When encryption is not enough: Attacking Wearable - Mobile Application communication over BLE

Presented at AppSec USA 2016, Oct. 13, 2016, 3:30 p.m. (60 minutes).

Communication protocols have evolved from the traditional Serial and LAN ports to the complex and lightweight protocols of today, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. Bluetooth Low Energy (BLE) is a popular protocol of choice for wearables, which are low-energy, low-performance computing systems. The BLE standard specification provides a variety of security mechanisms for channel encryption to protect data against snooping and man-in-the-middle style attacks.

In our presentation, we talk about the security assumptions made by popular mobile operating systems when they adopt the BLE specification and how this impacts their communication with wearable devices. We include vulnerability case studies to discuss how rogue mobile applications can use the same set of BLE encryption keys as the legitimate companion application, and get access to personal information or cause denial of service conditions on the wearables. We will discuss the insufficiencies of the protocols and the need for extra measures if the use cases demand confidentiality and integrity of data in transit.

We will present high level flows to correctly design secure communication channels between a phone application and the wearable device.
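The core point of the abstract, that the BLE bond and its keys belong to the phone OS, so every app on that phone writes through the same encrypted link and the wearable cannot tell which app is talking, can be made concrete with a small model. The following is an added illustration, not material from the talk or from Intel: the HMAC-based encrypt-then-MAC cipher, the `PhoneApp` and `Wearable` classes, and all keys and commands are constructed for the demo (standard library only), and a production design would use a standard AEAD such as AES-CCM/GCM or ChaCha20-Poly1305 together with a real key-provisioning step. The model shows the same rogue-app frame accepted by a wearable that trusts link encryption alone and rejected by one that also verifies an application-layer key, plus replay and tamper checks.

```python
"""Model of the two keys in play when a phone app talks to a wearable over
BLE: the OS-managed bond key (shared by every app on the phone) and an
application-layer key held only by the companion app.  All keys, commands
and the HMAC-based cipher are constructed for this demo (stdlib only)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
SEQ_LEN = 4
TAG_LEN = 16


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy PRF stream; a real design would use
    # an AEAD such as AES-CCM/GCM or ChaCha20-Poly1305.
    out = b""
    for counter in range((length + 31) // 32):
        out += _prf(key, nonce + struct.pack(">I", counter))
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || seq || ciphertext || tag."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    header = os.urandom(NONCE_LEN) + struct.pack(">I", seq)
    ct = _xor(plaintext, _keystream(enc_key, header[:NONCE_LEN], len(plaintext)))
    return header + ct + _prf(mac_key, header + ct)[:TAG_LEN]


def open_(key: bytes, packet: bytes) -> tuple:
    """Verify the tag, then decrypt; returns (seq, plaintext) or raises ValueError."""
    hdr_len = NONCE_LEN + SEQ_LEN
    if len(packet) < hdr_len + TAG_LEN:
        raise ValueError("packet too short")
    header, ct, tag = packet[:hdr_len], packet[hdr_len:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, header + ct)[:TAG_LEN]):
        raise ValueError("bad tag")
    seq = struct.unpack(">I", header[NONCE_LEN:])[0]
    return seq, _xor(ct, _keystream(enc_key, header[:NONCE_LEN], len(ct)))


class PhoneApp:
    """Any app on the bonded phone; only the companion app also holds app_key."""

    def __init__(self, ltk: bytes, app_key: bytes = None):
        self.ltk, self.app_key, self.seq = ltk, app_key, 0

    def send(self, command: bytes) -> bytes:
        if self.app_key is not None:          # companion app: app-layer seal first
            command = seal(self.app_key, self.seq, command)
            self.seq += 1
        # Link-layer encryption is done by the OS stack with the bond key on
        # behalf of whichever app asked; the link sequence is not modelled here.
        return seal(self.ltk, 0, command)


class Wearable:
    """Peripheral; with app_key=None it trusts the encrypted link alone."""

    def __init__(self, ltk: bytes, app_key: bytes = None):
        self.ltk, self.app_key, self.last_seq = ltk, app_key, -1

    def receive(self, frame: bytes) -> tuple:
        try:
            _, inner = open_(self.ltk, frame)
        except ValueError:
            return None, "link-layer reject"
        if self.app_key is None:
            return inner, "accepted (link encryption only)"
        try:
            seq, command = open_(self.app_key, inner)
        except ValueError:
            return None, "app-layer reject: not from the companion app"
        if seq <= self.last_seq:              # anti-replay on the app layer
            return None, "app-layer reject: replay"
        self.last_seq = seq
        return command, "accepted"


def demo() -> dict:
    ltk = os.urandom(32)      # OS-managed bond key: shared by every app on the phone
    app_key = os.urandom(32)  # provisioned only to the legitimate companion app
    companion, rogue = PhoneApp(ltk, app_key), PhoneApp(ltk)
    results = {}
    link_only = Wearable(ltk)
    results["rogue vs link-only wearable"] = link_only.receive(rogue.send(b"READ_HEART_RATE"))[1]
    hardened = Wearable(ltk, app_key)
    results["rogue vs hardened wearable"] = hardened.receive(rogue.send(b"READ_HEART_RATE"))[1]
    results["companion vs hardened wearable"] = hardened.receive(companion.send(b"READ_HEART_RATE"))[1]
    captured = companion.send(b"READ_HEART_RATE")
    hardened.receive(captured)                # first delivery is accepted
    results["replayed companion frame"] = hardened.receive(captured)[1]
    tampered = bytearray(captured)
    tampered[-1] ^= 0x01                      # flip a tag bit on the wire
    results["tampered frame"] = hardened.receive(bytes(tampered))[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two layers use the same cipher on purpose: the difference between the "link-only" and "hardened" wearable is not cryptographic strength but who holds the key. The bond key is owned by the phone OS and serves every app that is granted Bluetooth access, so it authenticates the phone, not the application; only a key that the companion app provisions and keeps to itself lets the peripheral distinguish its legitimate counterpart from another app on the same handset.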


Presenters:

  • Kavya Racharla - Intel Corp
    Kavya has a Masters in Information Security from the Johns Hopkins University and a passion for Security. She worked for Oracle and Qualcomm's security teams before she started her current job at Intel.
  • Sumanth Naropanth - Intel Corp
    Sumanth has worked in the information security industry for a decade in a variety of roles, including incident response, feature development and security assurance. He worked for Sun Microsystems and Palm before his current job at Intel. He has a Masters in Computer Science (Security) from Columbia University.
  • Chandra Prakash Gopalaiah - Intel Corp
    Chandra has worked in the software development and security domains for about 8 years in various roles. Prior to joining Intel, he worked for Motorola Mobility Inc. in Android development. He has a Master's degree in Computer Science from San Diego State University.
