OASIS: An intrusion detection system embedded in bluetooth low energy controllers

Cayre, Romain; Nicomette, Vincent; Auriol, Guillaume; Kaaniche, Mohamed; Francillon, Aurélien
ASIACCS 2024, 19th ACM Asia Conference on Computer and Communications Security, 1-5 July 2024, Singapore, Singapore

Bluetooth Low Energy has established itself as one of the central protocols of the Internet of Things. Its many features (mobility, low energy consumption) make it an attractive protocol for smart devices. However, numerous critical vulnerabilities affecting BLE have been made public in recent years, some of which are linked to the protocol's design itself. The impossibility of correcting these vulnerabilities without affecting the specification requires the development of effective intrusion detection systems, enabling the detection and prevention of these threats. Unfortunately, the protocol relies on peer-to-peer communications and introduces many complex and dynamic mechanisms (e.g., channel hopping), making monitoring complex, costly and limited. Existing intrusion detection approaches lack flexibility, are limited in scope and introduce high deployment costs. In this paper, we explore a novel approach consisting in embedding an intrusion detection system directly within BLE controllers. This strategic position tackles these challenges by enabling a more advanced analysis and instrumentation of the protocol and opens the way to new defensive applications. We propose OASIS, a framework for injecting detection heuristics into controllers' firmwares in a generic way without affecting the normal operation of the protocol stack. It can be deployed in various contexts during the life cycle of a device, from the chip manufacturer to a software developer making use of proprietary components, or even in a full black box context by a security analyst to harden a commercial product. We describe its modular architecture and present its implementation within five of the most popular BLE chips from three different manufacturers, deployed in billions of devices and embedding heterogeneous protocol stacks. We present five modules for critical low-level protocol attack detection. We show that OASIS has a low impact on the controller performance (power, timing, memory) and evaluate its usage in a real-world setting.

Digital Security
Eurecom Ref:
© ACM, 2024. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2024, 19th ACM Asia Conference on Computer and Communications Security, 1-5 July 2024, Singapore, Singapore https://doi.org/10.1145/3634737.364500

PERMALINK : https://www.eurecom.fr/publication/7624