Difference between revisions of "BLE-Berry Project"

From Embedded Lab Vienna for IoT & Security


Revision as of 19:19, 2 October 2023

Summary

This Project is the result of a master's thesis that created a Threat Model of the Bluetooth Low Energy (BLE) Standard and developed a tool called BLE Berry to enable easier BLE development and to perform basic pentesting operations.


Threat Model

The Threat Model was created by analyzing the BLE portion of the Bluetooth Standard and gathering further information from numerous white papers and scientific papers. The gathered Threats and Vulnerabilities were mapped to the Layer/Protocol on which they are performed, as shown in the figure below.

[Figure: BLE Berry Project Threat Model.png]

Some of the Threats use other Threats as an entry vector, e.g., a machine-in-the-middle attack relies on address spoofing and can benefit from Radio Jamming. The dependencies between the Threats are shown in the figure below.

[Figure: BLE Berry Project Threat Dependencies.png]

The STRIDE method was used to categorize the discovered Threats, as shown in the following table. STRIDE separates the Threats into the following six categories:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of Privilege


[Figure: BLE Berry Project STRIDE3.png]

Threat Vectors

Sniffing / Eavesdropping

Sniffing or eavesdropping is performed on BLE by scanning the Radio for messages. This results in information disclosure, but it can be countered if encryption is used to provide confidentiality. The BLE standard itself provides AES-CCM encryption with message authentication, using a key created by means of P-256 ECDH. The commercial market offers some affordable USB sniffing accessories that output pcap files, which can be analyzed with Wireshark (https://www.wireshark.org/):

  • Ubertooth One (https://greatscottgadgets.com/ubertoothone/)
  • NordicRF Sniffer (https://www.nordicsemi.com/Products/Development-tools/nrf-sniffer-for-bluetooth-le)
  • Adafruit Bluefruit LE Sniffer (https://www.adafruit.com/product/2269)
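As an added example (not code from the BLE Berry project), the following Python script audits a sniffer pcap for the property this paragraph relies on: it parses LL data PDUs in the LINKTYPE_BLUETOOTH_LE_LL (251) layout assumed here (access address, LL header, payload, CRC), finds SMP Pairing Requests and reports whether the Secure Connections bit in AuthReq was set, i.e. whether the P-256 ECDH key agreement mentioned above was requested or only legacy pairing. The sample capture is constructed inline; the access addresses and CRC bytes are made-up values.

```python
import struct
LINKTYPE_BLUETOOTH_LE_LL = 251   # pcap link type: access address + LL header + payload + CRC
ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed access address of the advertising channels
SMP_CID, SMP_PAIRING_REQUEST = 0x0006, 0x01   # L2CAP channel for SMP; Pairing Request opcode
AUTHREQ_MITM, AUTHREQ_SC = 0x04, 0x08          # AuthReq bits: MITM protection, Secure Connections

def iter_pcap_packets(data):
    """Yield raw packet bytes from a little-endian classic pcap file with link type 251."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_BLUETOOTH_LE_LL:
        raise ValueError("expected little-endian pcap with link type 251")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def audit_pairing(pcap):
    """One record per SMP Pairing Request, flagging whether Secure Connections (ECDH) was requested."""
    findings = []
    for pkt in iter_pcap_packets(pcap):
        aa = struct.unpack_from("<I", pkt, 0)[0]
        if aa == ADV_ACCESS_ADDRESS or len(pkt) < 13 or pkt[4] & 0x03 != 0b10:
            continue   # advertising PDU, too short for an L2CAP header, or not a start/complete fragment
        l2cap_len, cid = struct.unpack_from("<HH", pkt, 6)
        smp = pkt[10:10 + l2cap_len]
        if cid != SMP_CID or len(smp) < 7 or smp[0] != SMP_PAIRING_REQUEST:
            continue
        auth_req = smp[3]   # Pairing Request: opcode, IO cap, OOB flag, AuthReq, max key size, key dist x2
        findings.append({"access_address": aa, "io_capability": smp[1],
                         "mitm": bool(auth_req & AUTHREQ_MITM),
                         "secure_connections": bool(auth_req & AUTHREQ_SC)})  # False -> legacy pairing
    return findings

def _ll_data_pdu(aa, payload):
    # LL data PDU: header byte 0 has LLID=0b10 (start/complete L2CAP), then length; CRC bytes are dummies
    return struct.pack("<IBB", aa, 0x02, len(payload)) + payload + b"\x00\x00\x00"

def _smp_pairing_request(auth_req):
    # IO cap 0x03 (NoInputNoOutput), no OOB, AuthReq, max key size 16, initiator/responder key dist
    smp = bytes([SMP_PAIRING_REQUEST, 0x03, 0x00, auth_req, 0x10, 0x01, 0x01])
    return struct.pack("<HH", len(smp), SMP_CID) + smp

def build_sample_pcap():
    # Constructed capture: a legacy pairing request, an advertising PDU, and a Secure Connections request
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_BLUETOOTH_LE_LL)
    pkts = [_ll_data_pdu(0x50655BA1, _smp_pairing_request(0x01)),   # bonding only -> legacy pairing
            struct.pack("<IBB", ADV_ACCESS_ADDRESS, 0x00, 6) + bytes(6) + b"\x00\x00\x00",  # ADV_IND
            _ll_data_pdu(0x1A2B3C4D, _smp_pairing_request(0x01 | AUTHREQ_MITM | AUTHREQ_SC))]
    records = b"".join(struct.pack("<IIII", 0, i, len(p), len(p)) + p for i, p in enumerate(pkts))
    return header + records
```

Running `audit_pairing(build_sample_pcap())` yields two records; the first (no Secure Connections bit) is the pairing mode that does not get the ECDH-derived key and so deserves a closer look in a capture from a real device.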

Radio Jamming

Spoofing

IRK Stealing

Battery Draining Attacks

DoS due to Spoofed Connection

Fuzzing

Downgrade Attacks

Bruteforcing Legacy Pairing Encryption Key

DoS due to Key replacement

Machine in the Middle
