bias bluetooth impersonation attacks
play

BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils - PowerPoint PPT Presentation

Feb 18, 2024 •561 likes •923 views

IEEE S&P 2020 BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper Rasmussen (Oxford Univ.) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS 1 Bluetooth standard

  1. IEEE S&P 2020 BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper Rasmussen (Oxford Univ.) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS 1

  2. Bluetooth standard • Bluetooth standard ◮ Specifies Bluetooth Classic (BT) and Bluetooth Low Energy (BLE) ◮ 1 vulnerability in the standard = billions of exploitable devices Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Cover 2

  3. Contribution: Bluetooth Impersonation AttackS (BIAS) • Bluetooth Impersonation AttackS (BIAS) ◮ Exploiting standard-compliant vulnerabilities in Bluetooth authentication ◮ To impersonate any Bluetooth device without having to authenticate Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Cover 3

  4. Contribution: Bluetooth Impersonation AttackS (BIAS) • Bluetooth Impersonation AttackS (BIAS) ◮ Exploiting standard-compliant vulnerabilities in Bluetooth authentication ◮ To impersonate any Bluetooth device without having to authenticate Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Cover 3

  5. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  6. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  7. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  8. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  9. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  10. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  11. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  12. Bluetooth Threat Model Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 4

  13. BIAS Attacks on Bluetooth Session Establishment Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 5

  14. BIAS Attacks on Bluetooth Session Establishment Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 5

  15. BIAS Attacks on Bluetooth Session Establishment Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS 5

  16. Legacy Secure Connection (LSC) Authentication Alice (slave) Bob (master) A B B, LSC A, LSC C B R A = H(C B , A, K L ) R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 6

  17. Standard-Compliant Vulnerabilities in LSC Authentication 1 LSC authentication is not used mutually for session establishment 2 A device can switch authentication role Alice (slave) Bob (master) A B B, LSC A, LSC C B R A = H(C B , A, K L ) R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 7

  18. BIAS Attack on LSC: Master Impersonation Alice (slave) Charlie as Bob (master) A C B, LSC A, LSC C C R A = H(C C , A, K L ) Skip R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 8

  19. BIAS Attack on LSC: Slave Impersonation Charlie as Alice (slave) Bob (master) C B B, LSC A, Role Switch, LSC Accept Role Switch Charlie is the master (verifier) C C R B = H(C C , B, K L ) Skip R B check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on LSC 9

  20. Secure Connections (SC) Authentication Alice (slave) Bob (master) A B B, SC A, SC C B C A R B , R A = H(C B , C A , R B , R A = H(C B , C A , B, A, K L ) B, A, K L ) R A R B R B check R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 10

  21. Standard-Compliant Issues with SC Authentication 1 SC negotiation is not integrity-protected 2 SC support is not enforced for pairing and session establishment Alice (slave) Bob (master) A B B, SC A, SC C B C A R B , R A = H(C B , C A , R B , R A = H(C B , C A , B, A, K L ) B, A, K L ) R A R B R B check R A check Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 11

  22. BIAS Attack on SC: Master Impersonation Alice (slave) Charlie as Bob (master) A C B, LSC A, SC SC downgraded to LSC BIAS master impersonation on LSC Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 12

  23. BIAS Attack on SC: Slave Impersonation Charlie as Alice (slave) Bob (master) C B B, SC A, LSC SC downgraded to LSC BIAS slave impersonation on LSC Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on SC 13

  24. Very Secure Connections (VSC) ?! • Let’s define Very Secure Connections (fictional security mode) ◮ Use SC authentication (mutual) ◮ Not vulnerable to SC downgrade • Are we safe against impersonation attacks on VSC? ◮ No, VSC is vulnerable to master and slave reflection attacks ◮ See the paper for the details Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS on VSC 14

  25. Implementation of the BIAS Attacks https://github.com/francozappa/bias Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Implementation 15

  26. Evaluation: BIAS Attacks on 31 Devices (28 BT Chips) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Evaluation 16

  27. Evaluation: BIAS Attacks on 31 Devices (28 BT Chips) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Evaluation 16

  28. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Bob (slave) A B Phase 1: pairing key authentication Phase 2: session key negotation Phase 3: secure session Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  29. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Charlie as Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation Phase 3: secure session Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  30. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Charlie as Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation (KNOB attack [SEC19]) Phase 3: secure session Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  31. BIAS + KNOB: Break Bluetooth Session Establishment Alice (master) Charlie as Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation (KNOB attack [SEC19]) Phase 3: secure session (Charlie is Bob) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  32. BIAS + KNOB: Break Bluetooth Session Establishment Charlie as Alice (master) Bob (slave) A B Phase 1: pairing key authentication (BIAS attack) Phase 2: session key negotation (KNOB attack [SEC19]) Phase 3: secure session (Charlie is Alice) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS BIAS + KNOB 17

  33. BIAS Attacks Countermeasures and Disclosure • We propose a set of countermeasures ◮ Use LSC authentication mutually during session establishment ◮ Integrity-protect session establishment with the pairing key ◮ Enforce SC support across pairing and session establishment • We disclosed the BIAS attacks, and the Bluetooth standard has been updated ◮ However, most of the devices are still vulnerable ◮ E.g., no user or device updates, no device recalls Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Conclusion 18

  34. Conclusion: Bluetooth Impersonation AttackS (BIAS) • Bluetooth Impersonation AttackS (BIAS) ◮ Exploiting standard-compliant vulnerabilities in Bluetooth authentication ◮ To impersonate any Bluetooth device without having to authenticate ◮ Website: https://francozappa.github.io/about-bias/ ◮ Code: https://github.com/francozappa/bias Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS Conclusion 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy Daniele

A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy Daniele

WAC workshop 2020 A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy Daniele Antonioli Daniele Antonioli ( @francozappa ) A review of the BIAS and KNOB attacks on Bluetooth Classic and Bluetooth Low Energy 1

949 views • 69 slides
seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

704 views • 45 slides
IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and Christina Ppper 25.02.2020 NDSS Symposium, San Diego, USA Motivation: Internet Passes 2 LTE Security Aims Mutual Authentication Traffic

766 views • 15 slides
BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan 1 , Vireshwar Kumar 1 , Dave (Jing) Tian 1 , Antonio Bianchi 1 , Mathias Payer 2 , Dongyan Xu 1 1 Purdue University 2 EPFL Motivation Bluetooth

626 views • 18 slides
Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth Today Bluetooth Special Interests Group Compatible with a multitude of devices Widespread IEEE Standard Secure

230 views • 7 slides
Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by

Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by

Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by Nokia as Wibree (2001) Bluetooth Smart Why has BLE been so Successful? Rapid adoption by vendors Apple Samsung Simple design Cheap in

422 views • 20 slides
Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda

Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda

ITE Mid-Colonial District Annual Meeting April 29, 2010 Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda Bluetooth and How It Works The BlueTOAD TM Device Evaluation Project

270 views • 22 slides
Authentication & Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013

Authentication & Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013

Authentication & Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013 Goals For Today Authentication A broad look at the problem of impersonation Users not interacting with what they think they are

546 views • 38 slides
BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being

BIAS What Is Bias? Bias can be defined as favoring one side, position, or belief being partial or prejudiced Where have you seen bias? Bias vs. Propaganda Bias is prejudice; a preconceived judgment or an opinion formed

717 views • 29 slides
NFC Payments: The Art of Relay & Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay & Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay & Replay Attacks Who am I? Security Researcher Samsung Pay Exploiting Mag-stripe info with Bluetooth audio Co-founder of Women in Tech Fund @Netxing (WomenInTechFund.org) Content

1.07k views • 73 slides
Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are

Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are

Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are traveltimes derived from Bluetooth devices Turning Raw Data into Information Applications Using Bluetooth TravelTimes Using

198 views • 16 slides
Equity & Excellence: Hidden Bias Implicit Bias Inherent Bias

Equity & Excellence: Hidden Bias Implicit Bias Inherent Bias

Equity & Excellence: Hidden Bias Implicit Bias Inherent Bias ____________________________________________ Vincent R. De Lucia Educator-in-Residence Director of Mandatory Training & PD New Jersey School Boards Association Anderson

426 views • 41 slides
IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s

IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s

IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s Ericsson wanted to connect other devices to mobile phone without cables Established a consortium which accumulated over the years 20k members (!)

933 views • 46 slides
Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short

Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short

Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short Introduction Short range wireless technology operating at 2.4 GHz Originally announced in 1998 as a replacement for RS-232 but has evolved

346 views • 21 slides
bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek

bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek

bad decision bias? 2 5 6 Affinity Bias: What can we do? 2. 3. 1. Seek outputs Compare rather than Be aware performance compentenci not people es 7 9 10 11 12 Unconscious bias refers to a

292 views • 15 slides
BIAS BIAS LIGHT LIGHT & & MEDIUM MEDIUM TR TRUCK UCK TIRES TIRES Bias Bias Ligh

BIAS BIAS LIGHT LIGHT & & MEDIUM MEDIUM TR TRUCK UCK TIRES TIRES Bias Bias Ligh

BIAS BIAS LIGHT LIGHT & & MEDIUM MEDIUM TR TRUCK UCK TIRES TIRES Bias Bias Ligh ight T t Truck / / Trail iler r Ti Tire Si Size No Nome mencla latu ture 9.50-16 9.50 16.5L .5LT/D T/D ST ST 7.00 7.00-15 15 1 10

121 views • 11 slides
Molecular classification of colorectal cancer Fred T Bosman University Institute of Pathology

Molecular classification of colorectal cancer Fred T Bosman University Institute of Pathology

Molecular classification of colorectal cancer Fred T Bosman University Institute of Pathology Lausanne Current WHO classification of carcinoma of the colorectum Adenocarcinoma, NOS Cribriform comedo-type adenocarcinoma Medullary

633 views • 47 slides
Selection and haplotypes EHH statistics Anders Albrechtsen Haplotypes Signature of selection

Selection and haplotypes EHH statistics Anders Albrechtsen Haplotypes Signature of selection

Selection and haplotypes EHH statistics Anders Albrechtsen Haplotypes Signature of selection Mutation enters the population Mutation increases in frequency due to positive selection Increases LD Affects the variability

666 views • 25 slides
Tracking the spread of Tracking the spread of insecticide resistance in insecticide resistance

Tracking the spread of Tracking the spread of insecticide resistance in insecticide resistance

05/06/2019 Tracking the spread of insecticide resistance in Anopheles gambiae populations - 6 June 2019 - Alistair Miles Tracking the spread of Tracking the spread of insecticide resistance in insecticide resistance in Anopheles gambiae

652 views • 42 slides
UPC++ for Bioinformatics: A Case Study Using Genome-Wide Association Studies Jan C. Kssens*,

UPC++ for Bioinformatics: A Case Study Using Genome-Wide Association Studies Jan C. Kssens*,

UPC++ for Bioinformatics: A Case Study Using Genome-Wide Association Studies UPC++ for Bioinformatics: A Case Study Using Genome-Wide Association Studies Jan C. Kssens*, Jorge Gonzlez-Domnguez** , Lars Wienbrandt*,Bertil Schmidt**

1.08k views • 70 slides
ANLP Lecture 29: Gender Bias in NLP Sharon Goldwater 19 Nov 2019 Recap Some co- reference

ANLP Lecture 29: Gender Bias in NLP Sharon Goldwater 19 Nov 2019 Recap Some co- reference

ANLP Lecture 29: Gender Bias in NLP Sharon Goldwater 19 Nov 2019 Recap Some co- reference examples cant be solved by agreement, syntax, or other local features, but require semantic information (world knowledge?): The [city

294 views • 28 slides
Understanding Unconscious/Implicit Bias Tuesday, April 3, 2018 1:00 p.m. 1:50 p.m. NIH

Understanding Unconscious/Implicit Bias Tuesday, April 3, 2018 1:00 p.m. 1:50 p.m. NIH

Understanding Unconscious/Implicit Bias Tuesday, April 3, 2018 1:00 p.m. 1:50 p.m. NIH Natcher Conference Center Bldg. 45 - Rooms C1&C2 Presented by Bonita V. White, M.A., J.D. Director, Diversity & Inclusion Division and HHS

285 views • 27 slides
Long-Range Planning and Behavioral Biases: A Computational Approach Jon Kleinberg Including

Long-Range Planning and Behavioral Biases: A Computational Approach Jon Kleinberg Including

Long-Range Planning and Behavioral Biases: A Computational Approach Jon Kleinberg Including joint work with Manish Raghavan and Sigal Oren. Cornell University Long-Range Planning Growth in on-line systems where users and groups have long

552 views • 44 slides
Machine Learning 2 DS 4420 - Spring 2020 Bias and fairness Byron C. Wallace Material in this

Machine Learning 2 DS 4420 - Spring 2020 Bias and fairness Byron C. Wallace Material in this

Machine Learning 2 DS 4420 - Spring 2020 Bias and fairness Byron C. Wallace Material in this lecture modified from materials created by Jay Alammar (http://jalammar.github.io/ illustrated-transformer/) and Sasha Rush

1.6k views • 79 slides

More recommend