BLEWhisperer: Exploiting BLE Advertisements for Data Exfiltration

Autor: Gangwal, Ankit, Singh, Shubham, Spolaor, Riccardo, Srivastava, Abhijeet
Rok vydání: 2022
Předmět:
Zdroj: 27th European Symposium on Research in Computer Security (ESORICS '22), Copenhagen, Denmark, September 26-30, 2022
Druh dokumentu: Working Paper
Popis: Bluetooth technology has enabled short-range wireless communication for billions of devices. Bluetooth Low-Energy (BLE) variant aims at improving power consumption on battery-constrained devices. BLE-enabled devices broadcast information (e.g., as beacons) to nearby devices via advertisements. Unfortunately, such functionality can become a double-edged sword at the hands of attackers. In this paper, we primarily show how an attacker can exploit BLE advertisements to exfiltrate information from BLE-enable devices. In particular, our attack establishes a communication medium between two devices without requiring any prior authentication or pairing. We develop a proof-of-concept attack framework on the Android ecosystem and assess its performance via a thorough set of experiments. Our results indicate that such an exfiltration attack is indeed possible though with a limited data rate. Nevertheless, we also demonstrate potential use cases and enhancements to our attack that can further its severeness. Finally, we discuss possible countermeasures to prevent such an attack.
Comment: 20 pages, 8 figures, 1 table
Databáze: arXiv