A secure authentication protocol against the co-located app attack in BLE

Raza, Ali, Khan, Safiullah ORCID: https://orcid.org/0000-0001-8342-6928 and Hwang, Seong Oun ORCID: https://orcid.org/0000-0003-4240-6255 (2020) A secure authentication protocol against the co-located app attack in BLE. IEIE Transactions on Smart Processing and Computing, 9 (5). pp. 399-404.

Published Version File not available for download. Available under License In Copyright. Download (612kB)

Abstract

Bluetooth Low Energy (BLE) is used for periodic transmission of smaller data packages called attributes. BLE remains in sleep mode at all times except when participating in a data exchange, which reduces overall energy consumption. For secure communication, BLE devices need to pair first. The pairing has two or three phases. We say two or three phases because the third phase is optional and happens only if the devices are going to bond. The second pairing phase is made using a secure pairing scheme, but the third phase remains vulnerable to an attack named the co-located application (app) attack: a malicious app gets the same level of access to the paired protected data as the legitimate app. We provide an authentication protocol to mitigate this attack. Furthermore, we analyze the security of BLE communications after bonding, with or without our proposed protocol. Moreover, we also analyze the efficiency of the proposed protocol, and conclude that our proposed scheme makes BLE communications secure against the co-located app attack and is efficient enough to be practical.