Search Icon
2027 Submissions

Formal Analysis of BLE Secure Connection Pairing and Revelation of the PE Confusion Attack

Min Shi (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University), Yongkang Xiao (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University), Jing Chen (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University), Kun He (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University), Ruiying Du (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University), Meng Jia (Department of Computing, The Hong Kong Polytechnic University)

The Secure Connection (SC) pairing is the latest version of the security protocol designed to protect sensitive information transmitted over Bluetooth Low Energy (BLE) channels. A formal and rigorous analysis of this protocol is essential for improving security assurances and identifying potential vulnerabilities. However, the complexity of the protocol flow, difficulties in formalizing pairing method selection, and overly idealized user assumptions present significant obstacles to such analysis. In this paper, we address these challenges and present an accurate and comprehensive formal analysis of the BLE-SC pairing protocol using Tamarin. We extract state machines for each participant as the blueprint for modeling the protocol, and we use an equational theory to formalize the pairing method selection logic. Our model incorporates subtle user behaviors and considers stronger adversary capabilities, including the potential compromise of private channels such as the temporary out-of-band channel. We develop a verification strategy to automate protocol analysis and implement a script to parallelize verification tasks across multiple servers. We verify 84 pairing cases and identify the minimal security assumptions required for the protocol. Moreover, our results reveal a new Man-in-the-Middle (MitM) attack, which we call the PE confusion attack. We provide tools and Proof-of-Concept (PoC) exploits for simulating and understanding this attack within a controlled environment. Finally, we propose countermeasures to defend against this attack, improving the security of the BLE-SC pairing protocol.

Paper
Slides
Video

View More Papers

TBTrackerX: Fantastic Trigger Bots and Where to Find Malicious...

Mohammad Majid Akhtar (School of Computer Science and Engineering, University of New South Wales, Sydney, Australia), Rahat Masood (School of Computer Science and Engineering, University of New South Wales, Sydney, Australia), Muhammad Ikram (School of Computing, Macquarie University, Sydney, Australia), Salil S. Kanhere (School of Computer Science and Engineering, University of New South Wales, Sydney,…

Read More

Unknown Target: Uncovering and Detecting Novel In-Flight Attacks to...

Giacomo Longo (CASD - University School of Advanced Defense Studies, Rome, Italy), Giacomo Ratto (CASD - University School of Advanced Defense Studies, Rome, Italy), Alessio Merlo (CASD - University School of Advanced Defense Studies, Rome, Italy), Enrico Russo (DIBRIS - University of Genova, Genova, Italy)

Read More

STIP: Three-Party Privacy-Preserving and Lossless Inference for Large Transformers...

Mu Yuan (The Chinese University of Hong Kong), Lan Zhang (University of Science and Technology of China), Yihang Cheng (University of Science and Technology of China), Miao-Hui Song (University of Science and Technology of China), Guoliang Xing (The Chinese University of Hong Kong), Xiang-Yang Li (University of Science and Technology of China)

Read More