CAPTURINGBLUETOOTHTRAFFICINTHEWILD:PRACTICAL
SYSTEMSANDPRIVACYIMPLICATIONS
By
WahhabAlbazrqaoe
ADISSERTATION
Submittedto
MichiganStateUniversity
inpartialoftherequirements
forthedegreeof
ComputerScience-DoctorofPhilosophy
2018
ABSTRACT
CAPTURINGBLUETOOTHTRAFFICINTHEWILD:PRACTICALSYSTEMSAND
PRIVACYIMPLICATIONS
By
WahhabAlbazrqaoe
Bluetoothwirelesstechnologyistodaypresentinbillionsofsmartphones,mobilede-
vices,andportableelectronics.WiththeprevalenceofpersonalBluetoothdevices,aprac-
ticalBluetoothtrafsnifferisofincreasinginterestduetothefollowing.First,ithasbeen
reportedthatatrafsnifferisanessential,day-to-daytoolforBluetoothengineersand
applicationsdevelopers[4][14];andsecond,asthecommunicationbetweenBluetooth
devicesisprivacy-sensitiveinnature,exploringthepossibilityofBluetoothtrafsniff-
inginpracticalsettingsshedslightsintopotentialuserprivacyleakage.Todate,snif
Bluetoothtrafhasbeenwidelyconsideredanextremelyintricatetaskduetowideband
spreadspectrumofBluetooth,pseudo-randomfrequencyhoppingadoptedbyBluetooth
atbaseband,andtheinterferenceintheopen2.4GHzband.
Thisthesisaddressesthesechallengesbyintroducingnoveltrafsniffersthatcapture
Bluetoothpacketsinpracticalenvironments.Inparticular,wepresentthefollowingsys-
tems.(i)BlueEar,thepracticalBluetoothtrafsnifsystemonlyusinggeneral,
inexpensivewirelessplatforms.BlueEarfeaturesanoveldual-radioarchitecturewhere
twoinexpensive,Bluetooth-compliantradioscoordinatewitheachothertoeavesdropon
hoppingsubchannelsinindiscoverablemode.Statisticmodelsandlightweightmachine
learningtoolsareintegratedtolearntheadaptivehoppingbehaviorofthetarget.Our
resultsshowthatBlueEarmaintainsapacketcaptureratehigherthan90%consistently
indynamicsettings.Inaddition,wediscusstheimplicationsoftheBlueEarapproachon
BluetoothLEsnifandpresentapracticalcountermeasurethateffectivelyreducesthe
packetcapturerateofsnifferby70%,whichcanbeeasilyimplementedontheBluetooth
masterwhilerequiringnotoslavedeviceslikekeyboardsandheadsets.
And
(ii)BlueFunnel
,thelow-power,widebandtrafsnifferthatmonitorsBluetooth
spectruminparallelandcapturespacketinrealtime.BlueFunneltacklesthechallenge
ofwidebandspreadspectrumbasedonlowspeed,lowcostADC(2Msamples/sec)to
subsampleBluetoothspectrum.Further,itleveragesasuiteofnovelsignalprocessing
algorithmstodemodulateBluetoothsignalinrealtime.WeimplementBlueFunnelpro-
totypebasedonUSRP2devices.,weemploytwoUSRR2devices,eachis
equippedwithSBXdaughterboard,tobuildacustomizedsoftwareradioplatform.The
customizedSDRplatformisinterfacedtothecontroller,whichimplementsthedigital
signalprocessingalgorithmsonapersonallaptop.Weevaluatethesystemperformance
basedonpacketcaptureratesinavarietyofinterferenceconditions,mainlyintroduce
bythe802.11-basedWLANs.BlueFunnelmaintainsgoodlevelsofpacketcapturerates
inallsettings.Further,weintroducetwoscenariosofattacksagainstBluetooth,where
BlueFunnelsuccessfullyrevealssensitiveinformationaboutthetargetlink.
ACKNOWLEDGMENTS
Theworkpresentedinthisthesiswouldnothavebeenpossiblewithoutthehelpand
supportofalargegroupofpeopletowhomIowealotofgratitude.Firstandforemost,I
amreallythankfulformyadvisorDr.GuoliangXingwhohasgivenmethistremendous
opportunitytocomeandworkwithhim.Formorethanyears,hehassupportedme
andworkedwithme.Frommyearlydays,despitemyunfamiliaritywithresearch,he
encouragedmetotacklerealresearchproblemsandperformhighqualityresearch.Iam
deeplyindebtedtoDr.Xingandhopetobeasgoodanadvisorwhenguidingmyown
students.
IamalsoreallygratefulforJunHuangwhowaslikeasecondadvisortome.Hehas
supportedmeandguidedmethroughalotproblems.Hisdecisiontoworkwithmeon
problemsrelatedtoBluetoothandWiFihaschangedandshapedmyentirePhDcareer.I
trulyadmireandrespecthim.
IwouldliketothankmysponsorIraqicultureofatWashingtonD.C.whooffered
methisopportunityandsupportedmethroughallofmyPh.D.journey.
IwouldliketothankDr.EricTorngandDr.Abdol-HosseinEsfahanian,fromthe
departmentofComputerScienceandEngineering,fortheirhelpandsupport.Iwould
liketothankDennisPhillipsforhisvaluablediscussions,comments,andadvisesabout
electronicdevices.Dennisalsohelpedmetoprintelectroniccircuitsboards,whereI
learnedhowtodesignprintedcircuits.Ihadgreatpleasureofworkingcloselyandrun
iv
discussionswithstudentsatgraduateschoolAlirezaAmeli,HusainKhalifeh,QiuChen,
andMohammadMahdiMoazzami.
Iwouldliketoexpressmyearnestgratitudetomyfamily,myparents,mywifeZainab
Alkaabi,andmychildren,allofwhommadecountlessestosupportmeandgive
methebestpossibleopportunityforeducation.Theyhavealwayssupporting,encourag-
ing,lovingme.
v
TABLEOFCONTENTS
LISTOFFIGURES
......................................
ix
KEYTOABBREVIATIONS
.................................
xii
Chapter1Introduction
.................................
1
1.1Challenges......................................2
1.2Contributions....................................3
1.2.1TheBlueEarBluetoothSniffer.......................3
1.2.2TheBlueFunnelTrafSniffer.......................4
1.3OrganizationofThesis...............................5
Chapter2Background
.................................
6
2.1BluetoothBackground...............................6
2.1.1BluetoothPHYlayer............................6
2.1.2PhysicalChannelAccess..........................7
2.1.2.1BluetoothClassicHoppingProtocol..............8
2.1.2.2BluetoothLEHoppingProtocol................10
2.1.3BluetoothNetwork.............................11
2.1.4Encryption..................................12
2.1.4.1BluetoothLEEncryption....................12
2.1.4.2BluetoothClassic.........................13
Chapter3ReviewofRelatedWork
..........................
14
3.1SnifonBluetoothTraf............................14
3.1.1Narrowbandsniffers............................14
3.1.2Widebandsniffers..............................16
3.2CrackingBluetoothEncryption..........................17
3.3PotentialPrivacyLeakage.............................18
Chapter4BlueEar:APracticalBluetoothTrafSnifSystemBasedon
BluetoothCompliantRadios
.......................
20
4.1Introduction.....................................20
4.2BlueEarOverview..................................22
4.2.1ObjectivesandChallenges.........................22
4.2.2SystemArchitecture............................23
4.3DesignofBlueEar..................................26
4.3.1ClockAcquisition..............................26
4.3.1.1BruteForceClockAcquisition.................26
4.3.1.2ProbabilisticClockMatching(PCM)..............28
4.3.1.3AcceleratingClockAcquisition.................29
4.3.2Subchannel.........................31
vi
4.3.2.1Packet-based.....................32
4.3.2.2SpectrumSensing-based...............34
4.3.2.3Hybrid.........................35
4.3.3SelectiveJamming.............................37
4.4Implementation...................................39
4.4.1Ubertooth-EndImplementation......................40
4.4.2ControllerImplementation........................41
4.5BlueEarPerformance................................42
4.5.1ExperimentalMethodology........................43
4.5.2SynchronizationDelay...........................44
4.5.2.1DelaybasedonPCMalgorithm................45
4.5.2.2DelaybasedonMLalgorithm.................45
4.5.3FastVaryingSpectrumContext......................47
4.5.4HiddenandExposedInterference....................48
4.5.5CrowdedSpectrum.............................51
4.5.6AmbientInterference............................52
4.6ImplicationsofBlueEar...............................52
4.6.1ImplicationsonBluetoothLEPrivacy..................52
4.6.2ImpactsonPrivacyBreach.........................54
4.6.2.1EavesdroppingonDataTraf.................55
4.6.2.2EavesdroppingonAudioTraf................56
4.6.3PracticalCountermeasure.........................57
4.7SummaryofChapter................................58
Chapter5BlueFunnel:EnablingLow-Power,WidebandSnifofBluetooth
Traf
.....................................
59
5.1Introduction.....................................59
5.2BlueFunnelDesign.................................61
5.2.1ObjectivesandChallenges.........................61
5.2.2Systemarchitecture.............................63
5.2.2.1Analoganddownconversion............63
5.2.2.2Packetdetectionanddemodulation...............64
5.3Design........................................65
5.3.1BluetoothDemodulator..........................65
5.3.1.1DemodulatingBluetoothLEsignal...............66
5.3.1.2DemodulatingBluetoothClassicsignals...........68
5.4Implementation...................................71
5.5SystemPerformance................................73
5.5.1ExperimentalMethodology........................73
5.5.2Evaluation..................................74
5.5.2.1PacketCaptureRateinControlledSettings..........74
5.5.2.2PacketCaptureRateinPracticalEnvironment........75
5.6AttackScenarios...................................76
5.6.1SnifonPairingPhaseofBluetoothLE................77
5.6.2SnifonBluetoothMouseTraf...................78
vii
5.7SummaryofChapter................................80
Chapter6ConclusionandFutureWork
.......................
81
6.1Contributions....................................81
6.2Futurework,andConclusion...........................83
BIBLIOGRAPHY
.......................................
85
viii
LISTOFFIGURES
Figure2.1:
AnillustrativeepresentsBluetoothClassicsubchannelsthatoverlapwith
802.11-basedchannelsintheopen2.4GHzISMband.
.............7
Figure2.2:
BluetoothmodulatedsignalbasedonGFSKmodulationscheme.Thee
isadoptedfrom[51].
...............................8
Figure2.3:
Anillustrativeexampleoffrequencyhoppingchannelaccessscheme.
.....9
Figure2.4:
Anillustrativeexampleofadaptivefrequencyhoppingundertheeffectof
802.11-basedinterferenceinthe2.4GHzband.
.................10
Figure3.1:
NarrowbandsniffersutilizeBluetooth-compliantradiostocaptureBluetooth
packets.Thisepresentsthreesamplesincluding(a)Ubertoothone,(b)
TexasInstrumentCC2540USBDongleBluetoothLEsniffer,and(c)Bluefruit
BluetoothLEsniffer.
...............................15
Figure3.2:
WidebandsniffersutilizespecializedwidebandradiostomonitorBluetooth
spectruminparallel.Thisepresentstwosamplesincluding(a)Frontline
Sodorawidebandsniffer,and(b)EllisysBluetoothExplorer.
..........16
Figure4.1:
Thedual-radioarchitectureofBlueEar.Componentsinthegrayareacomprise
astandard-complianthopselectionkernel.
...................24
Figure4.2:
Anillustrativeexampleofbruteforcesearchforclockacquisition.
.......27
Figure4.3:
Theeffectofsubchannelremappingonbruteforcesearchbasedonthesame
exampleshowninFig.4.2.
............................28
Figure4.4:
EstimationofapiconetclockbasedontheMLalgorithmandlossfunction
L
(
c
i
)=
d
i
.
.....................................31
Figure4.5:
Runningexamplesofpacket-basedsubchannelfordataandvoice
trafunderindifferentspectrumcontexts.Thepacket-basedcalcu-
latesaprobabilityscorebasedonEq.(4.1)todeterminesubchannelstatus.A
subchannelisasbadiftheprobabilityscoreisbelowthepr
threshold.
.....................................33
Figure4.6:
Probabilitydensitiesofinterferencepowermeasuredoncleananddirtysub-
channels.
.....................................34
ix
Figure4.7:
Time-domainillustrationofrun-timetrainingofthespectrumsensing-based
.
.....................................36
Figure4.8:
BlueEarprototypethatconsistsoftwoUbertooths[31].
.............39
Figure4.9:
Clockacquisitiondelaywhensnifdataandaudiotrafindifferentspec-
trumcontexts(characterizedbythepercentageofbadsubchannelsatthetar-
getpiconet).
....................................44
Figure4.10:
ClockacquisitiondelaybasedontheMLalgorithm,whichisevaluatedindif-
ferentspectrumcontexts(characterizedbythepercentageofbadsubchannels
atthetargetpiconet).
...............................46
Figure4.11:
Subchannelaccuracyinfastvaryingspectrumcontext.
......47
Figure4.12:
Packetcapturerateinfastvaryingspectrumcontext.
..............48
Figure4.13:
Thegainofselectivejammingunderhiddeninterference.
...........48
Figure4.14:
Packetcaptureratesincrowdedspectrumcharacterizedbythepercentageof
badsubchannelsatthetargetpiconet.
......................49
Figure4.15:
Packetcaptureratesunderexposedinterferencecondition.
...........49
Figure4.16:
Subchannelaccuracyincrowdedspectrumcharacterizedbythe
percentageofbadsubchannelsatthetargetpiconet.
..............50
Figure4.17:
Subchannelaccuracyunderexposedinterferencecondition.
...51
Figure4.18:
Packetcaptureratesundertheambientinterference:(a)differentlocations
inanofbuilding(interferenceofalarge-scale802.11-basedWLANs);(b)
differentdistances.
................................51
Figure4.19:
Seriousnessofprivacyleakageevaluated:(a)standard;and(b)countermeasure.
55
Figure4.20:
AudioqualityobservedbyBlueEar(withoutcountermeasure).
.........56
Figure4.21:
Audioqualityasthetargetimplementscountermeasure.
............57
Figure4.22:
BlueEarpktcapturerates:standardandcountermeasure.
...........58
Figure5.1:
BlueFunnelsystemarchitecture.
.........................63
Figure5.2:
FrequencydownconversionofBluetoothsignal.
................64
x
Figure5.3:
Bluetoothreal-timecomplexsignal.
.......................65
Figure5.4:
AnillustrativeexamplewherethecenterfrequencyofBluetoothtransmitter
andBlueFunnelarematched.
..........................66
Figure5.5:
AnillustrativeexamplewherethecenterfrequencyofBluetoothLEtransmit-
terandBlueFunnelarenotmatched.
......................67
Figure5.6:
AnillustrativeexamplewherethecenterfrequencyofBluetoothClassictrans-
mitterandBlueFunnelarenotmatched.
....................69
Figure5.7:
AprototypeofBlueFunnelsniffer,wherewebuiltacustomizedSoftwareDe-
Radio(SDR)platformbasedontwoUSRP2devicesasshownin(a).The
softwarecomponents,includingpacketheaderdetectorandBluetoothsignal
demodulator,areimplementedontheLinux-basedLenovoT530laptopas
shownin(b).TheUSRP2devicesaresynchronizedviaaMIMO-Cableand
eachUSRP2isconnectedtothehost(Lenovolaptop)viaGigabitEthernetcable.
72
Figure5.8:
PacketcapturerateachievedbyBlueFunnelundervariousinterferencecon-
ditionsinacontrolledsetting.
..........................74
Figure5.9:
PacketcapturerateachievedbyBlueFunnelatdifferentfromthetarget.
....75
Figure5.10:
PacketcapturerateachievedbyBlueFunnelatdifferentlocationsinof
Building.
.....................................76
Figure5.11:
BluetoothLEencryptionestablishmentparameters(markedwithred).
....77
Figure5.12:
MousecoordinatesobtainedfromcapturedBluetoothpackets.
.........79
xi
KEYTOABBREVIATIONS
AP
AccessPoint
AES
AdvancedEncryptionStandard
ADC
AnalogtoDigitalConverter
CCM
CipherblockChainingMessageauthentication
FCC
FederalCommunicationsCommission
FEC
ForwardErrorCorrection
ISM
Industrial,andMedical
CSR
CambridgeSiliconRadio
CRC
CyclicRedundancyCheck
DK
DevelopmentKit
DMA
DirectMemoryAccess
RAM
RandomAccessMemory
dBi
Decibelsrelativetoanisotropicantenna
dBm
Decibel(referencedtomilliwatts)
EDIV
Encrypted
GB
GigaByte
MB
MegaByte
KB
KiloByte
PHY
PhysicalLayer
SS
SpectrumSensingbased
SSD
SolidStateDrive
SVM
SupportVectorMachine
PCM
ProbabilisticClockMatching
ML
MaximumLikelihood
LE
LowEnergy
xii
LNA
LowNoise
log
Logarithm
Msamples
Millionsamples
MSymbols
MillionSymbols
Mbps
MegaBitPerSecond
MOS
MeanOpinionScore
MIMO
MultipleInputandMultipleOutput
PSNR
PeakSignaltoNoiseRatio
SDR
SoftwareRadio
GFSK
GaussianFrequency-ShiftKeying
DPSK
DifferentialPhase-ShiftKeying
OFDM
OrthogonalFrequencyDivisionMultiplexing
FP
FalsePositive
FN
FalseNegative
RF
RadioFrequency
PC
PersonalComputer
PIN
PersonalNumber
Pkt
Packet-based
WLAN
WirelessLocalAreaNetwork
STK
ShortTermsKey
LTK
LongTermsKey
USRP
UniversalSoftwareRadioPeripheral
UHD
USRPHardwareDriver
USB
UniversalSerialBus
10K
10000US$
SKDm
SessionKeyforMaster
IVm
InitializationVectorforMaster

sec
MicroSecond
msec
Millisecond
xiii
Chapter1
Introduction
RecentyearshavewitnessedthephenomenalpenetrationrateofBluetoothtechnologyin
ourdailylives.About4billionBluetoothunitsareexpectedtobeshippedworldwidein
2018[15].Duetoit'sattractivefeatures,suchaslowcostandlowpowerconsumption,
Bluetoothhasbecomethedefactowirelessconnectivityforwirelessaccessories,smart
devicesincludingsmartphones,wearablesincludingsmartwatchesandtrackers,
sensor-basedhealthcaresystems[57],consumerelectronicdevices,in-cartelematicsys-
temslikeAndroidAuto[18]andCarPlay[5],andmanyotherapplications.
WiththewidespreaduseofBluetoothtechnology,includingBluetoothClassicand
BluetoothLowEnergy(LE)
1
,snifBluetoothtrafcbecomesofincreasinginterestdue
tothefollowing.First,apassiveBluetoothtrafsniffer/analyzerhasbecomeoneof
theessential,day-to-daytoolforBluetoothengineersandapplicationdevelopers,asre-
portedby[4][14].Second,asthecommunicationsbetweenBluetoothdevicesareprivacy-
sensitiveinnature,anin-depthstudyonBluetooth'sresiliencetotrafsnifandpo-
tentialprivacyleakagesbecomeimperative.
Inthefollowing,wediscussthechallengesofsnifBluetoothtrafandintroduce
ourcontributionstotacklethechallenges.
1
Inthisthesis,weuseBluetoothLEtorefertoBluetoothLowEnergyunlessotherwise
1
1.1Challenges
SnifBluetoothtrafhasbeenconsideredanextremelyintricatetaskduetothefol-
lowing,
(
i)
WidebandSpreadSpectrum.
Bluetoothoperatesinthefree2.4GHzbandandde-
severalsubchannelsthatspreadover80MHzofthespectrum.Therefore,
asnifferwouldneedawidebandradiotomonitortheentirespectrumandcap-
tureallBluetoothpacketsinrealtime.However,thiswidebandradiosolutionis
challengingbecauseitrequiresahigh-speed(abouttwicethespectrum,according
toNyquist-Shannonrate)analog-to-digital-converters(ADCs)tocaptureBluetooth
signal.TheseADCsarecostly,powerhungry,andrequirehighcomputationalpower
systemtosupportsuchhighsamplerate.
(
ii)
Pseudo-randomfrequencyhopping.
AsBluetoothoccupiesonesubchannel,thatis1-2
MHz,atatimefordataexchange,asniffercouldemployalow-power,off-the-shelf
Bluetooth-compliantradiotocapturedatapackets.Atthebaseband,however,Blue-
toothadoptsfrequencyhoppingspreadspectrum,whichisachallengeforthiskind
ofsniffers.Thatis,frequencyhoppingsequenceisknowntolegitimateBluetoothde-
vicesbutnototherparties.Therefore,asniffercanlistenonanarbitrarysubchannel,
andcapturepacketsthatarerandomlytransmittedonthatsubchannel.However,
thenumberofpacketscapturedinthiswayrepresentsatinyportionofthetraf
Moreover,Bluetoothsessionsmaylastforaveryshortperiodoftimeandinvolve
onlytensofpackets.
2
(
iii)
Interferenceinthecrowded2.4GHzband.
Whencoexistingwithotherwirelessde-
vicesinthecrawdad2.4GHzband,Bluetoothmayexperiencevariousinterference
conditions,includinghiddenandexposedinterference,from802.11-basedWLANs
andotherambientradios.Therefore,Bluetoothadoptsadaptivefrequencyscheme
toadaptspectrumutilizationandimproveperformance.Totacklethesechallenges,
asnifneedstolearnadaptivefrequencyhoppingbehavior,andprovidesome
mechanismtonulltheinterferenceinthecaseofcollisionwithBluetoothpacketsin
realtime.
1.2Contributions
ThisthesistacklesthechallengesofsnifBluetoothtrafinpracticalenvironment.
Thecontributionsofthethesisaresummarizedasfollows.
1.2.1TheBlueEarBluetoothSniffer
Wepresentthedesign,implementation,andevaluationof
BlueEar
Œthepractical
Bluetoothtrafsnifferthatconsistsonlyofinexpensive,Bluetooth-compliantradios.
BlueEarfeaturesanovel
dual-radioarchitecture
,wheretworadiosŒnamedas
scout
and
snooper
Œcoordinatewitheachotheronlearningthehoppingsequenceofindiscover-
ableBluetooth,predictingadaptivehoppingbehavior,andhandlingcomplexinterference
conditions.WeimplementedaprototypeofBlueEarforsnifthetrafofBluetooth
Classic,whichoffersenhanceddataratesandamorecomplexhoppingprotocolthan
BluetoothLE.TheprototypeemploystwoUbertooths[31]toimplementthescoutand
thesnooper,andinterfacesthemtoacontrollerrunningonaLinuxlaptop.Extensive
3
experimentsresultsshowthatBlueEarcanmaintainapacketcaptureratehigherthan
90%consistentlyinpracticalenvironments,wherethetargetBluetoothnetworkexhibits
diversehoppingbehaviorsinthepresenceofinterferencefromcoexisting802.11-based
WLANs.Further,wediscussprivacyimplicationsofBlueEaronBluetoothsystemand
proposeapracticalcountermeasureapproachthateffectivelyreducestheaveragepacket
capturerateofasnifferto20%.
1.2.2TheBlueFunnelTrafSniffer
Weintroducethedesign,implementation,andevaluationof
BlueFunnel
Œalow-power,
widebandtrafsnifferthatmonitorsBluetoothspectruminparallelandcapturespacket
inrealtime.BlueFunnelleverageslowspeedADCtosubsampleBluetoothspectrum,
whichaddressesthechallengeofhigh-speedADC.Inparticular,BlueFunnelconsistsof
twomaincomponents,including,
(i)
asoftwareradio(SDR),thatintegratesa
widebandradio,andalow-speedADC.TheADCisusedtosubsampleBluetoothspec-
trumbasedon2Msamples/sec,whichisbelowtheNyquist-Shannonrate;and
(ii)
a
controller,thatimplementsdigitalsignalprocessingpackages,whichareresponsiblefor
detecting,demodulating,andanalyzingBluetoothpacketsinrealtime.Weimplement
BlueFunnelprototypebasedonUSRP2devices.,weutilizetwoUSRR2de-
vices,eachisequippedwithSBXdaughterboard,tobuildacustomizedsoftwareradio
platform.ThecustomizedSDRplatformisinterfacedtothecontroller,whichimplements
thedigitalsignalprocessingalgorithmsonapersonallaptop.Weevaluatethesystem
performancebasedonpacketcaptureratesinvarietyofsettings.,weeval-
uatedthesysteminacontrolledsetting,whereweintentionallyintroduce802.11-based
trafasaformofinterferenceonoverlappedBluetoothsubchannels.WetestBlueFunnel
4
whenthereisnointerference,25%and50%ofthesubchannelsareinterferedwith802.11-
basedtrafrespectively.Moreover,weevaluatethesysteminanofbuilding,where
dynamicinterferenceconditionsareintroducedbyenterprise802.11-basedWLANs.In
allsettings,BlueFunnelmaintainsgoodlevelsofpacketcapturerates.Further,weintro-
ducetwoscenariosofattacksagainstBluetooth,whereBlueFunnelsuccessfullyreveals
sensitiveinformationaboutthetargetlink.
1.3OrganizationofThesis
Therestofthisthesisisorganizedasfollows.Chapter2introducesthebasiccharac-
teristicsofBluetoothsystem,anddiscussesthechallengesofsnifBluetoothtraf
Chapter3providesareviewofrelatedworks.Chapter4presentsBlueEar,theprac-
ticalsystemthatconsistsofonlyinexpensive,Bluetooth-compliantoff-the-shelfradios.
Chapter5introducesBlueFunnel,anovellow-power,widebandBluetoothtrafsniffer.
Chapter6concludesthisthesisanddiscussesfuturework.
5
Chapter2
Background
Inthischapter,wepresentthebackgroundforthethesisincludingthebasiccharacteristics
ofBluetoothbaseband.
2.1BluetoothBackground
Inthissection,weintroduceageneralbackgroundaboutBluetoothphysicallayer,includ-
ingmodulationscheme,frequencyhoppingprotocol,encryptiontechniquesadoptedby
Bluetoothsystem,includingBluetoothClassicandBluetoothLE.
2.1.1BluetoothPHYlayer
Bluetoothoperatesinthefree
2
.
4
GHzISMband.Bluetoothclassic
79
adjacent
subchannels,whereeachsubchanneloccupies1MHzofbandwidth,asillustratedinFig.
2.1.Ontheotherhand,BluetoothLE
40
adjacentsubchannels,whereeachsub-
channeloccupies
2
MHzofbandwidth.Bluetoothsubchannelsoccupyabout
80
MHzof
thespectrumstartingfrom
2402
MHzupto
2480
MHz.
Atthebaseband,Bluetoothadoptsthesymboltransmissionrateof
1
MillionSym-
bols/sec,whereeachsymbolismodulatedbasedonGaussianFrequency-ShiftKeying
(GFSK)modulationscheme.Thetransmittedsignalcanbedescribedasacosinewave
6
Figure2.1:
AnillustrativeepresentsBluetoothClassicsubchannelsthatoverlapwith802.11-
basedchannelsintheopen2.4GHzISMband.
[53],
x
(
t
)=
Acos
(
2ˇ
(
f
c
+

)
t
)
(2.1)
where
f
c
isthecarrierfrequency,

isafrequencyshiftintroducedbytheGFSKmod-
ulation,and
0<<0
.
5
represents'
1
',while
-
0
.
5<<0
represents'
0
',asdepictedin
Fig.2.2.ThereisaspecialcaseforBluetoothClassictoenhancedatarates,whereDiffer-
entialPhase-ShiftKeying(DPSK)modulationschemeisalsosupported.However,this
modulationisbeyondthescopeofthisthesisandmaybeconsideredasafuturework.
2.1.2PhysicalChannelAccess
Atthebaseband,Bluetoothutilizes
frequencyhoppingspreadspectrum
toaccesssubchan-
nels.Thatis,thecarrierfrequency
f
c
isswitchedeveryaperiodoftime.Inthefollowing,
weintroduceageneraldescriptionaboutthehoppingprotocolsofBluetoothClassicand
BluetoothLE,respectively.
7
Figure2.2:
BluetoothmodulatedsignalbasedonGFSKmodulationscheme.Theeis
adoptedfrom[51].
2.1.2.1BluetoothClassicHoppingProtocol
InBluetoothClassic,thecarrierfrequency
f
c
isswitchedevery
625
sec,resultingina
maximumhoppingrateof1600hops/sec,asdepictedinFig.2.3.Thecarrierfrequency
iscalculatedas
f
c
=
2402
+
k
MHz,where
k
=
0
,
1
,
2
,...,
78
isthesubchannelindex.Now
thequestionishowtocalculate
k
?Thesubchannelindexiscalculatedintwodifferent
waysbasedonthetwophysicalchannelbyBluetoothClassic.,there
aretwotypesofphysicalchannelfordatacommunication,including,
(
i)
Basicchannel
.Ineachhopofthebasicchannel,thesubchannelindexiscalculated
by
H
(
A
,
c
)
,where
H
(

)
denotesthebasichopselectionkernelbytheBlue-
toothstandard[47],
A
isthepiconetaddress(i.e.theMACaddressofthepiconet
8
Figure2.3:
Anillustrativeexampleoffrequencyhoppingchannelaccessscheme.
master),and
c
isthepiconetclock.InBluetoothClassic,thepiconetclockisa27-bit
logiccounterthattickseveryhop.Becausepiconetclockwrapsaroundevery
2
27
ticks,thebasicchannelrepeatsitselfevery134,217,728hops,whichtakesapproxi-
mately24hours.Inotherwords,thebasicchannelcanbecharacterizedbya
basic
hoppingsequence
anda
hoppingphase
.Thebasichoppingsequence,whichisdeter-
minedbythepiconetaddress,iscomposedof
2
27
subchannelindices
f
i
0
,...,
i
2
27
-
1
g
,
where
i
c
=
H
(
A
,
c
)
.Thehoppingphase,whichisdeterminedbythepiconetclock,is
theindexofthecurrenthop.
(
ii)
Adaptedchannel
.Operatinginthefree2.4GHzISMband,Bluetoothmaycoexistwith
otherwirelessdevicesonoverlappedfrequencies.Therefore,Bluetoothperforms
adaptivehoppingwherethebasicchannelisfrequentlytoadaptspectrum
use.Theadaptationisguidedbya
subchannelmap
,whichsubchannelsas
goodandbadbasedoninterferenceconditions.Whenthesubchannelselectedina
hopisbad,a
remap
functioniscalledtocomputeapseudo-randomindex
i
based
onpiconetaddressandclock.Thebadsubchannelisthenreplacedbythe
i
-thgood
subchannel.
9
Figure2.4:
Anillustrativeexampleofadaptivefrequencyhoppingundertheeffectof802.11-
basedinterferenceinthe2.4GHzband.
Fig.2.4showsanillustrativeexampleofadaptivefrequencyhopping,whereBlue-
toothavoidsinterferedsubchannels(gray).Althoughadaptivehoppingisthe
defacto
schemeusedbyoff-the-shelfBluetoothdevices,theBluetoothstandarddoesnotspecify
theimplementationofsubchannelresultingindifferentadaptivehopping
behaviorsacrossdevicesmanufacturedbydifferentvendors.
2.1.2.2BluetoothLEHoppingProtocol
BluetoothLEtwotypesofphysicalchannel,namely
(i)advertisement
,and
(ii)con-
nection
.Foradvertisement,therearethreesubchannels,namely37,38,and39,where
BluetoothLEoperatesinaconnectionlessmode.Thatis,BluetoothLEutilizestheadver-
tisementsubchannelstobroadcastinformationforotherBluetoothLEdevices.Further,
thethreesubchannelsmaybeusedtoinitiateconnections.Forconnectionstate,Bluetooth
LEutilizestheremaining37subchannelstoestablishdataconnectionsbetweenBluetooth
LEdevices.TheconnectionstateofBluetoothLEisbasedonconnectionevents,
whereaneventrepresentsashortsessiontoexchangedatapackets.Foreachevent,Blue-
toothLEswitchestoanewsubchannel.
10
SimilartoBluetoothClassic,BluetoothLEa
basic
and
adaptive
hoppingschemes.
Forthebasicchannelhopping,thecarrierfrequency
f
c
iscalculatedas
f
c
=
2402
+
2k
MHz,where
k
=
0
,
1
,
2
,...,
39
isthesubchannelindex.Theindexiscalculatedbasedon
K
(
c
i
,
inc
)
,where
K
(
.
)
isthehopselectionkernel,and
c
i
istheindexofcurrentsubchannel.
Thesubchannelindex
c
i
isinitializedtozerofortheconnectionevent.Therefore,
thehoppingsequencerepeatswhenevertheindexbecomes
c
i
=
0
[46].Duringpairing
phase(i.e.connectionestablishment),themasterconnectionpa-
rameters.Thisincludes
(i)
connectionintervalŒamultipleof
1
.
25ms
rangingfrom
7
.
5ms
to
4
.
0s
thattheeventlifetime;
(ii)
transmissionwindowsizeŒamultipleof
1
.
25ms
thatthesizeoftransmitwindow,i.e.packetsize;and
(iii)
hopincrement
inc
Œa
randomvaluerangesfrom5to16.
Theadaptivechannelisbasedona
subchannelmap
thattheconnec-
tionsubchannelsintogoodandbad.Whenabadsubchannelisselectedbytheselection
kernel
K
(
c
,
inc
)
,aremappingprocedureisinvokedtocalculatea
remappedindex
.Themas-
termaintainsthesubchannelmapanditslave(s)aboutanyupdates[46].
2.1.3BluetoothNetwork
Bluetoothnetworksemployamaster-slavestructurecalleda
piconet
.Thedevicethathas
theleastcomputationandpowerconstraintsisusuallyselectedasthemastertomanage
communication.Otherdevicesareslaves.BluetoothpiconetsusetheMACaddressofthe
masterdeviceasthe
piconetaddress
.Alldevicesfromthesamepiconetaresynchronized
tothe
piconetclock
Œaclocksignalgeneratedbythemaster.
Indiscoverablemode.
Whenestablishingthepiconet,Bluetoothdevicesauthenticate
eachotherthrougha
pairing
process.Toenhanceprivacy,Bluetoothpiconetscanbeput
11
inindiscoverablemodetohidekeytechnicalparametersfromunpaireddevices.These
parametersŒincludingpiconetaddress,piconetclock,andsubchannelmapŒdetermines
hoppingbehavior.Althoughrecentstudyhasdemonstratedthepossibilityofextract-
ingpiconetaddressfrompacketpreambles[49],aBluetoothpacketsniffercannothop
followingthetargetunlessitacquiresallhiddenparameters.
2.1.4Encryption
2.1.4.1BluetoothLEEncryption
Topreserveuser'sprivacy,BluetoothLEemploysAESencryptionŒapopularsymmetric-
keyencryptionalgorithm.Thismeansthepiconetmasterandslave(s)mustsharethe
sameencryptionkey,thatisknownasLongTermKey(LTK),toestablishencryption
session.KeydistributionmechanismofBluetoothLEisdifferentfromthatadoptedby
BluetoothClassic;thisisbecauseofcomputationalandstoragelimitationsoflowpower
BluetoothLEslaves.UnlikeBluetoothClassic,whichemploysSecureSimplePairing
(SSP)forkeyagreement,aBluetoothLEmastergeneratesanddistributesLTKasen-
cryptedmessage,basedonatemporarykeyakaShortTermKey(STK),tootherslaves.
NowtodecrypttheLTK,allpiconetparticipantsneedstoregeneratetheSTK.Bluetooth
LEslavesbaseonsomeseedsandrandomnumbersprovidedbythemasterdevice.Un-
fortunately,theseseedsaresentovertheairasplaintext.Asaresult,aneavesdropper,
whocancapturepairingphaseofBluetoothLE,maybeabletodetermineLTKand,hence,
compromiseBluetoothLEprivacy[6][7][8][12][36][43][45].
12
2.1.4.2BluetoothClassic
AscommunicationofBluetoothdevicesisprivacy-sensitiveinnature,BluetoothClassic
employs
E
0
Œasymmetric-keystreamcipheralgorithmŒtoencryptuser'sdata.Unfortu-
nately,recentstudieshaverevealedmanycriticalofthisencryptionscheme[55][56]
[13][38].Inparticular,itisshownthatBluetoothissubjecttoseveralpracticalattacksthat
cancircumvent,compromise,orevencrackthelink-layerencryption,leadingtopotential
userprivacybreach[13][56].
13
Chapter3
ReviewofRelatedWork
Despitethewell-documentedofBluetoothencryption,snifBluetoothtrafhas
beenwidelyconsideredanextremelyintricatetask.Thismainlyduetowidebandspread
spectrum,pseudo-randomfrequencyhoppingemployedbyBluetoothatbaseband,and
presenceofinterferenceintheopen2.4GHzband,whichismainlyintroducedby802.11-
basedWLANs.Inthischapter,wereviewrelatedworkfromtheliterature,whichincludes
Bluetoothsniffers,cryptanalysisofBluetoothencryption,andpotentialprivacyleakage
inthelightofsuccessfultrafsnif
3.1SnifonBluetoothTraf
Inthissection,wereviewBluetoothtrafsniffers,highlighttheirdrawbacks,andcom-
pareourpracticalsystems,namelyBlueEarandBlueFunnel,thataddress
thechallengesandimprovetrafsnifperformance.Bluetoothtrafsnifferscanbe
categorizedintotwomainclassesincluding:
3.1.1Narrowbandsniffers
TosniffonBluetoothtrafnarrowbandsniffersemployBluetooth-compliantradiosto
captureBluetoothtrafFig.3.1presentssamplesofnarrowbandBluetoothsniffers.
14
(a)Ubertoothone.
(b)TexasIns.CC2540Dongle.
(c)BluefruitBluetoothLESniffer.
Figure3.1:
NarrowbandsniffersutilizeBluetooth-compliantradiostocaptureBluetoothpackets.
Thisepresentsthreesamplesincluding(a)Ubertoothone,(b)TexasInstrumentCC2540USB
DongleBluetoothLEsniffer,and(c)BluefruitBluetoothLEsniffer.
ThereexistseveralproprietaryandopensourcesystemsforsnifBluetoothtrafFor
example,theeofafewBluetoothchipsetsallowtheradiotoreportpacket-level
diagnosisbyworkinginsnifmode[1][24][33].However,thesnifdevicemust
pairwiththetarget,whichmakesitincapableofpassivesnif
Recently,severalproprietarylow-costBluetoothpacketsniffers[23][44][2][34]have
beenproposedbasedoninexpensive,BluetoothcompliantBluetoothplatform.Similarly,
lowcost,opensourcesniffers[31][44]havebeendevelopedbasedonUbertooth[31]
Œanopen-sourceBluetoothdevelopmentplatform.In[50],atrafsnifferisdevel-
opedbasedonGNURadio/USRPplatform.However,existinglow-costsniffers,includ-
ingUbertooth-basedone,areexclusivelydesignedforsnifBluetoothtrafinbasic
hoppingmode.Inthecrowded2.4GHzband,Bluetoothrarelyhopsinbasichopping
modebecauseoftheinterferencefromcoexistingwirelessdevices,especiallythepreva-
lent802.11basedWLANs[17][28][54][20].Asaresult,existinglow-costsnifferssuffer
prohibitivelypoorsnifperformanceinpracticeduetothemispredictionofadaptive
hoppingbehavior,aswellasexcessivepacketcorruptionscausedbyinterference.
15
(a)SodorawidebandSniffer.
(b)BluetoothExplorer.
Figure3.2:
WidebandsniffersutilizespecializedwidebandradiostomonitorBluetoothspectrum
inparallel.Thisepresentstwosamplesincluding(a)FrontlineSodorawidebandsniffer,and
(b)EllisysBluetoothExplorer.
ComparedwithexistingUbertooth-basedsystems,BlueEarisdesignedforsnif
Bluetoothtrafinpracticalenvironmentswhereboththesnifferandthetargetmaysuf-
ferfromintensiveinterferencefromcoexistingwirelessdevices.Toachievethisgoal,we
addressthekeychallengesposedbytheindiscoverablemodeofBluetooth,thevendor-
dependentadaptivehoppingbehavior,andthedifinmaintainingconsistentsniff-
ingperformanceinthecrowded2.4GHzband.Inaddition,weidentifyvariouscritical
issuesinUbertoothethatdegradeitsperformanceduringfrequency
hopping,andpresentsolutionstoaddresstheseWenotethatalthoughourproto-
typeisdevelopedbasedonUbertooth,thedesignofBlueEarisplatform-independent
andcanbeeasilyportedtoothersystems.
3.1.2Widebandsniffers
WidebandtrafsniffersemployawidebandradiostomonitortheentireBluetoothspec-
trumatthesametime.Fig.3.2showsexamplesofwidebandBluetoothsniffers.There
areafewproprietaryBluetoothsniffersdesignedfortestingandprotocolanalysis[27]
16
[14].Thesesniffersutilizespecializedradiostomonitorallsubchannelsinparallelwhich
makesthemextremelycostlyandpowerhungry.Forinstance,protocolanalyzersman-
ufacturedbyTeledyne[27]cost$10kto$25Kperunit.Moreover,thesesniffersrequire
explicitpairingwiththetargetBluetooth,whichmakesitimpossibletosniffonBluetooth
trafpassively.
Incomparisonwiththeabovesystems,BlueFunnelisdesignedasapassivetrafsnif-
ferthatisbasedonwideband,low-power,inexpensivedevicesalongwithasuitofdigital
signalprocessingmethodstocaptureBluetoothtrafinthewild.Moreover,BlueFunnel
incursnodelayandnopacketlossasitrequiresnostatisticallearningphase.
3.2CrackingBluetoothEncryption
BluetoothClassic
employs
E
0
Œatwo-levelstreamcipherbasedon128-bitlinkkeyŒto
encryptpacketpayloads.Thelinkkeyisestablishedthrough
pairing
,whereBluetooth
devicesauthenticateeachotherusingasecretPIN.Intheliterature,studieshaverevealed
manycriticalofthisencryptionscheme[55][56][13][38][37][40][11].
Inparticular,severalstudieson
E
0
cryptanalysishaveshownthatthe128-bitlinkkey
of
E
0
isconsiderablyweakerthanwhatisoriginallyintended[55][56][37].Theencryp-
tionkeycanbecrackedwith
2
27
onlineoperationsand
2
21
.
1
ofoperationsinsteadof
2
128
.,giventheheadersof
2
22
.
7
Bluetoothpackets,theattacktakesafewsec-
ondstorestorethetargetencryptionkey.SuchattackisimplementedonasinglecorePC
andrequires4MBRAMofmemory.Furthermore,theeffectivesecurityofthelinkkey
willfurtherdegradewhenapacketsnifferisemployedbytheattacker.
17
3.3PotentialPrivacyLeakage
InthelightofsuccessfultrafsnifweexplorepotentialprivacyleakagesofBlue-
toothsystem,including,
(i)CrackingBluetoothencryption.
Bluetoothclassicemploys
E
0
Œatwo-levelstreamcipher
basedon128-bitlinkkeyŒtoencryptpacketpayloads.Recentstudieson
E
0
cryptanal-
ysisshowsthatthe128-bitlinkkeyof
E
0
isconsiderablyweakerthanwhatisoriginally
intended[55][56][37].Theencryptionkeycanbecrackedwith
2
27
onlineoperationsand
2
21
.
1
ofoperationsinsteadof
2
128
.,giventheheadersof
2
22
.
7
Bluetooth
packets,theattacktakesafewsecondstorestorethetargetencryptionkey.Therefore,the
effectivesecurityofthelinkkeywillfurtherdegradewhenapacketsnifferisemployed
bytheattacker.Moreover,duetocomputationandpowerconstraints,manyBluetooth
peripheralsincludingmostBluetoothmicemanufacturedbymajorvendors,likeLog-
itech[29],donotsupportencryption,leadingtouserprivacybreach.
(ii)Privacyleakagebasedonpatterns.
WithoutthepainofcrackingBluetoothencryp-
tion,previousstudiesdemonstratethepossibilityofBluetoothprivacybreachbyobserv-
ingtrafpatterns.Forinstance,thetrafpatternofpopulartrackersisfoundto
bestronglycorrelatedwiththeuser'sactivity,makingitpossibletotrackusergaitand
identity.Asaresult,apassivetrafsniffercanuncoverimportantprivateinformation
abouttheuser,evenwithoutdecryptingpacketpayloads[13].
(iii)Leakageofencryptionkey.
BluetoothLEemploysAES-CCMblockcipherŒapopular
symmetric-keyencryptionalgorithmŒtodecryptpacketspayload.Toestablishanen-
cryptedsession,thepiconetmastersharesaLongTermKey(LTK)withslave(s).The
keydistributionmechanismofBluetoothLEisdifferentfromthatadoptedbyBluetooth
18
Classic,duetocomputationalandstoragelimitationsoflowpowerslaves.Inpractice,
themastergeneratesanddistributesLTKasencryptedmessagestootherslaves.The
masterencryptsLTKbasedonatemporarykeythatisknownasShortTermKey(STK).
Unfortunately,BluetoothLEsendsSTKovertheairasplaintext.Therefore,asuccess-
fuleavesdroppingonBluetoothLEpairingphasecouldpotentiallyleadtodetermining
LTK;and,hence,compromiseBluetoothLEprivacy[8][12][36].Furthermore,astudyon
privacyofZigBeenetwork[43]demonstratesthefeasibilityofcircumventingAES-CCM
encryptionwithouttheneedtoknowlinkencryptionkey.Although,thestudyconsiders
ZigBeeencryption,theproposedmethodscanalsobeappliedtoBluetoothLEasboth
ZigBeeandBluetoothLEemploytheAES-CCMblockcipher.
19
Chapter4
BlueEar:APracticalBluetoothTraf
SnifSystemBasedonBluetooth
CompliantRadios
4.1Introduction
Inthischapter,weexplorethefeasibilityandprivacyimplicationsofsnifBluetooth
trafinpracticalenvironments.UnlikepriorBluetoothtrafsniffersthatrelyonspe-
cializedpower-hungrywidebandradios,oursnifsystemconsistsofonlycommodity
Bluetooth-compliantradios.Ourmajorcontributionistwo-fold.
TheBlueEarsystem.
Wepresentthedesign,implementation,andevaluationof
BlueEar
ŒthepracticalBluetoothtrafsnifferthatconsistsonlyofinexpensive,Bluetooth-
compliantradios.BlueEarfeaturesanovel
dual-radioarchitecture
,wheretworadiosŒ
namedas
scout
and
snooper
Œcoordinatewitheachotheronlearningthehoppingsequence
ofindiscoverableBluetooth,predictingadaptivehoppingbehavior,andhandlingcom-
plexinterferenceconditions.,thescouthopsoverallBluetoothsubchannels
tosurveyinterferenceconditionsandmonitorsthetarget'spackettransmissions.Byfus-
ingthesemeasurements,BlueEarusesaprobabilisticclockmatchingalgorithmtodeter-
20
minethebasichoppingsequence,andthenintegratesstatisticalmodelsandalightweight
machinelearningalgorithmtopredicttheadaptivehoppingbehavior,whichallowsthe
snoopertohopfollowingthetarget.Tomaintainreliablesnifperformanceincomplex
interferenceconditions,thescoutrunsaselectivejammingalgorithm,whichmanipulates
thehoppingofthetargettomitigatetheimpactsofinterference.Wehaveimplemented
aprototypeofBlueEarforsnifthetrafofBluetoothClassic,whichoffersenhanced
dataratesandamorecomplexhoppingprotocolthanBluetoothLE.Ourprototypecan
beexpendedtosniffonBluetoothLEtrafTheprototypeemploystwoUbertooths[31]
toimplementthescoutandthesnooper,andinterfacesthemtoacontrollerrunningon
aLinuxlaptop.WeidentifycriticalissuesinUbertoothethatseverelydegrades
itsperformanceduringfrequencyhopping,andpresentnovelsolutionstoaddressthese
ExtensiveexperimentsresultsshowthatBlueEarcanmaintainapacketcapture
ratehigherthan90%consistentlyinpracticalenvironments,wherethetargetBluetooth
networkexhibitsdiversehoppingbehaviorsinthepresenceofinterferencefromcoexist-
ing802.11basedWLANs.
Privacyimplications.
WediscusstheimplicationoftheBlueEarsystemonBluetooth
privacy.Moreover,weevaluatetheperformanceofBlueEarwheneavesdroppingonau-
diotrafwhichisknowntobeextremelysensitivetopacketloss.Weshowthatthe
packetcapturerateachievedbyBlueEartranslatestoahighaudioqualitywithamean
opinionscore(MOS)of3.5,whichistranslatedinto˚Fair'and˚Good'fromthelistener's
perspective.Furthermore,wepresentapracticalcountermeasure,thatcanbeeasilyim-
plementedintheuser-spacedriveroftheBluetoothmasterdevice,whilerequiringno
toexistingslavedeviceslikekeyboardsandheadsets.Thecountermeasure
21
effectivelyreducesthepacketcapturerateofthesnifferto20%,anddegradestheMOSof
eavesdroppedaudioto1.5,whichisbetween˚Bad'and˚Poor'.
Therestofthechapterisorganizedasfollows.Wepresentsystemoverviewandar-
chitectureinsection4.2.Insection4.3,wediscussBlueEarsystemdesignindetail.Eval-
uationofBlueEarsystemperformanceispresentedinsection4.5.Wediscusstheimpacts
ofBlueEaronprivacybreachforBluetoothsystem,includingBluetoothLE,insection4.6.
Section4.7concludesthechapter.
4.2BlueEarOverview
4.2.1ObjectivesandChallenges
WestudyBluetoothprivacybyexploringthefeasibilityofsnifBluetoothtrafin
practicalenvironments.Tothisend,BlueEarisdesignedasa
passive
trafsnifferthat
leveragesgeneral,inexpensivewirelessplatformtocaptureBluetoothpacketswithout
pairingwiththetargetpiconet.Toachievethisgoal,wetacklethefollowingchallenges.
(
i)
Secrethoppingphase
.Inindiscoverablemode,thepiconetclockthatindicatesthe
hoppingphaseishiddenfromBlueEar.Inadaptivehoppingmode,determiningthe
hoppingphaseisparticularlychallengingbecausethebasichoppingsequenceofthe
targetissubjecttofrequent
(
ii)
Vendor-dependentadaptivehopping
.TheadaptivehoppingofBluetoothisguidedby
asubchannelmap,whichsubchannelsasgoodandbadbasedondynamic
interferenceconditions.However,theBluetoothstandarddoesnotspecifytheim-
plementationofsubchannelresultinginvendor-dependentimplemen-
22
tation,whereBluetoothchipsetsmanufacturedbydifferentvendorsmayhopover
differentsubchannelseveninthesamespectrumcontext.
(
iii)
Interferenceinthecrowded2.4GHzband
.Whencoexistingwithotherwirelessde-
vices,BlueEarmayexperiencehiddenandexposedinterference.WhenanRFsignal
thatinterfereswiththetargetistooweaktobemeasuredatBlueEar,thespectrum
contextsobservedbyBlueEarandthetargetmaydiffer,makingitdiftopre-
dictadaptivehoppingbehavior.WhenanRFsourceinterfereswiththetargetbut
BlueEar,degradationofsnifperformancemayoccur.Whileautho-
rizeddevicescanmaintainpacketreceptionperformancebycoordinatingtheirhop-
ping,designedasapassivesniffer,BlueEarcannotcoordinatewiththetarget,which
mayleadtosubstantialpacketcorruptions.
4.2.2SystemArchitecture
Insteadofusingspecializedradiotomonitorallsubchannelsinparallel,BlueEartackles
theabovechallengesbasedonasimple
dual-radioarchitecture
thatconsistsoftwoinex-
pensive,Bluetooth-compliantradios.ThetworadiosŒnamedas
scout
and
snooper
Œare
interfacedtoacontroller,whichemploysasuiteofnovelalgorithmstocoordinatethe
tworadios,gluingthemasapowerfulpassivetrafsniffer.Fig.4.1illustratesthear-
chitectureofBlueEar.,theworkingofBlueEarcanbedividedintothe
followingsteps.
(
i)
T
Whenmultiplepiconetscoexistinthesameenvironment,BlueEar
separatestheirtrafbasedonthepiconetaddressofcapturedpackets.
cally,thepreambleofeachBluetoothpacketcarriesasynchronizationword,which
23
Figure4.1:
Thedual-radioarchitectureofBlueEar.Componentsinthegrayareacomprisea
standard-complianthopselectionkernel.
isderivedfromthepiconetaddressusinganencodingfunctionbythestan-
dard[47].BlueEaremploysthebruteforcealgorithmproposedin[49]toextractpi-
conetaddressfromthesynchronizationword,andthenoutthepacketswhose
piconetaddressmismatchesthetargetpiconetaddressbytheBlueEaruser.
(
ii)
Basicchannelacquisition.
Toacquirethebasicchannelofthetargetpiconet,thescout
listensonanarbitrarysubchanneltomonitorthetarget'spackettransmissions.Af-
terextractingpiconetaddressfrompacketpreamble,BlueEarderivestheentireba-
sichoppingsequence,andthenreversesthepiconetclockusinganinterferencere-
silient,probabilisticclockmatchingalgorithm.,thereceivingtimesof
capturedpacketsarecomparedwiththebasichoppingsequenceatdifferenthop-
24
pingphases,untilacorrectphaseisfound.Theacquiredpiconetaddressandclock
arethenfedtoastandard-compliantbasichopselectionkerneltocomputethebasic
channel.
(
iii)
Adaptedchannelacquisition.
Toacquiretheadaptedchannel,BlueEarneedstopredict
howthetargetreactsindynamicspectrumcontext.Tothisend,thescouthopsover
allsubchannelsontheacquiredbasicchanneltosurveyinterferenceconditions,and
monitorspackettransmissionstoinferthetarget'ssubchannelutilization.Byfus-
ingthesemeasurements,BlueEartrainsasubchannelatrun-time,which
accuratelyderivesthetarget'ssubchannelmapdespitevendor-dependentadaptive
hoppingbehaviorandthepossibledisparitybetweenthespectrumcontextsofthe
scoutandthetarget.Thesubchannelmapisthenfedtoastandard-compliantadap-
tivehopselectionkernelforcomputingtheadaptedchannel.
(
iv)
Interferenceavoidance.
Thesnooperhopsfollowingthetargetontheadaptedchan-
neltosnifftrafBlueEarhandlescomplexinterferenceinthecrowded2.4GHz
bandusingaselectivejammingalgorithm.,alossdetectorisemployed
tomonitorthesnifngperformanceofallsubchannels.Whensubstantialpacketcor-
ruptionsaredetectedonasubchannel
i
,thescoutdeliberatelygeneratesinterference
on
i
whilethetargetvisits
i
duringhopping.Becauseofadaptivehopping,thetarget
willbedrivenawayfromlossysubchannelswhereBlueEarobservespoorsnif
performance.Theobjectiveistomanipulatethetarget'shoppingtoenforceimplicit
coordination.
25
4.3DesignofBlueEar
Inthissection,wepresentthedesignofkeyBlueEarcomponentsindetail.
4.3.1ClockAcquisition
Inthefollowing,wesometerminologyandpresentkeyconceptsofclockacquisi-
tion.
1Basichoppingsequence

=(
i
0
,..,
i
c
,..,
i
N
)
isann-tupleofintegers
i
2
f
0
,..,
78
g
thatrepresentssubchannelindex,
c
referstothepiconetclock,i.e.hoppingphase,
and
N
=
2
27
-
1
.
2Observedhoppingpattern
P
=
f
p
0
,
p
1
,..,
p
n
g
isasetofcapturedpackets,
whereapacketisbasedonsystemtime-stampatreceptiontime.
Next,weintroduceourbasicideaofreversingthepiconetclock,whichinvolvesthree
fundamentalalgorithms,including,reversingthepiconetclockwhenthetargethops
inthebasicmode;second,wepresentaprobabilisticmatchingapproachtodetermine
thepiconetclockinthepresenceofinterference.And,weintroduceamaximum-
likelihood(ML)basedalgorithm,whichacceleratesclockacquisitionand
reducesclockacquisitiondelay.
4.3.1.1BruteForceClockAcquisition
Becausetheentirehoppingsequence

isknownafterthepiconetaddressisextracted
frompacketpreamble[49],itispossibletoreversethepiconetclock
c
throughasimple
bruteforcesearch,whichcomparesanobservedhoppingpatternwiththeentirehopping
sequenceatallphasestosearchforamatch.Fig.4.2showsanillustrativeexample.
26
Figure4.2:
Anillustrativeexampleofbruteforcesearchforclockacquisition.
Atthebeginning,thescoutlistensonasinglesubchanneltomonitorthetarget'spacket
transmissions.AsshowninFig.4.2,thescoutlistensonsubchannel2wherethreepackets
arecaptured,which
P
.Thereceivingtimesofthesepacketscomposeahopping
patternthatdescribeshowthetargetvisitsthemonitoredsubchannel.AsshowninFig.
4.2(c)and(d),BlueEarthencomparestheobservedhoppingpatternwiththeentirebasic
hoppingsequenceatallphases.Amatchisfoundatclock34.
Beforecapturingasufnumberofpackets,theobservedhoppingpatternmay
happentomatchthebasichoppingsequenceatmultipleclockvalues,resultinginclock
ambiguity.Becausethebasichoppingsequenceispseudo-random,probabilitythatan
observedhoppingpatternthatcomprises
n
packetsmatchesthebasichoppingsequence
atanarbitraryclockcanbecomputedas
1
79
n
.Therefore,clockambiguitydecreasesasthe
numberofcapturedpacketsincreases.
27
Figure4.3:
Theeffectofsubchannelremappingonbruteforcesearchbasedonthesameexample
showninFig.4.2.
4.3.1.2ProbabilisticClockMatching(PCM)
Inthecrowded2.4GHzband,Bluetoothdevicesrarelyhopinthebasicmodebecause
oftheimpactsofinterferencefromcoexistingwirelessdevices[17][28][54][20].To
adaptspectrumuse,Bluetooththebasicchannelbyremappingbadsubchan-
nelssubjectedtointerferencewithpseudo-randomlyselectedgoodsubchannels.Since
theadaptedchannelmaydifferfromthebasicchannelinvariousphases,thehopping
patternobservedbythescoutmaymismatchthebasichoppingsequenceevenatthe
correctclock.Fig.4.3illustratestheimpactofsubchannelremappingusingthesameex-
ampleshowninFig.4.2.Asillustratedinthee,bruteforcesearchmayfailtoa
perfectmatchduetothepackettransmittedontheremappedsubchannel.
Toacquirethepiconetclock
c
inthepresenceofinterference,BlueEarleveragesthe
28
followingkeyobservation.Whencomparinganobservedhoppingpattern
P
withthe
basichoppingsequence

atthecorrectclock,theratioofmismatchesshouldequalthe
ratioofremappedsubchannels.AsrequiredbyFCC,BluetoothClassicmustuseatleast
20subchannelsforfrequencyhopping[47].Therefore,theratioofremappedsubchannels
isatmost
59
79
.Hence,iftheratioofmismatchesataclock
c
islargerthan
59
79
,
then
c
islikelyanincorrectclock.
Drivenbytheaboveobservation,BlueEaremploysaprobabilisticclockmatching
(PCM)algorithmforclockacquisition.Insteadofseekingaperfectlymatchedclock,
BlueEardeterminesthecorrectclockbyeliminatingincorrectclocksbasedonthenumber
ofmismatches.Aclockisasincorrectifthe95%intervalofitsmis-
matchratioexceeds
59
79
.,let

bethebasichoppingsequence,
P
=
f
p
0
,..,
p
n
g
beasetofobservedpackets,and
C
=
f
c
0
,
c
1
,..
c
j
g
and
D
=
f
d
0
,
d
1
,..
d
j
g
bethesetsofclock
candidatesandthecorrespondingmismatchesnumbers,respectively.Whencomparing
P
with

,thePCMalgorithmreturns
C
and
D
,where
d
i
isthenumberofmismatchesat
clockcandidate
c
i
.If
c
i
isthecorrectclock,theratioofmismatches

=
d
i
n
,
n
=
j
P
j
,should
beclosetotheratioofunusedsubchannels.Basedonthecentrallimittheory,thedistri-
butionof
p
n
(
d
i
n
-

)
shouldapproachnormalitywhen
n
isreasonablylarge.The95%
intervalof

canbeestimatedas
d
i
n

2
˙
p
n
,where
˙
2
isthevariance.Therefore,
clock
c
i
isdeterminedasincorrectif
d
i
n
-
2
˙
p
n

59
79
.Whenanewpacketiscaptured,the
algorithmupdatesthemismatchratiosforremainingclockcandidates.
4.3.1.3AcceleratingClockAcquisition
ThePCMalgorithmacquiresthecorrectclockbygraduallyeliminatingincorrectcandi-
dates;thismayincursometimedelaywhilewaitingfornewpacketstobecaptured.To
29
reduceclockacquisitiondelay,BlueEarresortstoestimatethepiconetclock.Thatis,given
asetofobservedpackets
P
,theMLalgorithmderivesseveralsubsets
P
1
,..,
P
z
ˆ
P
,andin-
vokesthePCMalgorithmtoobtaincorrespondingsetsofclockcandidates
C
1
,..,
C
z
.From
thelatersets,thealgorithmprobabilitydistributionofcandidatesanda
candidatethatmaximizesthedistributionfunction.Inparticular,thealgorithmproceeds
withthefollowingsteps.
Step1:
Input
:
P
=
f
p
0
,..,
p
n
g
and
C
=
f
c
0
,..,
c
j
g
,and
b<n
Step2:
acounter
a
=
1
,
Step3:
Findthesubset
P
a
ˆ
P
,
P
a
=
f
p
a
,..,
p
b
g
Step4:
InvokethePCMalgorithmwith
P
a
andobtains
C
a
Step5:
Subtract
q
fromallelementsin
C
a
.Intuitively,if
c
wasthepiconetclockatthetime
oftransmitting
p
0
,then
c
+
q
mustbethepiconetclockatthetimeoftransmitting
p
a
,where
q
isthenumberofclockticksbetween
p
0
and
p
a
.
Step6:
Finds
C
 
C
[
C
a
Step7:
Increments
a
and
b
,while
b<n
,goto
Step3
BlueEarevaluatesoptimalityoftheMLestimatorbasedonsome
lossfunctionL
,which
weasfollows:
L
(
c
i
)=
d
i
,where
c
i
isanapproximationforthepiconetclock
c
,and
d
i
isthenumberofmismatchesatclock
c
i
asearlier.AccordingtothePCMalgo-
rithm,aclockcandidate
c
i
,thatisalignedwithhighmismatches
d
i
,ismostlikelytobe
eliminatedfrom
C
assufnumberofpacketsareoverheard.Basedonthisobserva-
tion,theMLestimator
c
winner
isconsideredifitisalignedwiththeminimummismatches
number
d
m
;otherwise,theMLalgorithmwaitsfornewpacketstobecaptured.
30
Figure4.4:
EstimationofapiconetclockbasedontheMLalgorithmandlossfunction
L
(
c
i
)=
d
i
.
Fig.4.4showsanexampleofMLalgorithm,wherethealgorithmsuccessfullyidenti-
thepiconetclockbasedonasetof20observedpackets.Inthise,itisclearthat
thewinnercandidatealignswiththeminimumvalueofthelossfunction
L
.
4.3.2Subchannel
TheadaptivehoppingofBluetoothisguidedbyasubchannelmapthatsubchan-
nelsasgoodandbadbasedondynamicinterferenceconditions.Toacquiretheadapted
channel,BlueEaremploysasubchannel,whichinfershowthetarget
subchannels.Thesubchannelmustmeetthefollowingrequirements.

Accuracy
.Whenasubchannelisthesnoopermayhoptoawrong
subchanneldifferentfromtheoneusedbythetarget.Poorsubchannel
accuracymayresultinsubstantialpacketmisses.

Responsiveness
.Indynamicspectrumcontexts,thesubchannelmustbe
responsivetothechangeofinterferenceconditions.
Inthefollowing,wepresenttwocomplementarysubchannelalgorithms,
anddiscusstheiradvantagesandlimitationsinachievingtheabovegoals.Wethendis-
31
cusshowBlueEarintegratesthetwoalgorithmsforsubchannel
4.3.2.1Packet-based
Design.
AsBluetoothonlytransmitsongoodsubchannels,itispossibletoinferthestatus
ofasubchannelbasedonits
packetrate
,whichindicateshowfrequentlythetargettrans-
mitsonasubchannel.Tomeasurepacketrates,thescouthopsoverall79subchannels
ontheacquiredbasicchanneltomonitorthetarget'spackettransmissions.Foreachsub-
channel
i
,BlueEarcomputesitspacketrateas
r
i
=
q
i
v
i
,where
q
i
isthenumberofpackets
receivedon
i
,and
v
i
isthenumberoftimesthescoutvisits
i
.Whenasubchannelisclas-
asbadbythetarget,thepacketratemeasuredbythescoutwillbesubstantially
lowerthanthatofgoodsubchannels.
Akeychallengetoachieveaccuratepacket-basedisthatpacketratesdif-
feracrossdifferentapplications(
e
.
g
.,datatransfer,audio,andkeystroking,
etc.),andmayvarywithtimedependingonthetrafdynamicsinthetargetpiconet.To
addressthischallenge,weleveragethefactthat,asrequiredbyFCC,BluetoothClassic
usesatleast20subchannelsforfrequencyhopping[47].Asaresult,the20subchannels
thathavethehighestpacketratescanbeusedasareferencetoestimatethecurrentpacket
rateofthetargetpiconet.Drivenbythisobservation,thepacket-based
badsubchannelsusingthefollowingalgorithm.

Step1
:Initially,the20subchannelsthathavethehighestpacketratesare
asgood.Let
R
g
=
f
r
i
1
,...,
r
i
20
g
bethesetoftheirpacketrates.

Step2
:Inremainingsubchannels,thesearchesfortheonewith
thehighestpacketrate.Denotethissubchannelas
i
,anditspacketrateas
r
i
.
32
(a)Data.
(b)Audio.
Figure4.5:
Runningexamplesofpacket-basedsubchannelfordataandvoicetraf
underindifferentspectrumcontexts.Thepacket-basedcalculatesaprobabilityscore
basedonEq.(4.1)todeterminesubchannelstatus.Asubchannelisasbadiftheproba-
bilityscoreisbelowtheprthreshold.

Step3
:Thepacket-baseddetermineswhethersubchannel
i
isbadbycheck-
ingif
r
i
isanoutlierof
R
g
.If
r
i
isanoutlier,
i
andallremainingsubchannelsof
evenlowerpacketratesareasbad.Otherwise,
i
isasgoodand
itspacketrate
r
i
isinsertedto
R
g
.Thealgorithmthengoesbacktostep2untila
badsubchannelis
Wedetermineif
r
i
=
q
i
n
i
isanoutlierof
R
g
asfollows.Let
r
g
betheaveragepacket
rateof
R
g
.Assumingsubchannel
i
isgood,probabilitythatthetargettransmitslessthan
q
i
packetsafter
v
i
visitscanbecomputedas,
ˆ
i
=
q
i
X
n
=
0

v
i
n

(
1
-
r
g
)
v
i
-
n
r
n
g
(4.1)
Weidentifyoutliersunderagivenlevel,denotedas

.Subchannel
i
isclassi-
asbadif
ˆ
i

1
-

.
Fig.4.5givestwoexamplesofpacket-basedsubchannelfordataandau-
diotrafindifferentspectrumcontexts.Theuppereshowsthepacketratesmea-
suredon79subchannels.Lowpacketratesareobservedonbadsubchannelssubjected
33
(a)Cleansubchannel.
(b)Dirtysubchannel.
Figure4.6:
Probabilitydensitiesofinterferencepowermeasuredoncleananddirtysubchannels.
tointerference.Thebottomeshowstheprobabilityscores
ˆ
i
foreachsubchannel
i
calculatedusingEq.(4.1).Asshowninthee,thepacket-basedreliably
badsubchannelsdespitethevariationofpacketratesacrossdifferent
applications.
Discussion.
Byclassifyingsubchannelsbasedonpacketrates,packet-based
offerstwoadvantages:
(i)
itworksefacrossdifferentBluetoothdevicesdespite
vendor-dependentsubchannelmethods,
(ii)
theisnotaffected
bythedisparitybetweenthespectrumcontextsofthetargetandBlueEar.However,
packet-basedislessresponsiveindynamicspectrumcontextbecauseasubchan-
nelcannotbeasgoodorbadbeforeoverhearingasufnumberofpackets.
Asaresult,packet-basedmayperformpoorlywhensubchannelstatuschanges
fastwithtime-varyinginterference.
4.3.2.2SpectrumSensing-based
Design.
SinceBluetoothpiconetsubchannelbasedoninterferenceconditions,
subchannel
i
islikelybadifstronginterferenceismeasuredon
i
.Drivenbythisobser-
vation,spectrumsensing-basedinferssubchannelstatusbasedoninterference
34
measurements.Whenhoppingonthebasicchannel,thescoutmeasuresinterference
poweroneachsubchannel.Theinterferenceconditiononagivensubchannelischar-
acterizedusingtheprobabilitydensityofinterferencepower.Fig.4.6illustratestwo
examplesmeasuredbythescoutoncleananddirtysubchannels.Onbothsubchannels,
theenvironmentnoiseisfoundat-95dBm.Aninterferencesourcewhosesignal
powerrangesfrom-45dBmand-40dBmcanbeobservedinFig.4.6b.Theinterference
sourceisactiveinabout15%oftime.
Basedoninterferencemeasurement,thespectrumsensingbasedemploysan
SVMtodeterminesubchannelstatus.TheSVMtakesasinputafeaturevectorobtainedby
discretizingtheprobabilitydensityofinterferencepowerbasedon
X
i
=
f
x
-
100
,
i
,
x
-
99
,
i
...,
x
-
20
,
i
g
,
where
x
s
,
i
istheprobabilityofobservinganinterferingsignalpowerof
s
dBmonsub-
channel
i
.
X
i
characterizesinterferenceconditionbetween-100dBmand-20dBm,which
issuftocapturetheactivitiesofallinterferingsourcesinpractice.
Discussion.
Althoughspectrumsensing-basedisresponsivetotime-varying
interferenceconditions,achievingsatisfactoryaccuracyisdifbecause
(i)
depending
onthelocationofinterferencesource,thespectrummeasuredbythescoutmaydiffer
fromtheoneobservedbythetarget;
(ii)
thesubchannelmethodadoptedby
thetargetisvendor-dependentandmaydifferacrossdifferentdevices.Toaddressthese
limitations,thespectrumsensing-basedmustbetrainedatrun-time.
4.3.2.3Hybrid
Foraccurateandresponsiveofsubchannelstatus,BlueEaremploysahybrid
thatcombinesthecomplementarypacket-andspectrumsensing-basedclassi-
Atrun-time,thehybridusespacket-basedresultstotraina
35
Figure4.7:
Time-domainillustrationofrun-timetrainingofthespectrumsensing-based.
spectrumsensing-based,whichlearnsthevendor-dependentsubchannelclas-
methodofthetarget.Aftertraining,BlueEarfusestheoutputsofpacket-and
spectrumsensing-basedtoinfersubchannelstatus.
Totrainthespectrumsensing-basedclassi,BlueEarlabelsinterferenceconditions
measuredbythescoutusingtheoutputsofpacket-basedNotethatpacket-
basedinferssubchannelstatusbasedonpacketratesderivedfromthehistoryof
overheardpackets,thereforeitsresultmaylagbehindthetruesubchannelstatus.Tocom-
pensatethisdelay,BlueEarcomposestrainingcasesbylabeling
X
f
usingpacket-based
resultsobtainedatalatertimepoint.Fig.4.7illustratesthistrainingproce-
dureintime-domain.
Forsubchannelthehybridfusestheoutputsofpacket-and
spectrumsensing-basedbasedontheresponsivenessandofresults.
Thesoft-outputofSVMisutilizedtocharacterizetheofThe
soft-outputofSVMisalog-likelihoodratiocomputedas

i
=
log
ˆ
i
1
-
ˆ
i
,where
ˆ
i
isthe
probabilitythat
i
isgood,and
j

i
j
indicatesBecausespectrumsensing-based
36
ismoreresponsivetodynamicspectrumcontext,thehybridadopts
theoutputofSVMastheresultifits
j

i
j
ishigherthana
prthreshold.Otherwise,theoutputofpacket-basedisadopted.
4.3.3SelectiveJamming
Inthecrowded2.4GHzfrequencyband,BlueEarissubjectedtotheinterferenceofcoex-
istingwirelessdevices,especiallytheprevalent802.11basedWLANs.Unlikeauthorized
Bluetoothdevicesthatcanhandlesuchinterferencebycoordinatingtheirhopping,de-
signedasapassivepacketsniffer,BlueEarcannotcoordinatewiththetarget,whichmay
resultinpoorsnifperformance.BlueEarmitigatestheimpactsofsuchinterference
usingaselectivejammingalgorithm.Inthefollowing,wepresentthealgorithmdesign
indetail,andthendiscusstheimpactofjammingon802.11devices.
Whentheinterferencecausessubstantialpacketcorruptionsonasubchannel
i
,the
scoutdeliberatelygeneratesinterferenceon
i
whilethetargetvisits
i
.Becauseofadaptive
hopping,thetargetwillbedrivenawayfromsubchannels
i
,resultinginimplicitcoordi-
nation.Tothisend,BlueEaremploysalossdetectortoidentifysubchannelssubjectedto
hiddeninterference.Wheneverthescoutoverhearsapacket,itcheckspacketintegrity
usingCRC,andthensendstheresulttothelossdetector.Foreachsubchannel,theloss
detectoremploysamovingwindowtocomputetheratioofcorruptedpackets.Thescout
iscommandedtojamasubchannelifthepacketcorruptionratioishigherthanaprede-
threshold.Toeffectivelydrivethetarget,aclassoneBluetoothradiocapableofhigh
powertransmissionisemployedtoimplementthescout.
Discussion.
Despitedeliberatelygeneratinginterferenceinthe2.4GHzband,theimpacts
ofselectivejammingon802.11devicesisverylimitedbecauseoftworeasons.First,there
37
areconsiderablylowchancesforcollisionsbetween802.11-basedframesandselective
jammingframes.Asexplainedearlier,selectivejammingisequivalenttoBluetoothclass
1transmission,andhence,probabilityofcollisionwith802.11-basedWLANsisequiv-
alenttothatofBluetooth.Apreviousstudy[48]highlightsthatinworstcasescenario,
wherethethree802.11non-overlappedchannelsareconsistentlyoccupied,theproba-
bilityofcollisionwithBluetoothislessthan0.2.However,thisprobability
reducesifweconsiderthefollowingfactors:
(i)
thescenarioofoccupyingthethree802.11
non-overlappedchannelsisrare;
(ii)
thestudy[48]considersalowdatarate(5.5Mbps)
for802.11link.WithadoptionofOFDMhigherdatarates,frame-in-air-timebecomes
shorterthanthatof5.5Mbpsrate.Accordingly,abundantwhitespacebetween802.11
transmissionsisexpected.Arecentstudy[20]rmsthisandshowsthat802.11traf
ishighlyburstyandframesareclusteredtogetherwithshortintervalsoftime(typically
lessthan1
ms
),whileperiodsbetweenclustersarelonger;
(iii)
lifetimeofa
jammingsessionis2secinaverage,whereourexperimentsshowthatBluetoothreacts
tointerferencewithin4secatmost;and
(iv)
BlueEaronlyjamsinthepresenceof
hiddeninterference,whichisaspecialscenarioforBlueEar.Second,assumingthecaseof
collisionwith802.11-basedframe,apreviousstudy[10]showsthat802.11-basedWLANs
isrobustagainstnarrowband(thescoutoccupies1MHzvs.20MHzfor802.11),short-
livedinterference.Therefore,weconcludethatselectivejamminghasverylimitedeffect
on802.11-basedWLANs.
38
Figure4.8:
BlueEarprototypethatconsistsoftwoUbertooths[31].
4.4Implementation
Inthissection,wepresenttheimplementationofBlueEarindetail.AsshowninFig.
4.8,weemploytwoUbertooths[31]toimplementthescoutandthesnooper,andthen
interfacethemtoacontrollerrunningonaLinuxlaptop.Computationintensivetasks
likeclockacquisitionandsubchannelareimplementedonthelaptop.Time-
sensitivecomponentslikebasicandadaptivehopselectionareimplementedbyextending
theeofUbertooth.Inaddition,weidentifycriticalissuesinUbertoothe
thatseverelydegradeitsperformanceduringfrequencyhopping,andpresentnovelso-
lutionstoaddresstheseWenotethatalthoughourcurrentprototypeisbuiltbased
onUbertooth,thedesignofBlueEarisplatform-independentandcanbeeasilyportedto
othersystems.
39
4.4.1Ubertooth-EndImplementation
Ubertoothisanopensource2.4GHzwirelessdevelopmentboardthatcostsaround$80
perunit[31].EachUbertoothisequippedwithanLPC17xxmicrocontroller,andalow-
powerBluetooth-compliantCC2400transceiverconnectedtoa4-inch2.2dBiantenna.
Ubertoothiscapableoftransmittingat22dBm,whichassurestheeffectivenessofselec-
tivejamming.
TheoriginaleofUbertoothisimplementedin823linesofCcode,whichim-
plementsDMAmanagement,basichopselection,andcarriersense,etc.DatainDMA
bufferisframedintoUSBpacketsandforwardedtothehost.However,theoriginal
elackssupportforadaptivehopselectionandrun-timeclocksynchronization.In
addition,wethattheeispoorlyoptimizedforreal-timefrequencyhopping.
Inparticular,becauseofresourcecontentionamongmultipletasks,subchannelswitching
maybeimproperlydelayed(e.g.,byUSBpacketstreaming,whichtypicallytakesaround
50

accordingtoourmeasurements).Suchdelaywillbreakthehopsynchronizationbe-
tweenBlueEarandthetarget.WeextendtheeofUbertoothusing400linesofC
code,whichimplementthefollowingfunctions.
(
i)
Run-timeclocksynchronization
.Tohopfollowingthebasicandtheadaptedchan-
nelofthetarget,thescoutandthesnoopermustsynchronizetheirnativeclocks
withthetarget'spiconetclock,
i
.
e
.theirclocksmusthavethesamevalueandtick
atthesametime.Run-timeclocksynchronizationisimperativebecausetheclocks
ofthescout,thesnooper,andthetargetmayhaveclockskews[19],whichmake
themrunatdifferentrates,accumulatingadriftthatbreakshopsynchronization.
Theextendedeaccomplishesclocksynchronizationasfollows.Afterclock
40
acquisition,theereceivesapiconetclockvaluefromtheclockacquisition
component.Theclockvalueisusedastheinitialvalueofanativeclock,whichisob-
tainedbyprogramminga10MHztimerprovidedbyLPC17xxintoa27-bitcounter
thattickseveryhop.Toassurethatthenativeclockandthepiconetclocktickat
thesametime,theextendedeleveragesthefactthatBluetoothpacketsare
alwaystransmittedimmediatelyafterclockticks.Therefore,thereceivingtimesof
overheardpacketscanbeutilizedasaclockreferencetocorrectclockdrift.Toavoid
packetmisscausedbyremainingclockdrift,thenativeclocksofthescoutandthe
snooperareprogrammedtotick1

earlierthanthetarget.
(
ii)
Adaptivehopselection
.Theeofthesnooperimplementsastandard-compliant
adaptivehopselectionkernel.Thekerneltakesthreeinputs,includingtheinferred
subchannelmap,thepiconetaddressobtainedfromthecontroller,andthevalueof
thenativeclock.Theinferredsubchannelmapisupdatedeverysecond.
(
iii)
Taskscheduler
.Toassurereal-timehoppingperformance,theextendede
schedulestasksbasedontheirtimesensitivities.Hopselectionandsubchannel
switchingaregiventhehighestprioritytoassuretherighthopsynchronization.
USBpacketstreamingandcarriersensearegiventhesecondandlowestpriority,
respectively.Tasksareexecutedintheintervalbetweensubchannelswitchinginthe
orderoftheirpriorities.
4.4.2ControllerImplementation
Thecontrollerimplementscomputeintensivetasks,includingpacketdecoding,clockac-
quisition,subchannelandjammingsubchannelselection.Inaddition,itin-
41
teractswiththescoutandthesnooperviahigh-speedUSB.Thesetasksareimplemented
asmultipleprocesses,whichsharea3KBofmemoryforcoordinationandparameter
exchange.Forpacket-basedsubchannelthecontrollerimplementstheal-
gorithmdescribedinSectionV-B1in53linesofCcode.Alevelof99%isused
toassureaccurateionofbadsubchannels.Thespectrumsensing-basedclas-
isimplementedbasedonSVM
light
,whichisanopen-sourcecomputation-ef
SVMlibrary[25].Thespectrumsensing-basedtakesabout51.2KBofmemoryat
run-time.Tocompensatethedelayofpacket-basedwhentrainingtheSVM
(asexplainedinSectionV-B2andFig.4.7),thecontrollerusespacket-based
resultsobtainedin
t
+
4s
tolabelthesignalfeaturesmeasuredat
t
.Thischoiceismoti-
vatedbyourempiricalmeasurements,whichshowthatmostBluetoothdevicesupdate
subchannelmapevery
4s
.ThehybridchoosestheresultofSVMasoutputifthe
ofSVMishigherthan90%.Otherwisetheoutputofpacket-based
isadopted.Thecontrollerisresponsiblefordecodingtherawbitstreamreceivedfrom
Ubertooth.PacketintegrityisexaminedbycheckingthereceivedCRC.Asubchannelis
jammediftheratioofcorruptedpacketsishigherthan10%.
4.5BlueEarPerformance
Inthissection,wepresentathoroughevaluationofBlueEarperformance.Inthefol-
lowing,weintroduceourexperimentalmethodology,andthendiscussexperiment
resultsindetail.
42
4.5.1ExperimentalMethodology
WestudyBlueEarperformancewhensnifdatatransferandaudiostreaming,which
arerepresentativeBluetoothtrafthathavedistinctpacketrates.Datatrafisgen-
eratedbytransferringdatabetweentwolaptopsequippedwithBroadcomdongles.
AudiotrafisgeneratedbyplayinganaudioonalaptopequippedwithCSRdongle,
andaSamsungBluetoothheadsetissetastheaudiosink.Weconductexperimentsinan
ofbuildingundertheinterferenceofalarge-scale802.11-basedWLANs,aswellasin
variouscontrolledsettingstobenchmarkBlueEarperformanceunderinterference
patterns.Weevaluatethesynchronizationdelay,thesubchannelaccuracy,
andthepacketcapturerateofBlueEar.Thesynchronizationdelayismeasuredasthe
timeneededtodeterminethecorrectpiconetclock.Tomeasuresubchannel
accuracyandpacketcapturerate,welogthegroundtruthsubchannelmapandpacket
ratesatthepiconetmasterusingascriptwrittenbasedon
hcitool
.ThehostofBlueEar
isconnectedwiththepiconetmasterviaanEthernetlink.Theinstantaneousreadingsof
groundtruthsubchannelmapandpacketratesaretransferredtotheBlueEarhostusing
UDP.WecompareBlueEarwithasetofbaselines.First,wecomparethehybridsubchan-
nelproposedinSectionV-B3withpurepacket-,andspectrumsensing-based
(abbreviatedas˚Pkt'and˚SS'ines).TheSVMofpurespectrumsensing-
basedistrainedofinacontrolledsettingconsistingofan802.11accesspoint
(AP)andaBroadcompiconet.Duringtraining,wetunethepowerandtemporalpattern
of802.11transmissionstointroducedifferentinterferenceconditions,whichenablesex-
tensiveproftheadaptivehoppingbehavioroftheBroadcomdevice.Wethenuse
thetrainedtopredictthesubchannelmapsindataandaudiotests,wherethe
43
(a)Nobadsubchannels.
(b)25%badsubchannels.
(c)50%badsubchannels.
(d)75%badsubchannels.
Figure4.9:
Clockacquisitiondelaywhensnifdataandaudiotrafindifferentspectrum
contexts(characterizedbythepercentageofbadsubchannelsatthetargetpiconet).
piconetsareformedusingdifferentBluetoothdevices.Second,toevaluatethegainof
selectivejamming,wecompareBlueEarwithabaselinewheretheselectivejammingis
disabled.Third,wecomparethepacketcapturerateofBlueEarwiththatofanexisting
Ubertooth-basedsniffer[31],whichoperatesinthebasichoppingmode,andisoblivious
totheadaptivehoppingbehaviorandtheimpactsofinterference.
4.5.2SynchronizationDelay
WeevaluatethedelayincurredwhensynchronizingBlueEarwiththetargetpiconet.
Thedominantcomponentofthisdelayisintroducedbyclockacquisition,duringwhich
thescoutlistensonasinglesubchanneluntilitcapturesenoughpacketstoreversethe
piconetclock.Inthefollowing,weevaluateclockacquisitiondelay,basedonthe
44
PCMalgorithm,andthenbasedonMLalgorithm.
4.5.2.1DelaybasedonPCMalgorithm
Webenchmarkclockacquisitiondelayindifferentspectrumcontextswherethetargetex-
hibitsdiversehoppingbehaviors.Ourexperimentsareconductedinacontrolledsetting
wherethree802.11accesspoints(APs)aredeployedaroundthetarget.EachAPoccupies
oneofthethreenon-overlapping20MHzchannels.WhenallAPsareactive,theycreate
acrowdedspectrumwhereabout75%subchannelsofthetargetpiconetarebad.
Fig.4.9showstheprobabilityofsuccessfullydeterminingthepiconetclock,basedon
thePCMalgorithm,asthelisteningtimeofthescoutincreases.Weobservethatclock
acquisitiondelaywhensnifaudiotrafishigherthanthatwhensnifdatatraf-
ThisismainlybecauseofthelowerpacketrateofaudiotrafInterestingly,the
delaysubstantiallyreduceswhenthespectrumbecomesmorecrowded.Thisisbecause,
whenmoresubchannelsareoccupiedby802.11APs,thetargetpiconethastousefewer
subchannelsforpackettransmissions,resultinginanincreasedpacketrateonthesub-
channelmonitoredbythescout.,when75%ofsubchannelsareoccupiedby
802.11APs,theclockacquisitiondelayislessthan10sinbothdataandaudiotests.The
resultimpliesthatBluetoothtrafsnifferscansubstantiallyreduceitssynchronization
delayusingdeliberatelyplannedinterference.
4.5.2.2DelaybasedonMLalgorithm
NowweevaluatetheMLalgorithmperformance.Weconsiderclockacquisitiondelayas
anevaluationmetric.WecomparetheMLalgorithmperformancewiththatofthePCM
algorithmwhenactsalone.
45
(a)Nobadsubchannels.
(b)25%badsubchannels.
(c)50%badsubchannels.
(d)75%badsubchannels.
Figure4.10:
ClockacquisitiondelaybasedontheMLalgorithm,whichisevaluatedindifferent
spectrumcontexts(characterizedbythepercentageofbadsubchannelsatthetargetpiconet).
Fig.4.10showstheprobabilityofsuccessfullyestimatingthepiconetclockasthe
listeningtimeincreases.Tocompare,weobservethattheMLalgorithmoutperformsthe
PCMalgorithm,asinFig.4.9.TheMLalgorithmreducesclockacquisition
delaytolessthan4
s
.SimilartothePCMalgorithm,weobservethatclockacquisition
delaywhensnifonaudiotrafishigherthanthatwhensnifondatatrafIn
contrast,theMLalgorithmrequiresmoretimetoestimatethepiconetclockwhenmore
subchannelsareoccupiedby802.11trafwhichinturnmaximizesnumberofremapped
packets.,whenasetofobservedpackets
P
startswitharemappedpacket,
thereisalowchancethatthetrueclockispresentedinthesetofcandidates
C
,i.e.all
candidatesarefalse.Alternatively,when
P
startswithapacketthatbelongstothebasic
hoppingsequence,thetrueclockmustappearin
C
.Asaresult,theMLalgorithmrequires
46
(a)Data.
(b)Audio.
Figure4.11:
Subchannelaccuracyinfastvaryingspectrumcontext.
morepackets,i.e.morelisteningtime,ifthenumberofremappedpacketsisincreased.
Basedonthisthedesignofacountermeasureshouldconsiderincreasingnumber
ofremappedpacketsinBluetoothtraftopreventpassiveattacker,likeBlueEar,from
snifonBluetoothlink.
4.5.3FastVaryingSpectrumContext
WenowevaluateBlueEarindynamicspectrumcontextswherethesubchannelmapof
thetargetisfrequently.ThetransmissionofAPisturnedon/offeveryacouple
ofsecondstocreateafastvaryingspectrumcontext,whichcausesthetargettomodifyits
subchannelmapeveryupdateperiod.
Fig.4.11evaluatessubchannelaccuracybasedonfalsepositive(FP)and
falsenegative(FN)rates.Asexpected,thepacket-basedperformstheworst
becauseofitspoorresponsiveness.Incomparison,thespectrumsensing-basedclassi-
offersbetterperformancewhensnifdatatrafbutfailstomaintainitsaccuracy
whensnifaudio.Thisisbecausethespectrumsensing-basedistrainedof-
againstBroadcomdevices,anditfailstopredicttheadaptivehoppingoftheCSR
devicesusedintheaudiotest.Wealsoobservethatthehybridperformsbest
47
(a)Data.
(b)Audio.
Figure4.12:
Packetcapturerateinfastvaryingspectrumcontext.
Figure4.13:
Thegainofselectivejammingunderhiddeninterference.
amongthethreeInparticular,theFPandFNratesarelowerthan8%inboth
dataandaudiotests.Fig.4.12furthercomparesthepacketcapturerateswhenBlueEar
usesthethreetopredictadaptivehopping.Similarwiththeresultsshownin
Fig.4.11,thehybridisabletomaintainthebestpacketcapturerate,whichis
higherthan90%inbothdataandaudiotests.
4.5.4HiddenandExposedInterference
WenowevaluatethepacketcapturerateofBlueEarinthepresenceofhiddenandex-
posedinterference.Fig.4.13evaluatesthegainofselectivejamminginthepresenceof
hiddeninterference,whereanRFsignaldoesnotinterferewiththetarget,butcollidewith
48
(a)Data.
(b)Audio.
Figure4.14:
Packetcaptureratesincrowdedspectrumcharacterizedbythepercentageofbad
subchannelsatthetargetpiconet.
(a)Data.
(b)Audio.
Figure4.15:
Packetcaptureratesunderexposedinterferencecondition.
capturedpacketsatBlueEar.Theexperimentsareconductedinacontrolledsettingwhere
an802.11devicegenerateshiddeninterferencestartingfromthe100-thsecond.Whense-
lectivejammingisenabled,BlueEarisabletomaintainhighpacketcapturerates,despite
ashortperiodofperformancedropbeforethetargetpiconetreactstothegeneratedinter-
ference.Incomparison,whenselectivejammingisdisabled,BlueEarsufferssubstantial
performancedegradation,wherethepacketcapturerateisreducedtoabout60%from
higherthan95%.
WefurtherevaluateBlueEarinthepresenceofexposedinterference,whereanRF
signalinterferesthetarget,butistooweaktobemeasurableatthescout.Exposedin-
49
(a)Nobadsubchannels.
(b)25%badsubchannels.
(c)50%badsubchannels.
Figure4.16:
Subchannelaccuracyincrowdedspectrumcharacterizedbytheper-
centageofbadsubchannelsatthetargetpiconet.
terferenceresultsindisparitybetweenthespectrumcontextsatBlueEarand
thetarget.Weconductexperimentsinacontrolledsettingwherean802.11deviceisde-
ployedtogenerateexposedinterference.Duringourexperiment,the802.11devicekeeps
active,andinterfereswith20of79subchannelsofthetargetpiconet.Fig.4.14compares
thesubchannelaccuracyofthehybrid,thepacket-based,andthespectrum
sensing-basedDifferentfromwhatweobservedinFig.4.11,thespectrum
sensing-basedsuffershighFPinbothtests.Thisisbecausespectrumsensing-
basedreliesontheinterferencemeasurementsofthescouttoidentifybadsub-
channels,whichworkspoorlywhentheinterferencesignalcannotbedetectedbythe
scout.Incomparison,hybridandpacket-basedareabletomaintainextremely
lowFPandFNratesandhighpacketsnifperformance,asshowninFig.4.15.
50
(a)Data.
(b)Audio.
Figure4.17:
Subchannelaccuracyunderexposedinterferencecondition.
(a)Differentbuildinglocations
(b)Differentdistances.
Figure4.18:
Packetcaptureratesundertheambientinterference:(a)differentlocationsinan
ofbuilding(interferenceofalarge-scale802.11-basedWLANs);(b)differentdistances.
4.5.5CrowdedSpectrum
Wethenevaluatetherateofthehybridinspectrumcontexts
withdifferentlevelsofcrowdedness.TheFPs,FNs,andoverallratesare
showninFig.4.16.Weobservethatthehybridmaintainshighaccuracydespite
theincreasinglycrowdedspectrum.Inparticular,when50%ofsubchannelsarebad,the
overallrateisbelow8%inbothdataandaudiotests.Fig.4.17showsthe
packetcaptureratesmeasuredinthesameexperiment.Asshowninthee,BlueEar
capturesmorethan90%packetsinbothdataandaudiotests.
51
4.5.6AmbientInterference
WefurtherevaluatestheperformanceofBlueEarinanofbuildingundertheambient
interferencefromalarge-scale802.11-basedWLANs.Fig.4.18(a)showsthepacketcap-
tureratesmeasuredatfourrandomlyselectedlocations,whereBlueEarisdeployedat
10mawayfromthetargetpiconet.Inallofthefourlocations,thenumberofactive802.11
APsishigherthan20duringourexperiments.WecompareBlueEarwithanexisting
Ubertooth-basedsniffer[31]thathopsfollowingthebasicchannelofthetarget.Because
thebasichoppingsnifferisoblivioustotheadaptivehoppingbehavior,itsuffers50%
to25%packetmisses.Incomparison,BlueEarisabletomaintainapacketcapturerate
higherthan95%atallofthefourlocations.
Fig.4.18(b)evaluatesthepacketcapturerateatsiteDwhenBlueEarisdeployedat
differentdistancesfromthetarget.Thedisparityinspectrumcontextsisexpectedtoin-
creaseasBlueEarmovesawayfromthetarget.However,thankstothehigh-performance
subchannel,BlueEarisabletocapturemorethan85%packetsevenwhenitis
27mawayfromthetarget.
4.6ImplicationsofBlueEar
Inthissection,wediscusstheprivacyimplicationsofBlueEarindetail.
4.6.1ImplicationsonBluetoothLEPrivacy
AlthoughthecurrentprototypeofBlueEarisdevelopedforsnifclassicBluetooth,its
methodologyhasimplicationsontheprivacyofBluetoothLE.Inthefollowing,
weintroducethehoppingprotocolofBluetoothLE,andelaborateonthe
52
impactsofBlueEaronBluetoothLEprivacybreach.ThehoppingprotocolofBluetooth
LEaphysicalchannel,thathopsover37datasubchannelsintheopen2.4GHz
spectrumstartingfrom2.402to2.48GHz.Allsubchannelsareequallyspacedwith2
MHzofbandwidth.TheconnectionstateofBluetoothLEcanbecharacterizedasaset
ofconnectionevents.Duringtheinitializationofaconnection,themaster
(i)
connectionintervalŒamultipleof
1
.
25ms
rangingfrom
7
.
5ms
to
4
.
0s
thatthe
eventlifetime;
(ii)
transmissionwindowsizeŒamultipleof
1
.
25ms
thatthesize
oftransmitwindow,i.e.packetsize;and
(iii)
hopincrement
inc
Œarandomvalueranges
from5to16.Thebasicchannelhoppingischaracterizedby
K
(
c
,
inc
)
,where
K
(
.
)
isthe
hopselectionkernel,and
c
istheindexofcurrentsubchannel.Attheconnection
event,therstsubchannelistobezero[47],thechannelsequencerepeatsitself
wheneversubchannelzeroisvisited.SimilarwithBluetoothclassic,BluetoothLEadopts
adaptivehoppingmode,wherethebasicchannelistoadaptspectrumuseinthe
presenceofambientinterference.Theadaptivechannelisbyasubchannelmap
thatthedatasubchannelsintogoodandbad.Ifthebasickernel
K
(
c
,
inc
)
selects
abadsubchannel,aremappingprocedureisinvokedtocalculatea
remappedsubchannel
index
.Themastermaintainsthesubchannelmapanditslave(s)aboutanyupdates
[47].
ThehoppingprotocolofBluetoothLEisdifferentfromthatofBluetoothClassicin
twoaspects.First,basicchannelsequenceofBluetoothLEischaracterizedbyarandom
valueofthehopincrement
inc
.Incontrast,basicchannelsequenceofBluetoothClassic
ischaracterizedbythepiconetaddress.TheseconddifferencebetweenBluetoothLEand
BluetoothClassicishoppingphase,whichisnotinBluetoothLEhoppingpro-
tocol.UnlikethebasicchannelsequenceofBluetoothClassic,whichrepeatsitselfevery
53
about23hours,BluetoothLEbasicsequencerepeatsitselfwheneversubchannelzerois
visited.Duetopowerconstraints,thehoppingprotocolofBluetoothLEismuchsimpler
thanthatofBluetoothClassic,makingBluetoothLEbasicsequenceeasiertocompromise.
AsBluetoothLEbecomespervasive,theprivacyleakageofBluetoothLEdevicesis
becominganincreasingconcern.AlthoughBlueEarisdesignedforBluetoothClassic,it
hasimpactsontheprivacyleakageofBluetoothLEdevices,whichcallsfor
furtherresearchtofurtherinvestigateandenhancetheprivacyofBluetoothLE.Inpar-
ticular,thekeycomponentsofBlueEarsystem,includingsubchanneland
selectivejamming,areindependentofthehoppingprotocol.Thesetechniquescanbe
directlyportedtoBluetoothLEaswellasotheradaptivehoppingsystemswithoutmod-
Unfortunately,theclockacquisitioncomponent,thehopselectionsubsystem,
andthepacketdecoderofourprototypeareengineeredforBluetoothclassic,
whichmakethecurrentversionofBlueEarincompatiblewithBluetoothLE.
4.6.2ImpactsonPrivacyBreach
PreviousresearchhasshownthepossibilitiesofcrackingBluetoothencryptionandcom-
promisinguserprivacy[55][56][13][38][37][40][11].Aprerequisiteoftheseattacksis
topassivelysniffBluetoothtrafExistingattacks[38][13]employprohibitivelyexpen-
sivecommoditysniffers,whichlimitstheirwidespreaddistribution.TheBlueEarsystem
wedemonstratedinthispapermayunleashsuchattacks,makingthemarealissuefor
off-the-shelfBluetoothdevices.
TofurtherunderstandtheimpactsofBlueEaronprivacyleakage,weconductthe
followingtwoexperiments.
54
(a)Standard.
(b)Countermeasure.
Figure4.19:
Seriousnessofprivacyleakageevaluated:(a)standard;and(b)countermeasure.
4.6.2.1EavesdroppingonDataTraf
WestudytheimpactsofBlueEarwhensuccessfullyeavesdroppingonaBluetoothdata
link.Toquantifysuchprivacyleakage,weadoptthe
seriousnessofprivacyleakage
model.
Themodel,whichisproposedby[9],states,
S
(
P
,
L
)=

i
.
p
i
.
l
i
(4.2)
where
p
i
2
P
=
f
p
0
,
p
1
,..,
n
g
isa
privacyunit
,
w
i
istheweightof
p
i
,and
l
i
2
L
=
f
0
,
1
g
,
l
i
=
1
when
p
i
isleaked,and0otherwise.Asdatapacketcarriespotentialsensitive
information,ratherthanotherpackets,wethecomponentsofprivacyunitbased
ondatapacketsandassigntheirweightsas:datapacket(weight=95%),andothertypes
ofpackets(weight=5%).
Fig.4.19(a)seriousnessofprivacyleakage,where
S
iscalculatedevery2
secondsbasedonnumberofpacketscapturedbyBlueEar.Asshowninthee,the
seriousnessofprivacybasedsuccessfulsnifonBluetoothdatatrafisveryhigh,
wheretheaverageisabout90%.
55
(a)PSNR
(b)MOS
Figure4.20:
AudioqualityobservedbyBlueEar(withoutcountermeasure).
4.6.2.2EavesdroppingonAudioTraf
WestudyimpactsofBlueEarwheneavesdroppingonaudiotraflikeeavesdropping
onaspeechconversation,whichisknowntobechallengingbecauseaudiostreamsare
extremelysensitivetopacketloss.Theexperimentproceedsasfollows.
(i)
Wegenerate
audiotrafoveraBluetoothlinkanddeployedBlueEartosniffontraf
(ii)
asBlueEar
collectsreal-timetrace,itreportspacketlossratesevery2secondsandlogslocationsof
missingpackets;and
(iii)
wesimulatetheaudiopacketstreamonaPCandreplayedeach
missingpacketswithit'sprecedingone.
Wequantifythequalityofthesimulatedaudiostream,whichshouldbeequivalentto
thequalityoftheeavesdroppedaudio,basedonpeaksignaltonoiseratio(PSNR)and
meanopinionscores(MOS).Toobtainthelater,wemapPSNRvaluesintoMOS,which
iscategorizedasvoicequalitiesincluding,excellent,good,fair,poor,andbadas
proposedin[32].Fig.4.20(a)evaluatesaudioqualitybasedonPSNR,thatiscalculated
every2seconds,andMOS.WeobservethatBlueEarmaintainshighaudioquality,where
averagePSNRis35andMOSscoresarehigherthanfairin81%ofthetime.
56
(a)PSNR
(b)MOS
Figure4.21:
Audioqualityasthetargetimplementscountermeasure.
4.6.3PracticalCountermeasure
Tocounteractsnifsystems,likeBlueEar,weproposeapracticalcountermeasureap-
proach.Weimplementtheproposedcountermeasureasauser-spacescriptonBluetooth
masteranditrequiresnotoexistingslaves.Thekeyideaoftheapproachis
tofrequentlystatusofrandomlyselectedsubchannels(goodbecomesbad,andvice
versa).Suchrandominterferesthesubchannel,makingithardforthe
sniffertolearntheadaptivehoppingsequence.Thus,thesnifferexperiencespoordata
quality.Toevaluatetheeffectivenessofthecountermeasure,werunthefollowingexper-
iment.Thecountermeasurerandomlyselects
n
-
20
subchannelstobewhere
n
isthetotalnumberofgoodsubchannels;thiscomplieswiththeFCCrule,thatrequiresat
least20subchannelstobeusedbyBluetooth.Wewroteauser-spacescriptthatupdates
thesubchannelmapisevery200
ms
.ThescriptinteractswithBlueZŒtheopensource
Bluetoothstack.WedeployBlueEartoeavesdroponadataandaudiotrafasinsection
4.6.2.
Fig.4.22showsdropinpacketcaptureratesduetothecountermeasure.
Fig.4.21(a)evaluatesPSNR,wheretheaveragedropsto15.FurtherMOSscoresdropto
57
Figure4.22:
BlueEarpktcapturerates:standardandcountermeasure.
poorin95%ofthetime,asshowninFig.4.21(b).Thisthatthesnifferexperience
pooraudioqualityduetohighpacketlossrate,whichismainlycausedbythecoun-
termeasure.Similarly,Fig.4.19(b)evaluatesseriousnessofeavesdroppeddatapackets,
whereaverageseriousnessdropsto40%in95%ofthetime.
4.7SummaryofChapter
ThischapterpresentsBlueEar,theBluetoothpacketsnifferthatonlyusesoff-the-
shelf,Bluetooth-compliantradios.BlueEarfeaturesadual-radioarchitecture,wheretwo
radiosarecoordinatedbyasuiteofnovelalgorithmstoeavesdroponanindiscoverable
Bluetoothdevice,relievingtheneedofexpensivespecializedradiosadoptedbycommod-
itysniffers.ExtensiveexperimentsshowthatBlueEarcanmaintainahighpacketcapture
ratehigherthan90%indynamicsettings.WediscusstheprivacyimplicationsofBlueEar,
andproposeapracticalcountermeasurethatcanreducethepacketcapturerateofthe
snifferto20%.
58
Chapter5
BlueFunnel:EnablingLow-Power,
WidebandSnifofBluetoothTraf
5.1Introduction
ExistingBluetoothtrafsnifferscanbedividedintotwocategories,whichsufferdiffer-
enttechnicallimitations.TraditionalwidebandsniffersmonitorallBluetoothsubchan-
nelsinparallelbysamplingtheentire2.4GHzbandusingahigh-speedADC,which
isextremelypower-hungryandexpensive.Low-powersniffersusecheap,Bluetooth-
compliantradiostohopfollowingthetarget,whichhoweverrequiresknowingthepseudo-
randomhoppingsequence.TheBlueEarsystemweintroducedinchapter4canpassively
crackthehoppingsequence,butreliesonalongtrainingprocessthatrequiresseconds
oftrafmonitoring.Unfortunately,exceptforafewapplicationslikeaudiostreaming,
Bluetoothtrafaretypicallyshort-livedinnature.Forexample,duringmobilepay-
ments,low-dutycycledsensing,devicepairingandkeyestablishment,onetrafsession
containsonlyacoupletotensofpacketslastingatmosttensofmilliseconds,whicheffec-
tivelypreventsasnifferfromlearningthehoppingsequence.
Inthischapter,wepresentBlueFunnelŒalow-powerwidebandsnifferthataddresses
thelimitationsofpriorsystems.Unliketraditionalwidebandsniffers,BlueFunnelenables
59
parallelmonitoringofBluetoothsubchannelswithoutusingahigh-speedADC.Unlike
priorlow-powersniffers,BlueFunnelcandecodeBluetoothpacketswithoutknowingthe
hoppingsequenceofthetarget.ThetechnicalapproachofBlueFunnelisto
subsam-
ple
thewidebandspectrumusingalow-speedADC,andthendecodeBluetoothsignals
usingnovelsignalprocessingalgorithms.Byachievingthis,BlueFunnelisofgreatim-
portancetounderstandinganddiagnosingBluetoothnetworksandapplicationsinthe
wild.Inaddition,byenablingpracticalsnifofthepairingandkeyestablishmentpro-
cess,BlueFunnelhasimportantimplicationstothesecurityandprivacyofawiderange
ofBluetoothapplications.
WeimplementaprototypeofBlueFunnelbasedonUSRPplatform[41].Becausecom-
modityUSRPsdonotsupportsub-sampling,weemulatesub-samplingbyusingthe
high-speedADCofUSRPtosamplethe2.4GHzbandatfullspeed,andthendown-
samplethesignalsatalowratebeforedecodingusingBlueFunnel.Thesignalprocessing
ofBlueFunnelisimplementedasasoftwaredeployedonahostoftheUSRP.
Weevaluatethesystemperformancebasedonpacketcaptureratesinavarietyof
settings.OurgoalistounderstandtheperformanceofBlueFunnelinrealwirelessenvi-
ronmentsinthepresenceofambientinterferenceonthesystemperformance,whichmay
pollutethesub-sampledsignal.ExperimentresultsshowthatBlueFunnelcanmaintain
goodlevelsofpacketcaptureratesinallsettings.
WefurtherexplorethesecurityandprivacyimplicationsofBlueFunnelbystudying
twoeavesdropping-basedattacks.Intheattack,wedeployBlueFunneltosniffonthe
pairingphaseofaBluetoothLowEnergylink,andshowsthatBlueFunnelsuccessfully
revealsEDIV,SKDm,andIVmthatareusedtoestablishtheShortTermkey(STK).Inthe
secondattack,weutilizeBlueFunneltosniffonBluetoothmousetrafOurexperiment
60
showsthatBlueFunnelcanrevealthemousecoordinateswithhighaccuracy.
Therestofthischapterisorganizedasfollows.Section5.2providesanoverviewfor
BlueFunnelsniffer,andsystemarchitecture.Insection5.3,weintroducethedesigndetails
ofBlueFunnelsystem.WepresentimplementationdetailsofaprototypeofBlueFunnel
insection5.4.Section5.5evaluatesthesystemperformance.Insection5.6,wediscuss
possibleattackscenariosbasedonBlueFunnelpacketsniffer.Section5.7concludesthe
chapter.
5.2BlueFunnelDesign
5.2.1ObjectivesandChallenges
Weintroduce
BlueFunnel
Œalow-power,widebandBluetoothtrafsnifferthatleverages
off-the-shelfdevicestocaptureBluetoothpacketsinthewild.Designedasa
passive
traf
sniffer,BlueFunnelemploysasimpleRFcircuitalongwithasuitofnoveldigitalsignal
processingalgorithmstodemodulateBluetoothsignalwithouttheneedofpairingor
explicitcoordinationwiththetargetBluetoothnetwork.Toachievethesegoals,wetackle
thefollowingchallenges.
(
i)
Widebandspectrumsampling.
Bluetoothoperatesinthefree2.4GHzbandandde-
severalsubchannelsthatspreadover80MHzofthespectrum.Therefore,
asnifferwouldneedawidebandradiotomonitortheentirespectrumandcap-
tureallBluetoothpacketsinrealtime.However,thiswidebandradiosolutionis
challengingbecauseitrequiresahigh-speed(abouttwicethespectrum,according
toNyquist-Shannonrate)analog-to-digital-converters(ADCs)tocaptureBluetooth
61
signal.TheseADCsarecostly,powerhungry,andrequirehighcomputationalpower
systemtosupportsuchhighsamplerate.
(
ii)
Pseudo-randomfrequencyhopping.
AsBluetoothoccupiesonesubchannel,thatis1-2
MHz,atatimefordataexchange,asniffercouldemployalow-power,off-the-shelf
Bluetooth-compliantradiotocapturedatapackets.Atthebaseband,however,Blue-
toothadoptsfrequencyhoppingspreadspectrum,whichisachallengeforthiskind
ofsniffers.Thatis,frequencyhoppingsequenceisknowntolegitimateBluetoothde-
vicesbutnototherparties.Therefore,asniffercanlistenonanarbitrarysubchannel,
andcapturepacketsthatarerandomlytransmittedonthatsubchannel.However,
thenumberofpacketscapturedinthiswayrepresentsatinyportionofthetraf
Moreover,Bluetoothsessionsmaylastforaveryshortperiodoftimeandinvolve
onlytensofpackets.
(
iii)
Interferenceinthecrowded2.4GHzband.
Whencoexistingwithotherwirelessde-
vicesinthecrawdad2.4GHzband,Bluetoothmayexperiencevariousinterference
conditions,includinghiddenandexposedinterference,from802.11-basedWLANs
andotherambientradios.Therefore,Bluetoothadoptsadaptivefrequencyscheme
toadaptspectrumutilizationandimproveperformance.Totacklethesechallenges,
asnifneedstolearnadaptivefrequencyhoppingbehavior,andprovidesome
mechanismtonulltheinterferenceinthecaseofcollisionwithBluetoothpacketsin
realtime.
62
Figure5.1:
BlueFunnelsystemarchitecture.
5.2.2Systemarchitecture
Totackletheabovechallenges,BlueFunnelleveragesalow-power,wideband,customized
softwareradio(SDR)platformtosubsampleBluetoothspectruminrealtime.The
SDRisinterfacedtoacontrollerwhichimplementsnovelsignalprocessingalgorithms
todetect,demodulate,andanalyzeBluetoothpacketsinrealtime.Fig.5.1illustratesthe
architectureofBlueFunnel.Inparticular,theworkingofBlueFunnelsystemcanbe
dividedintothefollowingsteps.
5.2.2.1Analoganddownconversion
TheSDRplatformincorporatestwomaincomponents,namelyawidebandRF-Front-end
circuit,andalowspeedADC.TheRF-front-endcircuitdownconvertsareceived2.4GHz
signaltoanintermediatefrequency(IF)thatrangesfrom0-80MHz,asdepictedinFig.
5.2.Further,itoutundesiredfrequencycomponentsthatareoutofthe2.4GHz
ranges.TheADCsubsamplesthereceivedsignalbasedon2Msamples/sec,whichisless
thanNyquist-Shannonrate(i.e.2

80MHz).Theresultingcomplexsamplesarethen
63
Figure5.2:
FrequencydownconversionofBluetoothsignal.
forwardedtothehostcomputeroveraserialbusorGigabitEthernetconnection.
5.2.2.2Packetdetectionanddemodulation.
Onthehostcomputer,thecontrollerprocessesareceiveddigitalsignalbasedonthefol-
lowingstages.
(
i)
Packetdetection.
Toreducecomplexityofsystemcomputationsandpowerconsump-
tion,BlueFunnelimplementsapacketdetector,thatthesystemonlywhena
newpacketisarrived.Thedetectorisbasedonmeasuringtheamplitudeofreceived
digitalsignalstoindicatepacketstransmissions.Inparticular,BlueFunnelmeasures
strongchangeintheamplitudeofreceivedsignal.Thisisbecauseasharpchangein
thesignalamplitudeishighlycorrelatedwithpacketstransmissions.Fig.5.3shows
arealtimereceivedsignal.
(
ii)
Clocksynchronization.
Designedasapassivetrafsniffer,BlueFunnelcannotcoor-
dinatewiththetransmitterforclocksynchronizationatruntime.Therefore,Blue-
Funnelimplementsaclocksynchronizationpackageinordertokeepsynchronized
withBluetoothsignal.Thetaskofthispackageistorecoversamplesfromareceived
signalwiththesamefrequencyandphaseasthoseusedbythetransmitter.This
isessentialtaskwhenBlueFunnelwantstoextractsymbolsfromanasynchronous
64
Figure5.3:
Bluetoothreal-timecomplexsignal.
digitalsignal.ItallowsBlueFunneltosynchronizesamplingtimeswithcentersof
onesandzerospresentinthesignal.
(
iii)
Bluetoothdemodulation.
AsBlueFunnelsubsamplesBluetoothspectrumbasedon2
Msamples/secADC,whichislessthantheNyquist-Shannonrate,aregularBlue-
toothdemodulatormaynobeabletodemodulateareceivedsignal.Therefore,Blue-
FunnelimplementsanovelalgorithmtodemodulateBluetoothsignalunderthese
circumstances.
5.3Design
Inthissection,wepresentthedesignofBlueFunnelsnifferindetails.
5.3.1BluetoothDemodulator
AsBluetoothadoptsthesymbolrateof1MSymbols/secatbaseband,BlueFunnellever-
agesonlyasimpleADCwithasamplingrateof2Msamples/sec,todemodulateBlue-
toothsignalswithoutthepainoflearningthetarget'sfrequencyhoppingoradoptionof
65
Figure5.4:
AnillustrativeexamplewherethecenterfrequencyofBluetoothtransmitterandBlue-
Funnelarematched.
ahighspeedADCs.Thislowsamplingrateenablesalowpower,lowcomputationcom-
plexity,andinexpensivesystem.Beforedivingintothedesigndetailsofthedemodulator,
weassumeherethatBluetoothsignalisreceivedwithnointerference.Inthefollowing,
wediscussdemodulatingBluetoothLowEnergy(BLE)signalsandthenconsiderthe
caseofdemodulatingBluetoothClassicsignals.
5.3.1.1DemodulatingBluetoothLEsignal
Tostartwith,BlueFunnellistensonaBluetoothLEsubchannel
a
,where
f
a
isthecenter
frequencyofthesubchannel.Therefore,BlueFunnelcandirectlydemodulatesaBluetooth
LEsignal
y
[
n
]
thatistransmittedon
f
a
,asillustratedinFig.5.4.
Nowweassumethat
y
[
n
]
istransmittedonsomeotherfrequency
f
b
,where
a
6
=
b
.In
thiscase,thereceived
y
[
n
]
experiencesafrequencyshift.Fig.5.5showsanillustrative
exampleofBluetoothLEsignalthatexperiencesaspectrumshift.Thefrequencyshift
canbeexpressedas

2
=
f
a
-
f
b
,whereweuse

2
todenoteashiftintheBluetoothLE
spectrum.Tounderstandtheeffectofthisfrequencyshiftonthereceivedtime-domain
signal
y
[
n
]
,weleveragethefrequency-shiftpropertyofFouriertransform,whichisa
66
Figure5.5:
AnillustrativeexamplewherethecenterfrequencyofBluetoothLEtransmitterand
BlueFunnelarenotmatched.
fundamentalmathematicaltoolrelatingfrequencyandtimedomains.Thepropertystates
thatashift

2
inthespectrumofasignal
y
[
n
]
correspondstomultiplicationofthesignal
y
[
n
]
byafactor
e
j
2ˇ
N

2
n
[26].Thisismathematicallyexpressedas,
F
-
1
f
X
(
f
-

2
)
g
=
y
[
n
]
e
j
2ˇ
N

2
n
(5.1)
where
N
=
2
Msamples/secisthesamplingrateof
y
[
n
]
,
n
=
0
,
1
,
2
,...,
N
isasample
index,and

2
MHzistheamountofshiftinthespectrum.Tocalculate

2
,weleverage
thefollowingobservation.Bluetooth[46]statesthatBluetoothLEadjacent
subchannelsarespacedwith2MHzofspectrum.,asubchannelfrequency
iscalculatedas
f
BLE
=
2402
+
2k
MHz,where
k
=
0
,
1
,
2
,...,
39
,asdepictedinFig.5.5.
Basedonthisobservation,weconcludethat

2
isbasicallyamultipleof
2k
MHz.Thatis,

2
=
f
a
-
f
b
=
m

2k
MHz,where
m
isaninteger.Hence,weanalyzetheexponential
terminEq.(5.1)asfollows,
e
j
2ˇ
2

10
6
(

2

10
6
)
n
=
e

2
n
(5.2)
67
ThiscanbefurtherbasedonEuler'sformula,whichrelatesthecomplex
exponentialfunctionandtrigonometricfunctions,asfollows,
e

2
n
=
cos
(

2
n
)+
jsin
(

2
n
)
(5.3)
Giventhat

2
=
m

2k
isalwaysaneveninteger,theimaginarycomponentcancels
because
sin
(

2
n
)=
0
,andtherealcomponentbecomes
cos
(

2
n
)=(-
1
)

2
n
=
1
,
accordingtothetrigonometricfunctionsfacts.Therefore,theexponentialterm
e
j
2ˇ
N

2
n
is,
infact,asequenceofones[30],andhence,ithasnoeffectonthereceivedBluetoothLE
signal
y
[
n
]
.Thesameargumentholdsfor
-

2
becausethecosineisanevenfunction,i.e.
cos
(-

2
n
)=
cos
(

2
n
)
.
Toconclude,BlueFunnelcandirectlydemodulatereceivedBluetoothLEsignalsre-
gardlessoftheirtransmissionsubchannels.Inpractice,BlueFunnellistensonthecenter
ofBluetoothLEspectrum,i.e.subchannel
39
or
40
,whichguaranteesthattransmitted
signalsonothersubchannelsareshiftedby

2
=
m

2k
MHz.
5.3.1.2DemodulatingBluetoothClassicsignals
SimilartothecaseofBluetoothLE,BlueFunnelinitiallylistensonsubchannel
a
,where
f
a
isthecenterfrequencyofthesubchannel,asshowninFig.5.4.Therefore,BlueFunnel
candirectlydemodulateBluetoothClassicsignals
y
[
n
]
thataretransmittedon
f
a
.
However,
y
[
n
]
couldbetransmittedonsomeothersubchannel
b
,where
f
a
6
=
f
b
,as
depictedinFig.5.6.Inthiscase,receivedsignal
y
[
n
]
experiencesspectrumshiftand
demodulating
y
[
n
]
ischallengingbecauseofthefollowing.UnlikethecaseofBluetooth
LE,BluetoothClassicsignal
y
[
n
]
couldbemultipliedbysomevaluesratherthanase-
68
Figure5.6:
AnillustrativeexamplewherethecenterfrequencyofBluetoothClassictransmitter
andBlueFunnelarenotmatched.
quenceofones.,BluetoothClassicsubchannelsarespacedwith1MHzof
spectrum[46],whereasubchannelfrequencyiscalculatedas
f
Classic
=
2402
+
k
MHz,
k
=
0
,
1
,
2
,...,
78
,asdepictedinFig.5.6.WedenoteashiftinBluetoothClassicspectrum
as

1
todistinguishfromthecaseofBluetoothLE.Therefore,thespectrumshiftcanbe
calculatedas

1
=
f
a
-
f
b
=
m

k
MHz,where
m
isaninteger.Wealsore-writeEuler's
formulaforBluetoothClassicasfollows,
e

1
n
=
cos
(

1
n
)+
jsin
(

1
n
)
(5.4)
Because

1
couldbeanevenoroddinteger,theproductof

1

n
couldbeanoddor
evenintegeraccordingly.Inanyway,theimaginarycomponentcancelsas
sin
(

1
n
)=
0
,
andtherealcomponent
cos
(

1
n
)=(-
1
)

1
n
=

1
.Thisholdsallthetimeaccordingto
thetrigonometricfunctionsfacts.
Nowweexaminethetwopossibilitiesoftherealcomponent.First,when

1
isan
eveninteger,
(

1

n
)
isalwaysaneveninteger.Thisleadsto
cos
(

1
n
)=
1
,meaning
thattheexponentialtermisbasicallyasequenceofones,andithasnoeffecton
y
[
n
]
.
Inthiscase,BlueFunnelcandirectlydemodulate
y
[
n
]
justlikethecaseofBluetoothLE.
69
Second,when

1
isanoddinteger,

1

n
isasequenceofeven,oddintegersas
n
=
0
,
1
,..,
N
.Thus,theexponentialtermisbasicallyasequenceof
f
+
1
,
-
1
,
+
1
,
-
1
,...
g
,which
multiplies
y
[
n
]
.Inthiscase,BlueFunnelcannotdirectlydemodulate
y
[
n
]
.Tonullthe
effectoftheexponentialterm,BlueFunnelsimplymultiplies
y
[
n
]
bythesamesequence
of
f
+
1
,
-
1
,
+
1
,
-
1
,...
g
.
However,thekeyquestionishowtoknowwhether

1
isanoddorevenintegerfora
givensignal
y
[
n
]
?Toanswerthisquestion,BlueFunnelreliesonsomefeaturesofBlue-
toothClassicpacketsandconductsomestatisticstoinfertheanswer.,aBlue-
toothClassicpacketstartswithanaccesscodefollowedbyapacketheader.Theheader
isprotectedby1/3FECerrorcorrectioncode.Giventhatthepacketheaderisastringof
18bits,theprotectedheaderisastringof54bits(i.e.
18

3
)[46].Soitiscommontosee
bitpatternsofthreeones,like'111',orthreezerosinarowwhendemodulatingpacket
header.Thesebitpatterns,whicharemandatoryintroducedbyFEC,isagoodindicator
thatareceivedsignal
y
[
n
]
doesnotsufferfromashift.
Toconclude,BlueFunnelinferswhether

1
isoddorevenbasedonthefollowingsteps.
(i)
Givenareceivedsignal
y
[
n
]
,BlueFunnelshiftsthesignalbasedonmultiplyingit's
symbolsby
f
+
1
,
-
1
,
+
1
,
-
1
g
(infact,processingheaderbitsisgoodenoughhere)toget
y
0
[
n
]
.
(ii)
BlueFunneldemodulatesheadersof
y
[
n
]
and
y
0
[
n
]
andlooksforbit
patterns,likethreezerosinarow'000',orthreeonesinarow,thatareintroducedby1/3
FECerrorcorrectioncode.And
(iii)
onceBlueFunneltheshiftedversionof
y
[
n
]
,
thatiseither
y
[
n
]
or
y
0
[
n
]
,itcandemodulatethereceivedsignal.
Moreover,theaccesscodeisastringof72bits,andisforagivenBluetooth
Classicpiconet.Thismeansallthepiconetpacketsstartwiththesameaccesscode.Blue-
Funnelleveragesthispropertyasfollows.BlueFunnelsavesaccesscodesandheaders
70
of
y
[
n
]
and
y
0
[
n
]
inadatabasetoidentifyshiftedsignalsinfuture.Thatis,BlueFunnel
comparesincomingsignalsagainstaccesscodesandheadersof
y
[
n
]
and
y
0
[
n
]
toidentify
shiftedversionoflaterreceivedsignals
y
[
n
]
.
Itisalsoworthtomentionthatthisalgorithmrequireslight-weightcomputations.
Thisisbecausetheprocessesofthisalgorithm,includingshiftingheaderofasignal,de-
modulation,comparingandsavingsignalheader,doesnotrequirecomputa-
tionsasthetotalnumberofbitsintheaccesscodeandpacketheaderis
72
+
54
=
126
.
5.4Implementation
Inthissection,wepresentimplementationofBlueFunnelprototypeindetails.
TobuildaprototypeforBlueFunnel,weopttouseoff-the-shelfUniversalSoftware
RadioPeripheral(USRP),namelyUSRP2[22],alongwithSBXdaughterboard[16],which
coversvarietyofbandsincludingthe2.4GHzISMband.Duetothehardwarelimi-
tationsimposedbyUSRP2/SBXincludingthelimitationofRF-front-end
bandwidth,wehavetousetwoUSRP2devicestoobservetheentireBluetoothspectrum.
Inparticular,thehighestpossiblebandwidthsupportedbyUSRP2/SBX
is50MHz.Therefore,webuiltacustomizedsoftwareradio(SDR)basedontwo
USRP2devicestoobserve100MHzofthefree2.4GHzspectrum,startingfrom2400MHz
upto2500MHz.EachUSRP2isequippedwithSBXdaughterboardandtwo2.4GHz3dBi
antennas.ThecustomizedSDRisshowninFig.5.7(a).
AnotherlimitationimposedbyUSRP2/SBXisthedifoftuning
theADCsamplingrate.However,thiscustomizedSDRprovidesBlueFunnelwiththe
highestpossiblesamplingrate,whichisabout100Msamples/sec.Tomimicalow-speed
71
(a)SoftwareRadio(SDR).
(b)Linux-BasedLenovoT530laptop.
Figure5.7:
AprototypeofBlueFunnelsniffer,wherewebuiltacustomizedSoftwareRa-
dio(SDR)platformbasedontwoUSRP2devicesasshownin(a).Thesoftwarecomponents,
includingpacketheaderdetectorandBluetoothsignaldemodulator,areimplementedonthe
Linux-basedLenovoT530laptopasshownin(b).TheUSRP2devicesaresynchronizedviaa
MIMO-CableandeachUSRP2isconnectedtothehost(Lenovolaptop)viaGigabitEthernetcable.
ADC,weimplementadigitaldownconverteronthehost,whichbasicallydecimatesthe
complexsamplesstreamandmakesthesamplerateas2MSymbols/ses.Baseonthis
simpletrick,thecustomizedSDRmeetstheBlueFunnelrequiredsamplingrate.
Forthepurposeofclocksynchronization,weutilizeaMIMO-Cable[42],whichacts
tosynchronizetheADCsonbothUSRP2devicestothesameclocktick.EachUSRP2is
interfacedtoaLinux-basedlaptopviaGigabitEthernetcable.WeeeachUSRP2
toprovidecomplexreal-timesamples,wheretheresolutionofacomplexsampleis16
bits;thatis,8bitsareassignedfortherealpartandtheother8bitsareassignedforthe
imaginarypart.ThecenterfrequencyoftheUSRP2issetto2420MHz,whilethe
centerfrequencyforthesecondUSRP2deviceissetto2460MHz.
Forthehostcomputer,weutilizesaLinux-basedLenovoT530laptop(ProcessorCorei7
2.4GHzthirdgeneration,RAM16GB,HarddriveSSD250GB)asshowninFig.5.7(b).
72
WeimplementthesoftwarecomponentsforBlueFunnel,includingpacketheaderdetec-
torandBluetoothsignaldemodulator,ontheLinux-basedlaptopwith530linesofC/C++
code.Forbettercomputationalefinreal-time,BlueFunnelcomponentsareimple-
mentedasthreats.BlueFunnelcomponentsareinterfacedtoUHD[21]Œthecelebrated
driverforUSRPhardwaredevices.Asthesoftwarecomponentsneedtointeractwiththe
UHDdriverinreal-time,weopttousesharedmemorytechniquetoprovideaninterface
forsuchhighspeed,real-timeinteraction.Inparticular,thesharedmemoryisusedto
passdatabetweenUHDandBlueFunnel.WewriteaC/C++,Linux-basedsharedmem-
orypackagethatsupportsinteractionbetweenBlueFunnelandUHDdriver.Accordingly,
wetheUHDdriversothatitsupportsthesharedmemoryinterfaced.
5.5SystemPerformance
Inthissection,weevaluateBlueFunnelperformance.
5.5.1ExperimentalMethodology
Thetestbedforourexperimentconsistsofthefollowing.
(i)
BluetoothClassictestbed,whichincludestwowirelessheadsets,37USBadapters,and
built-inBluetoothinterfacesinfourlaptops,eightsmartphones,andtablets.Wealso
employstwoLinux-BasedAsusnetbooks,towhichweconnectBluetoothUSBadapters
andestablishalink.
(ii)
ForBluetoothLowEnergy(BLE),weemploythefollowingdevicesaspiconetmaster:
nRF52840developmentkit(DK)[35],twoBluetoothdual-modeUSBadapters,andthree
smartphones,includingtwoMotoGandLGStylo3+.Forthepiconetslave,weutilizes
73
Figure5.8:
PacketcapturerateachievedbyBlueFunnelundervariousinterferenceconditionsin
acontrolledsetting.
BlueFruitLE[2],andBluetoothLEnRF51USBDongle[34].WealsoemployLinux-based
LenovoT530,Windows-basedLenovoT430,andtwoLinux-basedAsusnetbooks.These
laptopsareusedtoconnectandoperatetheaboveBluetoothLEdevices.
5.5.2Evaluation
WeevaluateBlueFunnelperformancebasedonpacketcapturerateinacontrolledenvi-
ronment.Wealsoevaluatethesystemperformancebasedonpacketcapturerateinaprac-
ticalenvironment,wherevariousinterferencepatternsintroducedbyenterprise802.11-
basedWLANsradios.Weopttoconductthisexperimentintheengineeringbuildingat
MichiganStateUniversity.
5.5.2.1PacketCaptureRateinControlledSettings
Inthisexperiment,weevaluatethesystemperformanceunderthefollowingconditions:
(i)
802.11-basedtrafinterfereswith50%ofBluetoothsubchannels;
(ii)
802.11-basedtraf-
interfereswith25%ofBluetoothsubchannels;and
(iii)
NoBluetoothsubchannelisin-
terferedby802.11-basedtrafTheexperimentsetupconsistsofthreeLinux-basedAsus
74
Figure5.9:
PacketcapturerateachievedbyBlueFunnelatdifferentfromthetarget.
netbooks,BluetoothClassicUSBadapterandMotoGsmartphone.Weutilizestwoofthe
netbookstogenerate802.11-basedtrafWewriteauser-spacescript,whichinteracts
withanopensource802.11Linuxdriver,namely.Thescriptesthe802.11WLAN
adapteronthenetbooktobeinmonitormodeandinjects802.11-basedpackets[52].
Fig.5.8evaluatessystemperformanceintermsofpacketcaptureratesunderthree
interferenceconditions.Asshowninthee,thesystemperformanceisthehighest
whennointerferenceisintroducedby802.11-basedWLANs.However,thepacketcap-
tureratesdegradedasthenumberofinterferedsubchannelisincreased.,the
systemexperiencetheworstperformancewhen50%ofBluetoothsubchannelsarein-
terferedby802.11-basedtrafThisduetopacketscollisions,i.e.between
802.11-basedpacketandBluetoothClassicpackets,ontheoverlappedsubchannels.
5.5.2.2PacketCaptureRateinPracticalEnvironment
Inthisexperiment,weevaluatethesystemperformanceinapracticalenvironment,which
anofbuilding.Inthissetting,differentinterferencepatternsareintroducedbyenter-
prise802.11-basedWLANsradios.Weevaluatepacketcapturerateas:
(i)
BlueFunnel
isplacedatdifferentdistancesfromthetarget;and
(ii)
BlueFunnelcapturesBluetooth
packetsatdifferentsitesinthebuilding.
75
Figure5.10:
PacketcapturerateachievedbyBlueFunnelatdifferentlocationsinofBuilding.
Fig.5.9comparesthesystemperformanceintermsofpacketcapturerates,where
BlueFunnelisplacedatdifferentdistancesfromthetargetBluetoothlink.Asshownin
thee,thesystempresentshighperformancewhenthetargetislessthan21meters
away.ThepacketcaptureratestartstodegradeasBlueFunnelmovesawayfromthe
target.Thismainlybecausesignalattenuation,whichdegradesthesignal-to-noise-ratio
(SNR)atBlueFunnelreceiver.
Fig.5.10comparesthesystemperformanceatdifferentsitesinthebuilding,where
differentinterferenceconditionsareexpected.Asshowninthee,thepacketcapture
ratesvaryfromonesitetoother.Thisisbecausethesystemexperiencesvariousinterfer-
enceconditions,thatismainlyintroducedby802.11-basedWLANs,atdifferentsitesof
thebuilding.
5.6AttackScenarios
Inthissection,weintroducetwoscenariosofpossibleattacksagainstBluetooth.Asproof
oftheconcept,weimplementtheseattacksbasedonBlueFunneltrafsniffer.Aswedis-
cussedinchapter3,thereareseveralcryptanalysisattacksagainstBluetoothencryption,
includingBluetoothClassicandBluetoothLE.Aprerequisiteforthesekindsofattacksis
aBluetoothtrafsniffer,suchasBlueFunnel.Asaproof-of-concept,wepresentinthis
76
Figure5.11:
BluetoothLEencryptionestablishmentparameters(markedwithred).
sectiontwoscenariostoshowthatasuccessfultrafsnifbasedonatrafsniffer
likeBlueFunnel,maycompromiseBluetoothprivacy.Inparticular,weimplementoneat-
tackagainstBluetoothClassic,whereBlueFunnelreveals
(
x
,
y
)
coordinatesoutofcapture
packets.WealsoimplementanotherattackagainstaBluetoothLEtarget.Inthiscase,
BlueFunnellistensonthepairingphaseofBluetoothLEandrevealssensitiveparameters
thatareusedtogeneratelinkencryptionkey.
5.6.1SnifonPairingPhaseofBluetoothLE
TheimportanceofsnifonBluetoothLEpairingphaseisofincreasinginterestbe-
causeofthefollowing.First,BlueoothLEengineersandapplicationsdevelopersneed
toexamineBluetoothLElinkestablishment,andhence,monitoringtheseearlystagesof
handshakingincludingpairingphase,isimportant.Second,thepairingphaseinvolves
theexchangeofsensitiveparametersbetweenBluetoothLEpiconetparticipantsinearly
stagesoflinkestablishment.Theseparameters,includingencryptionkeys,frequency
77
hoppingparameters,areifprivacyconcernwithrespecttoBluetoothLEusers.However,
thepairingphaseisashort-livedsessionthatmayinvolveafewtensofBluetoothLE
packets.Inthisexperiments,wedeployBlueFunneltoeavesdroponpairingphaseofa
BluetoothLElink.WeshowthatBlueFunnelcansuccessfullysnifonBluetoothLE
paringandrevealShortTermsKey(STK),whichandbeusedbyanattackertodetermine
LTKoftheBluetoothLEvictim.Inparticular,atthepairingphase,BluetoothLEshares
somerandomseedsthatareusedtogenerateSTK[46].Asproof-of-conceptapplication,
weleverageourdesigntoshowthatBlueFunnelcanrevealSTKseeds,whichpavesthe
waytocompromiseBluetoothLEprivacy.
Theexperimentalsetup.
ThetestbedsetupofthisexperimentconsistsofnRF52board[35],
thatplaystheroleofBluetoothLEmaster,andLGStylo3+smartphone(BluetoothLE
slave).WedeployBlueFunnelsystemtosniffonpairingphaseofBluetoothLE.Werun
thisexperimentasfollows.First,werunBlueFunneltosniffonBluetoothLEtraf
Second,weestablishedBluetoothLElinkbetweenLGStylo3+smartphoneandthenRF52
board.
AsshowninFig.5.11,BlueFunnelrevealssensitivelinkparameters,includingEDIV,
SKDm,andIVm.TheseparametersareusedasseedsbyBluetoothLEpiconetparticipant
toestablishSTK,whichcanbeusedbyanattackertoreveallongtermencryptionkey[36]
[3].
5.6.2SnifonBluetoothMouseTraf
Arecentresearch[39]reportedthatmousemovementdataleakageisextremelyprivacy
sensitiveandmayleadtorevealsensitivedatalikeuserspasswords.Inthisscenarioof
attack,wetargetBluetoothClassiclink.Thatis,asproof-of-concept,weutilizesBlueFun-
78
Figure5.12:
MousecoordinatesobtainedfromcapturedBluetoothpackets.
neltosniffonBluetoothmousetrafandrevealthemousecoordinates.Weopttoes-
tablishunencryptedBluetoothClassiclinkwiththemousetofacilitateextractionofdata
frompacketpayload.Although,thecryptanalysisofBluetoothClassiccipherisstud-
ied[55][56]intheliterature,implementingcryptanalysisattackagainstcapturedpackets
isbeyondthescopeofthisthesis.
Theexperimentsetup.
ThesetupofthisexperimentconsistsofanHPBluetoothMouse
X4000BthatispairedwithaLinux-basedNotebook.TheNotebookisequippedwith
aUSBBluetoothadapter.Tocollectgroundtruthcoordinatesofthemousepointer,we
wroteapython-basedscript,thatrunsinLinuxuser-space,toreportthemousecoordi-
nates,i.e.
(
x
,
y
)
pairs,inreal-time.Finally,wedeployBlueFunneltosniffonBluetooth
trafThemousegeneratestrafastheusermovesthemousepointer.
Fig.5.12showstherevealed
(
x
,
y
)
coordinatesoutofcapturedpackets.Thee
comparesthecapturedcoordinatesbyBlueFunnelsniffer(inblue)againstgroundtruth
(
x
,
y
)
coordinates(inred),thatarecollectedontheLinux-basedlaptop.Theplotshows
thatthecollectedmousetraceexperiencesomeerrorpoints,whichdonotmatchwith
groundtruthtrace;thisisbecauseBlueFunnelmayexperiencesomebit-levelerrorsspe-
ciallywhendemodulatingBluetoothsignalinthepresenceofinterference.
79
5.7SummaryofChapter
Inthischapter,weintroduceBlueFunnelŒalow-power,widebandBluetoothtrafsniffer
thatmonitorsBluetoothspectruminrealtime.BlueFunnelfeaturesalow-powersoftware
radioarchitecture,whichintegratesalowspeedADC,andsuiteofnoveldigi-
talsignalprocessingalgorithms.WepresentaprototypeimplementationforBlueFunnel
systemthatisbasedonUSRP2devicesandSBXdaughterboard.Weevaluatethesys-
temperformanceinacontrolledandpracticalenvironment,tounderstandtheimpactsof
802.11-basedinterference.Theexperimentsshowthatthesystemsmaintainsgoodlevel
ofpacketcapturerates.Further,wediscusstwoscenariosofattacksbasedonawideband
trafsniffer,likeBlueFunnelsystem.ThescenarioconsiderssnifonBluetooth
LEpairingphase,whereBlueFunnelsuccessfullyrevealssensitivesecurityinformation
includinglinkencryptionprimitives.ThesecondscenarioemploysBlueFunneltoeaves-
dropondatatraftransmittedbyBluetoothmousetoapersonalcomputer,whereBlue-
Funnelsuccessfullyextractsthemousecoordinatesfromcapturedpackets.
80
Chapter6
ConclusionandFutureWork
ThisthesistacklesthechallengesofsnifBluetoothtrafincludingwidebandspread
spectrum,pseudo-randomfrequencyhoppingadoptedbyBluetoothatbaseband,and
theinterferenceintheopen2.4GHzband.,weintroducepracticalsystems
forsnifBluetoothtrafinthewild.Inthischapter,wesummarizethecontributions
ofthisthesis,andthenpresentfuturework.
6.1Contributions
Themaincontributionsofthisthesisaresummarizedasfollows.
(
i)
BlueEarSniffer
Wepresentthedesign,implementation,andevaluationof
BlueEar
Œ
thepracticalBluetoothtrafsnifferthatconsistsonlyofinexpensive,Bluetooth-
compliantradios.BlueEarfeaturesanoveldual-radioarchitecture,wheretworadios
ŒnamedasscoutandsnooperŒcoordinatewitheachotheronlearningthehopping
sequenceofindiscoverableBluetooth,predictingadaptivehoppingbehavior,and
handlingcomplexinterferenceconditions.WeimplementedaprototypeofBlueEar
forsnifthetrafofBluetoothClassic,whichoffersenhanceddataratesand
amorecomplexhoppingprotocolthanBluetoothLE.Theprototypeemploystwo
Ubertoothdevicestoimplementthescoutandthesnooper,andinterfacesthemto
81
acontrollerrunningonaLinuxlaptop.Extensiveexperimentsresultsshowthat
BlueEarcanmaintainapacketcaptureratehigherthan90%consistentlyinpractical
environments,wherethetargetBluetoothnetworkexhibitsdiversehoppingbehav-
iorsinthepresenceofinterferencefromcoexisting802.11basedWLANs.Further,
wediscussprivacyimplicationsofBlueEaronBluetoothsystemandproposeaprac-
ticalcountermeasureapproachthateffectivelyreducestheaveragepacketcapture
rateofasnifferto20%.
(
ii)
BlueFunnelSniffer
Weintroducethedesign,implementation,andevaluationof
Blue-
Funnel
Œalow-power,widebandtrafsnifferthatmonitorsBluetoothspectrumin
parallelandcapturespacketinrealtime.BlueFunnelleverageslowspeedADCto
subsampleBluetoothspectrumtoaddressthechallengeofhigh-speedADC.Inpar-
ticular,BlueFunnelconsistsoftwomaincomponents,including,
(i)
asoftwarede-
radio(SDR),thatintegratesawidebandradio,andalow-speedADC,which
subsamplesBluetoothspectrumbasedon2Msamples/sec,whichisbelowtheNyquist-
Shannonrate;and
(ii)
acontroller,thatimplementsdigitalsignalprocessingpack-
ages,whichareresponsiblefordetecting,demodulating,andanalyzingBluetooth
packetsinrealtime.WeimplementBlueFunnelprototypebasedonUSRP2devices.
,weemploytwoUSRR2devices,eachisequippedwithSBXdaughter-
board,tobuildacustomizedsoftwareradioplatform.ThecustomizedSDRplat-
formisinterfacedtothecontroller,whichimplementsthedigitalsignalprocessing
algorithmsonapersonallaptop.Weevaluatethesystemperformancebasedon
packetcaptureratesinvarietyofsettings.,weevaluatedthesystemina
controlledsetting,whereweintentionallyintroduce802.11-basedtrafasaform
82
ofinterferenceonoverlappedBluetoothsubchannels.WetestBlueFunnelwhen
thereisnointerference,25%and50%ofthesubchannelsareinterferedwith802.11-
basedtrafrespectively.Moreover,weevaluatethesysteminanofbuilding,
wheredynamicinterferenceconditionsareintroducedbyanenterprise802.11-based
WLAN.Inallsettings,BlueFunnelmaintainsgoodlevelsofpacketcapturerates.
Further,weintroducetwoscenariosofattacksagainstBluetooth,whereBlueFunnel
successfullyrevealssensitiveinformationaboutthetargetlink.
6.2Futurework,andConclusion
Inthissection,wepresentsomefutureworkforBlueFunnelsystem.Thisincludes,
(
i)
Interferencecancellation.
Inpracticalenvironment,BlueFunnelisexpectedtoexperi-
enceinterferenceintroducedbyambientradios,speciallytheprevalent802.11-based
WLANs.Therefore,thenextstepistoconnectasmallgroupofSDRsandsynchro-
nizedsuchdevicestoperformanceinterferencenullingandenabledemodulationof
Bluetoothsignalinthepresenceofinterference.
(
ii)
Aliasingandmultiplepacketreception.
AsBlueFunnelsubsamplesofthewideband
spreadspectrumintime-domain,itcausesaliasinginfrequencydomain.Therefore,
BluetoothpacketsfrommultiplepiconetscouldcollideatBlueFunnel'santenna.We
designanalgorithmtoresolvecollisionandenablemultipleBluetoothreceptionby
BlueFunnel.
(
iii)
Demodulatingenhancedataratepackets
.ToenhanceBlueFunnel,weplantointroduce
somealgorithmstodemodulateenhanceddataratespackets,whicharemodulated
83
basedonDifferentialPhase-shiftKeyingscheme.
84
BIBLIOGRAPHY
85
BIBLIOGRAPHY
[1]
Adafruit.Bluefruitlesniffer.
[2]
Adafruit.Bluefruitlesniffer.
https://www.adafruit.com/products/2269
.
[3]
M.Afaneh.Thebestbluetoothlowenergysnif-
fertutorial(connections).
https://www.novelbits.io/
best-bluetooth-low-energy-sniffer-tutorial-connections/
.
[4]
M.Afaneh.Fiveessentialtoolsforeverybluetoothlowenergydeveloper.Online:
goo.gl/C5sMK1.
[5]
Apple.Applecarplay.
[6]
A.Biryukov,D.Khovratovich,andI.Nikoli
´
c.Distinguisherandrelated-keyattack
onthefullaes-256.InS.Halevi,editor,
AdvancesinCryptology-CRYPTO2009
,pages
231Œ249,Berlin,Heidelberg,2009.SpringerBerlinHeidelberg.
[7]
A.Bogdanov,D.Khovratovich,andC.Rechberger.Bicliquecryptanalysisofthe
fullaes.In
Proceedingsofthe17thInternationalConferenceonTheTheoryandApplica-
tionofCryptologyandInformationSecurity
,ASIACRYPT'11,Berlin,Heidelberg,2011.
Springer.
[8]
M.Bon.Abasicintroductiontoblesecurity.
https://pomcor.com/2015/06/03/
has-bluetooth-become-secure/
,Accessed:Oct,2016.
[9]
N.Cheng,X.O.Wang,W.Cheng,P.Mohapatra,andA.Seneviratne.Characterizing
privacyleakageofpublicnetworksforusersontravel.In
2013ProceedingsIEEE
INFOCOM
,April2013.
[10]
A.Cidon,K.Nagaraj,S.Katti,andP.Viswanath.Flashback:Decoupledlightweight
wirelesscontrol.In
ProceedingsoftheACMSIGCOMM2012ConferenceonApplications,
Technologies,Architectures,andProtocolsforComputerCommunication
,SIGCOMM'12.
ACM,2012.
[11]
P.Cope,J.Campbell,andT.Hayajneh.Aninvestigationofbluetoothsecurityvul-
nerabilities.In
2017IEEE7thAnnualComputingandCommunicationWorkshopand
Conference(CCWC)
,pages1Œ7,Jan2017.
[12]
F.Corella.Hasbluetoothbecomesecure?
https://pomcor.com/2015/06/03/
has-bluetooth-become-secure/
,Accessed:Jun,2015.
86
[13]
A.K.Das,P.H.Pathak,C.-N.Chuah,andP.Mohapatra.Uncoveringprivacyleakage
inblenetworktrafofwearabletrackers.In
Proceedingsofthe17thInterna-
tionalWorkshoponMobileComputingSystemsandApplications
,HotMobile'16.ACM,
2016.
[14]
Ellisys.Ellisysprotocoltestsolutions.
https://www.ellisys.com/products/bex400
.
[15]
Ettus.Bluetoothtechnologywebsite.
https://www.bluetooth.com/
.
[16]
Ettus.Ettusresearch-sbx40.
https://www.ettus.com/product/details/SBX
.
[17]
S.Gollakota,F.Adib,D.Katabi,andS.Seshan.Clearingtherfsmog:Making802.11n
robusttocross-technologyinterference.In
ProceedingsoftheACMSIGCOMM2011
Conference
,SIGCOMM'11,NewYork,NY,USA,2011.ACM.
[18]
Google.Androidauto.
https://www.android.com/auto
.
[19]
J.Huang,W.Albazrqaoe,andG.Xing.Blueid:Apracticalsystemforbluetooth
deviceIn
IEEEINFOCOM2014-IEEEConferenceonComputerCommu-
nications
,pages2849Œ2857,April2014.
[20]
J.Huang,G.Xing,G.Zhou,andR.Zhou.Beyondco-existence:Exploiting
whitespaceforzigbeeperformanceassurance.In
NetworkProtocols(ICNP),18th
IEEEInternationalConferenceon
,Oct2010.
[21]
N.Instruments.Usrphardwaredriver.
https://www.ettus.com/sdr-software/
detail/usrp-hardware-driver
.
[22]
N.Instruments.Usrp2.
http://files.ettus.com/manual/page_usrp2.html
.
[23]
T.Instruments.Blesniffer.
http://processors.wiki.ti.com/index.php/BLE_
sniffer_guide
.
[24]
T.Instruments.Sniffereofcc2540.
https://e2e.ti.com/support/
wireless_connectivity/f/538/t/197748
.
[25]
T.Joachims.Makinglarge-scaleSVMlearningpractical.InB.Sch
¨
olkopf,C.Burges,
andA.Smola,editors,
AdvancesinKernelMethods-SupportVectorLearning
.MIT
Press,Cambridge,MA,1999.
[26]
B.P.Lathi.
ModernDigitalandAnalogCommunicationSystems
.OxfordUniversity
Press,Inc.,NewYork,NY,USA,2ndedition,1995.
[27]
T.LeCroy.Teledynelecroyinc.
http://teledynelecroy.com/frontline
.
87
[28]
C.-J.M.Liang,N.B.Priyantha,J.Liu,andA.Terzis.Survivinginterferencein
lowpowerzigbeenetworks.In
Proceedingsofthe8thACMConferenceonEmbedded
NetworkedSensorSystems
.ACM,2010.
[29]
Logitech.Logitechadvanced2.4ghztechnology.
[30]
R.G.Lyons.
UnderstandingDigitalSignalProcessing(SecondEdition)
.PrenticeHall
PTR,UpperSaddleRiver,NJ,USA,2004.
[31]
D.S.MichaelOssmannetal.Ubertooth.
[32]
A.N.Moldovan,I.Ghergulescu,andC.H.Muntean.Anovelmethodologyfor
mappingobjectivevideoqualitymetricstothesubjectivemosscale.In
Broadband
MultimediaSystemsandBroadcasting(BMSB),2014IEEEInternationalSymposiumon
,
June2014.
[33]
M.Moser.BustingthebluetoothmythŒgettingrawaccess.
[34]
Nordic.Blesniffer.
https://www.nordicsemi.com/eng/Products/
Bluetooth-low-energy/nRF-Sniffer
.
[35]
Nordic.nrf52previewdevelopmentkit.
https://www.nordicsemi.com/eng/
Products/Bluetooth-low-energy/nRF52-Preview-DK/(language)/eng-GB
.
[36]
J.Padgette,J.Bahr,andetal.Guidetobluetoothsecurity.
https://doi.org/10.
6028/NIST.SP.800-121r2
,2010.
[37]
J.Padgette,J.Bahr,andetal.Guidetobluetoothsecurity,2017.
[38]
X.Pan,Z.Ling,A.Pingley,W.Yu,N.Zhang,andX.Fu.Howprivacyleaksfrom
bluetoothmouse?In
Proceedingsofthe2012ACMConferenceonComputerandCom-
municationsSecurity
,CCS'12.ACM,2012.
[39]
X.Pan,Z.Ling,A.Pingley,W.Yu,N.Zhang,K.Ren,andX.Fu.Passwordextrac-
tionviareconstructedwirelessmousetrajectory.
IEEETransactionsonDependableand
SecureComputing
,13(4):461Œ473,July2016.
[40]
Y.QuandP.Chan.Assessingvulnerabilitiesinbluetoothlowenergy(ble)wireless
networkbasediotsystems.In
2016IEEE2ndInternationalConferenceonBigData
SecurityonCloud(BigDataSecurity),IEEEInternationalConferenceonHighPerformance
andSmartComputing(HPSC),andIEEEInternationalConferenceonIntelligentDataand
Security(IDS)
,pages42Œ48,April2016.
[41]
E.Research.Ettusresearch.
88
[42]
E.Research.Mimocable.
https://www.ettus.com/product/details/MIMO-CBL
.
[43]
E.Ronen,A.Shamir,A.O.Weingarten,andC.OFlynn.Iotgoesnuclear:Creating
azigbeechainreaction.In
2017IEEESymposiumonSecurityandPrivacy(SP)
,pages
195Œ212,May2017.
[44]
M.Ryan.Bluetooth:Withlowenergycomeslowsecurity.In
Proceedingsofthe7th
USENIXConferenceonOffensiveTechnologies
,WOOT'13.USENIXAssociation,2013.
[45]
K.Schramm,G.Leander,P.Felke,andC.Paar.Acollision-attackonaes.InM.Joye
andJ.-J.Quisquater,editors,
CryptographicHardwareandEmbeddedSystems-CHES
2004
,pages163Œ175,Berlin,Heidelberg,2004.SpringerBerlinHeidelberg.
[46]
B.SIG.Bluetoothcorev5.0.
https://www.bluetooth.org/
.
[47]
B.SIG.Bluetoothtechnology.
[48]
M.Song,S.Shetty,andD.Gopalpet.Coexistenceofieee802.11bandbluetooth:
Anintegratedperformanceanalysis.
MobileNetworksandApplications
,12(5):450Œ459,
Dec2007.
[49]
D.SpillandA.Bittau.Bluesniff:Evemeetsaliceandbluetooth.In
Proceedingsofthe
FirstUSENIXWorkshoponOffensiveTechnologies
,WOOT'07.USENIXAssociation,
2007.
[50]
D.SpillandM.Ossmann.Gr-bluetooth.
https://github.com/greatscottgadgets/
gr-bluetooth
.
[51]
Wikipedia.Frequency-shiftkeying(fsk).
https://en.wikipedia.org/wiki/
Frequency-shift_keying
.
[52]
L.Wireless.802.11wlandriver.
https://wireless.wiki.kernel.org/en/users/
drivers/ath9k
.
[53]
B.Yu,L.Yang,andC.C.Chong.Optimizeddifferentialgfskdemodulator.
IEEE
TransactionsonCommunications
,59(6):1497Œ1501,June2011.
[54]
Y.Yubo,Y.Panlong,L.Xiangyang,T.Yue,Z.Lan,andY.Lizhao.Zimo:Building
cross-technologymimotoharmonizezigbeesmogwithwithoutinterven-
tion.In
Proceedingsofthe19thAnnualInternationalConferenceonMobileComputingand
Networking
,MobiCom'13,NewYork,NY,USA,2013.ACM.
[55]
B.Zhang,C.Xu,andD.Feng.Realtimecryptanalysisofbluetoothencryptionwith
conditionmasking.InR.CanettiandJ.A.Garay,editors,
AdvancesinCryptologyŒ
CRYPTO2013
,Berlin,Heidelberg,2013.SpringerBerlinHeidelberg.
89
[56]
B.Zhang,C.Xu,andD.Feng.Practicalcryptanalysisofbluetoothencryptionwith
conditionmasking.In
JournalofCryptology
,Jul,2017.
[57]
T.Zhang,J.Lu,F.Hu,andQ.Hao.Bluetoothlowenergyforwearablesensor-based
healthcaresystems.In
2014IEEEHealthcareInnovationConference(HIC)
,pages251Œ
254,Oct2014.
90