Skip to main content
SpringerLink
Log in

Man-in-the-middle attacks on Secure Simple Pairing in Bluetooth standard V5.0 and its countermeasure

  • Original Article
  • Published:
Personal and Ubiquitous Computing Aims and scope Submit manuscript

A Correction to this article was published on 11 November 2017

This article has been updated

Abstract

Bluetooth devices are widely employed in the home network systems. It is important to secure the home members’ Bluetooth devices, because they always store and transmit personal sensitive information. In the Bluetooth standard, Secure Simple Pairing (SSP) is an essential security mechanism for Bluetooth devices. We examine the security of SSP in the recent Bluetooth standard V5.0. The passkey entry association model in SSP is analyzed under the man-in-the-middle (MITM) attacks. Our contribution is twofold. (1) We demonstrate that the passkey entry association model is vulnerable to the MITM attack, once the host reuses the passkey. (2) An improved passkey entry protocol is therefore designed to fix the reusing passkey defect in the passkey entry association model. The improved passkey entry protocol can be easily adapted to the Bluetooth standard, because it only uses the basic cryptographic components existed in the Bluetooth standard. Our research results are beneficial to the security enhancement of Bluetooth devices in the home network systems.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

Change history

  • 11 November 2017

    Figure 4 contained an error. "Diffie-Hellman key" in step 1c' of Figure 4 should be changed to "Diffie-Hellman keys".

References

  1. Bluetooth Special Interest Group (SIG) (2017) https://www.bluetooth.org/en-us

  2. Hager CT, Midkiff SF (2003) An analysis of Bluetooth security vulnerabilities. In: Proceedings of IEEE Wireless Communications and Networking Conference-WCNC 2003, New Orleans, LA, USA, Volume: 3, pp. 1825–1831. IEEE Communications Society

  3. Wong FL, Stajano F, Clulow J (2007) Repairing the Bluetooth pairing protocol. In: Christianson B, Crispo B, Malcolm JA, Roe M (eds) Proceedings of the 13th International Security Protocols Workshop-Security Protocols 2005, Cambridge, UK, Lecture Notes in Computer Science, vol 4631. Springer, Berlin Heidelberg, pp 31–45

    Google Scholar 

  4. Xu JF, Zhang T, Lin D, Mao Y, Liu XN, Chen SW, Shao S, Tian B, Yi SW (2013) Pairing and authentication security technologies in low-power Bluetooth. In: Proceedings of IEEE International Conference on Green Computing and Communications-GreenCom, IEEE International Conference on Internet of Things-iThings, IEEE International Conference on Cyber, Physical and Social Computing-CPSCom, Beijing, China, pp. 1081–1085. IEEE Computer Society

  5. Mandal BK, Bhattacharyya D, Kim TH (2014) An architecture design for wireless authentication security in Bluetooth network. Int J Secur Appl 8(3):1–8

    Google Scholar 

  6. Sun DZ, Li XH (2016) Vulnerability and enhancement on Bluetooth pairing and link key generation scheme for Security Modes 2 and 3. In: Lam KY, Chi CH (eds) Proceedings of the 18th International Conference on Information and Communications Security-ICICS 2016, Singapore, Lecture Notes in Computer Science, vol 9977. Springer, Berlin Heidelberg, pp 403–417

    Google Scholar 

  7. Cope P, Campbell J, Hayajneh T (2017) An investigation of Bluetooth security vulnerabilities. In: Proceedings of the 7th Annual Computing and Communication Workshop and Conference-CCWC, Las Vegas, NV, USA, pp. 1–7. IEEE

  8. Hassan SS, Bibon SD, Hossain MS, Atiquzzaman M (2017) Security threats in Bluetooth technology. Comput Secur, https://doi.org/10.1016/j.cose.2017.03.008

  9. Specification of the Bluetooth System, Supplement to the Bluetooth Core Specification, CSSv6, Bluetooth SIG Proprietary, Publication date: Jul. 2015, https://www.bluetooth.com/specifications/adopted-specifications

  10. Specification of the Bluetooth System, Covered Core Package Version: 5.0, Master Table of Contents & Compliance Requirements, Bluetooth SIG Proprietary, Publication date: Dec. 2016, https://www.bluetooth.com/specifications/adopted-specifications

  11. Padgette J, Bahr J, Batra M, Holtmann M, Smithbey R, Chen L, Scarfone K: Guide to Bluetooth security: recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Special Publication 800-121 Revision 2, May 2017, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2.pdf

  12. Chang R, Shmatikov V (2007) Formal analysis of authentication in Bluetooth device pairing. In: Proceedings of LICS/ICALP Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis-FCS-ARSPA’07, pp. 45–62

  13. Suomalainen J, Valkonen J, Asokan N (2009) Security associations in personal networks: a comparative analysis. In: Proceedings of European Workshop on Security and Privacy in Ad-Hoc and Sensor Networks-ESAS’07, Cambridge, UK, Lecture Notes in Computer Science, vol 4572. Springer, Berlin Heidelberg, pp 43–57

  14. Lindell AY (2009) Comparison-based key exchange and the security of the numeric comparison mode in Bluetooth v2.1. In: Fischlin M (ed) Proceedings of the Cryptographers’ Track at the RSA Conference-CT-RSA 2009, San Francisco, CA, USA, Lecture Notes in Computer Science, vol 5473. Springer, Berlin Heidelberg, pp 66–83

    Google Scholar 

  15. Haataja K, Toivanen P (2008) Practical man-in-the-middle attacks against Bluetooth secure simple pairing. In: Proceedings of the 4th International Conference on Wireless Communications, Networking and Mobile Computing-WiCOM’08, Dalian, China, pp. 1–5. IEEE

  16. Haataja K, Toivanen P (2010) Two practical man-in-the-middle attacks on Bluetooth secure simple pairing and countermeasures. IEEE Trans Wirel Commun 9(1):384–392

    Article  Google Scholar 

  17. Phan RC-W, Mingard P (2012) Analyzing the secure simple pairing in Bluetooth v4.0. Wirel Pers Commun 64(4):719–737

    Article  Google Scholar 

  18. Barnickel J, Wang J, Meyer U (2012) Implementing an attack on Bluetooth 2.1+ secure simple pairing in passkey entry mode. In: Proceedings of 11th International Conference on Trust, Security and Privacy in Computing and Communications-TrustCom 2012, Liverpool, UK, pp. 17–24. IEEE Computer Society

  19. Albahar MA, Keijo H, Pekka T (2016) Bluetooth MITM vulnerabilities: a literature review, novel attack scenarios, novel countermeasures, and lessons learned. Int J Inf Technol Secur 8(4):25–49

    Google Scholar 

  20. Albahar MA, Keijo H, Pekka T (2016) Virtual channel based pairing: a new novel solution structure for Bluetooth pairing. Int J Inf Technol Secur 8(4):51–65

    Google Scholar 

  21. Albahar MA, Keijo H, Pekka T (2016) Towards enhancing just works Bluetooth pairing. Int J Inf Technol Secur 8(4):67–82

    Google Scholar 

  22. Gajbhiye S, Sharma M, Karmkar S, Sharma S (2016) Design, implementation and security analysis of Bluetooth pairing protocol in NS2. In: Proceedings of International Conference on Advances in Computing, Communications and Informatics-ICACCI 2016, Jaipur, India, pp. 1711–1717. IEEE

  23. Menezes A, van Oorschot P, Vanstone S (1997) Handbook of applied cryptography. CRC Press. Chapter 9

  24. Sun DZ, Zhong JD (2012) A hash-based RFID security protocol for strong privacy protection. IEEE Trans Consum Electron 58(4):1246–1252

    Article  Google Scholar 

  25. Sun DZ, Li JX, Feng ZY, Cao ZF, Xu GQ (2013) On the security and improvement of a two-factor user authentication scheme in wireless sensor networks. Pers Ubiquit Comput 17(5):895–905

    Article  Google Scholar 

  26. Yoon EJ, Kim C (2013) Advanced biometric-based user authentication scheme for wireless sensor networks. Sens Lett 11(9):1836–1843

    Article  Google Scholar 

  27. Zhu HJ, Fang CLH, Liu Y, Chen CL, Li MY, Shen XMS (2016) You can jam but you cannot hide: defending against jamming attacks for geo-location database driven spectrum sharing. IEEE J Selected Areas Commun 34(10):2723–2737

    Article  Google Scholar 

  28. Li MY, Meng Y, Liu JY, Zhu HJ, Liang XH, Liu Y, Ruan N (2016) When CSI meets public WiFi: inferring your mobile phone password via WiFi signals. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security-CCS 2016, Vienna, Austria, pp. 1068–1079. ACM

  29. Kim C, Shin D, Yang CN (2017) Self-embedding fragile watermarking scheme to restoration of a tampered image using AMBTC. Pers Ubiquit Comput, Online First. https://doi.org/10.1007/s00779-017-1061-x

Download references

Acknowledgements

The work of Dr. Da-Zhi Sun was funded in part by China Scholarship Council and in part by the Open Project of Shanghai Key Laboratory of Trustworthy Computing under Grant No. 07dz22304201402. The authors would like to thank the editor and the reviewers for their valuable suggestions and comments.

Author information

Authors and Affiliations

  1. Tianjin Key Laboratory of Advanced Networking (TANK), School of Computer Science and Technology, Tianjin University, No. 135, Yaguan Road, Tianjin Haihe Education Park, Tianjin, 300350, China

    Da-Zhi Sun

  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China

    Da-Zhi Sun

  3. Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, 2522, Australia

    Da-Zhi Sun, Yi Mu & Willy Susilo

Authors
  1. Da-Zhi Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yi Mu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Willy Susilo
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Da-Zhi Sun.

Additional information

The original version of this article was revised: Figure 4 contained an error. “Diffie-Hellman key” in step 1c’ of Figure 4 should be changed to “Diffie-Hellman keys”.

An erratum to this article is available at https://doi.org/10.1007/s00779-017-1085-2.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Sun, DZ., Mu, Y. & Susilo, W. Man-in-the-middle attacks on Secure Simple Pairing in Bluetooth standard V5.0 and its countermeasure. Pers Ubiquit Comput 22, 55–67 (2018). https://doi.org/10.1007/s00779-017-1081-6

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00779-017-1081-6

Keywords

Search

Navigation