DOI: 10.1145/3634737.3645004 (ASIA CCS conference proceedings, research article)

OASIS: An Intrusion Detection System Embedded in Bluetooth Low Energy Controllers

Published: 01 July 2024

Abstract

Bluetooth Low Energy has established itself as one of the central protocols of the Internet of Things. Its many features (mobility, low energy consumption) make it an attractive protocol for smart devices. However, numerous critical vulnerabilities affecting BLE have been made public in recent years, some of which are linked to the protocol's design itself. Since these vulnerabilities cannot be corrected without changing the specification, effective intrusion detection systems are needed to detect and prevent these threats. Unfortunately, the protocol relies on peer-to-peer communications and introduces many complex and dynamic mechanisms (e.g., channel hopping), which makes monitoring complex, costly and limited. Existing intrusion detection approaches lack flexibility, are limited in scope and introduce high deployment costs.
In this paper, we explore a novel approach that embeds an intrusion detection system directly within BLE controllers. This strategic position tackles these challenges by enabling more advanced analysis and instrumentation of the protocol, and it opens the way to new defensive applications. We propose OASIS, a framework for injecting detection heuristics into controller firmware in a generic way without affecting the normal operation of the protocol stack. It can be deployed in various contexts during the life cycle of a device: by the chip manufacturer, by a software developer making use of proprietary components, or even in a full black-box context by a security analyst hardening a commercial product. We describe its modular architecture and present its implementation within five of the most popular BLE chips from three different manufacturers, deployed in billions of devices and embedding heterogeneous protocol stacks. We present five modules for detecting critical low-level protocol attacks. We show that OASIS has a low impact on controller performance (power, timing, memory) and evaluate its usage in a real-world setting.


Published In

ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
July 2024, 1987 pages
ISBN: 9798400704826
DOI: 10.1145/3634737
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States
Author Tags

  1. intrusion detection
  2. bluetooth
  3. controllers
  4. instrumentation

Qualifiers

  • Research-article

Conference

ASIA CCS '24

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
