Fenghao Xu (The Chinese University of Hong Kong), Wenrui Diao (Jinan University), Zhou Li (University of California, Irvine), Jiongyi Chen (The Chinese University of Hong Kong), Kehuan Zhang (The Chinese University of Hong Kong)

Bluetooth is a widely used communication technology, especially under the scenarios of mobile computing and Internet of Things. Once paired with a host device, a Bluetooth device then can exchange commands and data, such as voice, keyboard/mouse inputs, network, blood pressure data, and so on, with the host. Due to the sensitivity of such data and commands, some security measures have already been built into the Bluetooth protocol, like authentication, encryption, authorization, etc.

However, according to our studies on the Bluetooth protocol as well as its implementation on Android system, we find that there are still some design flaws which could lead to serious security consequences. For example, it is found that the authentication process on Bluetooth profiles is quite inconsistent and coarse-grained: if a paired device changes its profile, it automatically gets trust and users would not be notified. Also, there is no strict verification on the information provided by the Bluetooth device itself, so that a malicious device can deceive a user by changing its name, profile information, and icon to be displayed on the screen.

To better understand the problem, we performed a systematic study over the Bluetooth profiles and presented three attacks to demonstrate the feasibility and potential damages of such Bluetooth design flaws. The attacks were implemented on a Raspberry Pi 2 device and evaluated with different Android OS versions ranging from 5.1 to the latest 8.1. The results showed adversaries could bypass existing protections of Android (e.g., permissions, isolations, etc.), launch Man-in-the-Middle attack, control the victim apps and system, steal sensitive information, etc. To mitigate such threats, a new Bluetooth validation mechanism was proposed. We implemented the prototype system based on the AOSP project and deployed it on a Google Pixel 2 phone for evaluation. The experiment showed our solution could effectively prevent the attacks.

View More Papers

REDQUEEN: Fuzzing with Input-to-State Correspondence

Cornelius Aschermann (Ruhr-Universität Bochum), Sergej Schumilo (Ruhr-Universität Bochum), Tim Blazytko (Ruhr-Universität Bochum), Robert Gawlik (Ruhr-Universität Bochum), Thorsten Holz (Ruhr-Universität Bochum)

Read More

Ginseng: Keeping Secrets in Registers When You Distrust the...

Min Hong Yun (Rice University), Lin Zhong (Rice University)

Read More

We Value Your Privacy ... Now Take Some Cookies:...

Martin Degeling (Ruhr-Universität Bochum), Christine Utz (Ruhr-Universität Bochum), Christopher Lentzsch (Ruhr-Universität Bochum), Henry Hosseini (Ruhr-Universität Bochum), Florian Schaub (University of Michigan), Thorsten Holz (Ruhr-Universität Bochum)

Read More

Stealthy Adversarial Perturbations Against Real-Time Video Classification Systems

Shasha Li (University of California Riverside), Ajaya Neupane (University of California Riverside), Sujoy Paul (University of California Riverside), Chengyu Song (University of California Riverside), Srikanth V. Krishnamurthy (University of California Riverside), Amit K. Roy Chowdhury (University of California Riverside), Ananthram Swami (United States Army Research Laboratory)

Read More