Yeming Li,Hailong Lin,Jiamei Lv,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/infocom52122.2024.10621247

2024-01-01

Abstract:In recent years, Bluetooth Low Energy (BLE) has become one of the most wildly used wireless protocols and it is common that users carry one or more BLE devices. With the extensive deployment of BLE devices, there is a significant privacy risk if these BLE devices can be tracked. However, the common wisdom suggests that the risk of BLE location tracking is negligible. The reason is that researchers believe there are no stable BLE fingerprints that are stable across different scenarios (e.g., temperatures) for different BLE devices with the same model. In this paper, we introduce a novel physical-layer fingerprint named Transient Dynamic Fingerprint (TDF), which originated from the negative feedback control process of the frequency synthesizer. Because of the hardware imperfection, the dynamic features of the frequency synthesizer are different, making TDF unique among different devices, even with the same model. Furthermore, TDF keeps stable under different thermal conditions. Based on TDF, we propose BTrack, a practical BLE device tracking system and evaluate its tracking performance in different environments. The results show BTrack works well once BLE beacons are effectively received. The identification accuracy is 35.38%-57.41% higher than the existing method, and stable over temperatures, distances, and locations.

Wahhab Albazrqaoe,Jun Huang,Guoliang Xing

DOI: https://doi.org/10.1109/tnet.2018.2880970

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:With the prevalence of personal Bluetooth devices, potential breach of user privacy has been an increasing concern. To date, sniffing Bluetooth traffic has been widely considered an extremely intricate task due to Bluetooth's indiscoverable mode, vendor-dependent adaptive hopping behavior, and the interference in the open 2.4 GHz band. In this paper, we present BlueEar-a practical Bluetooth traffic sniffer. BlueEar features a novel dual-radio architecture where two Bluetooth-compliant radios coordinate with each other on learning the hopping sequence of indiscoverable Bluetooth networks, predicting adaptive hopping behavior, and mitigating the impacts of RF interference. We built a prototype of BlueEar to sniff on Bluetooth classic traffic. Experiment results show that BlueEar can maintain a packet capture rate higher than 90% consistently in real-world environments, where the target Bluetooth network exhibits diverse hopping behaviors in the presence of dynamic interference from coexisting 802.11 devices. In addition, we discuss the privacy implications of the BlueEar system, and present a practical countermeasure that effectively reduces the packet capture rate of the sniffer to 20%. The proposed countermeasure can be easily implemented on Bluetooth master devices while requiring no modification to slave devices such as keyboards and headsets.

Wahhab Albazrqaoe,Jun Huang,Guoliang Xing

DOI: https://doi.org/10.1145/2906388.2906403

2016-01-01

Abstract:With the prevalence of personal Bluetooth devices, potential breach of user privacy has been an increasing concern. To date, sniffing Bluetooth traffic has been widely considered an extremely intricate task due to Bluetooth's indiscoverable mode, vendor-dependent adaptive hopping behavior, and the interference in the open 2.4 GHz band. In this paper, we present BlueEar -a practical Bluetooth traffic sniffer. BlueEar features a novel dual-radio architecture where two Bluetooth-compliant radios coordinate with each other on learning the hopping sequence of indiscoverable Bluetooth networks, predicting adaptive hopping behavior, and mitigating the impacts of RF interference. Experiment results show that BlueEar can maintain a packet capture rate higher than 90% consistently in real-world environments, where the target Bluetooth network exhibits diverse hopping behaviors in the presence of dynamic interference from coexisting Wi-Fi devices. In addition, we discuss the privacy implications of the BlueEar system, and present a practical countermeasure that effectively reduces the packet capture rate of the sniffer to 20%. The proposed countermeasure can be easily implemented on the Bluetooth master device while requiring no modification to slave devices like keyboards and headsets.

Jianliang Wu,Yuhong Nan,Vireshwar Kumar,Mathias Payer,Dongyan Xu

2020-01-01

Abstract:Many IoT devices are equipped with Bluetooth Low Energy (BLE) to support communication in an energy-efficient manner. Unfortunately, BLE is prone to spoofing attacks where an attacker can impersonate a benign BLE device and feed malicious data to its users. Defending against spoofing attacks is extremely difficult as security patches to mitigate them may not be adopted across vendors promptly; not to mention the millions of legacy BLE devices with limited I/O capabilities that do not support firmware updates. As a first line of defense against spoofing attacks, we propose BlueShield, a legacy-friendly, non-intrusive monitoring system. BlueShield is motivated by the observation that all spoofing attacks result in anomalies in certain cyber-physical features of the advertising packets containing the BLE device’s identity. BlueShield leverages these features to detect anomalous packets generated by an attacker. More importantly, the unique design of BlueShield makes it robust against an advanced attacker with the capability to mimic all features. BlueShield can be deployed on low-cost off-the-shelf platforms, and does not require any modification in the BLE device or its user. Our evaluation with nine common BLE devices deployed in a real-world office environment validates that BlueShield can effectively detect spoofing attacks at a very low false positive and false negative rate.

Namin Hou,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ICCCS61882.2024.10603286

2024-01-01

Abstract:The advancement of Fifth-Generation (5G) technology has greatly enriched individuals' access to a broad array of convenient services, offering significant benefits in mobile communications, autonomous driving, smart homes, and the Internet of Things. However, with the increase in the number of network access devices, large and frequent data interactions have brought potential security risks to wireless networks, which are related to user privacy security, traffic safety, and even social security. Malicious intrusions targeting wireless communications have resulted in significant disruptions and incurred substantial losses. Presently, user identities in wireless communications rely on software-based data identifiers, which can be forged easily. This paper proposes a hardware-level device authentication mechanism that uses the intrinsic hardware characteristics of the transmitter (shown as impairments in the radio signal of the transmission link) for identity authentication. The resulting fingerprint is naturally distinctive and highly resistant to counterfeiting attempts. We use 5 devices across different models and 10 devices of the same model for experimental evaluation. Then we apply machine learning algorithms to construct a fingerprint database and device authentication, achieving an average of 82.4% precision, 89.9% recall, and 85.9% F1-score, which can help to safeguard the security of 5G communication.

Rene Francisco Santana-Cruz,Martin Moreno-Guzman,César Enrique Rojas-López,Ricardo Vázquez-Morán,Rubén Vázquez-Medina

DOI: https://doi.org/10.3390/s24051482

IF: 3.9

2024-02-25

Sensors

Abstract:The proliferation of radio frequency (RF) devices in contemporary society, especially in the fields of smart homes, Internet of Things (IoT) gadgets, and smartphones, underscores the urgent need for robust identification methods to strengthen cybersecurity. This paper delves into the realms of RF fingerprint (RFF) based on applying the Jensen-Shannon divergence (JSD) to the statistical distribution of noise in RF signals to identify Bluetooth devices. Thus, through a detailed case study, Bluetooth RF noise taken at 5 Gsps from different devices is explored. A noise model is considered to extract a unique, universal, permanent, permanent, collectable, and robust statistical RFF that identifies each Bluetooth device. Then, the different JSD noise signals provided by Bluetooth devices are contrasted with the statistical RFF of all devices and a membership resolution is declared. The study shows that this way of identifying Bluetooth devices based on RFF allows one to discern between devices of the same make and model, achieving 99.5% identification effectiveness. By leveraging statistical RFFs extracted from noise in RF signals emitted by devices, this research not only contributes to the advancement of the field of implicit device authentication systems based on wireless communication but also provides valuable insights into the practical implementation of RF identification techniques, which could be useful in forensic processes.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xinfeng Li,Chenshu Wu,Xiaoyuan Wang,Ming Gu,Xiang-Yang Li,Dong Xuan

DOI: https://doi.org/10.48550/arXiv.1308.2950

2013-11-23

Abstract:Traditionally, Bluetooth has been deemed unsuitable for sustaining a large-scale multi-hop network. There are two main reasons: severe frequency channel collisions under a large-scale network and high complexity of designing an efficient formation protocol. In this work, we reconsider this viewpoint from a practical usability perspective and aim to realize the buried potential of Bluetooth. Firstly, we find that the collision probability under a low-overhead network is fairly small, which is acceptable for practical applications. Secondly, we propose BlueSky, a complete system solution to provide necessary networking functionalities for Bluetooth. In BlueSky, we develop a connection maintenance mechanism for mitigating the influence of collisions and a network formation protocol for reliable packet transmissions. We implement BlueSky on Windows Mobile using 100 commercial smartphones. Comprehensive usability evaluations demonstrate the negligible overheads of BlueSky and its good network performance. In particular, 90%-95% of the whole 100 nodes can participate in the communication smoothly.

Networking and Internet Architecture

Guillaume Celosia,Mathieu Cunche

DOI: https://doi.org/10.1145/3338507.3358617

2019-01-01

Abstract:Bluetooth Low Energy (BLE) is a short range wireless technology included in many consumer devices such as smartphones, earphones and wristbands. As part of the Attribute (ATT) protocol, discoverable BLE devices expose a data structure called Generic Attribute (GATT) profile that describes supported features using concepts of services and characteristics. This profile can be accessed by any device in range and can expose users to privacy issues. In this paper, we discuss how the GATT profile can be used to create a fingerprint that can be exploited to circumvent anti-tracking features of the BLE standard (i.e. MAC address randomization). Leveraging a dataset of more than 13000 profiles, we analyze the potential of this fingerprint and show that it can be used to uniquely identify a number of devices. We also shed light on several issues where GATT profiles can be mined to infer sensitive information that can impact privacy of users. Finally, we suggest solutions to mitigate those issues.

Hidayet Aksu,A. Selcuk Uluagac,Elizabeth S. Bentley

DOI: https://doi.org/10.1109/TSUSC.2018.2808455

2018-09-27

Abstract:With wearable devices such as smartwatches on the rise in the consumer electronics market, securing these wearables is vital. However, the current security mechanisms only focus on validating the user not the device itself. Indeed, wearables can be (1) unauthorized wearable devices with correct credentials accessing valuable systems and networks, (2) passive insiders or outsider wearable devices, or (3) information-leaking wearables devices. Fingerprinting via machine learning can provide necessary cyber threat intelligence to address all these cyber attacks. In this work, we introduce a wearable fingerprinting technique focusing on Bluetooth classic protocol, which is a common protocol used by the wearables and other IoT devices. Specifically, we propose a non-intrusive wearable device identification framework which utilizes 20 different Machine Learning (ML) algorithms in the training phase of the classification process and selects the best performing algorithm for the testing phase. Furthermore, we evaluate the performance of proposed wearable fingerprinting technique on real wearable devices, including various off-the-shelf smartwatches. Our evaluation demonstrates the feasibility of the proposed technique to provide reliable cyber threat intelligence. Specifically, our detailed accuracy results show on average 98.5%, 98.3% precision and recall for identifying wearables using the Bluetooth classic protocol.

Cryptography and Security

Liang A-le

2009-01-01

Abstract:The recent family health care system requires high-reliability,low-latency and flexibility for wireless transmitting.Here we present a family health care system based on the Bluetooth HID profile technology.With the help of strong BLUELAB4.01 development environment and its low-layer stack library,we established a communication protocol and related data packets between the Bluetooth module and the Host IC to realize the fast and reliable data transmitting from sensor or keyboard to the Host.In the article,we deeply discussed the realization of Bluetooth functions,and how to achieve the balance of low-latency and long power life.The experiment results concluded the actual currency cost with the different sniff interval parameters.

Jiska Classen,Matthias Hollick

DOI: https://doi.org/10.1145/3317549.3319727

2019-05-02

Abstract:Bluetooth is among the dominant standards for wireless short-range communication with multi-billion Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished observing the Host Controller Interface (HCI) between the operating system's driver and the Bluetooth chip. However, the HCI does not provide insights to tasks running inside a Bluetooth chip or Link Layer (LL) packets exchanged over the air. As of today, consumer hardware internal behavior can only be observed with external, and often expensive tools, that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, test mode, and memory peek and poke.

Networking and Internet Architecture

Lili Song,Zhenzhen Gao,Jian Huang,Boliang Han

DOI: https://doi.org/10.1109/WCNC55385.2023.10118789

2023-01-01

Abstract:The physical layer (PHY) security technology based on radio frequency (RF) fingerprint can effectively solve the secure access problem of wireless devices. The hardware impairments of the devices can be used to generate the unique RF fingerprint to identify different wireless devices. Fingerprint extraction as a key step in the process of identification faces the challenges of ensuring the identification accuracy with reduced sample dimension and low testing and training time. To address the above problems, we propose a lightweight RF fingerprint extraction scheme to extract the physical layer attributes and effectively reduce the data dimension and time consumption. Based on the proposed RF fingerprint, the Bayesian classifier is used to identify the wireless devices. Furthermore, a joint judgment strategy is proposed to improve the identification accuracy by using multiple segments of one signal frame. The experimental result shows that, compared to the existing RF fingerprint identification schemes, the proposed RF fingerprint identification scheme obtains the best identification accuracy with lower time and data consumption.

Tengxiang Zhang,Nicholas Becker,Yuntao Wang,Yuan Zhou,Yuanchun Shi

DOI: https://doi.org/10.1109/SMARTCOMP.2017.7946990

2017-01-01

Abstract:Radio-Frequency Identification (RFID) systems are becoming increasingly used within smart environments. In this paper, we propose BitID, a passive Ultra-High Frequency (UHF) RFID based sensing technique that can easily be made using off-the-shelf tags. BitID can be added to everyday objects to enable sensing and control capabilities. With a simple shorting mechanism, BitID is able to differentiate between two states of the object to which it is attached (for example, whether a door is open or closed). We explain the working principle of BitID, and demonstrate how to build and apply it to target objects. We also show that by using a three- layered system architecture, BitID can be used for various applications, including event detection, energy monitoring, fitness tracking, human behavior tracking and control.

Artis Rušiņš,Krišjānis Nesenbergs,Deniss Tiščenko,Pēteris Paikens

2024-02-09

Abstract:This paper presents an experimental study on radio frequency (RF) fingerprinting of Bluetooth Classic devices. Our research aims to provide a practical evaluation of the possibilities for RF fingerprinting of everyday Bluetooth connected devices that may cause privacy risks. We have built an experimental setup for recording Bluetooth connection in a radio frequency isolated environment using commercially available SDR (software defined radio) systems, extracted fingerprints of the Bluetooth radio data in the form of carrier frequency offset and scaling factor from 6 different devices, and performed k-nearest neighbors (kNN) classification achieving 84\% accuracy. The experiment demonstrates that no matter what privacy measures are being taken in the protocol layer, the physical layer leaks significant information about the device to unauthorized listeners. In the context of the ever-growing Bluetooth device market, this research serves as a clarion call for device manufacturers, regulators, and end-users to acknowledge the privacy risks posed by RF fingerprinting and lays a foundation for more sizeable Bluetooth fingerprinting analysis research.

Signal Processing,Networking and Internet Architecture

AlbazrqaoeWahhab,HuangJun,XingGuoliang

2019-01-01

Abstract:With the prevalence of personal Bluetooth devices, potential breach of user privacy has been an increasing concern. To date, sniffing Bluetooth traffic has been widely considered an extremely intri...

Deliang Yang,Guoliang Xing,Jun Huang,Xiangmao Chang,Xiaofan Jiang

DOI: https://doi.org/10.1109/IoTDI49375.2020.00009

2020-01-01

Abstract:Recent years have witnessed the increasing penetration of wireless charging base stations in the workplace and public areas, such as airports and cafeteria. Such an emerging wireless charging infrastructure has presented opportunities for new indoor localization and identification services for mobile users. In this paper, we present QID, the first system that can identify a Qi-compliant mobile device during wireless charging in real-time. QID extracts features from the clock oscillator and control scheme of the power receiver and employs light-weight algorithms to classify the device. QID adopts 2-dimensional motion unit to emulate a variety of multi-coil designs of Qi, which allows for fine-grained device fingerprinting. Our results show that QID achieves high recognition accuracy. With the prevalence of public wireless charging stations, our results also have important implications for mobile user privacy.

Changzhan Gu,Zhiguang Fan,Shaoyuan Zheng,Jiangtao Huangfu,Lixin Ran

DOI: https://doi.org/10.2529/piers061129101136

2007-01-01

Abstract:RFID (Radio Frequency Identification) is now attracting many interests for its bright future in commercial and daily use. For the low-frequency (LF, typically 125KHz) and the high-frequency (HF, typically 13.6MHz) RFIDs, the Readers have already come into our daily life out of their matured technologies, while the ultra-high frequency (UHF) RFID Readers are still in the process for the reliability and functionality. This paper represents a systematic design of a UHF RFID reader. Received backscatter modulation waves (carrier wave frequency 915 MHz) are directly demodulated to baseband signals using the Zero IF technology. The reader is designed as a quadrature (I/Q) one, which can avoid null points of the received signals [41 and enhance the demodulation sensitivity.

Jiliang Wang,Feng Hu,Ye Zhou,Yunhao Liu,Hanyi Zhang,Zhe Liu

DOI: https://doi.org/10.1145/3386901.3389025

2020-01-01

Abstract:Today's smart devices like fitness tracker, smartwatch, etc., often employ Bluetooth Low Energy (BLE) for data transmission. Such devices thus become our information portal, e.g., SMS message and notifications are delivered to those devices through BLE. In this study, we present BlueDoor, which can obtain unauthorized information from smart devices via BLE vulnerability. We thoroughly examine the BLE protocol, and leverage its intrinsic properties designed for low-cost embedded and wearable devices to bypass the encryption and authentication in BLE. By mimicking a low capacity device to downgrade the process of encryption key negotiation and authentication, BlueDoor can enforce a new key with the peripheral BLE device and pass the authentication without user participation. As a result, BlueDoor can extract BLE packets as well as read/write stored data on BLE devices. We show that BlueDoor works well on the fundamental design tradeoff of using BLE on diverse embedded and wearable devices, and thus can be generalized to various BLE devices. We implement the BlueDoor design and examine its performance on 15 COTS BLE enabled smart devices, including fitness trackers, smartwatch, smart bulb, etc. The results show that BlueDoor can break the information flow and obtain different types of information (e.g., SMS message, notifications) delivered to BLE devices. In addition to privacy threats, this further means traditional operations such as using SMS for verification in widely adopted authentication, are insecure.

Xikai Sun,Fan Dang

DOI: https://doi.org/10.1109/icpads60453.2023.00135

2023-01-01

Abstract:With the increasing popularity of industrial networks, driven by the development of the Internet of Things, cloud computing, and big data, there are still security threats when it comes to using wireless communication technologies, including BLE, in these networks. This is primarily due to the heterogeneity and resource limitations of the devices. To address the issues of device cloning and enhance BLE device access authentication, a device authentication mechanism based on physical features can be employed. By leveraging the uniqueness and nonreplicability of physical attributes, such as fingerprints, this mechanism effectively mitigates attacks. Therefore, this paper proposes a BLE device authentication scheme called FingerBLE, which relies on the physical fingerprints of devices at the physical-layer. In terms of system design, this article also introduces a fingerprint database authentication mechanism that utilizes the aforementioned fingerprints for node recognition and legitimacy authentication. Experimental results demonstrate that FingerBLE is capable of successfully extracting corresponding device fingerprints and accurately identifying nodes across a wide range of tests.

Li Lu,Runzhe Wang,Jing Ding,Wubin Mao,Wei Chen,Hongzi Zhu

DOI: https://doi.org/10.1109/ifipnetworking.2015.7145328

2015-01-01

Abstract:In recent past, the rapid developing of mobile internet inspires the widespread use of WiFi (IEEE 802.11) technology. In WiFi, the access control of a terminal to the router remains a significant challenge because the PIN (password) and MAC address are easy to guess and forge. In this paper, we present FastID - a practical system that identifies WiFi terminals in real-time by fingerprinting their clocks. Previous approaches of clock fingerprinting require tens of minutes or even hours for clock data collection, and thus cannot be applied into real-time WiFi terminal identification. Even worse, unstable wireless communications and unknown status of terminals' OSes may further degrade the accuracy of fingerprint computation. In comparison, FastID performs fast clock fingerprinting based on the timestamps carried by terminals' ICMP packets. Moreover, FastID employs simple but efficient techniques to remove outliers of collected clock data and differentiate terminals based on the similarity of their distributions, making it suitable for fast terminals identification. FastID is implemented on an off-the-shelf commercial WiFi router and extensively evaluated based on 10 commodity WiFi terminals. Experimental results show that FastID is able to identify terminals with high accuracy and low cost within several seconds.