Today's smart devices, such as fitness trackers and smartwatches, often employ Bluetooth Low Energy (BLE) for data transmission. Such devices thus become our information portals; e.g., SMS messages and notifications are delivered to those devices through BLE. In this study, we present BlueDoor, which can obtain unauthorized information from smart devices through a BLE vulnerability. We thoroughly examine the BLE protocol and leverage its intrinsic properties, designed for low-cost embedded and wearable devices, to bypass the encryption and authentication in BLE. By mimicking a low-capacity device to downgrade the process of encryption key negotiation and authentication, BlueDoor can enforce a new key with the peripheral BLE device and pass the authentication without user participation. As a result, BlueDoor can extract BLE packets as well as read/write stored data on BLE devices. We show that BlueDoor works well on the fundamental design tradeoff of using BLE on diverse embedded and wearable devices, and thus can be generalized to various BLE devices. We implement the BlueDoor design and examine its performance on 15 COTS BLE-enabled smart devices, including fitness trackers, smartwatches, and smart bulbs. The results show that BlueDoor can break the information flow and obtain different types of information (e.g., SMS messages, notifications) delivered to BLE devices. In addition to privacy threats, this further means that traditional operations, such as using SMS for verification in widely adopted authentication, are insecure.
CITATION STYLE
Wang, J., Hu, F., Zhou, Y., Liu, Y., Zhang, H., & Liu, Z. (2020). BlueDoor: Breaking the secure information flow via BLE vulnerability. In MobiSys 2020 - Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services (pp. 286–298). Association for Computing Machinery, Inc. https://doi.org/10.1145/3386901.3389025