Title: BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals
Authors: Fenghao Xu, Wenrui Diao, Zhou Li, Jiongyi Chen, Kehuan Zhang
Venue: Proceedings 2019 Network and Distributed System Security Symposium (NDSS 2019)
DOI: 10.14722/ndss.2019.23482 (https://doi.org/10.14722/ndss.2019.23482)
Publication date: 2019-01-01
Citation count: 44
Abstract
Bluetooth is a widely used communication technology, especially in the scenarios of mobile computing and the Internet of Things. Once paired with a host device, a Bluetooth device can exchange commands and data with the host, such as voice, keyboard/mouse inputs, network traffic, blood pressure data, and so on. Due to the sensitivity of such data and commands, some security measures have already been built into the Bluetooth protocol, such as authentication, encryption, and authorization. However, according to our studies on the Bluetooth protocol as well as its implementation on the Android system, we find that there are still some design flaws which could lead to serious security consequences. For example, we found that the authentication process for Bluetooth profiles is quite inconsistent and coarse-grained: if a paired device changes its profile, it automatically gains trust and users are not notified. Also, there is no strict verification of the information provided by the Bluetooth device itself, so a malicious device can deceive a user by changing its name, profile information, and the icon displayed on the screen. To better understand the problem, we performed a systematic study of the Bluetooth profiles and present three attacks to demonstrate the feasibility and potential damage of such Bluetooth design flaws. The attacks were implemented on a Raspberry Pi 2 device and evaluated against different Android OS versions ranging from 5.1 to the latest 8.1. The results showed that adversaries could bypass existing protections of Android (e.g., permissions, isolation, etc.), launch Man-in-the-Middle attacks, control the victim apps and system, steal sensitive information, etc. To mitigate such threats, a new Bluetooth validation mechanism is proposed. We implemented a prototype system based on the AOSP project and deployed it on a Google Pixel 2 phone for evaluation. The experiment showed that our solution could effectively prevent the attacks.