
Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static - PowerPoint PPT Presentation


  1. Computer Security Laboratory. Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static UUIDs From Mobile Apps. Chaoshun Zuo, Haohuang Wen, Zhiqiang Lin, and Yinqian Zhang. Department of Computer Science and Engineering, The Ohio State University. CCS 2019.

  2. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Bluetooth Low Energy and IoT 2 / 37

  4. BLE IoT Devices and Companion Apps [figure labels: Companion Mobile Apps; BLE IoT Devices]

  9. General Workflow of Device Communication in TCP/IP Setting [diagram participants: Device; OS; App]
      1. Listen to port 443
      2. <Request, 192.168.1.1, port 443>
      3. Connect
      4. Communication

  10. General Workflow of BLE IoT Devices and Companion Apps [figure]

  18. Our Observations [figures: A BLE Broadcast Packet; Decompiled Code in a Companion App]

  19. Our Observations: Key Insights
      1. UUIDs are broadcast by BLE IoT devices to nearby smartphones.
      2. UUIDs are static.
      3. Mobile apps contain UUIDs.
      4. Mobile apps identify target BLE IoT devices based on their broadcast UUIDs.

  20. Hierarchy of UUIDs

      Service
        name: KINSA_SERVICE
        uuid: 00000000-006a-746c-6165…
        characteristics:
          name: REQUEST_CHARACTERISTIC
          uuid: 00000004-006a-746c-6165…
          descriptors: […]
          name: RESPONSE_CHARACTERISTIC
          uuid: 00000002-006a-746c-6165…
          descriptors: […]
      Service
        name: BATTERY_SERVICE
        uuid: 180F
        characteristics: […]
      …

  24. How to Fingerprint a BLE IoT Device with Static UUIDs [diagram labels: Static Analysis; Static UUIDs; Sniff Advertised BLE Packets; Sniffed UUIDs; Fingerprinting BLE IoT Device]

  26. Application of BLE IoT Device Fingerprinting [diagram labels: Static Analysis; Static UUIDs; Vulnerabilities; Sniff Advertised BLE Packets; Sniffed UUIDs; Fingerprinting; Vulnerable Device]

  27. Our Contributions
      1. Novel Discovery. We are the first to discover BLE IoT devices can be fingerprinted with static UUIDs.
      2. Effective Techniques. We have implemented an automatic tool BLEScope to harvest UUIDs and detect vulnerabilities from mobile apps.
      3. Evaluation. We have tested our tool with 18,166 BLE mobile apps from Google Play store, and found 168,093 UUIDs and 1,757 vulnerable BLE IoT apps.
      4. Countermeasures. We present channel-level protection, app-level protection, and protocol-level protection (with dynamic UUID generation).

  30. Overview of BLEScope [diagram labels: Android APKs; Value-set Analysis; UUID & Hierarchy; Sniffed Advertisement UUIDs; UUID Fingerprinting; App-level Vulnerability Identification; Fingerprint-able Devices; Unauthorized Accessible Devices; Sniffable Devices]

  32. Challenges and Insights

      Challenges
      1. How to extract UUIDs from mobile apps
      2. How to reconstruct UUID hierarchy
      3. How to identify flawed authentication vulnerability

      Solutions
      1. Resolving UUIDs using context and value-set analysis
      2. Reconstructing UUID hierarchy with control dependence
      3. Identifying flawed authentication with data dependence

  34. Value Set Analysis

      Table: APIs for UUID extraction and hierarchy reconstruction

      Category: UUID
      API Name:
        BluetoothGatt: BluetoothGattService getService
        BluetoothGattService: BluetoothGattCharacteristic getCharacteristic
        BluetoothGattCharacteristic: BluetoothGattDescriptor getDescriptor
        ScanFilter.Builder: ScanFilter.Builder setServiceUuid
        ScanFilter.Builder: ScanFilter.Builder setServiceUuid
        ScanFilter.Builder: ScanFilter.Builder setServiceData
        ScanFilter.Builder: ScanFilter.Builder setServiceData
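
Added example (not from the slides and not BLEScope's code): a vendor auditing its own product can check what the "How to Fingerprint a BLE IoT Device with Static UUIDs" slides imply, namely whether a captured advertisement carries a vendor-specific service UUID that also appears in the companion app. The vendor UUID, the package name and the sample payload are constructed for illustration; only 180F (Battery Service) comes from the slides.

```python
import uuid

# Suffix of the Bluetooth Base UUID; 16-bit SIG-assigned UUIDs such as 180F expand onto it.
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
AD_UUID16 = {0x02, 0x03}    # incomplete / complete list of 16-bit service UUIDs
AD_UUID128 = {0x06, 0x07}   # incomplete / complete list of 128-bit service UUIDs

def advertised_service_uuids(payload):
    """Walk the length/type/value AD structures and return service UUIDs as strings."""
    found, i = [], 0
    while i < len(payload):
        length = payload[i]
        # A zero length ends the significant part; a structure running past the
        # end of the buffer is truncated and must not be parsed.
        if length == 0 or i + 1 + length > len(payload):
            break
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        if ad_type in AD_UUID16:
            for j in range(0, len(data) - 1, 2):
                short = int.from_bytes(data[j : j + 2], "little")
                found.append(f"0000{short:04x}{BASE_SUFFIX}")
        elif ad_type in AD_UUID128:
            for j in range(0, len(data) - 15, 16):
                # 128-bit UUIDs are transmitted little-endian, so reverse the bytes.
                found.append(str(uuid.UUID(bytes=data[j : j + 16][::-1])))
        i += 1 + length
    return found

def fingerprint(payload, app_uuids):
    """Return {uuid: app} for advertised vendor UUIDs that also occur in an app."""
    hits = {}
    for u in advertised_service_uuids(payload):
        if u.startswith("0000") and u.endswith(BASE_SUFFIX):
            continue  # SIG-assigned service: shared by many products, not identifying
        if u in app_uuids:
            hits[u] = app_uuids[u]
    return hits

# Constructed sample: Flags, complete 16-bit list [180F], complete 128-bit list [VENDOR].
VENDOR = "12345678-1234-5678-1234-56789abcdef0"        # constructed vendor UUID
APP_UUIDS = {VENDOR: "com.example.thermo"}             # constructed app mapping
SAMPLE_ADV = bytes.fromhex("02010603030f181107") + uuid.UUID(VENDOR).bytes[::-1]

if __name__ == "__main__":
    print(advertised_service_uuids(SAMPLE_ADV))
    print(fingerprint(SAMPLE_ADV, APP_UUIDS))
```

An empty result from `fingerprint` on a product's own advertisements is what the protocol-level countermeasure named in the slides (dynamic UUID generation) aims for.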
