Research overview
Bluetooth Low Energy (BLE) is a wireless network technology used for short-range communication. BLE devices have been deployed pervasively in all sorts of consumer devices such as smartphones, fitness trackers, and personal audio equipment. The BLE specifications come with a wide range of protocols and cryptographic techniques intended to protect the security and privacy of BLE device users. But flaws in both the specifications and their implementations have led to numerous critical vulnerabilities that could result in theft of sensitive information and remote code execution on affected devices.
Research details
BLE protocol specifications are complex; they involve numerous subprotocols and various legacy features that are often a source of security vulnerabilities. The official specification (Bluetooth Core Specification version 5.3 at the time of writing) spans around 3000 pages of technical material. The adversary model is often left implicit in the specification, which leads to wrong security assumptions being applied in practice and, in turn, to vulnerabilities in real deployed systems. Our research aims at systematically formalising this specification in a formal language that is amenable to automated verification and attack discovery, and at creating proof-of-concept exploitations on applications involving BLE.
The recent massive deployment of BLE-based contact tracing apps, such as Australia's COVIDSafe and the contact tracing apps that rely on the Google-Apple Exposure Notification (GAEN) framework, has amplified the security and privacy issues affecting BLE devices. Our research has uncovered a number of critical issues affecting the COVIDSafe app and the GAEN API. For example, in 2020 our team discovered a critical vulnerability in COVIDSafe (CVE-2020-12856 -- https://nvd.nist.gov/vuln/detail/CVE-2020-12856) that could lead to information theft and remote code execution on Android phones running the app. In addition to BLE-based contact tracing apps, we have also been investigating privacy and security issues in the offline-finding features of smartphones (such as Apple's "Find My" feature) and in BLE-based trackers, such as Apple AirTags and Samsung SmartTags.