An Improved Authentication Scheme for BLE Devices with no I/O Capabilities
Bluetooth Low Energy (BLE) devices have become very popular because of their Low energy consumption and hence a prolonged battery life. They are being used in smart wearable devices, smart home automation system, beacons and many more areas. BLE uses pairing mechanisms to achieve a level of peer entity authentication as well as encryption. Although, there are a set of pairing mechanisms available but BLE devices having no keyboard or display mechanism (and hence using the Just Works pairing) are still vulnerable. In this paper, we propose and implement, a light-weight digital certificate based authentication mechanism for the BLE devices making use of Just Works model. The proposed model is an add-on to the already existing pairing mechanism and therefore can be easily incorporated in the existing BLE stack. To counter the existing Man-in-The-Middle attack scenario in Just Works pairing (device spoofing), our proposed model allows the client and peripheral to make use of the popular Public Key Infrastructure (PKI) to establish peer entity authentication and a secure cryptographic tunnel for communication. We have also developed a lightweight BLE profiled digital certificate containing the bare minimum fields required for resource constrained devices, which significantly reduces the memory (about 90% reduction) and energy consumption. We have experimentally evaluated the energy consumption of the device using the proposed pairing mechanism to demonstrate that the model can be easily deployed with less changes to the power requirements of the chips. The model has been formally verified using automatic verification tool for protocol testing.
READ FULL TEXT