Kuo Bluetooth Pairing

7/31/2019 Kuo Bluetooth Pairing

1/36

1

Low-cost Manufacturing, Usability, and Security:

An Analysis of Bluetooth Simple Pairing andWi-Fi Protected Setup

Cynthia Kuo Carnegie Mellon University

Jesse Walker Intel Corporation

Adrian Perrig Carnegie Mellon University


2/36

2

Device Introduction

Goal: Establish authenticationcredentials between two devices that

have not yet done so Terminology

Introduction = setup = pairing


3/36

3

Device Introduction

Bluetooth Wi-Fi

Pair two devices in amaster/slave relationship

Enroll one device intoan existing network,assuming initial network

setup completed


4/36

4

Overview

Define secure and usable deviceintroduction

Summarize setup methods in BluetoothSimple Pairing and Wi-Fi ProtectedSetup

Discuss potential causes of poorsecurity and usability

Recommend improvements


5/36

5

Device 1

Device 2

Secure Introduction Criteria

1. Conforms to standard model

In-band

Channel

Active Attacker

Out-of-band Channel

(e.g., Cable, NFC)


6/36

6

Secure Introduction Criteria

1. Conforms to standard model

Accepted by cryptographers

2. Provides high level of security No more than 2-30 probability of success 280 cryptographic operations required through 2010

Assume attackers can perform 250 operations

3. Preserves simplicity Easier to find and correct vulnerabilities in

simpler systems


7/367

Usable Introduction Criteria

1. Verifies in-band connection betweendevices

2. Handles errors User experience interoperability better

application design and better support

3. Maintains a consistent userexperience across devices

Learning


8/368

Overview



Discuss potential causes of poorsecurity and usability



9/369

Setup Methods

Bluetooth Wi-Fi

Copy Passkey Entry PIN

Compare NumericComparison

-

Auto Just Works Push ButtonConfiguration

Out-of-band Out-of-band Out-of-band


10/3610

Evaluating Each Setup Model

Secure

Usable

[Overall]3. Simplicity

Probability of attack success2. Security

Out-of-band channel1. Standard model

[Overall]3. Consistent UX

Error handling2. Error handling

Connection verification1. Connection verification


11/3611

Copy Setup Methods

Out-of-band channel Visual & Human

Probability of attack success > 2-20 (6) / > 2-14 (4); > 2-27 (8)

Connection verification ? (Implementation issue)

Error handling Start over / ?


12/3612

Compare Setup Method

Out-of-band channel Visual & Human

Probability of attack success > 2-20

Connection verification ?

Error handling Start over

Bluetooth only


13/3613

Auto Setup Methods

Out-of-band channel None

Probability of attack success Very likely




14/3614

Out-of-Band Setup Method

Out-of-band channel Out-of-band channel

Probability of attack success Depends on channel




15/3615

Overview



Discuss causes of poor security andusability



16/3616


Secure

Usable







[Overall]

Probability of attack success

Out-of-band channel

[Overall]

Error handling

Connection verification


17/3617

Preserving Simplicity

Complex systems harder to fullyanalyze for vulnerabilities

Each setup mode has its own issues

Multiple setup modes per device leadsto many possible setup combinations


18/3618

Combinations of Setup Methods

Bluetooth Wi-Fi

Possiblecombinationsbetween any twodevices

120

Possiblecombinations perdevice

15

Pairing models4 3 Pairing models

7 Possiblecombinations perdevice

28 Possiblecombinationsbetween any twodevices


19/3619

Interactive Complexity

Difficult to consider all the potentialsystem states during design,

implementation, and evaluation Difficult to handle so many different

possible situations (especially a rare

situation or error)


20/3620

Reducing Complexity

Reduce number of combinations byprioritizing setup models

Reduce number of setup models


21/3621

Auto Setup Methods

Works if No other devices in setup mode

in wireless range

No errors

Never secure againstmalicious device within range Active attacker must be

physically present

Bluetooth Just Works andWi-Fi Push Button Configurationsupported for low-cost manufacturing

Devices withno screens


22/36

22

Combinations of Setup Methods

Bluetooth Wi-Fi

Possiblecombinationsbetween any twodevices

120

Possiblecombinations perdevice

15

Pairing models4 3 Pairing models



3 Pairing models



2 Pairing models




23/36

23


Secure

Usable







[Overall]

Probability of attack success

Out-of-band channel

[Overall]

Error handling

Connection verification


24/36

24

Issues in UX Consistency

Wording

User interaction flow Setup initiation Device or user?

Entering and exitingsetup mode

Basic checks Wireless enabled?

Timeout values forPINs

Prioritization of setupmethods

Connectionverification

Error handling Recovery

Messages Technical support

Documentation

Absent from specifications:


25/36

25

Importance of Consistency

Fewer setup methods improvesconsistency

Rewards learning

Raises quality of error handling,documentation, and technical support Cross-vendor, cross-product

Reduces confusion about level of securityassurance

Minimizes implementation work


26/36

26

Overview



Discuss causes of poor security andusability



27/36

27

In-band Setup Copy: Bluetooth Passkey Entry or Wi-Fi PIN Static Copy: PIN entry using a PIN on a sticker Compare: Bluetooth Numeric Comparison Auto: Bluetooth Just Works or Wi-Fi Push Button Configuration

Copy orCompare

Copy orCompare

Copy orCompare

Copy Static Copy Static Copy

Compare Compare Copy Auto Auto

Auto Copy Auto Auto

Static Copy Static Copy Static Copy

Auto Auto

Auto


28/36

28

P(Attack Success): In-band

2-14 2-27

First time only (2-20 2-27)No real security (no out-of-band channel)

At least 2 buttonsOut-of-band capability (visual & human)


29/36

29

P(Attack Success): Out-of-band

Only mode capable of attack success probability ~ 2-30

Assumes that selected out-of-band method is a good one Assumes same setup mode can be used for all devices


30/36

30

Recommendations

1. Common denominator of hardware features At least 2 buttons

Out-of-band capability


31/36

31

Usability: Feedback Capability

Screens used to confirm setup ordisplay error messages

Applies to in-band and out-of-band

Good

Passable

None


32/36

32

Example: LED / One Button

Plantronics Discovery 640 Bluetooth Headset User Guide


33/36

33

Recommendations

1. Common denominator of hardware features At least 2 buttons

Out-of-band capability

Screen on at least one device (both preferable)2. Common user experience

Common menu options, wording, userinteraction flow, error logging

Promotes Consistency across devices and protocols

Interoperability of user interfaces

Error handling and recovery


34/36

34

Selected Related Work

Usability evaluation of different pairingschemes (Uzun et al.)

Setup in HomePlug (Newman et al.)

Interactive complexity (Leveson) Importance of consistency (Endsley et al.)

Schemes for exchanging authentication

credentials using demonstrative identification Resurrecting Duckling (Stajano et al.) Talking to Strangers (Balfanz et al.)

Seeing-Is-Believing (McCune et al.)


35/36

35

Conclusion

Networking relies on interoperability

For security applications, UI should not

be product differentiator Standardization of certain UX aspects

can benefit technology in the same way

as protocol standardization


36/36

Thank you!

Questions? Comments?

[email protected]
mailto:[email protected]:[email protected]

Documents

Kuo Bluetooth Pairing