Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity verification through relay station attacks. However, the vulnerability of Bluetooth to such attacks was still unclear, as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement.
In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car (Tesla Model 3) and a smart lock (Nuki Smart Lock 2.0). Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.
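The abstract above says the relay both extends range and manipulates Multi-Carrier Phase-based Ranging. The following is an added illustration, not code from the paper or the authors' setup: it models the textbook two-way MCPR exchange (round-trip phase grows linearly with carrier frequency, and the slope gives the propagation delay) and then shows that any device in the signal path that can apply a chosen per-carrier phase rotation controls the estimated distance. The carrier grid (40 tones, 1 MHz apart, starting at 2.402 GHz) and the attacker's ability to inject an arbitrary phase per carrier are assumptions of the example.

```python
"""Multi-carrier phase-based ranging (MCPR) and why a phase-manipulating relay breaks it.

Added example, not the paper's code. The ranging model is the textbook two-way
tone exchange; the relay model (per-carrier phase rotation chosen by the
attacker) is an assumption used to show the principle.
"""
import cmath
import math

C = 299_792_458.0  # speed of light, m/s


def carriers(f0_hz=2.402e9, step_hz=1e6, n=40):
    """Assumed carrier set: a BLE-like 1 MHz grid starting at 2.402 GHz."""
    return [f0_hz + i * step_hz for i in range(n)]


def wrap(phi):
    """Wrap a phase to [-pi, pi); a receiver only ever sees wrapped phase."""
    return cmath.phase(cmath.exp(1j * phi))


def round_trip_phase(path_m, f_hz, injected=0.0):
    """Wrapped phase of a tone after travelling path_m out and back,
    plus any phase a relay in the path injects on this carrier."""
    return wrap(2 * math.pi * f_hz * (2 * path_m) / C + injected)


def estimate_distance(freqs, phases):
    """Distance from the phase-vs-frequency slope, using adjacent-carrier
    differences so that per-carrier wrapping does not matter."""
    taus = []
    for f1, f2, p1, p2 in zip(freqs, freqs[1:], phases, phases[1:]):
        taus.append(wrap(p2 - p1) / (2 * math.pi * (f2 - f1)))  # round-trip delay, s
    return (sum(taus) / len(taus)) * C / 2


def max_unambiguous_range(step_hz):
    """Adjacent-carrier phase difference must stay below pi: 2*pi*step*(2d/c) < pi.
    Beyond this distance the slope aliases and the estimate is simply wrong."""
    return C / (4 * step_hz)


def relay_injection(freqs, path_m, target_m):
    """Per-carrier phase a relay must add so that a path of path_m reads as target_m.
    Linear in f, i.e. it just rewrites the slope the verifier measures."""
    return [-2 * math.pi * f * 2 * (path_m - target_m) / C for f in freqs]


def run_ranging(path_m, injected=None, freqs=None):
    """One ranging exchange over the given physical path, optionally through a relay."""
    freqs = freqs or carriers()
    injected = injected or [0.0] * len(freqs)
    phases = [round_trip_phase(path_m, f, x) for f, x in zip(freqs, injected)]
    return estimate_distance(freqs, phases)


if __name__ == "__main__":
    f = carriers()
    print("honest 3 m      ->", round(run_ranging(3.0), 3))
    print("plain relay 50 m->", round(run_ranging(50.0), 3))  # a dumb relay is caught
    print("phase relay     ->", round(run_ranging(50.0, relay_injection(f, 50.0, 2.0)), 3))
    print("unambiguous range at 1 MHz spacing:", round(max_unambiguous_range(1e6), 2), "m")
```

The point the model makes: a relay that merely amplifies and forwards lengthens the path and is caught by the ranging check, but the verifier never measures distance directly, only a phase slope, so a relay that can rotate each carrier's phase rewrites that slope to whatever distance it wants. The unambiguous-range function is the caveat to keep in mind when reading any MCPR result: with 1 MHz carrier spacing the estimate aliases beyond roughly 75 m, which is why a real implementation combines the phase slope with a coarse time-of-flight or multiple spacings.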
We propose Breathe-to-Pair (B2P), a protocol for pairing and shared-key generation for wearable devices that leverages the wearer’s respiration activity to ensure that the devices are part of the same body-area network. We assume that the devices exploit different types of sensors to extract and process the respiration signal. We illustrate B2P for the case of two devices that use respiratory inductance plethysmography (RIP) and accelerometer sensors, respectively. Allowing for different types of sensors in pairing allows us to include wearable devices that use a variety of different sensors. In practice, this form of sensor variety creates a number of challenges that limit the ability of the shared-key establishment algorithm to generate matching keys. The two main obstacles are the lack of synchronization across the devices and the need to correct noise-induced mismatches between the generated key bit-strings.
B2P addresses the synchronization challenge by utilizing Change Point Detection (CPD) to detect abrupt changes in the respiration signal and considers their occurrences as synchronizing points. Any potential mismatches are handled by optimal quantization and encoding of the respiration signal in order to maximize the mismatch correction rate and minimize the message overheads. Extensive evaluation on a dataset collected from 30 volunteers demonstrates that our protocol can generate a secure 256-bit key every 2.85 seconds (around one breathing cycle). Particular attention is given to securing B2P against device impersonation attacks.
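To make the two obstacles named above concrete (no common clock, and noise-induced bit mismatches), here is an added sketch of a B2P-style pipeline; it is not the authors' code, and its three components are deliberately simple stand-ins: a peak-based detector in place of the paper's CPD, a one-bit guard-band quantizer in place of its optimal quantization, and a public exchange of kept sample indices in place of its encoding and mismatch correction. The respiration waveform, the two sensor models (RIP band: volume plus noise; accelerometer: gravity offset, smaller gain, recording started 0.6 s later), the 25 Hz sampling rate and the guard-band width are all constructed for the example.

```python
"""B2P-style pairing on a constructed respiration signal (added example, not the paper's code).

Two wearables see the same breathing through different sensors and with an
unknown start offset. Each one independently finds change points, starts its
window at the first one, normalises, and quantises; comparing the bit strings
with and without that synchronisation step shows why it is needed.
"""
import hashlib
import math
import random
import statistics

FS = 25       # Hz, assumed sampling rate of both wearables
GUARD = 0.4   # z-score guard band around the 0/1 threshold (assumed width)


def breathing(seconds=30.0, period_s=3.0):
    """Constructed respiration waveform: ~3 s cycles with slow drift in rate and depth."""
    out = []
    for k in range(int(seconds * FS)):
        t = k / FS
        depth = 1.0 + 0.2 * math.sin(2 * math.pi * t / 17.0)
        phase = 2 * math.pi * (t / period_s + 0.05 * math.sin(2 * math.pi * t / 11.0))
        out.append(-depth * math.cos(phase))
    return out


def rip_sensor(sig, seed=1):
    """Chest-band RIP: the volume signal itself plus sensor noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0, 0.02) for x in sig]


def accel_sensor(sig, lag_samples=15, seed=2):
    """Torso accelerometer: gravity offset, smaller gain, and it started recording later."""
    rng = random.Random(seed)
    return [9.81 + 0.4 * x + rng.gauss(0, 0.008) for x in sig[lag_samples:]]


def smooth(x, w=15):
    h = w // 2
    return [statistics.fmean(x[max(0, i - h):i + h + 1]) for i in range(len(x))]


def change_points(x, half_window=15):
    """Simplified CPD: inhalation peaks, i.e. samples above the mean that are the
    maximum within +-half_window. Stand-in for the paper's detector."""
    s = smooth(x)
    m = statistics.fmean(s)
    return [i for i in range(half_window, len(s) - half_window)
            if s[i] > m and s[i] == max(s[i - half_window:i + half_window + 1])]


def zscore(x):
    m, sd = statistics.fmean(x), statistics.pstdev(x)
    return [(v - m) / sd for v in x]


def device_bits(raw, sync=True):
    """Run on each device alone. Returns (bits, keep): one bit per sample (above/below
    the mean) and a flag saying whether the sample lies outside the guard band."""
    start = change_points(raw)[0] if sync else 0
    z = zscore(smooth(raw)[start:])
    return [int(v > 0) for v in z], [abs(v) >= GUARD for v in z]


def derive_key(bits):
    return hashlib.sha256("".join(map(str, bits)).encode()).hexdigest()


def pair(raw_a, raw_b, sync=True):
    """Device A announces which sample indices it kept (public; positions only, no bit
    values). Both hash the surviving bits; key confirmation fails on any mismatch."""
    bits_a, keep_a = device_bits(raw_a, sync)
    bits_b, _ = device_bits(raw_b, sync)
    n = min(len(bits_a), len(bits_b))
    idx = [i for i in range(n) if keep_a[i]]
    ka, kb = [bits_a[i] for i in idx], [bits_b[i] for i in idx]
    mismatches = sum(a != b for a, b in zip(ka, kb))
    return {"bits": len(idx), "mismatch_rate": mismatches / len(idx),
            "agreed": derive_key(ka) == derive_key(kb), "key_a": derive_key(ka)}


def demo():
    sig = breathing()
    a, b = rip_sensor(sig), accel_sensor(sig)
    lag = change_points(a)[0] - change_points(b)[0]
    return pair(a, b, sync=True), pair(a, b, sync=False), lag


if __name__ == "__main__":
    synced, unsynced, lag = demo()
    print("recovered start offset:", lag, "samples")
    print("with CPD sync   :", synced)
    print("without sync    :", unsynced)
```

Without the change-point alignment the accelerometer device is quantising a window shifted by a fraction of a breath, so a large share of its bits disagree and no amount of error correction would be cheap; with it, the residual disagreement comes only from sensor noise and a sample or two of detector jitter, which the guard band absorbs here and which the paper's encoding is designed to correct. Note what the public message leaks: only which sample positions were kept, never the bit values, which is the property a remote impersonator would need to break.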
Demo & Posters
In 2021, OpenHaystack on macOS was the first step toward liberating Apple’s Find My technology so that it can be integrated into any Bluetooth-capable device. By using custom firmware for microchips like the ESP32, it was possible to build custom trackable accessories similar to an Apple AirTag in size and functionality.
OpenHaystack Mobile is a cross-platform mobile application that runs on Android and iOS. It extends previous work, which was tied to macOS, to be available to more users. It provides BLE-based location tracking functionality based on Apple’s Find My network. Our app is built cross-platform using the Flutter framework for the user interface and the cryptographic operations. The user experience is improved compared to a desktop-based app because it allows tracking lost valuables anywhere. Furthermore, the app can route users directly to lost devices with smartphone navigation apps like Google Maps.