bias bluetooth impersonation attacks
play

BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils - PowerPoint PPT Presentation

Feb 18, 2024 •561 likes •923 views

IEEE S&P 2020 BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper Rasmussen (Oxford Univ.) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS 1 Bluetooth standard

  1. IEEE S&P 2020 BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper Rasmussen (Oxford Univ.) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS 1

  2. Bluetooth standard • Bluetooth standard ◮ Specifies Bluetooth Classic (BT) and Bluetooth Low Energy (BLE) ◮ 1 vulnerability in the standard = billions of exploitable devices Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Cover 2

  3. Contribution: Bluetooth Impersonation AttackS (BIAS) • Bluetooth Impersonation AttackS (BIAS) ◮ Exploiting standard-compliant vulnerabilities in Bluetooth authentication ◮ To impersonate any Bluetooth device without having to authenticate Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Cover 3

  4. Contribution: Bluetooth Impersonation AttackS (BIAS) • Bluetooth Impersonation AttackS (BIAS) ◮ Exploiting standard-compliant vulnerabilities in Bluetooth authentication ◮ To impersonate any Bluetooth device without having to authenticate Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Cover 3

  5. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  6. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  7. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  8. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  9. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  10. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  11. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  12. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  13. BIAS Attacks on Bluetooth Session Establishment Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 5

  14. BIAS Attacks on Bluetooth Session Establishment Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 5

  15. BIAS Attacks on Bluetooth Session Establishment Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 5

  16. Legacy Secure Connection (LSC) Authentication Alice (slave) Bob (master) A B B, LSC A, LSC C B R A = H(C B , A, K L ) R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 6

  17. Standard-Compliant Vulnerabilities in LSC Authentication 1 LSC authentication is not used mutually for session establishment 2 A device can switch authentication role Alice (slave) Bob (master) A B B, LSC A, LSC C B R A = H(C B , A, K L ) R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 7

  18. BIAS Attack on LSC: Master Impersonation Alice (slave) Charlie as Bob (master) A C B, LSC A, LSC C C R A = H(C C , A, K L ) Skip R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 8

  19. BIAS Attack on LSC: Slave Impersonation Charlie as Alice (slave) Bob (master) C B B, LSC A, Role Switch, LSC Accept Role Switch Charlie is the master (verifier) C C R B = H(C C , B, K L ) Skip R B check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 9

  20. Secure Connections (SC) Authentication Alice (slave) Bob (master) A B B, SC A, SC C B C A R B , R A = H(C B , C A , R B , R A = H(C B , C A , B, A, K L ) B, A, K L ) R A R B R B check R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 10

  21. Standard-Compliant Issues with SC Authentication 1 SC negotiation is not integrity-protected 2 SC support is not enforced for pairing and session establishment Alice (slave) Bob (master) A B B, SC A, SC C B C A R B , R A = H(C B , C A , R B , R A = H(C B , C A , B, A, K L ) B, A, K L ) R A R B R B check R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 11

  22. BIAS Attack on SC: Master Impersonation Alice (slave) Charlie as Bob (master) A C B, LSC A, SC SC downgraded to LSC BIAS master impersonation on LSC Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 12

  23. BIAS Attack on SC: Slave Impersonation Charlie as Alice (slave) Bob (master) C B B, SC A, LSC SC downgraded to LSC BIAS slave impersonation on LSC Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 13

  24. Very Secure Connections (VSC) ?! • Let’s define Very Secure Connections (fictional security mode) ◮ Use SC authentication (mutual) ◮ Not vulnerable to SC downgrade • Are we safe against impersonation attacks on VSC? ◮ No, VSC is vulnerable to master and slave reflection attacks ◮ See the paper for the details Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on VSC 14

  25. Implementation of the BIAS Attacks https://github.com/francozappa/bias Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Implementation 15

  26. Evaluation: BIAS Attacks on 31 Devices (28 BT Chips) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Evaluation 16

  27. Evaluation: BIAS Attacks on 31 Devices (28 BT Chips) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Evaluation 16

  28. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Bob (slave) A B Phase 1: pairing key authentication Phase 2: session key negotation Phase 3: secure session Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  29. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Charlie as Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation Phase 3: secure session Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  30. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Charlie as Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation (KNOB attack [SEC19]) Phase 3: secure session Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  31. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Charlie as Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation (KNOB attack [SEC19]) Phase 3: secure session (Charlie is Bob) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  32. BIAS + KNOB: Break Bluetooth Session Establishment Charlie as Alice (master) Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation (KNOB attack [SEC19]) Phase 3: secure session (Charlie is Alice) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  33. BIAS Attacks Countermeasures and Disclosure • We propose a set of countermeasures ◮ Use LSC authentication mutually during session establishment ◮ Integrity-protect session establishment with the pairing key ◮ Enforce SC support across pairing and session establishment • We disclosed the BIAS attacks, and the Bluetooth standard has been updated ◮ However, most of the devices are still vulnerable ◮ E.g., no user or device updates, no device recalls Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Conclusion 18

  34. Conclusion: Bluetooth Impersonation AttackS (BIAS) • Bluetooth Impersonation AttackS (BIAS) ◮ Exploiting standard-compliant vulnerabilities in Bluetooth authentication ◮ To impersonate any Bluetooth device without having to authenticate ◮ Website: https://francozappa.github.io/about-bias/ ◮ Code: https://github.com/francozappa/bias Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Conclusion 19

Recommend

A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy Daniele

A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy Daniele

WAC workshop 2020 A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy Daniele Antonioli Daniele Antonioli ( @francozappa ) A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy 1

949 views • 69 slides
seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

704 views • 45 slides
IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and Christina Ppper 25.02.2020 NDSS Symposium, San Diego, USA Motivation: Internet Passes 2 LTE Security Aims Mutual Authentication Traffic

766 views • 15 slides
BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan 1 , Vireshwar Kumar 1 , Dave (Jing) Tian 1 , Antonio Bianchi 1 , Mathias Payer 2 , Dongyan Xu 1 1 Purdue University 2 EPFL Motivation Bluetooth

626 views • 18 slides
Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth Today Bluetooth Special Interests Group Compatible with a multitude of devices Widespread IEEE Standard Secure

230 views • 7 slides
Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by

Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by

Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by Nokia as Wibree (2001) Bluetooth Smart Why has BLE been so Successful? Rapid adoption by vendors Apple Samsung Simple design Cheap in

422 views • 20 slides
Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda

Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda

ITE Mid-Colonial District Annual Meeting April 29, 2010 Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda Bluetooth and How It Works The BlueTOAD TM Device Evaluation Project

270 views • 22 slides
Authentication & Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013

Authentication & Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013

Authentication & Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013 Goals For Today Authentication A broad look at the problem of impersonation Users not interacting with what they think they are

546 views • 38 slides
BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being partial or prejudiced Where have you seen bias? Bias vs. Propaganda Bias is prejudice; a preconceived judgment or an opinion formed

717 views • 29 slides
NFC Payments: The Art of Relay & Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay & Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay & Replay Attacks Who am I? Security Researcher Samsung Pay Exploiting Mag-stripe info with Bluetooth audio Co-founder of Women in Tech Fund @Netxing (WomenInTechFund.org) Content

1.07k views • 73 slides
Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are

Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are

Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are traveltimes derived from Bluetooth devices Turning Raw Data into Information Applications Using Bluetooth TravelTimes Using

198 views • 16 slides
Equity & Excellence: Hidden Bias Implicit Bias Inherent Bias

Equity & Excellence: Hidden Bias Implicit Bias Inherent Bias

Equity & Excellence: Hidden Bias Implicit Bias Inherent Bias ____________________________________________ Vincent R. De Lucia Educator-in-Residence Director of Mandatory Training & PD New Jersey School Boards Association Anderson

426 views • 41 slides
IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s

IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s

IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s Ericsson wanted to connect other devices to mobile phone without cables Established a consortium which accumulated over the years 20k members (!)

933 views • 46 slides
Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short

Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short

Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short Introduction Short range wireless technology operating at 2.4 GHz Originally announced in 1998 as a replacement for RS-232 but has evolved

346 views • 21 slides
bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek

bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek

bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek outputs Compare rather than Be aware performance compentenci not people es 7 9 10 11 12 Unconscious bias refers to a

292 views • 15 slides
BIAS BIAS LIGHT LIGHT & & MEDIUM MEDIUM TR TRUCK UCK TIRES TIRES Bias Bias Ligh

BIAS BIAS LIGHT LIGHT & & MEDIUM MEDIUM TR TRUCK UCK TIRES TIRES Bias Bias Ligh

BIAS BIAS LIGHT LIGHT & & MEDIUM MEDIUM TR TRUCK UCK TIRES TIRES Bias Bias Ligh ight T t Truck / / Trail iler r Ti Tire Si Size No Nome mencla latu ture 9.50-16 9.50 16.5L .5LT/D T/D ST ST 7.00 7.00-15 15 1 10

121 views • 11 slides
Bias in, Bias out: Gender Equality and the Fourth Industrial Revolution Debra Howcroft and

Bias in, Bias out: Gender Equality and the Fourth Industrial Revolution Debra Howcroft and

Bias in, Bias out: Gender Equality and the Fourth Industrial Revolution Debra Howcroft and Jill Rubery Work and Equalities Institute University of Manchester Bias in, bias out: an overview Two parts Identify the methodology

706 views • 21 slides
CS5530 Mobile/Wireless Systems Android Bluetooth Interface Yanyan Zhuang Department of Computer

CS5530 Mobile/Wireless Systems Android Bluetooth Interface Yanyan Zhuang Department of Computer

CS5530 Mobile/Wireless Systems Android Bluetooth Interface Yanyan Zhuang Department of Computer Science http://www.cs.uccs.edu/~yzhuang UC. Colorado Springs CS5530 Ref. CN5E, NT@UW, WUSTL Bluetooth Communication Bluetooth-enabled

343 views • 18 slides
Expectancy bias and Bias and forensic evidence Bias and speech research forensic speech

Expectancy bias and Bias and forensic evidence Bias and speech research forensic speech

Overview Bias effects Expectancy bias and Bias and forensic evidence Bias and speech research forensic speech research Blind forensic speech research Maartje Schreuder TMFI / Maastricht University I AFPA 2011 Bundeskrim

180 views • 7 slides
Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed,

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed,

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 5, 2013 Goals For Today Web driveby

945 views • 76 slides
Implicit Bias Implicit bias Implicit bias refers to attitudes or stereotypes that affect our

Implicit Bias Implicit bias Implicit bias refers to attitudes or stereotypes that affect our

Implicit Bias Implicit bias Implicit bias refers to attitudes or stereotypes that affect our understanding, actions and decisions in an unconscious manner. It's different from suppressed thoughts we might conceal to keep the peace; it's

634 views • 16 slides
Bluetooth on modern Linux Szymon Janc szymon.janc@codecoup.pl Embedded Linux Conference, San

Bluetooth on modern Linux Szymon Janc szymon.janc@codecoup.pl Embedded Linux Conference, San

Bluetooth on modern Linux Szymon Janc szymon.janc@codecoup.pl Embedded Linux Conference, San Diego, 2016 Agenda Introduction Bluetooth technology recap Linux Bluetooth stack architecture Linux kernel BlueZ 5

743 views • 28 slides
Embedded wireless networking using Bluetooth & 802.11: state-of-the-art and research

Embedded wireless networking using Bluetooth & 802.11: state-of-the-art and research

Embedded wireless networking using Bluetooth & 802.11: state-of-the-art and research challenges Pravin Bhagwat pravin@acm.org http://www.winlab.rutgers.edu/~pravin 16 th ACM Supercomputing New York, NY June 22, 2001 Bluetooth A cable

1.31k views • 109 slides
Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 1, 2011 Announcements Midterm next Tuesday March 8th Scope is course

820 views • 78 slides

More recommend