Securing Bluetooth Low Energy Enabled Industrial Monitors

The Bluetooth Low Energy (BLE) protocol is widely deployed on wireless devices in the consumer market, where applications benefit from its low energy consumption and low implementation overhead. BLE is also increasingly used in critical infrastructure applications, primarily in wireless sensor networks (WSN) for healthcare and environmental monitoring. While much research addresses the implementation and resiliency of these types of networks, little research focuses on detection of attacks on WSN sensors. To that extent, research that focuses on detection of attacks on BLE devices is lacking. Furthermore, BLE security research lags behind attack tool development. The general lack of security has led to recent development of two separate BLE man-in-the-middle frameworks, a privacy-violating BLE localization tool, and successful attacks on 12 commercially available BLE locks. To enable post-production updates, several vendors include the capability to alter device firmware over-the-air using BLE. Unfortunately, the standard service used for this purpose does not require authentication and has no built-in security. Consequently, a malicious actor can exploit the update mechanism to download malware to a target BLE device. This work contributes to the field of WSN and BLE security by illustrating an example attack methodology through a firmware exploit on a BLE industrial monitor. The attack vector is presented in its entirety, from target selection and enumeration to exploitation and malware deployment. Challenges in detection for this attack are presented from the perspective of a peripheral, end user, and third-party traffic sniffer. An experiment is designed to illustrate an additional challenge with sniffer-based detection, where some sniffers become less effective at capturing traffic over time. A mechanism for firmware recovery is proposed, emphasizing its difficulty for a normal end user, and further motivating the need for attack detection mechanisms. Finally, actionable steps are provided for vendors and end users to help defend BLE devices and enhance application security.