BlueMaster: Bypassing and Fixing Bluetooth-based Proximity Authentication

Presented at Black Hat Europe 2019, Dec. 5, 2019, 2:15 p.m. (50 minutes)

Bluetooth-enabled devices can indirectly check the proximity of other connected devices, and this proximity check can be used as an authentication means. Thanks to the widespread use of Bluetooth, popular software vendors such as Google and Microsoft offer this device proximity authentication method in their operating systems, namely Android and Windows 10. On one hand, Google's Android supports a feature called Android Smart Lock, which allows a user to register 'trusted' Bluetooth devices and then use the presence of such trusted devices as an alternative to a passcode. On the other hand, Microsoft Windows uses this proof of device proximity in the reverse way. Windows 10 introduces Dynamic Lock, which automatically 'locks' the device if a paired smartphone moves away, to block access to the computer while it is unattended.

In this talk, we present the security pitfalls of Bluetooth-based proximity authentication. We analyzed implementations of Android Smart Lock and Windows Dynamic Lock and demonstrated new attacks on these implementations. Based on our analysis, we discovered three new attacks that allow attackers to bypass device proximity authentication. From Android Smart Lock, attackers may bypass a security check that prevents a basic MAC spoofing attack. From Windows Dynamic Lock, attackers may alter the MAC address and device class to spoof a paired smartphone, and it is also vulnerable to a proximity spoofing attack.

Our analysis shows that the vulnerabilities originate from accepting untrusted data from Bluetooth for authentication. Additionally, regarding the proximity check itself, it turned out that neither implementation is secure: Android ignores device proximity, and Windows is susceptible to a signal amplification attack.

Finally, we discuss potential countermeasures and inherent weaknesses of proximity checking in Bluetooth, as well as how to analyze the security of the Bluetooth-based device and proximity authentication method. Our countermeasure includes several ideas on how to accept only trusted data from Bluetooth for authentication methods. Furthermore, we will release a detection tool for the problems we found.
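To make the root cause in the abstract concrete (a trust decision built on over-the-air identifiers such as the MAC address and device class, versus one built on data bound to an authenticated bond), here is an added illustrative model in Python. It is not code from the talk, from Android Smart Lock or from Windows Dynamic Lock; the device registry, bond secret, RSSI threshold and the HMAC challenge-response used as proof of key possession are all constructed assumptions for the example.

```python
"""Illustrative model of the trust decision behind a Bluetooth proximity
unlock feature: a policy that trusts over-the-air identifiers beside one
that requires an authenticated bond plus proof of key possession.
Added example; it does not reproduce Android Smart Lock or Windows
Dynamic Lock code, and all device records and secrets are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class PeerLink:
    # Values learned from the peer over the air; an unauthenticated peer chooses them freely.
    address: str
    device_class: int
    # Facts the local host stack establishes about the current link.
    link_encrypted: bool
    key_authenticated: bool   # key came from MITM-protected pairing, not "Just Works"
    rssi_dbm: int             # signal strength seen locally (weak proximity evidence)


# Constructed registry of "trusted" devices: address -> (device class, bond secret).
TRUSTED = {
    "AA:BB:CC:DD:EE:01": (0x5A020C, bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")),
}
RSSI_NEAR_DBM = -60  # constructed threshold for "near enough"


def is_trusted_by_identifiers(peer: PeerLink) -> bool:
    """Vulnerable policy: the peer is 'trusted' if its reported address and
    device class match a registered device. Both values are unauthenticated."""
    entry = TRUSTED.get(peer.address)
    return entry is not None and entry[0] == peer.device_class


def new_challenge() -> bytes:
    """Fresh random nonce so a recorded answer cannot be replayed."""
    return os.urandom(16)


def answer_challenge(bond_secret: bytes, nonce: bytes) -> bytes:
    """What a genuine bonded peer returns: an HMAC over the nonce keyed with the bond secret."""
    return hmac.new(bond_secret, nonce, hashlib.sha256).digest()


def is_trusted_by_bond(peer: PeerLink, nonce: bytes, response: bytes) -> bool:
    """Hardened policy: accept only data that is bound to the bond."""
    entry = TRUSTED.get(peer.address)
    if entry is None:
        return False
    _, bond_secret = entry
    # The link itself must be encrypted with an authenticated key.
    if not (peer.link_encrypted and peer.key_authenticated):
        return False
    # The peer must prove it holds the bond secret; compare in constant time.
    expected = hmac.new(bond_secret, nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False
    # Signal strength as an extra gate only: the talk notes that RSSI can be
    # inflated, so this is a sanity check, not proof of proximity.
    return peer.rssi_dbm >= RSSI_NEAR_DBM


def evaluate_policies() -> dict:
    """Run both policies against a genuine bonded phone and a peer that only
    copied the phone's address and device class (constructed scenario)."""
    genuine = PeerLink("AA:BB:CC:DD:EE:01", 0x5A020C, True, True, -50)
    lookalike = PeerLink("AA:BB:CC:DD:EE:01", 0x5A020C, False, False, -50)
    nonce = new_challenge()
    real_secret = TRUSTED[genuine.address][1]
    genuine_resp = answer_challenge(real_secret, nonce)
    # The look-alike has no bond secret, so it can only answer with a guess.
    lookalike_resp = answer_challenge(b"\x00" * 16, nonce)
    return {
        "identifiers_accepts_genuine": is_trusted_by_identifiers(genuine),
        "identifiers_accepts_lookalike": is_trusted_by_identifiers(lookalike),
        "bond_accepts_genuine": is_trusted_by_bond(genuine, nonce, genuine_resp),
        "bond_accepts_lookalike": is_trusted_by_bond(lookalike, nonce, lookalike_resp),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_policies().items():
        print(f"{name}: {verdict}")
```

The identifier-based policy accepts both peers because address and device class are exactly the values the abstract describes as spoofable; the bond-based policy rejects the look-alike because it cannot answer the challenge and its link is not encrypted with an authenticated key. The RSSI gate is kept deliberately last and advisory, reflecting the talk's finding that signal strength alone is not a trustworthy proximity proof.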


Presenters:

  • Yeongjin Jang - Assistant Professor, Oregon State University
    Dr. Yeongjin Jang is an assistant professor of Computer Science and studies Cybersecurity. He hacks CPU, OS, iPhone, IoT devices, and anything that is operated by computers. He is interested in trustworthy computing, vulnerability discovery and analysis, side-channel attack and defense, developing new exploit primitives, mobile security, practical applied cryptography, jailbreaking, and building defense mechanisms. He holds BS degree in Computer Science from KAIST, and MS and PhD degrees in Computer Science from Georgia Institute of Technology.
  • Junbum Shin - Principal Engineer, Samsung Electronics
    Junbum Shin received a PhD degree in computer science from the Korea Advanced Institute of Science and Technology (KAIST) in 2003. He is currently a principal engineer with Samsung Research. His research interests include security protocol, privacy protection, system and software security, and cryptography.
  • Youngman Jung - Engineer, Samsung Electronics
    Youngman Jung received his B.S. degree in Mathematics and Computer Engineering and his M.S. degree in Electronic and Computer Engineering, Sungkyunkwan University, Korea, in 2012 and 2014, respectively. Since 2014, he has worked with Samsung Electronics, Korea. His current research interests include authentication between devices such as smart phones and wearable devices, and how to protect the privacy in the devices.
