Easy to use methods for securing the channel between mobile apps and connected consumer devices

Abstract

Bluetooth is one of the primary short range wireless communication technology available in all consumer devices. The Bluetooth Low Energy specification made this technology even suitable for battery-operated devices. Also, the features and functionality of battery-operated consumer devices are increased significantly than before. These features can be accessed over Bluetooth Low Energy. Some devices are equipped with actuators which can be operated from a remote place. These actuators may harm users if they are controlled by an malicious agent. Also, it affects user experience if the malicious agent compromises the communication link while the device is in use. Moreover, these battery-operated devices are mostly headless i.e., human machine interfaces are very limited. But Bluetooth Low Energy authentication mechanisms are highly dependent on sophisticated human machine interfaces. Initially, we evaluated state of the art solutions for encryption and authentication in Bluetooth Low Energy. It shows that Bluetooth Low Energy security concepts are defined at three different places of Bluetooth host stack. They are paring feature exchange parameters, Low Energy security modes and attribute permissions. A deep investigation were carried out on such security concepts defined in the Bluetooth core specification. As a result, we identified bottlenecks and flaws in the Bluetooth standard. The impact of such shortcomings on authentication and encryption mechanisms were clearly described in this research work. In addition to Bluetooth Low Energy security mechanisms, we invented new encryption and authentication methods suitable for headless devices. These techniques can be combined with existing Bluetooth Low Energy security concepts. In the end, a suitable security mechanism is selected based on device capability and security regulations. The same technique is implemented and tested on the device. Furthermore, an alternative solution is suggested to overcome interoperability issues found between iOS and Android smart phones. Finally, we explored threat modelling frameworks for Bluetooth Low Energy, identified security issues and provided mitigation’s for all the threats found in the system.