
Bluetooth Vulnerabilities: Researchers Explore 'Side Channel' Attacks

Side channel attacks make many kinds of "conversations" visible, adding to the list of Bluetooth vulnerabilities.

Bluetooth vulnerabilities came into the spotlight for a time at BlackHat 2018, where a group of European graduate students explored what are known as “side channel” attacks against Bluetooth. In such attacks on wireless devices, hackers look at the signal from a different “angle”--or, in this case, a different part of the electromagnetic spectrum--to see if there are artifacts that present an opportunity.

Bluetooth works on the same frequencies as early WiFi, at 2.4GHz, but uses a different wireless communications system. Successive Bluetooth specifications are all backward-compatible. Bluetooth devices are paired, often using the pass codes 0000 or 1234. Once paired, the two devices won’t talk to outsiders.

There is a huge and diverse number of Bluetooth devices out there, ranging from keyboards and mice, to laptops, desktops, headphones, various smartphones, and household devices. Each of these devices has a Bluetooth chipset inside. Some of the chipsets are systems-on-a-chip (SoCs), to shrink cost and power consumption, and to combine the digital circuitry and the analog radio circuitry into conveniently built design packages. Antennas are tiny at that frequency, and Bluetooth and WiFi can share the same antennas because they’re transmitting and receiving data at the same general frequency using different communications schemes.

The downfall, it turns out, is the interplay between the analog and digital sides of the Bluetooth SoC. The power supply emits a very faint signal that changes in step with activity on both sides, analog and digital. By tracking that signal with a device called a spectrum analyzer, the aforementioned students were able to detect changes far away from the frequency of the Bluetooth signal, at a much lower frequency where Bluetooth pairs aren’t really “looking” for information.

The frequency was the same as the SoC’s clock, at 64MHz. All computers and computing devices use clock signals as a reference to frame bits, bytes, packets and other intervals. In this case, the clock frequency was in the VHF range, just below the FM radio band. The students looked at the signal and watched it change, depending on what was going on with the digital portion of the chip--the logic side of the SoC. The signal was very faint, however.
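The practical question for a device maker is whether its SoC's clock spur actually depends on the data the digital side is processing. Below is an added example, not from the article or the research team, of the standard fixed-vs-random leakage check (Welch's t-test) that evaluators run for exactly that purpose. It assumes the receiver was tuned to the clock spur and its amplitude was sampled over each operation; the traces here are constructed, with a Hamming-weight-dependent bump injected at one sample to stand in for the real emission.

```python
"""Fixed-vs-random leakage assessment over constructed clock-spur traces.

Added example (not the article's or the researchers' code). Real traces would
be the demodulated amplitude of the SoC clock spur, sampled N times per
cryptographic operation. Here each trace is constructed: Gaussian noise plus
leak_scale * HammingWeight(value) at one sample index.
"""
import math
import random

SAMPLES = 64          # points per trace (constructed)
LEAK_INDEX = 20       # sample where the constructed leak sits
T_THRESHOLD = 4.5     # conventional decision threshold for |t|


def make_trace(value: int, leak_scale: float, rng: random.Random) -> list[float]:
    """Constructed trace: unit noise everywhere, plus a data-dependent bump."""
    trace = [rng.gauss(0.0, 1.0) for _ in range(SAMPLES)]
    trace[LEAK_INDEX] += leak_scale * bin(value).count("1")
    return trace


def welch_t(a: list[float], b: list[float]) -> float:
    """Welch's t-statistic between two samples of possibly unequal variance."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def leakage_points(fixed: list[list[float]], rand: list[list[float]]) -> list[int]:
    """Sample indices where the emission differs between fixed and random inputs."""
    return [
        i for i in range(SAMPLES)
        if abs(welch_t([t[i] for t in fixed], [t[i] for t in rand])) > T_THRESHOLD
    ]


def assess(leak_scale: float, n: int = 500, seed: int = 1) -> list[int]:
    """Capture n traces with a fixed input and n with random inputs, then compare."""
    rng = random.Random(seed)
    fixed = [make_trace(0x00, leak_scale, rng) for _ in range(n)]         # HW = 0
    rand = [make_trace(rng.randrange(256), leak_scale, rng) for _ in range(n)]
    return leakage_points(fixed, rand)


if __name__ == "__main__":
    print("leaking chip:", assess(0.5))   # expected: [20]
    print("quiet chip:  ", assess(0.0))   # expected: []
```

A non-empty result means the emission at that sample carries information about the processed value, which is the precondition for the key-recovery attacks the article goes on to describe; an empty result at realistic trace counts is the evidence a mitigation (decoupling, clock gating, masking) is working.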

In time, it was possible to build optimized antennas that could pick up the signal from farther than a single meter from the Bluetooth device. Eventually, the researchers said, they could pick up the signal from much farther away using highly optimized designs.

With the signal now strong and correlated to Bluetooth activity, it was only a matter of time before exposed conversations could be sniffed. Bluetooth has suffered cracking problems for more than a decade, and, once again, via some well-known algorithms, a research team was able to crack AES-128 encryption using other attacks.

As a result, certain Bluetooth devices are now vulnerable under specific circumstances.

How? You need a well-designed antenna, which is difficult to hide, somewhat close to the devices. Look around. Be careful if you see an oval-shaped dish pointing to your Bluetooth devices. The antenna could, in theory, be hidden. It’s rather unlikely, in reality, that you’ll see this attack mode pointed at your devices. But, if you’re wandering by and you see a dish, you might wonder what that dish antenna is being used to detect.

Other key attack tools include a software-defined radio (SDR) and the software to receive a signal, demodulate it and understand what it’s seeing. From there, some fairly sophisticated custom coding is necessary to pick up the signals and make sense of them. Hackers, makers and amateur radio folks can cobble together most of the materials needed for the attack easily, save portions of the custom code. But once the attack is on, everything from mouse clicks and key presses to settings and data relating to the paired devices can be detected.

In some schemes, Bluetooth can be used to access the files on a device, should the device have any and if permissions are set incorrectly. This occurs more frequently with laptop/smartphone Bluetooth pairings. Should this attack scheme become popular, expect to see new and interesting attacks on device resources.

This raises the question of possible attacks against the other big wireless communications vehicle: WiFi devices. It’s already known that the WiFi WPA and WPA2 security protocols are nearing their end of life for WiFi encryption, and newly released WPA3-protected devices won’t be widely deployed for a while. It’s unknown whether current WiFi access points will be retrofitted for WPA3 encryption, or whether holes will be found in WPA3.

Today, the attack described in this article works on Bluetooth, but it’s conceivable that side channel attacks against WiFi devices may emerge, using similar methodologies.

My prediction: Wireless protocols will continue to be beaten to a pulp. The new 5G wireless landscape may also be changed, with more spectrum and a new set of challenges as new implementations come into the marketplace. I’m reminded of the aphorism that nothing is foolproof because fools are so ingenious.



TAGS: Security