Ryan called the key exchange the only weak aspect of the BLE protocol. "The rest of the protocol is well-designed and meets best practices," he said in his email. "The way devices use the [key exchange] protocol varies, and some have security issues as a result. Some devices don't use key exchange/encryption at all. Other devices don't use the privacy protecting features properly and are easily tracked."
BLE "features encryption and in-band key exchange," Ryan wrote in his whitepaper. "Rather than relying on a well-established key exchange protocol such as one based on Elliptic Curve Diffie-Hellmann (ECDH), the Bluetooth SIG invented their own key exchange protocol. We demonstrate that this key exchange protocol has fundamental weaknesses that undermine the privacy of communication against passive eavesdroppers." His team's attack targets "the key exchange rather than the encryption itself."
Qualcomm's Linsky, who is familiar with Ryan's paper, acknowledged that Ryan is "correct in his assertion that BLE offers no eavesdropping protection in key exchange today." However, in the SIG's defense, because BLE is designed for use in all different types of devices, SIG members weren't ready to "overburden BLE radio" with heavy-duty security features from day one. "The industry is aware of those known weaknesses and attacks."
Depending on use-case scenarios for Bluetooth Smart devices, Linsky laid out that it's entirely possible to add security on an "application level." Not every cost-effective device needs to feature device-level security.
Native support for Diffie-Hellmann
However, Linsky acknowledged that the Bluetooth SIG team is working on a mechanism to "natively support" in some BLE radio the NIST-compliant algorithms, including hashing functions and Elliptic Curve Diffie-Hellmann (ECDH) key exchange.
Though ECDH is likely to incur significant additional costs in CPU, power consumption, and time relative to BLE's current key exchange, Ryan told us, "If it is implemented properly, this will be a one-time cost that's only experienced the first time a user pairs with a device."
In Linsky's mind, one of the biggest drawbacks of implementing the ECDH key exchange in software in today's BLE chips is the time it takes to calculate it in an industry-standard MCU like the 8051. "It could take a few seconds [just for key exchange]. If it takes over a second, it's perceived as just too slow." He also said that Moore's Law will help. As BLE chips start to use more powerful MCUs such as ARM Cortex M0 or higher, the processing time for key exchange could go down to 50 or 100 milliseconds.
He said he is not aware of what CSR is doing to add security to BLE chips.
According to Pai, CSR's proprietary workarounds include "out of band pairing" and "the use of full strength of AES-128 encryption, instead of reducing it to one million combinations." Bluetooth Smart is "merely a communication channel," and tasks like authenticating a car owner's mobile phone could be done by other devices inside a car.
The Bluetooth Smart security updates are on the working group's roadmap and could be expected as early as the spec's next release. But for the time being, the Bluetooth SIG is keeping mum on the schedule.
— Junko Yoshida, Chief International Correspondent, EE Times