
Side-Channel Analysis for the Re-Keying Protocol of Bluetooth Low Energy

  • Regular Paper
  • Journal of Computer Science and Technology

Abstract

In the era of the Internet of Things, Bluetooth Low Energy (BLE/BTLE) plays an important role as a well-known wireless communication technology. While the security and privacy of BLE have been analyzed and fixed several times, the threat that side-channel attacks pose to BLE devices is still not well understood. In this work, we highlight a side-channel threat to the re-keying protocol of BLE. This protocol uses a fixed long-term key to generate session keys, and leakage of the long-term key could render the encryption of all following (and previous) connections useless. Our attack exploits the side-channel leakage of the re-keying protocol when it is implemented on embedded devices. In particular, we present successful correlation electromagnetic analysis and deep-learning-based profiled analysis that recover the long-term keys of BLE devices. We evaluate our attack on an ARM Cortex-M4 processor (Nordic Semiconductor nRF52840) running NimBLE, a popular open-source BLE stack. Our results demonstrate that the long-term key can be recovered from only a small number of electromagnetic traces. Further, we summarize the features and limitations of our attack and suggest a range of countermeasures to prevent it.



Author information

Corresponding author

Correspondence to Da-Wu Gu.


Cite this article

Cao, P., Zhang, C., Lu, XJ. et al. Side-Channel Analysis for the Re-Keying Protocol of Bluetooth Low Energy. J. Comput. Sci. Technol. 38, 1132–1148 (2023). https://doi.org/10.1007/s11390-022-1229-3


  • DOI: https://doi.org/10.1007/s11390-022-1229-3
