14

Mike Ryan claims that it is possible to inject packets (probably with Ubertooth) in an ongoing BLE conversation. His attempt to do so led to jamming the connection (Sources 1 and 2).

The Bluetooth specs (v4.0) state that the time between sending 2 packets is 150µs. So if one device starts listening after 150µs and the other one starts sending after 150µs then the only time one could inject a packet would be when one of the devices is also transmitting. This would cause an interference which would result either in "losing" the packet or receiving a faulty packet. Thus for the attacker an injection would never be successful and lead to a DoS in the "best case".

So is successful injection of packets possible, or is Ubertooth advertising an "impossible feature"?

P.S. Let me know if you know a more appropriate forum I can ask this question.

user2338815
  • Sounds like a question for an RF engineer familiar with Bluetooth LE. The obvious thing to try is to add 10-15dB to your transmit power. – derobert Aug 04 '15 at 20:35
  • Repeat question? -- http://security.stackexchange.com/q/100443/140 – atdre Oct 15 '15 at 17:17
  • I think this is the appropriate forum. You are talking about a protocol hack that has been demonstrated (per Mike Ryan) to have DoS potential and, at least conceptually, could be developed into an attack to expose confidentiality or interfere with device control. All that falls into the security realm. – JaimeCastells Oct 21 '15 at 21:10
  • https://github.com/securing/gattacker – atdre Nov 01 '16 at 16:12

1 Answer

2

Bluetooth LE isn't a protocol per se. iBeacon, altBeacon, and Eddystone are examples of Bluetooth LE protocols which do not inherently have a security mechanism. For example, an attacker knowing that a particular beacon has a given set of IDs (which are broadcast indiscriminately over the air on a known frequency) can use these same IDs to "spoof" the beacon.

Bluetooth also employs MAC addresses which are also well-known to anyone listening on the Bluetooth frequency and can also be spoofed.

Bluetooth device pairing is an unsecured coupling mechanism to help users manage devices but does not provide a reliable security layer. Bluetooth standards have been evolving steadily in response to user and hardware needs but are unlikely to be secured in the same way other high-speed wireless protocols are. You can read a good summary about the evolving Bluetooth standard on Wikipedia.

Bron Davies
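One defensive use of the answer's point that beacon IDs and advertiser addresses are broadcast in the clear and can be copied, as an added example that is not from the original answer: a small Python parser for iBeacon advertising payloads that flags the same beacon identity (UUID, major, minor) appearing from more than one advertiser address. The capture records are constructed; the iBeacon layout assumed (Apple company ID 0x004C, type 0x02, length 0x15, 16-byte UUID, major, minor, TX power) is the published format.

```python
"""Flag iBeacon identities advertised from more than one address (a spoofing indicator).
Added example, not from the original post; the capture records below are constructed."""
from collections import defaultdict
import struct

APPLE_COMPANY_ID = 0x004C   # iBeacon frames are Apple manufacturer-specific data
MANUFACTURER_DATA = 0xFF    # AD type: Manufacturer Specific Data

def ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure in an advertising payload."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero-length or truncated structure: stop rather than misparse
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def parse_ibeacon(payload: bytes):
    """Return (uuid_hex, major, minor, tx_power) or None if the payload is not an iBeacon frame."""
    for ad_type, data in ad_structures(payload):
        if ad_type != MANUFACTURER_DATA or len(data) != 25:
            continue
        if struct.unpack_from("<HBB", data, 0) != (APPLE_COMPANY_ID, 0x02, 0x15):
            continue
        major, minor, tx_power = struct.unpack_from(">HHb", data, 20)
        return data[4:20].hex(), major, minor, tx_power
    return None

def find_spoofed_beacons(records):
    """records: iterable of (advertiser_address, payload). Return {(uuid, major, minor): sorted addresses} for identities seen from >1 address."""
    seen = defaultdict(set)
    for addr, payload in records:
        beacon = parse_ibeacon(payload)
        if beacon is not None:
            seen[beacon[:3]].add(addr)
    return {ident: sorted(addrs) for ident, addrs in seen.items() if len(addrs) > 1}

# Constructed capture: a genuine beacon plus a copycat sending the same IDs from another address.
UUID = bytes.fromhex("e2c56db5dffb48d2b060d0f5a71096e0")

def ibeacon_payload(major, minor, tx_power=-59):
    mfr = struct.pack("<HBB", APPLE_COMPANY_ID, 0x02, 0x15) + UUID + struct.pack(">HHb", major, minor, tx_power)
    return bytes([0x02, 0x01, 0x06, len(mfr) + 1, MANUFACTURER_DATA]) + mfr  # Flags AD, then mfr data

CAPTURE = [
    ("c4:be:84:01:02:03", ibeacon_payload(1, 7)),
    ("11:22:33:44:55:66", ibeacon_payload(1, 7)),  # same identity, different address
    ("c4:be:84:0a:0b:0c", ibeacon_payload(1, 8)),  # different minor: a distinct beacon
]
```

Running `find_spoofed_beacons(CAPTURE)` reports the (UUID, 1, 7) identity with both addresses; the same check applies to any sniffer output that yields per-advertisement address and payload pairs.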