BLE security for Military Wireless Systems

Assessing the use of Bluetooth technologies in close combat environments, with a focus on the network security of BLE (Bluetooth Low Energy) given how BLE is used in wireless defence systems. The main conclusion of this assessment is that it is possible to use BLE in wireless defence systems in such a way that it is as secure as a wireless connection can be, especially when lower transmit powers than -7 dBm are being used. It also requires meticulous security practices being deployed by the operators as well as their stakeholders.

Problem statement

Defence wireless communications have rather extreme security requirements compared to most of the BLE applications discussed in the literature, particularly where weapon systems are involved. Nothing has been written yet about the secure and reliable application of BLE in a military combat context.

Application and Impact

We found that it is possible to use BLE in wireless defence systems in such a way that it is as secure as a wireless connection can be, especially when lower transmit powers than -7 dBm are being used. However, it requires meticulous security practices being deployed by the operators as well as their stakeholders.

Other details

Many vulnerabilities discussed in the literature turn out not to be applicable to various specific defence use cases and implementations. This is largely because those use cases are quite unique. However, as BLE is clearly a popular target for security researchers worldwide, it has gained bad press with the superficial reader, whose impression is simply that “Bluetooth is insecure”. Fighting this image is an uphill battle, and that will be the biggest challenge for the defence industry considering the deployment of BLE.

By far most vulnerabilities discussed in the literature assume that the adversary has some access to the radio signal, and then break the protocol. This typically leads to various forms of Man-In-The-Middle and related attacks, and most of the time this is achieved via vulnerabilities during pairing or (re-)connecting. Pairing is probably the most vulnerable part of the operation of BLE. But with an outdoor operational range of 20 m, it will be very hard for most types of adversaries to find themselves in such a situation.

In most cases, the relevant vulnerabilities are implementation mistakes, of which there are two types: either the chip vendor has opted for a minimal implementation (and optional but necessary security features were left out), or the vendor has made mistakes in the actual implementation of a standardised functionality.

Regarding the physical layer security of various defence systems, it is concluded that a wireless connection is not inherently less secure than a wired connection. It all depends on signal strengths, carrier frequencies, antenna design, and quality of shielding. An outdoor range of 20 m would require a transmit power of less than -25 dBm. The flip side of using low transmit powers is that Denial-of-Service (DoS) attacks are easier to execute.
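The relationship between transmit power and operational range that the paragraph above relies on is a link budget. The following is an added example (not part of the original report) that works it through with a log-distance path loss model at 2.44 GHz: it computes the path loss at a given distance, the received power for a given transmit power, the maximum range for a given receiver sensitivity, and the transmit power needed to hold the range at a chosen distance. The receiver sensitivity (-90 dBm), antenna gains (0 dBi), path loss exponent and carrier frequency are assumptions chosen for the illustration; the report's own numbers (20 m, -25 dBm, -7 dBm) were derived with its own parameters, and the example only shows how such figures come about and how small the remaining link margin is.

```python
import math

# Assumed parameters for the illustration (not from the report).
FREQ_HZ = 2_440_000_000        # roughly the centre of the BLE band (2402-2480 MHz)
SPEED_OF_LIGHT = 299_792_458.0
ASSUMED_SENSITIVITY_DBM = -90.0  # typical order of magnitude for a BLE 1M PHY receiver


def path_loss_db(distance_m, freq_hz=FREQ_HZ, exponent=2.0, d0_m=1.0):
    """Log-distance path loss in dB.

    Free-space loss up to the reference distance d0, then 10*n*log10(d/d0)
    beyond it. exponent=2 is free space; 2.7-3.5 is common in cluttered
    terrain, and a larger exponent shortens the range for the same power.
    """
    fspl_d0 = (20 * math.log10(d0_m)
               + 20 * math.log10(freq_hz)
               + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT))
    return fspl_d0 + 10 * exponent * math.log10(distance_m / d0_m)


def received_power_dbm(tx_dbm, distance_m, tx_gain_dbi=0.0, rx_gain_dbi=0.0,
                       freq_hz=FREQ_HZ, exponent=2.0):
    """Power arriving at the receiver for a given transmit power and distance."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - path_loss_db(distance_m, freq_hz, exponent)


def link_margin_db(tx_dbm, distance_m, sensitivity_dbm=ASSUMED_SENSITIVITY_DBM, **kw):
    """How far above the receiver's sensitivity the signal sits at this distance.

    A small margin is the flip side of a low transmit power: little extra loss
    (shadowing, detuning, or interference) is needed to break the link.
    """
    return received_power_dbm(tx_dbm, distance_m, **kw) - sensitivity_dbm


def max_range_m(tx_dbm, sensitivity_dbm=ASSUMED_SENSITIVITY_DBM, tx_gain_dbi=0.0,
                rx_gain_dbi=0.0, freq_hz=FREQ_HZ, exponent=2.0, d0_m=1.0):
    """Distance at which the received power drops to the receiver's sensitivity."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    fspl_d0 = path_loss_db(d0_m, freq_hz, exponent, d0_m)  # loss already spent at d0
    return d0_m * 10 ** ((budget_db - fspl_d0) / (10 * exponent))


def required_tx_dbm(range_m, sensitivity_dbm=ASSUMED_SENSITIVITY_DBM, tx_gain_dbi=0.0,
                    rx_gain_dbi=0.0, freq_hz=FREQ_HZ, exponent=2.0):
    """Transmit power at which range_m is exactly the edge of the link."""
    return sensitivity_dbm - tx_gain_dbi - rx_gain_dbi + path_loss_db(range_m, freq_hz, exponent)


if __name__ == "__main__":
    for tx in (-25.0, -7.0, 0.0):
        print(f"Tx {tx:6.1f} dBm -> free-space range {max_range_m(tx):7.1f} m, "
              f"margin at 20 m {link_margin_db(tx, 20.0):6.1f} dB")
    print(f"Tx needed for 20 m edge-of-link: {required_tx_dbm(20.0):.1f} dBm")
```

With the assumed sensitivity and free-space propagation, -25 dBm reaches roughly 17 m and -7 dBm roughly 140 m, so the two power levels the report names bracket the "20 m outdoor range" regime. Increasing the path loss exponent (a more realistic, cluttered environment) shrinks both figures, which is why the report ties the conclusion to signal strength, antenna design and shielding rather than to a single number.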