Hasso-Plattner-Institut
Prof. Dr. Tilmann Rabl
 

Cybersecurity - Mobile & Wireless

Summary written by Philipp Keese, Klara Munz & Constantin Kuehne

Introduction of speaker

Dr. Jiska Classen conducts research on wireless and mobile security. She started her own research group, Cybersecurity - Mobile & Wireless, at HPI in July 2023. Her research focuses on next-generation wireless security, security and privacy of mobile devices, and reverse engineering of wireless firmware. Before joining HPI, she worked at TU Darmstadt, where she was also part of the international research team SEEMOO (Secure Mobile Networking Lab). She has spoken at Black Hat USA, DEF CON, REcon, and other conferences.

Dr. Classen's previous work on Bluetooth security analysis tools uncovered remote code execution and cryptographic vulnerabilities in many mobile devices. Recently, her team discovered vulnerabilities in ultra-wideband distance measurement and reverse-engineered Apple's AirTag communication protocol.

Wireless Security

Today's mobile devices use many wireless protocols, including Wi-Fi, Bluetooth, NFC, Ultra Wide Band (UWB), and Thread. These protocols all use different hardware, frequencies and software stacks, so wireless and mobile security are closely related. In the Dolev-Yao model, an attacker can overhear, modify, and send anything on the wireless channel [4]; only cryptographic methods can stop such an attacker. A wireless attacker can also use a bigger antenna to extend the range, or overlay a signal on top of a legitimate transmission and attempt to flip single bits in the message. Software-defined radios (SDR) make overhearing wireless signals easy these days. Wireless signals travel at the speed of light, so distance can be measured precisely from signal timing. Due to the cubic propagation of signals, a receiver can triangulate the transmitter's location. This is helpful when building secure access systems.

WebSDR allows you to view wireless transmissions without owning a software-defined radio. Figure 1 shows a large range of live wireless transmissions, separated by wavelength. The longer the wavelength, the farther the signal travels; depending on weather conditions and antennas, even longer ranges are possible. Some signals carry audio and some carry data, but both can be decoded. Sending on amateur radio bands requires a license, but anyone may listen in because the traffic is meant to be public. Pauses within a signal can mean that someone else is transmitting or that someone is answering.

Figure 1: WebSDR to view wireless transmissions [11]

The most common wireless attacks focus on the cryptography used or target specific implementations, both of which require different methods for testing and discovery. Cryptographic attacks try to identify flaws in pairing or session management to get data. Attacks on implementations, such as packet parsing attacks, target parser code within the firmware or operating system to compromise the component and possibly gain code execution.

Cryptographic Attacks

Wireless trust models are used to allow two parties that have never communicated before to communicate securely over an insecure medium. When using trust on first use (e.g. Bluetooth), the two devices are paired once and during the pairing there may be a PIN comparison or a similar mechanism to prevent man-in-the-middle attacks. Another option is to have the same key for all users, such as Wi-Fi WPA2. Since all users joining the network have the same key, leaking it could weaken the security of the entire network. The third option for wireless trust models is user-specific keys, such as the eduroam network or cellular SIM cards. Here, each user who wants to join the network is supplied with a unique key.

There are many limitations to cryptography, especially the false sense of security it can create. Users make mistakes when using cryptographic methods, such as not comparing the PIN on first use or losing their keys, and even the best processes provide no remedy for incorrect use. This is visible in the data: human error is the cause of around 88 to 95 percent of cybersecurity breaches [9].

Insecurities of network protocols

The realm of security challenges affecting our everyday devices, such as Bluetooth-enabled gadgets and Wi-Fi networks, is very complex, with a diverse range of cryptographic implementations and an ongoing battle against security exploits. Bluetooth is highly vulnerable to various attacks, especially during the session setup and pairing process. Over the last five years, many of the exploits found are inherent weaknesses in the design of the cryptographic framework of the Bluetooth protocol, revealing a concerning trend of exploits found in protocols previously thought to be secure [2].

Wi-Fi and cellular networks have vulnerabilities due to outdated encryption standards, as in 2G and 3G. Despite the newer and more secure protocols in 4G and 5G, there are practical difficulties in phasing out the older technologies, such as battery constraints or the use of 2G for emergency phone calls. Because of these considerations, new phones still connect to cell towers via the old protocols, and an attacker can force such a fallback, for example by jamming the newer signals, so the old protocols remain a security liability.

Securing Bluetooth by layering encryption

To alleviate the security issues faced by insecure Bluetooth connections, devices like the Apple Watch and its paired iPhone implement an intricate multi-layer encryption approach to safeguard sensitive data [1] [7]. Basic Bluetooth encryption is combined with a VPN and another encryption layer similar to iMessage. This layered encryption strategy emphasizes the need for robust security measures beyond the standard offerings, especially when handling health data. It is commonly used to strengthen the security of a system, but does not make attacks impossible, just more expensive to execute and therefore less profitable.

In practice, such approaches must balance the need for security with the need for energy efficiency on mobile and wearable platforms. The advent of 5G cellular networks offers improved security features but has also raised concerns about battery consumption. Engineers and developers face the ongoing challenge of balancing robust security protocols with the practical limitations of device hardware.

InternalBlue

InternalBlue is an innovative tool that enables researchers to modify the firmware of Bluetooth chips in commonly used devices like smartphones and Raspberry Pis, making Bluetooth security research more accessible and cost-effective [6]. Figure 2 shows the spike in vulnerability discoveries after the tool's release in 2018, highlighting the framework's impact on the field.

Figure 2: Bluetooth vulnerabilities from the year 2002 to 2022 including the release of InternalBlue [3]

Remote Code Execution through Malicious Packets

Aside from traditional cryptographic attacks, wireless security must also defend against attacks on the implementation of a protocol. Typically, the wireless stack is implemented on a separate co-processor running its own code separate from the main application processor. Attackers can target this specific chip and exploit vulnerabilities within its programming.

A possible attack vector is the packet parsing routine used by the co-processor to decode received messages. This kind of attack falls under the category of binary exploitation and in some cases can be used to gain remote code execution on the co-processor [8].

Once the co-processor is compromised, attackers could use it to eavesdrop on phone calls, inject new packets (e.g. to inject keystrokes from a Bluetooth keyboard), or intercept encrypted traffic. In addition to governments using such exploits for surveillance, there is a risk that human rights activists and journalists are especially targeted. Therefore, security research and ethical reporting are important to ensure safe communication for everyone.

Pre-authentication vulnerabilities can be exploited before two devices authenticate to each other. This makes them particularly dangerous because they can be executed without any prior relationship between the devices. Remote exploits are used to send malicious packets over the internet to target devices. This expands the attack surface and allows attacks to be launched from anywhere in the world.

Real-world Example: Shannon Attack

One attack combines security flaws in a popular hardware component used in Google and Samsung phones to connect to cellular networks. It falls into the category of packet parsing attacks. The packets are transmitted over the internet and attackers can remotely gain code execution on the victim’s phone by simply making a Voice over LTE (VoLTE) call.

The affected Shannon baseband chip, which is responsible for parsing certain cellular packets, lacked mitigations available in modern mobile operating systems and, due to programming errors, allowed attackers to compromise it by crafting a malicious VoLTE packet. An important aspect of this exploit was its potential to allow for 0-click attacks. This type of attack does not require the victim to interact with the device to be exploited. Packets sent over a pre-authenticated connection were used to trigger the exploit, making the attack more difficult to detect. Despite its complexity, the development of similar exploits can be quite quick. Recent attacks on the Linux Wi-Fi stack were developed within months using fuzzing techniques [10].
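To make the packet-parsing and fuzzing points above concrete, here is an added example that is not code from the page, the Shannon baseband, or the cited papers: a hypothetical type-length-value parser in a naive and a bounds-checked version, plus a small mutation fuzzer that finds the naive version's out-of-bounds read on a constructed seed packet. The crash here is a Python IndexError; in C firmware the same missing check would be a memory-safety bug.

```python
import random

class MalformedPacket(ValueError): pass  # clean rejection of bad input, not a crash

def parse_tlv_naive(buf):
    i, fields = 0, []
    while i < len(buf):
        t, l = buf[i], buf[i + 1]  # IndexError if only one byte is left
        fields.append((t, buf[i + 2:i + 2 + l]))  # silently truncates on overrun
        i += 2 + l
    return fields

def parse_tlv_checked(buf):
    # Same format, but every read is validated against the real packet length.
    i, fields = 0, []
    while i < len(buf):
        if i + 2 > len(buf):
            raise MalformedPacket(f"truncated header at offset {i}")
        t, l = buf[i], buf[i + 1]
        if i + 2 + l > len(buf):
            raise MalformedPacket(f"length {l} overruns packet at offset {i}")
        fields.append((t, buf[i + 2:i + 2 + l]))
        i += 2 + l
    return fields

def mutate(seed, rng):
    # One to three random byte overwrites or insertions.
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        pos, val = rng.randrange(len(data) + 1), rng.randrange(256)
        if rng.random() < 0.5 and pos < len(data):
            data[pos] = val        # overwrite a byte in place
        else:
            data.insert(pos, val)  # insert a byte (may extend the packet)
    return bytes(data)

def fuzz(parser, seed, iterations=2000, rng_seed=1):
    # Returns (input, exception name) for every unexpected crash of parser.
    rng, crashes = random.Random(rng_seed), []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except MalformedPacket:
            continue  # validated rejection, not a bug
        except Exception as exc:  # anything else is a parser bug
            crashes.append((sample, type(exc).__name__))
    return crashes

# Constructed well-formed seed packet: type 1 with two bytes, type 2 with one byte.
SEED = bytes([0x01, 0x02, 0xAA, 0xBB, 0x02, 0x01, 0xCC])
```

Running fuzz(parse_tlv_naive, SEED) returns crashing inputs (a trailing lone header byte), while fuzz(parse_tlv_checked, SEED) returns none.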

Attacking Wireless Hardware

Known attacks mostly target one single technology or component in victim devices. When looking at the physical layer of certain wireless protocols, they share similarities that may offer new attack surfaces. One example is the Wi-Fi and Bluetooth protocols, which both transmit data in the 2.4 GHz band. As such, both protocols must work around each other: Bluetooth does this by blacklisting certain frequencies, and Wi-Fi by rescheduling packets to avoid traffic. In modern hardware, the components responsible for Wi-Fi and Bluetooth often share a communication link to work together [1]. Implementations range from simply locking out the other chip during transmission to sharing buffers between Wi-Fi and Bluetooth hardware. The latter configuration allows an attack that modifies the Bluetooth chip's firmware to write instructions to shared memory for the Wi-Fi chip, so that the Wi-Fi chip executes code and crashes. This attack could allow attackers to jump the gap between components in an exploit chain to gain more privileges after compromising the Bluetooth hardware.

Detecting and mitigating this kind of attack requires knowledge of the existing connections between components. Modern devices may contain multiple wireless components that are connected in hardware. Over the lifetime of the product or during development, updates may remove the features making use of these connections, but the components could potentially still talk to each other through these channels. Attackers armed with this knowledge could use undocumented or inactive interfaces to move between components thought to be isolated from one another.

Signal-Based Relay and Boosting Attacks

The Bluetooth protocol and NFC are susceptible to signal-based relay attacks where the signal received by the antenna is relayed from another location to the victim device.

Researchers at TU Darmstadt built NFCGate to relay NFC communication over the internet between two Android devices [5]. They demonstrated their system by paying for a meal at their university's dining hall from another city. A possible mitigation for this kind of attack would be a plausibility check on the time between the security challenge and the response. This way, the implausible delays introduced by the internet would give away the attack, and the reader could reject the authentication.

A similar attack is also being used by car thieves to unlock cars with wireless key fobs. The fob must be close to the vehicle to unlock the doors, but by amplifying the signal to reach beyond this range, the car can be unlocked without the key being nearby. More recent technologies such as UWB support fine and secure ranging and could make this kind of attack harder to execute. However, researchers have also identified problems in early UWB versions that allow similar range-boosting attacks.
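The plausibility check suggested for NFCGate-style relays, and the same idea behind ranging against key-fob boosting, as an added example (not code from the page or the NFCGate project): a reader issues a fresh challenge, checks the token's answer, and rejects the exchange when the round trip is implausibly long. It assumes a constructed shared key, an HMAC challenge-response (the page does not specify the real NFC protocol), a fake clock, and an assumed 20 ms budget; an internet relay blows that budget, while a pure signal amplifier adds far less delay, which is why physical-layer ranging such as UWB is needed for that case.

```python
import hashlib
import hmac
import os

# Constructed shared secret between reader and token (example value only).
SHARED_KEY = b"constructed-example-key"
# Assumed budget for a legitimate local exchange, in seconds; a real reader
# would calibrate this against the honest token's measured response time.
MAX_RTT_S = 0.020
LOCAL_RTT_S = 0.003  # assumed honest token compute plus radio time


class FakeClock:
    """Deterministic clock so the scenarios run without real sleeps."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def token_respond(challenge: bytes, key: bytes = SHARED_KEY) -> bytes:
    """The token proves possession of the key by MACing the fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def reader_verify(respond, clock, max_rtt_s=MAX_RTT_S):
    """Reader side: fresh challenge, check the MAC, then check the round trip."""
    challenge = os.urandom(16)
    t0 = clock()
    response = respond(challenge)
    rtt = clock() - t0
    if not hmac.compare_digest(response, token_respond(challenge)):
        return "reject", "bad response", rtt
    if rtt > max_rtt_s:
        return "reject", "implausible delay", rtt
    return "accept", "ok", rtt


def run_scenario(relay_delay_s: float, key: bytes = SHARED_KEY):
    """relay_delay_s models the extra transport time a relay adds (0 = local)."""
    clock = FakeClock()

    def respond(challenge):
        clock.now += LOCAL_RTT_S + relay_delay_s  # time passes before the answer
        return token_respond(challenge, key)

    return reader_verify(respond, clock)
```

run_scenario(0.0) is accepted, run_scenario(0.150) (a 150 ms internet relay) is rejected for delay, and a token with the wrong key is rejected before timing is even considered.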

Summary

Wireless security is important because an attacker can overhear, modify, and send anything on a wireless channel. Attacks can target the protocol and cryptography in use or focus on implementations of the protocol. Cryptographic attacks occur mostly due to insecurities in network protocols. To counter this, devices use a multi-layer encryption approach to protect sensitive data. InternalBlue allows researchers to modify the firmware of Bluetooth chips, which led to an increase in vulnerability discoveries in 2018. Targeting the implementation of a particular protocol, e.g. the packet parsing routine, can allow attackers to compromise a device's co-processor and gain remote code execution; such attacks have been found in practice. Wireless communication also presents additional security challenges because it works without physical proximity between participants, which makes it vulnerable to range boosting and relaying.

References

[1]     Apple Support. 2024. Systemsicherheit bei watchOS (June 2024). Retrieved June 25, 2024 from support.apple.com/de-de/guide/security/secc7d85209d/web.

[2]     Bluetooth® Technology Website. 2024. Reporting Security Vulnerabilities | Bluetooth® Technology Website (June 2024). Retrieved June 18, 2024 from www.bluetooth.com/learn-about%20-bluetooth/key-attributes/bluetooth-security/reporting-security/.

[3]     Jiska Classen. 2024. Wireless Security. Lecture Series on HPI Research SoSe 2024.

[4]     D. Dolev and A. Yao. 1983. On the security of public key protocols. IEEE Trans. Inform. Theory 29, 2, 198–208. DOI: doi.org/10.1109/TIT.1983.1056650.

[5]     GitHub. 2024. nfcgate/nfcgate: An NFC research toolkit application for Android (June 2024). Retrieved June 18, 2024 from github.com/nfcgate/nfcgate.

[6]     GitHub. 2024. seemoo-lab/internalblue: Bluetooth experimentation framework for Broadcom and Cypress chips (June 2024). Retrieved June 19, 2024 from github.com/seemoo-lab/internalblue.

[7]     Dennis Heinze, Jiska Classen, and Felix Rohrbach. 2020. MagicPairing. In WiSec '20: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, July 8-20, 2020, Linz (Virtual Event), Austria. ACM, New York, NY, 111–121. DOI: doi.org/10.1145/3395351.3399343.

[8]     Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick. 2020. Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets. In 29th USENIX Conference on Security Symposium (SEC'20). August 12 - 14, 2020. USENIX Association, Berkeley, CA, 19–36.

[9]     Security Today. 2024. Just Why Are So Many Cyber Breaches Due to Human Error? (June 2024). Retrieved June 18, 2024 from securitytoday.com/articles/2022/07/30/just-why-are-so-many-cyber-breaches-due-to-human-error.aspx.

[10]   Sönke Huster, Matthias Hollick, and Jiska Classen. 2023. To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux' Wireless Stacks through VirtIO Devices. In IEEE Symposium on Security and Privacy (SP). DOI: doi.org/10.1109/SP54263.2024.00024.

[11]   websdr.org. 2014. WebSDR (October 2014). Retrieved June 18, 2024 from websdr.org/.