devices in a scatternet. Device 1 is the master in piconet A and device 6 is the master in piconet B. Devices 2, 3, 4, and 5 are slaves in piconet A, while devices 5, 7, 8, and 9 are slaves in piconet B. Device 5 is a slave in both piconets A and B. Piconets A and B, which are not synchronized, form a scatternet: thus, device 5 will multiplex between piconets A and B (Haataja, 2009).

Figure 8. Bluetooth topology using ACL links.

In Figure 9, the Bluetooth topology when using SCO or eSCO is shown. The scatternet member is a slave in piconet A and master in piconet B. Device 1 is the master for piconet A with devices 2, 3, 4, and 5 as slaves. In piconet B, device 5 is the master and devices 6, 7, 8, and 9 are slaves. (Bluetooth SIG, 2007)


Figure 9. Bluetooth topology using SCO or eSCO links.

2.4.1 Bluetooth Security

The Bluetooth specification has taken care of the security issues, and security has improved alongside the Bluetooth specification. In the Bluetooth specification architecture, security at the link level is tasked to four entities:

• Bluetooth Device Address (BD_ADDR): This 48-bit address is unique to every individual Bluetooth device.

• The Random Number (RAND): A pseudo-randomly generated 128-bit number.

• The Private Encryption Key: A pseudo-randomly generated 8-128-bit number.

• Private Authentication Key: A pseudo-randomly generated 128-bit number.

The Bluetooth security in the Generic Access Profile (GAP) can be divided into the following modes as discussed in (Haataja, 2009):

• Nonsecure Mode: In this mode, there is no initiation of security measures.

• Service-Level Enforced Security Mode: A nonsecure ACL link can be established between two devices. However, when L2CAP CL (Connection-Less) or L2CAP CO (Connection-Oriented) is initiated, authorization, authentication, and optional encryption occur.

• Link-Level Enforced Security Mode: Upon initiating an ACL link, authorization, authentication, and encryption procedures occur.

• Service-Level Enforced Security Mode: Practical to Bluetooth devices using SPP. It is similar to the service-level enforced security.

The link-level enforced security is different from service-level enforced security in that before the channel is established, Bluetooth device would have implemented security procedures. Services can be open to all devices, require authentication only, or require both authorization and authentication (Müller, 1999). There are two security levels for devices, trusted and untrusted devices, with a trusted device having unrestricted access to all services.

2.4.2 Bluetooth Pairing

The Bluetooth pairing concept was well established and designed to be easy, providing a wireless connection and thus enabling the setting up of networks. Pairing is the essential first step in connecting two Bluetooth devices; establishing a connection, the state in which paired devices communicate, happens after pairing. In order to pair two devices, a shared key is used to authenticate both devices. This shared key is also known as the PIN code. The user usually initiates the pairing of two devices and the process proceeds automatically after a device has received the request. Pairing is essential to establish keys to encrypt a link: the keys are shared via a transport-specific key distribution.

The methods and protocols for pairing and key distribution are defined by the Security Manager, which employs a key distribution procedure to implement identity verification and encryption. The keys can encrypt a link in future connections, be employed in signed data verification, or be used to perform random address resolution (Bluetooth SIG, 2020).

The phases of pairing are listed below:

• Pairing feature exchange.

• Short Term Key (STK) generation (LE Legacy Pairing).

• Long Term Key (LTK) generation (LE Secure Connections).

• Transport specific key distribution.

In the Bluetooth 4.2 Core specification, the secure connections feature was introduced for the LE physical transport, which advanced the technology of pairing. AES-CMAC and the P-256 elliptic curve, which are FIPS-approved algorithms, were introduced (Bluetooth SIG, 2014). Therefore, to distinguish it from the secure connections introduced by Bluetooth 4.2, LE pairing in the previous Core specifications 4.0 and 4.1 is termed “LE Legacy Pairing” (see Figure 10).


Figure 10. Legacy Pairing and Secure Connection flow chart. (Bluetooth SIG blog, 2020)

2.4.3 Bluetooth Bonding

While pairing is the verification of each device’s security attributes and creating temporary encryption, Bluetooth bonding involves the verification of long-term keys: this happens after pairing has occurred and then the keys are stored for future use. Paired devices already bonded can be easily connected next time.

2.4.4 Bluetooth Authentication

Authentication is the process of ensuring secure connection through identification verification of piconets attempting to connect. Bluetooth technology uses a challenge-response to perform this verification, in which a secret link key is shared between connecting devices. The claimants’ understanding of the secret key is verified with the use of symmetric keys. It is not a requirement that the master


As shown in Figure 11, the challenge-response method is based on the following steps (Iqbal et al., 2010):

• The verifier device randomizes and sends the challenge to claimant.

• The claimant responds with its (BD_ADDR).

• The claimant then computes the authentication response with the E1 algorithm and calculates the Signed Response (SRES) using AU_RAND, BD_ADDR_B, and the link key as inputs. 32 bits of the 128 bits are utilized at this stage and the remaining 96 bits form the input of the Bluetooth encryption key.

• The verifier performs exact computation as above.

• Claimants send selected 32 bits of the E1 output and SRES to the verifier.

• Verifier compares own output of E1 algorithm and received SRES.

• When the 32 bits match, the authentication is successful, otherwise authentication fails.

To ensure mutual authentication, the process listed above needs to be repeated with the claimant and verifier switching roles. There is a waiting interval between a failed authentication with a claimant and a new authentication attempt. The waiting interval increases with each subsequent failed authentication to prevent attackers from setting up multiple authentication attempts in a short time.

Figure 11. Bluetooth Authentication process.
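The challenge-response exchange, the role switch for mutual authentication and the growing waiting interval described above, as an added example that is not part of the thesis. E1 is replaced by a truncated HMAC-SHA256 stand-in; the `Device` class, the constructed addresses and keys, and the doubling, cap and reset of the waiting interval are assumptions of this example.

```python
import hashlib
import hmac
import os

SRES_LEN, ACO_LEN = 4, 12   # 32-bit response; remaining 96 bits of the 128-bit output

# Constructed sample values, not taken from any real device.
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")
KEY_AB = bytes(range(16))


def e1_standin(link_key, au_rand, bd_addr):
    """Stand-in for E1 (assumption): HMAC-SHA256 truncated to 128 bits.

    The real E1 is a different algorithm; only the input/output shape matches.
    Returns (SRES, remaining 96 bits).
    """
    out = hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:16]
    return out[:SRES_LEN], out[SRES_LEN:]


class Device:
    def __init__(self, bd_addr, link_keys, base_wait=1.0, max_wait=64.0):
        self.bd_addr = bd_addr
        self.link_keys = dict(link_keys)   # peer BD_ADDR -> shared link key
        self.base_wait, self.max_wait = base_wait, max_wait
        self.wait = {}                     # peer BD_ADDR -> current waiting interval (s)
        self.not_before = {}               # peer BD_ADDR -> earliest next attempt

    def respond(self, verifier_addr, au_rand):
        """Claimant: compute SRES from AU_RAND, own BD_ADDR and the link key."""
        key = self.link_keys.get(verifier_addr, bytes(16))
        return e1_standin(key, au_rand, self.bd_addr)[0]

    def verify(self, claimant, now):
        """Verifier: returns 'ok', 'fail' or 'wait' (still inside the waiting interval)."""
        peer = claimant.bd_addr
        if now < self.not_before.get(peer, 0.0):
            return "wait"
        au_rand = os.urandom(16)                      # fresh challenge for every attempt
        sres = claimant.respond(self.bd_addr, au_rand)
        key = self.link_keys.get(peer)
        expected = e1_standin(key, au_rand, peer)[0] if key else None
        if expected is not None and hmac.compare_digest(sres, expected):
            self.wait.pop(peer, None)                 # assumption: reset on success
            self.not_before.pop(peer, None)
            return "ok"
        # Failed attempt: the interval grows (doubling and the cap are assumptions).
        nxt = min(self.wait.get(peer, self.base_wait / 2) * 2, self.max_wait)
        self.wait[peer] = nxt
        self.not_before[peer] = now + nxt
        return "fail"


def mutual_authenticate(a, b, now):
    """Run the procedure twice with the roles switched; both runs must succeed."""
    return a.verify(b, now) == "ok" and b.verify(a, now) == "ok"


def demo():
    a = Device(ADDR_A, {ADDR_B: KEY_AB})
    b = Device(ADDR_B, {ADDR_A: KEY_AB})
    # A claimant that presents B's address but does not hold the shared link key.
    wrong_key = Device(ADDR_B, {ADDR_A: b"\xff" * 16})
    results = [mutual_authenticate(a, b, now=0.0)]
    for t in (10.0, 10.5, 11.0, 12.0, 13.0):
        results.append((t, a.verify(wrong_key, now=t), a.wait.get(ADDR_B)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The verifier keys its waiting interval on the claimed BD_ADDR, so the log of `wait` results is also a natural signal for detecting repeated failed attempts against one address.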

2.4.5 Bluetooth Threats and Vulnerabilities

The wide adoption of Bluetooth technology in all areas of life has made it a target to attackers. However, most known vulnerabilities might have been addressed in an updated version of Bluetooth Core specification. New threats and vulnerabilities always emerge. Some of the new threats and vulnerabilities of year 2020 are the following:

1. Bluetooth Impersonation Attacks (BIAS): The BIAS attack is possible due to a vulnerability in the Bluetooth specification that allows an attacker to impersonate a device during secure connection establishment. This vulnerability results from the lack of mandatory mutual authentication, authentication procedure downgrade, and overly permissive role switching (Antonioli, 2020).

2. Integer Overflow Vulnerability in Android: An incorrect bounds calculation may result in an out-of-bounds write, which could result in remote execution over Bluetooth without additional execution privileges (Huawei, 2020). The integer overflow vulnerability in Android was assigned the Common Vulnerabilities and Exposures identifier CVE-2020-0022.

Bluetooth, as a wireless connection, is subject to threats such as Denial-of-Service (DoS), impersonation, Man-in-the-Middle (MITM) attacks, and eavesdropping. Integrity threats involve information being altered to mislead the recipient. A disclosure threat implies information leaked to an unauthorized eavesdropper. A Denial-of-Service (DoS) threat involves an attacker blocking or limiting access to the service.

Besides the general wireless protocol threats, some other threats are particular to Bluetooth-enabled devices (Stirparo & Loschner, 2013), such as:

Incorrect Protocol Implementation: Flaws in implementation have been the reason for the well-known Bluetooth security breaches. The security quality is a function of the product-specific implementation.

Location Tracking: Devices powered by Bluetooth technology broadcast their unique address, essential for connecting with other devices. However, this also makes tracking possible.

Key Management: Key disclosure or tampering is possible.

Bluejacking: Social engineering attack on a susceptible Bluetooth device that sends unsolicited messages to compromised devices.


3 DEEP LEARNING

3.1 Introduction to Deep Learning

Deep learning (DL) is a subset of machine learning (IBM, 2020), and machine learning (ML) can be termed a branch of Artificial Intelligence (AI). Therefore, we first lay out some background information to elucidate the relationship.

AI is a vast discipline that has continued to evolve. The concept was first proposed in 1950 by Alan Turing. He introduced the “Turing Test” to investigate whether a machine can exhibit the same level of intelligence as a human. In 1956, John McCarthy introduced the name “Artificial Intelligence”. There are various definitions of what AI entails. However, for the purpose of this thesis, we will define AI as the simulation of human intelligence in machines, enabling machines to perform tasks commonly associated with intelligent beings. Subsets of AI are shown in Figure 12.

Figure 12. Artificial Intelligence subsets.

Machine Learning (ML) is a subdivision of artificial intelligence involving systems that can learn from data to understand patterns and infer decisions without being specifically programmed. It is primarily concerned with algorithms that allow a system to learn from historical data, identify patterns, and make decisions (IBM, 2020). The algorithm improves automatically through experience. There are three subdivisions of machine learning, as shown in Figure 13:

Figure 13: Machine Learning Subdivision.

Supervised Learning: When systems learn from known datasets to predict the output, this is termed as supervised learning. There are two categories of algorithms used in supervised learning, they are:

o Classifications

o Regression

Reinforcement Learning: In reinforcement learning, an AI agent is trained by giving some commands and it gets rewards on each action as a feedback, thus improving the performance. There are two types of reinforcement learning:

o Negative Reinforcement learning

o Positive Reinforcement learning

Unsupervised learning: In unsupervised learning, agent learns from patterns without corresponding output values. The algorithms are trained with unlabelled and unclassified data. Unsupervised learning can be classified into two categories:

o Association

o Clustering

Deep learning (DL) is a subset of machine learning, as shown in Figure 12. Deep learning emulates the human brain, empowering systems to learn and perform complex tasks (IBM, 2020). DL enables machines to perform intelligent, human-like tasks without human involvement. Deep learning relies on neural network architecture: it works on a deep neural network made of multiple layers, as shown in Figure 14.

Figure 14: Deep Neural Network. (IBM cloud education, 2014)

It gains the adjective "deep" because of the multiple layers in the network. Deep learning became possible and effective in the era of big data availability and advances in computing power and algorithms (Hemsoth, 2017). The major difference between DL and other ML is its capability to learn from unstructured and unlabeled data (IBM, 2020).

3.2 Artificial Neural Network

Artificial neural networks (ANNs), usually called neural networks (NNs), emulate the processing capability of biological neural systems (Meyer-Baese, et al., 2014). An ANN is an algorithm that takes in data as input and passes the data to the hidden layer, where calculations are made and an inference is deduced, before the data is sent to an output layer, where the inference is assigned a probability (IBM, 2020). It could also be defined as an adaptive statistical model that draws inspiration from and emulates the working principle of human neurons (Abdi et al., 2011). The fundamental concept is to interconnect a high number of simple processing elements to build a system capable of performing complex processing tasks. An ANN consists of simulated neurons. Each neuron is a node connected to other nodes through links that correspond to biological axon-synapse-dendrite connections. The weight of each link determines the level of influence of one node on another. The main attributes of ANNs are their many parallel processing architectures and their ability to learn from inputs. There are corresponding learning algorithms for each type of ANN that allow training in an iterative updating manner (Meyer-Baese, et al., 2014). These algorithms can be categorized as supervised and unsupervised learning.

3.2.1 Artificial Neuron

The building blocks of an ANN are basic artificial neurons, also called perceptrons (Sahu, 2018). The artificial neuron and the perceptron algorithm were invented by Frank Rosenblatt (Lingireddy & Brion, 2005).

An ANN is composed of interconnected artificial neurons. Figure 15 shows a representation of an artificial neuron.

Figure 15: Artificial Neuron. (Lingireddy & Brion, 2005)

An artificial neuron takes the inputs, aggregates them, and gives the output, based on a function, to the neighbouring neuron. Inputs are represented by $x_1$ to $x_n$ and the weights of the connections by $w_1$ to $w_n$. The summation of the inputs and weights is fed through the transfer function, a threshold unit for output generation; $b$ is the bias.

Equation 1 depicts the operation of the perceptron, where the neural threshold, whose value is always 1, is seen as a new input node with weight equal to $b$ and a summation from 0 to n (Cain, 2017).


$$y = \begin{cases} 1, & \sum_{i=1}^{n} w_i x_i \ge b \\ 0, & \sum_{i=1}^{n} w_i x_i < b \end{cases} \tag{1}$$

Using bipolar sigmoid F(y) as transfer function, we can represent the neuron output “z” as shown in Equation 2 where y is the summation of input (Abdullah et al., 2011).

$$z = F(y) = \frac{2}{1 + e^{-y}} - 1 \tag{2}$$

Asides from bipolar sigmoid used as the activation function in Equation 2, there are other common neuron activation functions (Duch & Jankowski, 2000) as shown in Table 1.

Table 1: Neuron activation functions.

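| Function | Definition |
|---|---|
| Threshold | $g(x) = 1$ for $x > 0$, $g(x) = 0$ for $x < 0$; undefined for $x = 0$ |
| Linear | $g(x) = x$ |
| Sigmoid (Logistic) | $g(x) = \frac{1}{1 + e^{-x}}$ |
| Bipolar Sigmoid | $g(x) = \frac{2}{1 + e^{-x}} - 1$ |
| Gaussian | $g(x) = e^{-\frac{x^2}{2\sigma^2}}$ |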

As a mathematical expression, the linear threshold unit (LTU) was the first artificial neuron. An LTU (see Figure 16) is made up of an input X with n values, a mathematical operation that applies the activation function to the computed weighted sum, and an output y.

Figure 16: Linear Threshold Unit. (Medium, 2019)

The weighted sum z is the product of the inputs and their weights, shown in Equation 3.

$$z = w^T \cdot X = \sum_{i=1}^{n} w_i x_i \tag{3}$$

When Heaviside step activation function is applied, we have Equation 4:

$$\mathrm{step}(z) = \begin{cases} 0 & \text{if } z < 0 \\ 1 & \text{if } z \ge 0 \end{cases} \tag{4}$$

The step function outputs are 1 and 0, hence output y in Equation 5 is binary. A single LTU is capable of binary classification (Daniel, 2019).


$$y = \mathrm{step}(z) = \mathrm{step}(w^T \cdot x) \tag{5}$$

When dealing with a perceptron that has more than one LTU, we introduce a bias vector b to calculate the weight vector of each LTU, as shown in Equation 6.

$$y_1 = \mathrm{step}(z_1) = \mathrm{step}(w_1^T \cdot x + b_1)$$

$$y_2 = \mathrm{step}(z_2) = \mathrm{step}(w_2^T \cdot x + b_2) \tag{6}$$

If we combine the two LTUs, $y_1$ and $y_2$, we have Equation 7:

$$y = \mathrm{step}(w \cdot x + b) \tag{7}$$

Single layer perceptron can be termed as the simplest form of feedforward neural network: it has the limitation of being able to handle only linearly separable problems (Gallo, 2015). This problem is solved by multilayer perceptron. Feedforward neural network depicts the fundamental principle of neural network and more complex ANN are built on this working principle.

3.2.2 Gradient Descent

Gradient descent is of paramount importance in neural networks. The gradient is the point derivative of a function; descending in the opposite direction of the gradient gives gradient descent. Finding the solution to the simple linear Equation 8 helps to understand the gradient:

$$y = w_1 x_1 + w_2 x_2 \tag{8}$$

Assuming values of $w_1$ and $w_2$ that are true for $y$, $x_1$ and $x_2$ (see Equation 9):

$$\hat{y} = w_1 x_1 + w_2 x_2 \tag{9}$$

Since we assume the values of $w_1$ and $w_2$, we can then calculate the error (see Equations 10 and 11):

$$C = \frac{1}{2}(y - \hat{y})^2 \tag{10}$$

$$C = \frac{1}{2}(y - w_1 x_1 - w_2 x_2)^2 \tag{11}$$

The error can be computed using Equation 11; the quantity in this equation is simply called the Cost or Cost function.

Now, to get the values of $w_1$ and $w_2$ for which the cost is minimum, we take the derivative of C with respect to $w_1$ and $w_2$, at the point where it equals zero (see Equations 12 and 13):


$$\frac{dC}{dw_1} = \frac{1}{2} \cdot 2\,(y - w_1 x_1 - w_2 x_2)(-x_1) \tag{12}$$

$$\frac{dC}{dw_2} = \frac{1}{2} \cdot 2\,(y - w_1 x_1 - w_2 x_2)(-x_2) \tag{13}$$

Equations 12 and 13 are the gradients. However, to reach the minimum, we update the weight values gradually in the direction of the minimum, which is opposite to the gradient (see Equations 14 and 15):

$$w_1 \rightarrow w_1 - lr \cdot \frac{dC}{dw_1} \tag{14}$$

$$w_2 \rightarrow w_2 - lr \cdot \frac{dC}{dw_2} \tag{15}$$

$lr$ is the learning rate; Equations 14 and 15 are the gradient descent updates.

3.2.3 Multilayer Perceptron

The multilayer perceptron (MLP) has many applications and is thus an important type of neural network. The MLP architecture is defined by an input layer, one or more hidden layers, and an output layer, each layer comprising at least one neuron (Meyer-Baese, et al., 2014). The choice of the number of neurons and hidden layers is a function of the problem to solve. When there are too many or too few neurons, the network’s ability to generalise is limited, either through overfitting, where input patterns are memorised, or through an inability to represent input-space features (IBM, 2020). An MLP can handle data that cannot be separated linearly.

In MLP every single node in a layer is connected to each node in the following layer and therefore it is fully connected. Figure 17 shows what a multilayer perceptron looks like.


Figure 17: MLP network. (IBM, 2020)

MLP employs sigmoidal kernel functions as linear weight and hidden unit (Meyer-Baese, et al., 2014). Figure 18 depicts an MLP with 3 LTUs in the hidden layer and 2 LTUs in the output layer.

Figure 18: Multilayer perceptron showing LTUs in hidden and output layer. (David, 2019)

The calculation is the same as in Equation 6; however, there are more layers of LTUs to combine before reaching y (see Equation 16):

$$h_1 = \mathrm{step}(z_1) = \mathrm{step}(W_1 \cdot x + b_1)$$

$$y = \mathrm{step}(z_2) = \mathrm{step}(W_2 \cdot h_1 + b_2) \tag{16}$$


ANNs are trained in batches. If k instances (Equation 17) are selected from the available m instances and then combined, we have Equation 18:

$$x_1 = \begin{pmatrix} x_{1,1} \\ \vdots \\ x_{1,n} \end{pmatrix}, \; \ldots, \; x_k = \begin{pmatrix} x_{k,1} \\ \vdots \\ x_{k,n} \end{pmatrix} \tag{17}$$

$$X = \begin{pmatrix} x_1^T \\ \vdots \\ x_k^T \end{pmatrix} = \begin{pmatrix} x_{1,1} & \cdots & x_{1,n} \\ \vdots & \ddots & \vdots \\ x_{k,1} & \cdots & x_{k,n} \end{pmatrix} \tag{18}$$

Representing the input X as a matrix of form (k, n) shows that k is the number of instances and n the number of input values (David, 2019). Equation 19 represents the new way to calculate y:

$$y = \mathrm{step}(Z) = \mathrm{step}(X \cdot W + b) \tag{19}$$

The multilayer perceptron has bi-directional propagation, i.e., forward propagation and backward propagation. MLP uses a nonlinear activation function, the hyperbolic tangent or the logistic function. Inputs are multiplied with weights and supplied to the activation function, and in backpropagation the weights are modified to reduce loss.

3.3 Backpropagation

Bryson and Ho first introduced backpropagation in 1969, but it was not well known until 1986, when David Rumelhart, Geoffrey Hinton, and Ronald Williams published a paper titled “Learning representations by backpropagation”. Backpropagation is a short name for “backward propagation of error”: it is an algorithm that uses gradient descent for supervised learning of ANNs (McGonagle et al., 2019). In simple terms, the backpropagation algorithm allows the network to make guesses about the input data using its parameters, then measures the error with a loss function, and the error is sent back to adjust wrong parameters in the direction of less error (Pathmind, 2019); these also describe the three steps of the algorithm.

Backpropagation utilizes an error function on an ANN to calculate the gradient of that error function with respect to the input weights. It is the act of fine-tuning the weights considering the error rate noticed in the last epoch (Al-Masri, 2019). The backpropagation algorithm is bidirectional, with a forward and a backward direction. The training vector is input to the network in the forward direction and classified; recursive updating of the weights in tandem with the noticed error takes place in the backward direction (Meyer-Baese, 2014).

To represent the backpropagation algorithm mathematically, we initialize the weights with numbers not less than -0.1 and not greater than 0.1 (see Equation 20):

$$w_{ij} = \mathrm{random}([-0.1, 0.1]), \quad 0 \le i \le l, \; 1 \le j \le m$$

$$v_{jk} = \mathrm{random}([-0.1, 0.1]), \quad 0 \le j \le m, \; 1 \le k \le n \tag{20}$$

Equation 20 shows the initialization. We then proceed to put forward the training data $p^t = [p_1^t, p_2^t, \ldots, p_l^t]$ for the pair $(p^t, c^t)$, with $x_i = p_i$ for $1 \le i \le l$. To compute the values of the neurons at the hidden layers, we employ Equation 21:

$$h_j = \frac{1}{1 + \exp\left[-\left(w_{0j} + \sum_{i=1}^{l} w_{ij} x_i\right)\right]}, \quad 1 \le j \le m \tag{21}$$

Then we compute the values of the output neurons with Equation 22:

$$o_k = \frac{1}{1 + \exp\left[-\left(v_{0k} + \sum_{j=1}^{m} v_{jk} h_j\right)\right]}, \quad 1 \le k \le n \tag{22}$$

Equations 20, 21, and 22 are the same as those used to represent the flow of data in a perceptron during classification. We then proceed to represent the error at the output and hidden layer for forward computation, $\delta_{ok}$ and $\delta_{hj}$ respectively (see Equations 23 and 24):

$$\delta_{ok} = o_k (1 - o_k)(c_k^t - o_k) \quad \text{for } 1 \le k \le n \tag{23}$$

$$\delta_{hj} = h_j (1 - h_j) \sum_{k=1}^{n} \delta_{ok} v_{jk} \quad \text{for } 1 \le j \le m \tag{24}$$

If $v_{jk}$ represents the weight value after “t” training and the parameter $0 \le \eta \le 1$ denotes the learning rate, we can adjust the weights between the output and hidden layer using Equation 25:

$$v_{jk}(t) = v_{jk}(t - 1) + \eta \, \delta_{ok} h_j \tag{25}$$

Adjusting the weights in the backward computation between the hidden and input layer can be done using Equation 26:

$$w_{ij}(t) = w_{ij}(t - 1) + \eta \, \delta_{hj} p_i^t \tag{26}$$


For iteration, we repeat the steps from Equations 21 to 26.

Sequel to the random selection of the weight of the network, essential computation to minimize error is done using backpropagation algorithm. The algorithm stops when error function is negligible (Rojas, 1996). The steps are as follows:

• Feed-forward calculation

• Backpropagation to output layer

• Backpropagation to hidden layer

• Weight updates


4 Experimental Setup

Bluetooth-enabled device authentication involves sharing a 32-bit link key as a security measure before communication is allowed. The approach in this thesis is to represent the 32-bit link key as a randomly generated weight in the Neural Network Toolbox of MATLAB®. The concept is to store the link key as the weight matrix of a backpropagation neural network, which makes reverse tracking a difficult task, thus making the Bluetooth connection more secure.

4.1 MATLAB

MATLAB® is an abbreviation for matrix laboratory, published by MathWorks. It is computing and visualization software built on a matrix-based language that supports the most natural expression of computational mathematics (MathWorks Inc, 1994). The deep learning toolbox of MATLAB, among other functionalities, allows the setup, training, and simulation of neural networks through command-line functions and applications. The system requirements for MATLAB® and Simulink on the Windows operating system are: Windows 10, windows 7 service pack, Windows Server 2019 and Windows Server 2016. The minimum processor requirement is Intel or AMD x86/64, with a minimum of 3.4GB of HDD for the MATLAB® package and 8 GB for installation. The RAM should be at least 4GB, but 8GB is highly recommended.

4.2 Neural Network Implementation

We created a multilayer feedforward backpropagation ANN with one hidden layer. The number of neurons in the input layer, hidden layer, and output layer are 16, 32, and 16, respectively (see Figure 19). There are $n$ samples in the known training keys and $m$ samples in the unknown keys. We set the link key required for authentication as a 32-bit key $K$. We then split $K$ into two: $K_1$ and $K_2$. We input $K_1$, the first 16 bits of each key, into the neural network and compute $K_{output}$, with $K_2$ as the target. After the training, the trained ANN has $n$ keys stored in it. When $K_1 = K_{output}$ the system authenticates.


Figure 19. MATLAB implementation of neural network.

In our experimentation, $n = 100$ and $m = 10000$ (Table 2), and the number of epochs is 200.

Table 2. MATLAB workspace data.

| Name | Value |
|---|---|
| keys | 32 x 100 double |
| keys_length | 32 |
| known_keys_output | 16 x 100 double |
| net | 1 x 1 network |
| num_bits_differ_known_keys | 1 x 100 double |
| num_bits_differ_unknown_keys | 1 x 1000 double |
| num_of_keys | 100 |
| num_of_unknown_keys | 1000 |
| t_train | 16 x 100 double |
| tr | 1 x 1 struct |
| unknown_keys | 32 x 1000 double |
| unknown_keys_input | 16 x 1000 double |
| unknown_keys_output | 16 x 1000 double |
| unknown_keys_target | 16 x 1000 double |
| x_train | 16 x 100 double |
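Equations 21 to 26 of Section 3.3 applied to the key-storage setup of Section 4.2 (16-32-16 network, $K_1$ as input, $K_2$ as target), as an added example in Python that is not the thesis's MATLAB code. It assumes per-pattern updates, a learning rate of 0.3, 10 known and 200 unknown constructed keys, and that a key counts as recognised when the thresholded output equals its $K_2$ half; all function names are hypothetical.

```python
import math
import random

L_IN, M_HID, N_OUT = 16, 32, 16        # layer sizes from Section 4.2


def sigmoid(a):
    a = max(-60.0, min(60.0, a))       # keep exp() in range
    return 1.0 / (1.0 + math.exp(-a))


def init_weights(rng):
    """Eq. 20: weights in [-0.1, 0.1]; row 0 of each matrix is the bias (w_0j, v_0k)."""
    w = [[rng.uniform(-0.1, 0.1) for _ in range(M_HID)] for _ in range(L_IN + 1)]
    v = [[rng.uniform(-0.1, 0.1) for _ in range(N_OUT)] for _ in range(M_HID + 1)]
    return w, v


def forward(w, v, x):
    """Eq. 21 (hidden values h_j) and Eq. 22 (output values o_k)."""
    h = [sigmoid(w[0][j] + sum(w[i + 1][j] * x[i] for i in range(L_IN)))
         for j in range(M_HID)]
    o = [sigmoid(v[0][k] + sum(v[j + 1][k] * h[j] for j in range(M_HID)))
         for k in range(N_OUT)]
    return h, o


def train_step(w, v, x, c, eta):
    """One pattern (x, c): Eqs. 23-26. Returns the squared error before the update."""
    h, o = forward(w, v, x)
    d_o = [o[k] * (1 - o[k]) * (c[k] - o[k]) for k in range(N_OUT)]       # Eq. 23
    d_h = [h[j] * (1 - h[j]) * sum(d_o[k] * v[j + 1][k] for k in range(N_OUT))
           for j in range(M_HID)]                                         # Eq. 24
    for k in range(N_OUT):                                                # Eq. 25
        v[0][k] += eta * d_o[k]
        for j in range(M_HID):
            v[j + 1][k] += eta * d_o[k] * h[j]
    for j in range(M_HID):                                                # Eq. 26
        w[0][j] += eta * d_h[j]
        for i in range(L_IN):
            w[i + 1][j] += eta * d_h[j] * x[i]
    return sum((c[k] - o[k]) ** 2 for k in range(N_OUT)) / N_OUT


def random_key(rng):
    """A constructed 32-bit key as a list of bits; K1 = bits[:16], K2 = bits[16:]."""
    return [rng.randint(0, 1) for _ in range(L_IN + N_OUT)]


def num_bits_differ(w, v, key):
    """Feed K1, threshold the outputs at 0.5, count the bits that differ from K2."""
    _, o = forward(w, v, key[:L_IN])
    return sum(int(o[k] >= 0.5) != key[L_IN + k] for k in range(N_OUT))


def run_experiment(n_known=10, n_unknown=200, epochs=400, eta=0.3, seed=2021):
    rng = random.Random(seed)
    w, v = init_weights(rng)
    known = [random_key(rng) for _ in range(n_known)]
    unknown = []
    while len(unknown) < n_unknown:
        k = random_key(rng)
        if k not in known:
            unknown.append(k)
    mse = []
    for _ in range(epochs):
        errs = [train_step(w, v, key[:L_IN], key[L_IN:], eta) for key in known]
        mse.append(sum(errs) / len(errs))
    known_diff = [num_bits_differ(w, v, key) for key in known]
    unknown_diff = [num_bits_differ(w, v, key) for key in unknown]
    return mse[0], mse[-1], known_diff, unknown_diff


if __name__ == "__main__":
    first, last, kd, ud = run_experiment()
    print(f"MSE first epoch {first:.4f}, last epoch {last:.4f}")
    print("known keys, bits differing:", kd)
    print("unknown keys, mean bits differing: %.2f" % (sum(ud) / len(ud)))
    print("unknown keys matching all 16 bits:", ud.count(0))
```

Because the $K_2$ half of an unknown key is independent of the trained weights, each of its 16 output bits differs with probability 1/2, so the unknown-key mean stays near 8 bits however well the known keys are learned.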

4.2.1 Results

At the end of our training, as shown in the performance graph (see Figure 20) and training state plot (see Figure 21), the best training performance was 0.060238 and the Gradient was 0.00014975, at epoch 200.

Figure 20: Performance graph.


Figure 21: Training state plot.

Zero error was recorded (see Figure 22) and R square value from the regression plot is 0.9694 (see Figure 23). This implies 96% less variance.

Figure 22: Error histogram.


Figure 23: Regression plot.


5 CONCLUSION AND FUTURE WORK

In this thesis, we discuss the importance of Bluetooth technology in today’s digital world, its evolution, technology, and recent security threats and vulnerabilities. We proceed to explain the concept of deep learning, a subdivision of machine learning, which is itself a subset of artificial intelligence. We then introduce the concept of the artificial neural network, which is fundamental to deep learning. The perceptron, multilayer perceptron, and feedforward neural network are explained, leading to the backpropagation algorithm, which is very important in training neural networks.

Using the MATLAB neural network toolkit, we set up a feedforward neural network with the backpropagation algorithm. The input, hidden, and output layers have 16, 32, and 16 neurons, respectively. We represented the 32-bit link key of the Bluetooth authentication in weights and created 100 random known keys and 10 000 random unknown keys. 16 bits of each link key were classified as $K_1$ and used as input for training. The other 16 bits were classified as the target, which is $K_2$.

Our results demonstrate zero error: the number of unrecognised keys from the 100 known keys was zero, and none of the 10 000 unknown keys were recognised. Therefore, storing the Bluetooth link key as training parameters will help to improve Bluetooth security, because training parameters are harder to crack. The research questions can be answered as true, as the backpropagation algorithm of a neural network can be used to store the link key as a network parameter and it can improve Bluetooth security through more secure authentication.

There is a need for further research to answer some salient questions raised by this proposed method of securing Bluetooth devices. At this stage it is more promising for adoption in an isolated private Bluetooth network and will require a lot of extra effort to make it work. Some of the future work ideas are as follows. Firstly, more research is needed to ascertain the amount of processing power required to implement this method on Bluetooth devices, since Bluetooth devices in general have limited resources. Also, there is a need to simulate a Bluetooth network or communication and demonstrate this concept before it can be proven to be a viable approach to securing Bluetooth devices.


References

1. Abdi, H., Valentin, D., & Geem, Z. (2011). Neural network. SAGE Publications, Inc.

2. Antonioli, D., Tippenhauer, N. O., & Rasmussen, K. (2020). Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy. ACM Transactions on Privacy and Security, 23(3), 1–28. https://doi.org/10.1145/3394497

3. Bluetooth Special Interest Group. (2006). Simple White Pairing. Bluetooth SIG. https://web.archive.org/web/20061018032605/http:/www.bluetooth.com/NR/rdonlyres/0A0B3F36-D15F-4470-85A6-F2CCFA26F70F/0/SimplePairing_WP_V10r00.pdf

4. Cain, G. (2017). Artificial neural networks: new research. Nova Science Publishers, Inc.

5. Enquist, M., & Ghirlanda, S. (2005). Neural Networks and Animal Behavior (Monographs in Behavior and Ecology) (First Edition). Princeton University Press.

6. Fraccaroli, E., & Quaglia, D. (2020). Engineering IoT Networks. E Fraccaroli. https://www.springerprofessional.de/en/engineering-iot-networks/17583256

7. Gallo, C. (2021). A neural networks deep dive. IBM Developer. https://developer.ibm.com/articles/cc-cognitive-neural-networks-deep-dive/?mhsrc=ibmsearch_a&mhq=Multi-layer%20perceptron

8. Haataja, K. (1999). Security Threats and Countermeasures in Bluetooth-Enabled Systems. University of Eastern Finland.

9. Huawei - Building a Fully Connected, Intelligent World. (2020). Huawei. https://www.huawei.com/404/?aspxerrorpath=/en/news/2015/03/%3C!--$HttpRelativeWebRoot--%3Egroups/public/documents/webasset/en.css

10. IEEE Standard for Information technology-- Local and metropolitan area networks-- Specific requirements-- Part 15.1a: Wireless Medium Access Control (MAC) and Physical Layer (PHY) specifications for Wireless Personal Area Networks (WPAN). (2005, June 14). IEEE Standard | IEEE Xplore. https://ieeexplore.ieee.org/document/1490827/;jsessionid=Mgn6xHCL0laKIL64Yjp_c8mq94Z4ZhEUUnnthz03XQPxUvvU9kn5!997656547?tp=&arnumber=1490827&isnumber=32053


11. IEEE Standard for Telecommunications and Information Exchange Between Systems - LAN/MAN - Specific Requirements - Part 15: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Wireless Personal Area Networks (WPANs). (2002, June 14). IEEE Standard | IEEE Xplore. https://ieeexplore.ieee.org/document/1016473/;jsessionid=bFz6waODwBJJZzYq70snpvgFdxAa50zuWuxL0jZXF38QRJMjkbmY!-775129970?tp=&arnumber=1016473&isnumber=21872

12. Kabalci, E., & Kabalci, Y. (2019). From Smart Grid to Internet of Energy (1st ed.). Academic Press.

13. Karr, S. (2016). Specifications. Bluetooth® Technology Website. https://www.bluetooth.com/specifications/

14. Kattan, A., Abdullah, R., & Geem, Z. (2011). Artificial Neural Network Training and Software Implementation Techniques. Nova Science Publishers, Inc.

15. Lingireddy, S., & Brion, G. M. (2005). Artificial neural networks in water supply engineering. ASCE Publications.

16. McGonagle, J., Shaikouski, G., Williams, C., Hsu, A., Khim, J., & Miller, A. (2021). Backpropagation | Brilliant Math & Science Wiki. Brilliant Org. https://brilliant.org/wiki/backpropagation/

17. Muller, T. (1999). Bluetooth Security Architecture. Bluetooth SIG, 11. https://www.bluetooth.com/develop-with-bluetooth/build/download/download.asp?doc=174

18. Pathmind. (2019). A Beginner’s Guide to Backpropagation in Neural Networks. https://wiki.pathmind.com/backpropagation

19. Rahman, C. (2004). Bluetooth Technology Website. Bluetooth® Technology Website. https://www.bluetooth.com/

20. Rojas, R. (1996). Neural Networks. Springer-Verlag, Berlin.

21. Software Engineering Institute. (2021). CERT/CC Vulnerability Note VU#647177. Carnegie Mellon University. https://www.kb.cert.org/vuls/id/647177/


22. Springer. (2020). Engineering IoT Networks. Springerprofessional.De. https://www.springerprofessional.de/en/engineering-iot-networks/17583256

23. Rumelhart, D. E. (1986, October 9). Learning representations by back-propagating errors. Nature. https://www.nature.com/articles/323533a0?error=cookies_not_supported&code=a2c6dbe9-e3f2-4930-ae71-a49aef5a2b9f

24. Sahu, V. (2018, July 1). Power of a Single Neuron - Towards Data Science. Medium. https://towardsdatascience.com/power-of-a-single-neuron-perceptron-c418ba445095

25. Karr, S. (2019, January 21). Core Specification 5.2. Bluetooth® Technology Website. https://www.bluetooth.com/specifications/specs/core-specification/

26. Rumy, S. B. (2020, July 12). A Detailed Tech Guide on How Bluetooth Works. Rumy IT Tips. https://rumyittips.com/a-detailed-tech-guide-on-how-bluetooth-works/

27. Al-Masri, A. (2020, October 18). How Does Back-Propagation in Artificial Neural Networks Work? Medium. https://towardsdatascience.com/how-does-back-propagation-in-artificial-neural-networks-work-c7cad873ea7

28. Ren, K. (2020, November 12). Bluetooth Pairing Part 1 - Pairing Feature Exchange. Bluetooth® Technology Website. https://www.bluetooth.com/blog/bluetooth-pairing-part-1-pairing-feature-exchange/

29. Limited, A. (2020, November 16). Livescribe+ Desktop - Difference between pairing & connection. Livescribe. https://livescribe.helpscoutdocs.com/article/1989-livescribe-desktop-difference-between-pairing-connection

30. Vadapalli, P. (2021, January 29). 7 Types of Neural Networks in Artificial Intelligence Explained. UpGrad Blog. https://www.upgrad.com/blog/types-of-neural-networks/

31. Karr, S. (2021, March 18). Bluetooth Core Specification Version 5.1 Feature Overview. Bluetooth® Technology Website. https://www.bluetooth.com/bluetooth-resources/bluetooth-core-specification-v5-1-feature-overview/

32. IBM. (2021, April 21). Deep Learning. IBM Education. https://www.ibm.com/cloud/learn/deep-learning
