Bluetooth Security: Did You Leave Your IoT Door Unlocked?
Security experts and cybercriminals continue to uncover Bluetooth security vulnerabilities.
The Internet of Things can be great, but making it great takes thought, and sometimes action. Let’s start by considering this non-technical scenario. A good friend has permitted you to use a fabulous beach house. In the past, the friend would leave the keys with the bartender at a boardwalk bar about a quarter mile from the house. You both know the owner and felt that was OK. Up until recently, you’d go to the bar, and the bartender would hand you the keys. But that all stopped after your friend’s house was burglarized two summers ago. Maybe one of the many employees at the bar was to blame. Many of them were seasonal employees. It would have been all-too-easy for any of them to make a copy of the keys. So after hiring a locksmith to rekey the house, the next strategy was to put a realtor’s lockbox on the side to hold the keys. Some months later, your friend stumbles across a YouTube video showing that such a lockbox can be picked in minutes. So much for that strategy. But before the lockbox is removed, your friend realized that, lo and behold, someone broke into the house again. After rekeying the house again, your friend offers you a key copy. You decline. You don’t want to face the possibility of being suspected if the house is ransacked again. But your friend is generous and undeterred, and settles on a new solution. The bar has since created a service for homeowners looking to provide short-term access to their property to friends, family or short-term renters. In this scheme, there are several small internet-connected lockers, each containing keys to different properties. The homeowners can change the access codes to the lockers on a weekly basis, and since only the person accessing the specific locker knows which house the keys inside unlock, there are multiple layers of security. The people using the house felt safe, the homeowners felt much better, and the bar got exposure (and patrons) from the people coming in to get the keys from the lockers, not to mention a small fee for the locker service. Wins all around.
And while the Internet of Things scenario in the above hypothetical example was the most satisfactory, we have all heard the warnings about IoT security and the “greatly expanded attack vectors” these devices create. We might think this is hyperbole; overstated warnings by overly cautious security professionals. It isn’t. Ask the people in the SUV attacked through the Bluetooth Low Energy tire valve. Ask the casino high-rollers whose data was breached thanks to vulnerabilities of a Bluetooth Low Energy thermometer in the aquarium. These are not fictional crime stories from paperbacks you pick up at the airport; they are genuine examples of very real Bluetooth security vulnerabilities.
Last week, we learned about weaknesses in Bluetooth 5.0. For those who have been paying attention to the evolving landscape, Bluetooth Low Energy 4.0 was extremely vulnerable, and Bluetooth Low Energy 4.1 was only marginally better, where the susceptibilities were both known and relatively easy to exploit. Think of it as knowing a patron at the bar with a photographic memory (or just a smartphone) who can snap a high-res picture of the key as the bartender is handing it to the renter, and make a perfect copy of that key just using that image. The worst part is neither the bartender or renter have any idea their key was just copied — they are both convinced it is safe. BLE 5.0 fixed this problem, but six months ago, Bluetooth security researchers revealed the new 5.0 fix itself had vulnerabilities. Providers are taking steps to remediate this, but there are likely millions of deployed devices in use that have this vulnerability. Moreover, there are probably 1,000 times more devices out there with BLE 4.0 or 4.1 in use that remain exposed. Z-wave devices have their own, different issues.
There is a way to safeguard against such vulnerabilities, but it takes planning to devise multiple layers of complementary security protections. In some ways, this concept is like the example of keys stored in the locker where the code to access the locker is changed frequently, and the house associated with the keys is only known to the person accessing the locker. There are ways to establish protocol and network-agnostic encryption that can ride on top or underneath BLE, MQTT, Z-wave or other alternatives. Again, the more thorough security is a natural step, and the additional safeguard goes a long way.
In security, nothing should ever be viewed as impenetrable. Just like BLE 5.0, as soon as you think you are entirely safe, you hear someone else has figured out how to compromise that approach. But consider that hacking is often a function of penetrating the most vulnerable target, where it is the hacker’s path of least resistance. A little extra precaution can make it much more tedious to hack you instead of the person or the company next door. If you are responsible for protecting the cars, the clients, the capital equipment, or anything within your organization or your client’s use of your products, whether those are garage door openers, fitness trackers or even insulin pumps, do you want to be the one with the less-protected options? Probably not. The latest revelations are just another chapter, but the message remains the same. The actions that result from these revelations are up to everyone. The Internet of Things will not reach its full potential unless people can trust it in the most basic ways.