While Bluetooth and Bluetooth Low Energy (BLE) have quickly become popular technologies in many building security systems, there are rising concerns over the safety and reliability of BLE-dependent systems. In this article, you’ll learn about different types of Bluetooth vulnerabilities, and how Openpath access control systems actively protect against them.
In any security environment, active attempts to breach the system or building are always top of mind. In the case of Bluetooth technology, there are a few known vulnerabilities and types of attacks, which any system running on BLE should protect against.
BLESA (Spoofing Attacks against Reconnections in Bluetooth Low Energy), presented at USENIX WOOT 2020.
BLURtooth (device impersonation, man-in-the-middle, malicious session establishment with arbitrary devices), discovered by Daniele Antonioli and Mathias Payer from École Polytechnique Fédérale de Lausanne (EPFL), Nils Ole Tippenhauer from Helmholtz Center for Information Security (CISPA), and Kasper Rasmussen from University of Oxford.
KNOB attack (Key Negotiation of Bluetooth encryption keys to listen, control, and change nearby Bluetooth communication), discovered by Daniele Antonioli (Singapore University of Technology and Design), Nils Ole Tippenhauer (CISPA Helmholtz Center for Information Security), and Kasper Rasmussen (University of Oxford), and presented at USENIX Security 2019.
Extrapolating the high-level issue from all of these attacks is the capability for an attacker to intercept, read, modify, and inject their own traffic between two devices’ communication over BLE, bypassing the cryptographic and authentication layers built in. In a traditional Bluetooth security model, the Bluetooth protocol handles the security and authenticity of either side, typically negotiating keys for future re-use to speed up communication, and these vulnerabilities unfortunately impact a host of other systems, especially as the issues are protocol-level and some have yet to be patched.
As part of a keyless door entry system, Bluetooth vulnerability could lead to major security concerns. Systems that rely on Bluetooth technology to unlock doors offer greater convenience, but without the proper protocols in place, it would be easy for someone to use one of the above Bluetooth security vulnerabilities to gain unlawful entry or compromise sensitive data.
Many of the most common Bluetooth vulnerabilities in security systems have workarounds to help organizations prevent any malicious activity. So, how does Openpath protect against the various Bluetooth Low Energy (BLE) vulnerabilities that have been released, including 0-day vulnerabilities that have not yet been patched?
Openpath understands security is challenging and that new systems are often constructed on top of imperfect, existing infrastructure that is difficult to change. With this in mind, we’ve built our architecture with the assumption that our technology will be deployed into hostile network environments and locations with pre-existing threats. We expect that all communication channels will be unreliable and insecure, vulnerable to both passive and active attackers.
Despite these factors, we’ve designed our system radically different from traditional access control systems and readers to provide secure, reliable access and communication despite many unknown threats. We use heavily scrutinized and publicly vetted cryptographic standards and a unique architecture, relative to access control, that we've built from the ground up.
In a nutshell, none of the recent Bluetooth/BLE vulnerabilities impact the security of Openpath systems. This is not to say our system is perfect; we know security concerns will come up and we are heavily active and alert in the security community to quickly respond to any threats that may arise. However, our goal is to build our technology with fundamentally sound core principles, which establishes a stronger foundation to prevent Bluetooth security vulnerabilities in the first place, which improves overall physical security across the board.
Openpath has never been susceptible to the Bluetooth attacks described above, as we’ve taken a different approach to security. When building our system, we were able to perform some Bluetooth specific attacks and understood that we could not rely on the security within the Bluetooth protocol itself for several reasons; including that if the security is every compromised, the security of the user is beholden to the protocol/manufacturers releasing software and firmware updates to devices. Additionally, some of the security features that we wanted to take advantage of in the specification were not implemented in some versions of mobile operating systems, preventing our security from being at the level we would expect.
Due to these Bluetooth vulnerability concerns, we decided to instead use a well-known and well-vetted cryptographic layer on top of BLE: Transport Layer Security, or TLS. Our communication still occurs over BLE, and while attacks like interception or sniffing can occur (which is true of any wireless protocol), the traffic is encrypted end-to-end and uses public key infrastructure to prevent active interception. Additionally, this approach solves the “initial pairing” problem, where a device that pairs to another BLE device for the first time has no way to validate whether it’s talking to the true device or another rogue device performing a man-in-the-middle attack.
Openpath uses TLS 1.2, enforced with NSA Suite B Cryptography algorithms (preventing downgrade and similar attacks) for communication. This is the same technology you use to log into online banking, but more secure as both sides authenticate each other, unlike a banking website where only the client authenticates the bank, not vice versa. We only allow well vetted, open, and modern cryptographic algorithms for all communication.
Openpath is unique among access control systems in regards to how we handle communications over BLE. Instead of relying solely on the security of BLE, which by itself is susceptible to downgrade and man-in-the-middle attacks, Openpath leverages TLS encryption on top of BLE. Communication between the mobile device and Smart Hub is encrypted end-to-end, leaving wireless eavesdroppers unable to gain any useful details as all data is encrypted, and preventing active man-in-the-middle-attackers from performing successful attacks by the use of signed certificates.
Additionally, the Openpath Reader on the unsecured side of the door is not an endpoint but is instead considered an insecure “proxy” that simply transmits pre-encrypted communication between the user’s mobile device and the Openpath access control system on the secure side of the door. This prevents the physical reader from being an attack vector as it does not store secret material, keys, or passwords, and tampering of the device can provide no benefit in the interpretation of the encrypted signals passing through.
Openpath access control solutions are designed and built to provide best-of-breed security, without compromising convenience. A traditional security audit is a smart way to address possible weaknesses in physical building security, but it’s important to consider technology and network vulnerabilities as well. While Bluetooth vulnerability is something to be aware of across all connected systems, Openpath provides peace of mind with a proactive approach to security at every level of our access control technology.