ieeexplore.ieee.org/document/9706334
Top Highlights
The replay attack is particularly dangerous because the attacker can easily sniff the communication of BLE central and peripheral devices
It has a simplified protocol stack, which is to blame for many of its security and privacy flaws
All of these personal and industrial devices simplify our lives and increase our productivity, but they also expand the attack surface of these systems
BLE is widely used in health care applications, its security and privacy risks could be fatal
insecure pairing, inappropriate authentication, and poor protocol implementation (e.g., lack of suitable cryptography) expose BLE devices to eavesdropping, pin cracking, Man-In-The-Middle (MITM), and other attacks
vulnerabilities cause a smuggle of personal data, unlocking smart locks, misinterpretation of the message, battery drain for IoT devices
objective of this paper is to identify important security and privacy risks for BLE, to classify those threats, and to make recommendations on how to mitigate those attacks
BLE fitness bands [141] and health devices [142] are collecting a lot of personal data, but there is not any standard for BLE applications on collecting and sharing our data
Attacker can very easily access a lot of personal data, read the various health sensor data
Arney [145] provided an overview of different types of BLE threats in medical devices. Their survey showed that medical devices were most vulnerable to MITM attack and also pointed out the link layer vulnerability in implementing BLE in medical devices
All transmitted data should be encrypted by the AES-128 algorithm
Manufacturers should avoid the Just Works pairing method
The users are recommended to use a secured, private environment to connect with their IoT devices
Users should turn Bluetooth off when it is not necessary
Users should not keep their devices in always discoverable mode
Users should try to apply security updates from trusted manufacturers as soon as possible
The idea of using a server to connect with an IoT device rather than connecting with individual device directly may enhance device management and users' privacy significantly
In BLE, there is a tradeoff between performance, security, and privacy concerns over low energy consumption
vast number of IoT devices available in the market have not implemented these security mechanisms properly
led to a wide range of security threats