Robin Schroeder gave a presentation on Bluetooth technologies. They began with an introduction and background on Bluetooth, including its history and how it works. They then discussed Bluetooth Classic and how it is used for streaming audio. The presentation covered Bluetooth Low Energy in detail, including beacons, asset tracking, communication profiles, and connecting and pairing. Robin also discussed Bluetooth Mesh networking and provided examples of how it could be used. They concluded with information on Bluetooth specifications, tooling for development, and directions for further learning.
THAT_2023_BLE.pdf
3. ALL THINGS BLUETOOTH
LOW ENERGY
ROBIN SCHROEDER @RTSCHROEDER
THAT CONFERENCE, WISCONSIN, JULY 2023
4. Robin Schroeder
@RTSchroeder
o BS in taxonomic botany 1999
o Writing code since 1998
o Java → C# 2008
o Started with Xamarin 2015
o Bluetooth Mesh and BLE 2018
o Currently work at Mercury Marine
o Packt Technical Reviewer
o Hobbies: Guitar, Ancestry, DAR myoctocat.com
6. WHAT IS BLUETOOTH?
• A wireless technology standard using UHF radio waves to exchange data between devices in a piconet.
• Bluetooth SIG (Special Interest Group): 38,000+ member companies
7. HOW DOES IT WORK?
HARDWARE
• Bluetooth chip with antenna (the "radio")
• Many can broadcast and receive
• Many run on very little power
SIGNAL
• Frequency hopping: changing 1,600 times per second
• Short range, roughly line of sight
8. A LITTLE HISTORY
• "Short-Link" radio technology (1989): Ericsson Mobile in Sweden, for wireless headphones
• IBM wanted to integrate mobile phones with ThinkPads (1997)
• Both companies worked together to make it an OPEN INDUSTRY STANDARD
• Ericsson wireless headsets (1999) & phones (2001)
• IBM ThinkPads (2001)
https://en.wikipedia.org/wiki/Ericsson_T39
9. A LITTLE MORE HISTORY
• Jim Kardach (Intel, 1997) happened to be reading a book about Viking history
• Harald Bluetooth: Danish & Norwegian king (~958 AD) and Viking raider
• May 1998: Bluetooth SIG launched
King Harald Bluetooth united the Danish tribes into one kingdom. Bluetooth unites communication protocols.
10. ONE MORE THING…
• The son and successor to King Harald Bluetooth: Sweyn Forkbeard. Gabeldorsche is German for Forkbeard(s).
• Google used the name "Gabeldorsche" (gd for short) for their new Bluetooth stack, available as a developer-only option in Android 11 and 12, and then enabled by default in Android 13.
https://en.wikipedia.org/wiki/Sweyn_Forkbeard
For details:
https://cs.android.com/android/platform/superproject/+/master:system/bt/gd/docs/architecture/architecture.md?q=Gabeldorsche
12. BLUETOOTH TECHNOLOGIES
Classic Bluetooth (BR/EDR), 1:1
  Basic Rate/Enhanced Data Rate: wireless headsets, speakers, etc.
Bluetooth Low Energy (BLE or LE), 1:1 or 1:Many
  Fitness trackers, medical equipment, beacons, asset tracking
Bluetooth Mesh, Many:Many
  Lighting systems, sensor monitoring, automation systems, etc.
15. BLUETOOTH CLASSIC == STREAMING
Headsets
Hearing Aids
Car Audio
BT Speakers
Video - Chromecast
17. DECODING BLUETOOTH PHONE SPECS
PIXEL 6 PRO
• Bluetooth radio & software v5.2
• BT Classic (understood)
• BLE (aka LE)
• A2DP: Advanced Audio Distribution Profile, for streaming music from phone to car
• aptX HD: Qualcomm codec for transmitting high quality audio
https://www.gsmarena.com
21. BLUETOOTH GAP
GAP = GENERIC ACCESS PROFILE
• Advertising
• Connection management
• Four device roles for BLE communications:
• Broadcaster/Observer
• Peripheral/Central
22. BLE BEACONS
• Small BLE radios can constantly emit pings that include a link or a short message.
• Often stationary
• Often battery powered
• GAP messages
• No connection required
• ONE-WAY communication
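An added example (not from the talk) of how a scanner decodes one of these GAP advertising pings: an advertising payload is a sequence of AD structures laid out as [length][AD type][data], and a scanner that trusts the length byte without bounds-checking it reads past the buffer. The payload bytes below are constructed; the AD type codes and flag bits are the ones from the Bluetooth assigned numbers.

```python
import struct

# AD type codes from the Bluetooth assigned numbers: Flags, complete list of
# 16-bit service UUIDs, Complete Local Name, Manufacturer Specific Data.
AD_FLAGS, AD_UUIDS16, AD_NAME, AD_MFG = 0x01, 0x03, 0x09, 0xFF


def parse_ad_structures(payload: bytes) -> list:
    """Split an advertising payload into (ad_type, data) pairs.
    Layout: one length byte (type + data), one type byte, data. A length that
    runs past the end of the payload is rejected instead of read out of bounds."""
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # a zero-length structure means the rest is padding
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        structures.append((payload[i + 1], payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return structures


def is_well_formed(payload: bytes) -> bool:
    """True if every AD structure fits inside the payload."""
    try:
        parse_ad_structures(payload)
        return True
    except ValueError:
        return False


def describe(payload: bytes) -> dict:
    """Decode the fields a scanner would show for a beacon-style advertisement."""
    info = {}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_FLAGS:
            info["le_general_discoverable"] = bool(data[0] & 0x02)
            info["br_edr_not_supported"] = bool(data[0] & 0x04)
        elif ad_type == AD_UUIDS16:  # 16-bit UUIDs are little-endian
            info["service_uuids"] = [struct.unpack_from("<H", data, o)[0] for o in range(0, len(data), 2)]
        elif ad_type == AD_NAME:
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_MFG:  # first two bytes are the company identifier
            info["company_id"] = struct.unpack_from("<H", data)[0]
            info["manufacturer_data"] = data[2:]
    return info


# Constructed sample: flags 0x06, service UUID 0x180D (Heart Rate), name "Beacon",
# and manufacturer data under the test company ID 0xFFFF.
SAMPLE_ADV = bytes.fromhex("020106" "03030D18" "0709426561636F6E" "05FFFFFF0102")
```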
24. CROWD SOURCED ASSET TRACKERS
• Small BLE radios that constantly emit pings that include a link or a short message.
• NOT stationary
• Often battery powered
• GAP messages
• No connection required
• Usually ONE-WAY communication
25. TILE
• Uses all users who have the Tile app installed.
• Those phones funnel the BLE broadcast messages up to the cloud along with the GPS coordinates of the PHONE.
• Tile itself has no spatial awareness.
26. APPLE AIRTAGS
• Uses BLE to transmit its location to nearby iPhones
• Crowdsourcing a massive fleet of all iPhones running recent software
• Precision Tracking "Spatial Awareness"
  • iPhone 11 and later
  • Apple-designed U1 chip uses Ultra Wideband (UWB) technology
  • Apple Watch Series 6 & later
  • AirDrop
  • AirTag
27. ASSET TRACKING SECURITY
• Dec 2022: class action lawsuit against Apple for negligence, AirTags being used for stalking
• May 2023: Apple, Google, and other industry folks started putting together a specification for asset tracking and security.
• Apple released an Android app to help Android users detect when an AirTag is nearby.
28. SAMSUNG SMARTTAG (& PIXEL?)
• Leverages the network of all Samsung Galaxy phones
• Only works with Galaxy phones
• For close range, uses BLE directly with the phone.
• Does not use UWB.
• Version 2 expected soon, using BT 5.3
• Google Pixel quietly included a UWB chip starting in the Pixel 6 Pro. Some folks think they will be introducing an asset tracker as well. That, AND Google is in on the spec.
29. BLUETOOTH GATT
GATT = GENERIC ATTRIBUTE PROFILE
• System of data organization and data transfer
• A Bluetooth device (server) exposes data as Attributes, broken down into Services and Characteristics.
• Characteristics & Services have UUIDs
• Requires an established connection
Profile
  Service 1
    • Characteristic
      • Properties
      • Value
      • Descriptor
    • Characteristic
      • Properties
      • Value
      • Descriptor
  Service 2
    • Characteristic
      • Properties
      • Value
      • Descriptor
    • Characteristic
      • Properties
      • Value
      • Descriptor
30. CONNECTING, PAIRING & BONDING
• BT Connection (Classic or BLE): Two devices have agreed on communicating in an unencrypted fashion.
Encrypted:
• Pairing: Exchanging the security keys and other information needed to establish an encrypted conversation.
• Bonding: The keys generated during pairing need to be stored and used in subsequent bonded connections.
• Forget a Paired Device: One of the devices deletes the pairing key used for a bonded connection, and the pairing process needs to happen again.
33. FITNESS TRACKERS
• Bluetooth Low Energy (BLE)
• Require a connection
• No bonding (usually)
• Often a mix of following the spec and creating their own custom BLE Characteristics.
34. Bluetooth 1, 2.0, 2.1, 3 (1999-2009): Classic
Bluetooth 4 & 4.2 (2010-2015): Classic, BLE
Bluetooth 5 & 5.1 (2016-2019): Classic, BLE, Mesh
Bluetooth 5.2 & 5.3 (2020-2023): Classic, BLE, Mesh, LE Audio
35. BLE RADIO SPECS
https://blog.nordicsemi.com/getconnected/things-you-should-know-about-bluetooth-range
                       | Bluetooth 4.0    | Bluetooth 4.2    | Bluetooth 5
Release Date           | October 2011     | December 2014    | December 2016
First Phone            | iPhone 4S        |                  | Samsung Galaxy S8, iPhone X
Range (indoors)        | 10 - 50 m        | ~50 m            | 240 - 400 m
Max Range (outdoors)   | ~100 m           | ~100 m           | 1,000 m
Max Data Rate          | 1 Mbit/s         | ~1 Mbit/s        | 2 Mbit/s
Application Throughput | Up to 305 kbit/s | Up to 800 kbit/s | Up to 1,360 kbit/s
39. BLUETOOTH MESH
Hardware required: BLE 4.2 or 5 radio in each device
Software required: implement the Mesh Specification
BLE devices communicating many to many.
Security is REQUIRED.
Phones are "Configuration Clients": they can configure and listen to messages in the network.
40. MANAGED FLOOD MESH NETWORK
• Broadcast messages have a TTL (Time to Live)
• Sequence numbers help weed out processing of repeat messages
• Subnets allow for partitions
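An added example (not from the talk) of the two flood controls named above, modelled as a relay node: TTL bounds how far any copy of a message travels, and a per-source sequence-number cache makes each node act on a message once, whether the extra copies come from neighbouring relays or from a replay. It is a simplified model with constructed node addresses and messages; a real relay also authenticates and decrypts each PDU with the subnet's network key before any of this runs, and the `flood()` scenario (all relays hear each other) is the worst case chosen to show the difference.

```python
class RelayNode:
    """One relay in a managed-flood network. Simplified model: only the two
    controls the slide names (TTL, per-source sequence numbers) are modelled;
    a real relay also authenticates each PDU with the network key first."""

    def __init__(self, address: int, replay_protection: bool = True):
        self.address = address
        self.replay_protection = replay_protection
        self.last_seq = {}    # highest sequence number seen per source address
        self.delivered = []   # (src, seq, payload) handed to the local application

    def receive(self, src: int, seq: int, ttl: int, payload: bytes):
        """Handle one network PDU; return the PDU to re-broadcast, or None."""
        # Sequence check: at or below the last value from this source means a
        # duplicate copy of the same flood, or a replay, so it is dropped.
        if self.replay_protection and seq <= self.last_seq.get(src, -1):
            return None
        self.last_seq[src] = max(seq, self.last_seq.get(src, -1))
        self.delivered.append((src, seq, payload))
        # TTL check: relay only while TTL >= 2, decrementing it per hop, so
        # every copy dies after a bounded number of hops.
        return (src, seq, ttl - 1, payload) if ttl >= 2 else None


def flood(nodes: list, src: int, seq: int, ttl: int, payload: bytes) -> int:
    """Flood one PDU through relays that all hear each other (worst case for a
    flood) and return the total number of re-broadcasts."""
    pending, rebroadcasts = [(src, seq, ttl, payload)], 0
    while pending:
        frame = pending.pop(0)
        for node in nodes:
            relayed = node.receive(*frame)
            if relayed is not None:
                rebroadcasts += 1
                pending.append(relayed)
    return rebroadcasts


def demo() -> dict:
    """Constructed scenario: four relays, one 'lights on' message, then replays."""
    good = [RelayNode(0x0100 + i) for i in range(4)]
    naive = [RelayNode(0x0200 + i, replay_protection=False) for i in range(4)]
    return {
        "first": flood(good, 0x0001, 10, 3, b"on"),    # each relay forwards once
        "replay": flood(good, 0x0001, 10, 3, b"on"),   # same seq: dropped everywhere
        "stale": flood(good, 0x0001, 9, 3, b"off"),    # older seq: also dropped
        "ttl1": flood(good, 0x0001, 11, 1, b"off"),    # delivered but never relayed
        "delivered": [len(n.delivered) for n in good],
        "naive_rebroadcasts": flood(naive, 0x0001, 10, 3, b"on"),  # only TTL bounds it
        "naive_delivered": [len(n.delivered) for n in naive],
    }
```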
45. Chicago Marathon
26 Mile route
3 waves and 12 Corrals of runners
2019 – 45,956 runners finished
6.5 hours max
Runners
• pace, splits, official time and place
Organizers
• alerted of dangerous heart rates
• eliminate cheaters
Fans
• current runner position and stats
49. BLUESNARFING
• Theft of contacts, calendar data, email and text messages from a discoverable Bluetooth device.
• Connects to a GATT service which doesn't require authentication
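An added example (not the talk's code) that models the GATT hierarchy from slide 29 on the server side together with the check a device must enforce to avoid the bluesnarfing case above: each characteristic carries its own security requirement, and a read over a link that does not meet it gets an ATT error code instead of the value. The 0xF00D service, its characteristics, the Link model and the sample values are constructed; 0x1800/0x2A00 and the ATT error codes are the assigned ones.

```python
from dataclasses import dataclass

# ATT error codes from the Core spec
ATT_READ_NOT_PERMITTED = 0x02
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_ATTRIBUTE_NOT_FOUND = 0x0A
ATT_INSUFFICIENT_ENCRYPTION = 0x0F


@dataclass
class Characteristic:
    uuid: int
    value: bytes
    readable: bool = True
    needs_encryption: bool = False      # link must be encrypted (devices paired)
    needs_authentication: bool = False  # pairing must have been MITM-protected


@dataclass
class Link:
    encrypted: bool = False      # False for a plain connection, True after pairing
    authenticated: bool = False  # True only if pairing produced an authenticated key


class GattServer:
    def __init__(self, services: dict):
        self.services = services  # service UUID -> list of Characteristic

    def read(self, link: Link, uuid: int) -> tuple:
        """Return (value, None) on success, or (None, ATT error code) on refusal."""
        c = next((c for chars in self.services.values() for c in chars if c.uuid == uuid), None)
        if c is None:
            return None, ATT_ATTRIBUTE_NOT_FOUND
        if not c.readable:
            return None, ATT_READ_NOT_PERMITTED
        # Stronger requirement first, so the client learns it must pair with MITM protection
        if c.needs_authentication and not link.authenticated:
            return None, ATT_INSUFFICIENT_AUTHENTICATION
        if c.needs_encryption and not link.encrypted:
            return None, ATT_INSUFFICIENT_ENCRYPTION
        return c.value, None


# Constructed device: the Generic Access service (0x1800) exposes the Device Name
# (0x2A00) to anyone, while the made-up 0xF00D service keeps personal data behind pairing.
DEVICE = GattServer({
    0x1800: [Characteristic(0x2A00, b"Sample Phone")],
    0xF00D: [
        Characteristic(0xF00E, b"Alice,+1-555-0100", needs_encryption=True, needs_authentication=True),
        Characteristic(0xF00F, b"dentist 9am", needs_encryption=True),
    ],
})
```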
50. BLUEBUGGING
By pretending to be a BT headset, hackers use all phone features: intercepting phone calls, sending messages, reading phonebooks and calendars.
51. BLE SPOOFING ATTACK (BLESA)
Exploits the reconnection process
• Authentication during device reconnection is optional
• Authentication verification can be skipped by the IoT device
BLESA: Spoofing Attacks against Reconnections in BLE
53. TRASH CAN ATTACK
Harvesting of keys or passwords from devices that have been removed from a network.
Mesh countermeasure: Key Refresh Procedure
54. MAN IN THE MIDDLE
Third party, in between source and destination, listening in to communications.
Countermeasure: BONDING
Mesh: asymmetric cryptography, Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol
56. BEST PLATFORM FOR WRITING BLE-HEAVY CROSS-PLATFORM MOBILE APPS?
• Xamarin/ .Net MAUI
• Write the iOS and Android specific bits in the same language (C#)
• C# is a fully featured, well worn path
• iOS and Android BLE code operates on the native objects
• Multi threaded
• Lots of infrastructure, community involvement, backed by Microsoft
• All other code is shared – like the tedious bits that parse/build the byte code
60. TOOLING: BLUETOOTH FOR IOS PROFILE
https://www.bluetooth.com/blog/a-new-way-to-debug-iosbluetooth-applications/
Must reinstall every four days…
61. TOOLING: “SNIFFERS”
BLE PROTOCOL ANALYZER
Passively listen to Bluetooth traffic
• Adafruit Bluefruit LE Sniffer (BLE 4.0)
• Sodera LE Bluetooth Protocol Analyzer
72. SOFTWARE FOR BT MESH
Bluetooth SIG Study Guides
• Nordic Semiconductor Thingy 52 boards
• https://www.bluetooth.com/bluetooth-resources/?types=study-guide
73. HARDWARE & FIRMWARE FOR BT MESH
ZEPHYR Project
• Open Source RTOS
• Supports the BT Mesh Specification
• https://docs.zephyrproject.org/latest/getting_started/index.html