Research field: Analysis
Conference: 2023 19th International Conference on Mobility, Sensing and Networking (MSN)
Bluetooth Low Energy has been a widely adopted communication technique in the consumer IoT market. Meanwhile, the security concerns of these BLE-enabled IoT devices have garnered considerable attention. Instead of investigating the device firmware directly, analyzing its companion mobile app has been proven to be an effective approach for vulnerability discovery. However, developers regularly release new versions of these apps, making it more challenging to analyze and identify vulnerabilities. As a result, this action raises the bar on launching attacks on IoT devices. In our study, we found that the earlier versions of the companion apps can still be exploited to attack IoT devices. The key insight is that these devices usually lack firmware update capabilities. In our work, we performed attacks on three BLE-enabled IoT devices by investigating the early versions of their companion apps. We observed that manufacturers merely updated the companion apps to increase the difficulty of reverse engineering through code protection techniques without addressing the vulnerabilities presented in the device firmware. We then conducted a large-scale measurement and confirmed that most BLE devices can be analyzed from their old app versions. Furthermore, we design an automated tool to help developers identify the risks and improve the security of their apps. In our study, we also discuss some mitigation solutions.
| Publication year | 2023 |
|---|---|
| Citations | 92 |
| Country of publication | Andorra |
| Site | IEEE |
| Likes | 0 |