VaktBLE: A Benevolent Man-in-the-Middle Bridge to Guard against Malevolent BLE Connections (ACSAC 2024 Prepublication)

Sep 20, 2024 · Geovani Benita, Matheus E. Garbelini, S. Chattopadhyay
Abstract
In this paper, we conceptualize, design and evaluate VaktBLE, a novel framework to defend BLE peripherals against low-level BLE attacks. VaktBLE presents a novel, efficient and (almost) deterministic technique to silently hijack the connection between a potentially malicious BLE central and the target peripheral to be protected. This creates a benevolent man-in-the-middle (MitM) bridge that allows us to validate each packet sent by the BLE central. For validation, we implement a flexible and extensible framework to detect a variety of attacks due to packets that are invalid, out-of-order or flooded. An appealing capability of VaktBLE is that it can validate all packets down to the link layer, thus allowing us to defend against complex BLE attacks that bypass state-of-the-art binary patching frameworks. We have implemented VaktBLE and evaluated it with 25 state-of-the-art BLE attack vectors from offensive tools such as SweynTooth, CyRC and BLEDiff. Our evaluation shows that VaktBLE effectively detects all these attacks and the VaktBLE MitM bridge incurs only 10 ms overhead. Moreover, we have evaluated the capability and robustness of VaktBLE against several adaptive attacks including fuzzing-based attacks. We also show the extensibility of VaktBLE to counteract protocol-level attacks and rogue peripherals. Our evaluation reveals that VaktBLE not only stops fuzzing-based attacks with high effectiveness (97.5%), but VaktBLE also does not incur false positives when attacks are randomly mixed with benign connection attempts.
Publication
Annual Computer Security Applications Conference (ACSAC 2024) (Prepublication)