(EN) When encryption is not enough: Attacking Wearable - Mobile communication over BLE with Eliza Chelleng & Sumanth Naropanth

Communication protocols have evolved from the traditional Serial and LAN ports to complex and lightweight protocols of today, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. Bluetooth Low Energy (BLE) is a popular protocol of choice for wearables which are low energy, low performance computing systems. The BLE standard specification provides for a variety of security mechanisms for channel encryption to protect data against snooping and man-in-the-middle style attacks.

In our presentation, we talk about the security assumptions made by popular mobile operating systems when they adopt the BLE specification and how this impacts their communication with wearable devices. We include vulnerability case studies to discuss how rogue mobile applications can use the same set of BLE encryption keys as the legitimate companion application, and get access to personal information or cause denial of service conditions on the wearables. We will discuss the insufficiencies of the protocols and the need for extra measures if the use cases demand confidentiality and integrity of data in transit.

We will present high level flows to correctly design secure communication channels between a phone application and the wearable device.
Nous présenterons le flux de données qui circulent entre un téléphone et un appreil mobile tel qu'il devrait être sécurisé.

About Sumanth Naropanth @snaropanth

Sumanth Naropanth is a security researcher and a business leader with expertise in multiple information security domains. He has over a decade of experience in the industry, building security teams, and leading security assessment and development efforts for mobile platforms, wearables, IoT platforms and operating systems. Sumanth currently manages a security assessment team for the New Devices Group at Intel, where he and his team work on head-worn and wrist-worn wearables. He has presented his work at several security conferences, including Black Hat Europe, Shakacon and AppSec USA. He holds a Masters degree in Computer Science/Computer Security from Columbia University.

About Eliza Chelleng

Eliza works as a Security Researcher at Intel for New Devices Group and performs security assessment of wearables. Her place of interest is Mobile Application and device security. She holds a Master Degree in Computer Applications from Tezpur University, Assam, India and has been involved in security research work since 2015.

About Kavya Racharia (Co-writer)

Kavya Racharla is a senior security researcher and lead for Intel’s New Devices Group. She worked for Oracle and Qualcomm’s security teams before she started her current job at Intel. She has a Masters in Information Security from the Johns Hopkins University and a passion for Security.