Bluetooth Low Energy (BLE) has become an integral component of billions of smart devices worldwide, but it also faces various challenges from different attack methods.
In this talk, I will discuss examples of how wireless bit streams can escape and affect reality, covering security risks from shallow to deep levels on different protocol layers of BLE products and discussing the unique attack surface of BLE protocol.
The first topic is “Money Thief”. I will talk about a vulnerability in QR code payments that not only allows attackers to directly transfer funds from users during payment, leaving the merchant without any payment, but also allows attackers to modify the QR code amount. Both the merchant and the user suffer losses while the attacker invisibly takes the money.
The second topic is “Unlock Everything”. Unlocking is an impulse carved into the hacker’s DNA. Starting from an analysis of smart devices that build private protocols on top of the Generic Attribute Profile (GATT) layer, I will demonstrate how to restore the validity period of unlock commands to override locks and how to bypass laptop lock screens. Then, I will introduce design flaws in the BLE Controller and use them to demonstrate movie-level hacker behaviors, such as opening and driving a car several miles away. Regarding the technical details of the BLE Controller layer, I will submit a white paper. This demonstration will showcase similar issues in three car models and blur the boundary between the virtual world and physical security.
Lastly, I will introduce a BLE security detection tool that can reproduce the attacks from our cases, giving security researchers research and communication capabilities and giving manufacturers the ability to test the security of their BLE products. Let us make our intelligent lives more secure!