Tarlogic has developed a Bluetooth security assessment methodology to help companies protect millions of smart devices
Mice, keyboards, game console controllers, medical devices… Over the last few months, Tarlogic Security has detected critical vulnerabilities that would allow taking control of computers, stealing highly sensitive information or listening in on private conversations. This work has been part of the development of BSAM, the first international Bluetooth Security Assessment Methodology. This open and collaborative tool makes it possible to standardize the security tests that must be performed to analyze devices using this technology.
Bluetooth is a global standard of vital importance for the operation of millions of IoT devices used by citizens, homes, and businesses. Hence, it is essential to detect the presence of any vulnerabilities in its operation before they are successfully exploited by malicious actors.
The Bluetooth security assessment methodology is part of the continuous research work that Tarlogic has carried out in recent years and that has allowed the company to lead the strengthening of the security of the Bluetooth standard at the international level.
Therefore, BSAM is intended to be used by manufacturers, researchers, developers, and cybersecurity professionals worldwide. The main objective of the methodology is to standardize the security audits performed on IoT devices to verify that they are secure from the point of view of Bluetooth communications.
Detected vulnerabilities and malicious exploits
Throughout the development of BSAM, Tarlogic’s Innovation team used this methodology to audit multiple consumer devices that use Bluetooth technology to communicate. This research revealed that:
- 50% of gadgets such as wireless mice or game console controllers are pairable by default. This means that malicious actors can capture specific data from the devices and even impersonate them to gain access to other devices such as computers.
- 80% of IoT devices analyzed are discoverable and traceable. This poses a great risk to people’s privacy by allowing their movements and actions to be monitored.
- 90% of devices allow access to sensitive information to launch more advanced attacks.
- 20% of devices such as TVs or hands-free devices use default PIN codes to pair with other devices, such as 0000 or 1111.
These vulnerabilities in Bluetooth devices can be exploited to:
- Spoof wireless keyboards and mice to attack corporate and personal computers, take control, and steal critical information.
- Obtain medical data from devices such as sleep apnea or pulse oximetry equipment.
- Listen in on private conversations by hacking into everyday gadgets such as game console remotes, smart speakers, or Bluetooth headsets.
- Use all kinds of IoT devices to launch more sophisticated attacks against institutions, companies, managers, and citizens.
Why is it crucial to protect Bluetooth devices?
The explosion of the Internet of Things and the digitization of businesses and homes has been made possible by the use of Bluetooth technology. The number of smart devices that are present in homes and businesses is growing exponentially year after year. As a result, these devices have become a prime target for criminals wishing to attack the security and privacy of citizens and businesses.
Although the use of Bluetooth devices has spread to all areas of society and the economy, they play a fundamental role in our personal sphere, thanks to smartphones and devices such as watches or headsets. They are also of vital importance in relevant areas such as:
- Transportation. Vehicle control systems, autonomous cars, and traffic control systems use this standard.
- Homes. Millions of homes are equipped with locks, voice assistants, household appliances, or smart thermostats.
- Health. Heart rate monitors and other medical devices are essential for transmitting health information to thousands of patients continuously.
- Industry. The digitization of the industrial sector is linked to the incorporation of robots, sensors, and controllers that use Bluetooth to communicate.
Continuously verifying the security of devices using Bluetooth technology is essential to prevent hostile actors from attacking them, stealing confidential information, paralyzing the activity of companies, compromising the integrity of homes, and affecting people’s health.
How to use the Bluetooth security assessment methodology
To facilitate its use by professionals and companies around the world, the Tarlogic team has designed BSAM based on a simple, clear, and intuitive structure. This Bluetooth Security Assessment Methodology contains:
- Documentation on the Bluetooth standard.
- Controls. These are the technical verifications to be performed to analyze the security of the devices from the point of view of the Bluetooth protocol.
- Resources to facilitate the execution and evaluation of the controls.
The core of BSAM is made up of 36 controls that must be executed one by one to evaluate the security of Bluetooth communications. These controls are grouped into seven major blocks.
1. Gathering information on Bluetooth components
Professionals conducting the Bluetooth security assessment must collect public information about the device under analysis and its components. The four information-gathering controls are:
- Bluetooth driver lifecycle
- Bluetooth driver vulnerabilities
- Vulnerabilities in the host Bluetooth stack
- Known vulnerabilities in Bluetooth standard
2. Bluetooth discovery process security
These checks are used to verify that configurations are not vulnerable and that sensitive data is not exposed during this phase:
- Operating modes (BR/EDR and BLE)
- Adequate signal strength
- Generic device name
- Sensitive data exposure
- Device discovery
- Use of random MAC addresses
3. Security in the Bluetooth pairing process
It is essential to perform the analysis of the pairing configuration and modes to verify that pairing of devices without user knowledge and supervision is not allowed. Pairing is critical, hence the Bluetooth security assessment methodology includes up to 10 checks focused on this process:
- Default pairing mode
- Input and output capabilities
- Bluetooth OOB channel security
- Rejection of Legacy Pairing
- Pairing without user interaction
- Known PIN code
- Predictable Bluetooth PIN code
- Bluetooth link key deletion
- Minimum PIN code length
- Bluetooth passkey storage
4. Security in the Bluetooth authentication process
The purpose of these controls is to verify that authentication of unknown devices is not allowed, which could lead to exfiltration of private information:
- Role change before authentication.
- Mutual authentication
- Forced disconnection
5. Security in encrypted Bluetooth communications
These controls evaluate the security in the encryption process of Bluetooth communications, to check that no sensitive data is allowed to be transmitted in the clear that could lead to the exfiltration of confidential information. The three controls in this family to be checked during a Bluetooth security assessment are:
- Role change before encryption
- Use of forced encryption
- Minimum encryption key size
6. Security in Bluetooth services
When using the Bluetooth security assessment methodology, evaluators must verify that it is not possible to access services without proper credentials. To do so, they have to verify three security controls:
- Hidden Bluetooth SDP services
- Hidden Bluetooth GATT services
- Bluetooth services access control
7. Bluetooth application layer security
The latest BSAM controls analyze the security of a device’s applications exposed through Bluetooth services:
- Updating the controller firmware
- Bluetooth stack update
- Application update
- Digital signature of updates
- Replay attacks
- Bluetooth packet injection attacks
- Secure applications
Leading the securitization of the Bluetooth standard worldwide
Over the past few years, Tarlogic Security’s Innovation team has conducted pioneering research on the Bluetooth standard at the international level. As a result of this ongoing work, the cybersecurity, cyberintelligence and offensive security services company developed BlueTrust, an attack technique that makes it possible to discover trust relationships between Bluetooth devices and to infer personal information about users and companies.
The Bluetooth security assessment methodology is a new milestone in Tarlogic’s commitment to innovation and knowledge generation. BSAM will contribute to increasing the security of smart devices and protect the companies and citizens that use them.
Over more than a decade, Tarlogic Security has established itself as a national reference company, providing a wide range of services to numerous listed companies. The experience of more than 100 Tarlogic professionals and the highly specialized knowledge they accumulate are the hallmarks of a company that is already in countries around the world (Europe, the United States, and the Middle East) and is in the process of expansion.