[Paper Summary] Attacks Against BLE Devices by Co-located Mobile Applications.
This paper reveals a security vulnerability in Bluetooth Low Energy (BLE) devices: an unauthorised Android application can access pairing-protected data by exploiting a bonding relationship previously established by a legitimate application. The study finds that over 60% of the analysed BLE-enabled Android applications lack application-layer security mechanisms, leaving BLE devices exposed to data leakage or tampering.
Bluetooth Low Energy (BLE) is a fast-growing wireless technology with a large number of potential use cases, particularly in the IoT domain. With many of these use cases, the BLE device stores sensitive user data or critical device controls, which may be accessed by an augmentative Android or iOS application. Uncontrolled access to such data could violate a user's privacy, cause a device to malfunction, or even endanger lives. The BLE specification aims to solve this with network layer security mechanisms such as pairing and bonding. Unfortunately, this doesn't take into account the fact that many applications may be co-located on the same mobile device, which introduces the possibility of unauthorised applications being able to access and modify sensitive data stored on a BLE device. In this paper, we present an attack in which an unauthorised Android application can access pairing-protected data from a BLE device by exploiting the bonding relationship previously triggered by an authorised application. We discuss possible mitigation strategies, and perform an analysis over 13,500+ BLE-enabled Android applications to identify how many of them implement such strategies to avoid this attack. Our results indicate that over 60% of these applications do not have mitigation strategies in place in the form of application-layer security, and that cryptography is sometimes implemented incorrectly in those that do. This implies that the corresponding BLE devices are potentially vulnerable to unauthorised data access by malicious applications.
Research Motivation and Goals
- Investigate the security risks that co-located mobile applications pose to BLE devices.
- Show how an unauthorised Android application can exploit an existing bonding relationship to access sensitive data on a BLE device.
- Assess how prevalent application-layer security mechanisms are among BLE-enabled Android applications.
- Identify common implementation flaws in the cryptographic protections of applications that do attempt mitigation.
- Highlight that unauthorised data access remains possible despite BLE's built-in pairing and bonding mechanisms.
Proposed Approach
- Abuse the BLE bonding mechanism by exploiting the trust relationship previously established between a legitimate application and the BLE device.
- Reverse-engineer the behaviour of the Android BLE stack to determine how bonding information is stored and whether other applications can access it.
- Analyse over 13,500 BLE-enabled Android applications to detect the presence and correctness of application-layer security controls.
- Identify patterns of cryptographic misuse in applications that implement security measures.
- Use static and dynamic analysis techniques to assess whether applications enforce appropriate access control over BLE data.
- Evaluate how effective existing mitigation strategies are at preventing unauthorised access by malicious co-located applications.
Experimental Results
Research Questions
- RQ1: Can an unauthorised Android application access pairing-protected data on a BLE device by exploiting an existing bonding relationship?
- RQ2: How prevalent are application-layer security mechanisms among BLE-enabled Android applications?
- RQ3: What are the common implementation flaws in the cryptographic protections of applications that attempt to protect BLE data?
- RQ4: To what extent do existing BLE security mechanisms fail when multiple applications co-exist on the same device?
- RQ5: What is the practical scope of BLE device data exposure due to vulnerabilities in co-located applications?
Key Findings
- Of the more than 13,500 BLE-enabled Android applications analysed, over 60% implement no application-layer security mechanism to prevent unauthorised access.
- Among applications that do implement security measures, a substantial number use cryptography incorrectly, increasing the risk of data leakage.
- The attack is feasible because a bonding relationship established by a trusted application remains accessible to other applications on the same device.
- The network-layer security mechanisms of the BLE specification are insufficient against this threat when multiple applications co-exist on a mobile device.
- The vulnerability allows a malicious application to read or modify sensitive data on a BLE device even after correct pairing and bonding.
- The results point to widespread security gaps in the BLE ecosystem, which are especially pronounced in the Android environment.
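As an added illustration, not code from the paper or its authors, the following Python model contrasts the two situations the paper describes: a peripheral protected by bonding alone, where any application on the bonded phone is served, and a peripheral that additionally requires an application-layer challenge/response keyed by a secret that only the legitimate application holds. The Peripheral and BondedLink classes, the characteristic handles, the HMAC-SHA256 challenge/response and the sample payload are all assumptions of this example; no real BLE stack is involved, so it runs offline.

```python
import hashlib
import hmac
import secrets


class Peripheral:
    """Toy BLE peripheral with one pairing-protected characteristic (assumption:
    handles, payload and protocol are constructed for this example).

    app_key=None models a device that relies on link-layer bonding alone (the
    vulnerable case in the paper). A 32-byte app_key models the mitigation:
    a read of DATA must carry HMAC-SHA256(app_key, nonce) over a nonce the
    device just issued, so only an app holding the key (provisioned out of
    band, e.g. at account setup) is served, even though every app on the
    phone can use the bond.
    """

    DATA = 0x0001       # sensitive value
    CHALLENGE = 0x0002  # device-issued nonce

    def __init__(self, app_key=None):
        self.app_key = app_key
        self.value = b"heart_rate=72"  # constructed sample payload
        self.pending_nonce = None

    def handle_read(self, characteristic, tag=None):
        if characteristic == self.CHALLENGE:
            self.pending_nonce = secrets.token_bytes(16)
            return self.pending_nonce
        if characteristic != self.DATA:
            return None
        if self.app_key is None:
            return self.value            # bonding only: any connected app is served
        if self.pending_nonce is None or tag is None:
            return None                  # no outstanding challenge or no proof
        expected = hmac.new(self.app_key, self.pending_nonce, hashlib.sha256).digest()
        self.pending_nonce = None        # each nonce is usable once (no replay)
        if not hmac.compare_digest(expected, tag):
            return None
        return self.value


class BondedLink:
    """Models the phone's bonded link. On Android an existing bond is usable by
    any app that opens a GATT connection, so the same link object is handed to
    both the authorised app and the co-located app below."""

    def __init__(self, device):
        self.device = device

    def read(self, characteristic, tag=None):
        return self.device.handle_read(characteristic, tag)


def authorised_app_read(link, app_key):
    """Legitimate app: knows the app-layer key and answers the challenge."""
    nonce = link.read(Peripheral.CHALLENGE)
    tag = hmac.new(app_key, nonce, hashlib.sha256).digest()
    return link.read(Peripheral.DATA, tag)


def colocated_app_read(link, guessed_key=None):
    """Co-located app: can reuse the bond but holds no app-layer key, so it can
    only issue a plain read or answer the challenge with a guessed key."""
    if guessed_key is None:
        return link.read(Peripheral.DATA)
    nonce = link.read(Peripheral.CHALLENGE)
    tag = hmac.new(guessed_key, nonce, hashlib.sha256).digest()
    return link.read(Peripheral.DATA, tag)


def demo():
    """Runs both device configurations and returns what each app obtained."""
    results = {}
    # Vulnerable configuration: bonding is the only protection.
    link = BondedLink(Peripheral())
    results["bond_only_colocated"] = colocated_app_read(link)
    # Mitigated configuration: app-layer challenge/response on top of bonding.
    key = secrets.token_bytes(32)
    link = BondedLink(Peripheral(app_key=key))
    results["app_layer_authorised"] = authorised_app_read(link, key)
    results["app_layer_colocated"] = colocated_app_read(link)
    results["app_layer_wrong_key"] = colocated_app_read(link, secrets.token_bytes(32))
    # A used (nonce, tag) pair is single-use, so replaying it is refused as well.
    nonce = link.read(Peripheral.CHALLENGE)
    tag = hmac.new(key, nonce, hashlib.sha256).digest()
    link.read(Peripheral.DATA, tag)
    results["app_layer_replay"] = link.read(Peripheral.DATA, tag)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'served' if outcome else 'refused'}")
```

The model only works as a mitigation if the app-layer key is genuinely unavailable to other applications on the phone: a key that is per device or per account and delivered to the legitimate application out of band keeps the co-located app out, whereas a constant compiled into the application binary can be recovered and embedded by any other application, which reduces the scheme to the bonding-only case. This is a general design note, not a description of the specific flaws the paper found.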
This summary was generated by AI and reviewed and edited by a human.