Discussion on the safety of smart Bluetooth technology in cars

Publisher: sokaku | Latest update time: 2014-05-29 | Source: 盖世汽车网

    Bluetooth low energy technology is a low-cost, highly interoperable, short-range wireless technology that operates in the unlicensed 2.4 GHz ISM radio frequency band. Bluetooth low energy technology was formerly known as Bluetooth Smart technology. Because of these characteristics, various automobile manufacturers have announced plans to apply the technology to cars. Through Bluetooth low energy technology, users can open and close car doors and adjust windows, seats, rearview mirrors, lights and so on from buttons on their smartphone or from wireless control buttons in the car.

    Applying Bluetooth low energy technology to cars brings great convenience not only to users but also to car manufacturers. By using it, manufacturers can eliminate wired connections in the car during production, which avoids messy in-vehicle wiring, greatly reduces wiring complexity and lowers the weight of the whole vehicle. With such advantages, why not apply Bluetooth low energy technology to cars?

    However, there is currently a major problem with Bluetooth low energy technology: how safe is it to control electronic devices in the vehicle body through Bluetooth low energy technology?

    Luca De Ambroggi, chief analyst of automotive semiconductors at IHS Technology, said in an interview with EE Times that, due to the nature of wireless technology, every type of wireless technology has corresponding security issues. Luca De Ambroggi also said that Bluetooth low energy technology is much more secure than Wi-Fi (Wireless Fidelity) or LTE (Long Term Evolution). He speculated that the entire industry is currently working hard to fix the security vulnerabilities related to Bluetooth low energy technology, and said that this is a never-ending problem.

    Luca De Ambroggi's guess turned out to be correct. The Bluetooth Special Interest Group (SIG) is currently working to improve the device-level security of Bluetooth low energy technology. Joel Linsky, senior technical director of Qualcomm Technologies and chairman of the Bluetooth SIG Core Specification Working Group, said that the Bluetooth SIG is working on new features that give Bluetooth low energy technology industrial-grade security. Suke Jawanda, chief marketing officer of the Bluetooth SIG, said that the implementation date for the new Bluetooth low energy standard is still uncertain.


Bluetooth security risks

    Jimmy Pai, marketing manager of Cambridge Silicon Radio, a British company, said that various automakers and Tier 1 suppliers have expressed concerns about the security of Bluetooth low energy technology. A year ago, when CSR Technologies launched its Bluetooth low energy chip for controlling automotive body electronics, it said: "We, CSR Technologies, have been working with automakers to design this Bluetooth low-power chip for more than two years, and we can no longer wait for the Bluetooth Technology Alliance to come up with a new solution." CSR Technologies therefore developed a workaround to meet the needs of the time. "The technical improvements we launched this time are exclusive solutions of our CSR company, which comply with the relevant standards and specifications of the Bluetooth Technology Alliance."

    A common security question automakers and Tier 1 suppliers ask about Bluetooth low energy technology is: Can someone hijack the wireless connection to take control of the car?

    Mike Ryan, a security engineer at iSEC Partners, said that the "key exchange" process is the weakest link of Bluetooth low energy technology. In his technical white paper, Mike Ryan pointed out the eavesdropping vulnerability in Bluetooth low energy technology and demonstrated how data packets can be intercepted and reassembled into a connection data stream. He also demonstrated an attack on the key exchange protocol of Bluetooth low energy technology. The key exchange protocol exists so that encryption can prevent eavesdropping on the data.

    In an email exchange with EE Times, Mike Ryan summarized the conditions under which an attacker can hijack a user's vehicle through Bluetooth low energy technology: the key exchange protocol fails, the security of the user's device relies on the built-in security settings of Bluetooth low energy technology, and the attacker is able to observe the pairing process of the user's phone. Only then can the attacker hijack the vehicle. If the user has set the doors to be opened through Bluetooth low energy technology, the attacker will then be able to open the doors through it as well.

Key exchange protocol has vulnerabilities

    Mike Ryan believes that the key exchange protocol is the only weak link in Bluetooth low energy technology. In the email, Mike Ryan said: "The other technical protocols of Bluetooth low energy technology are designed very well and can meet daily needs. At the same time, different devices use different technical protocols. Therefore, some devices do have security issues. However, some devices do not use key exchange protocols or encryption protocols at all. Other devices do not use privacy protection technology properly, so this type of device is easily hacked."

    Mike Ryan also wrote in his technical white paper that Bluetooth low energy technology is characterized by the use of encryption protocols and an in-band key exchange protocol, rather than a mature key exchange protocol such as Elliptic Curve Diffie-Hellman (ECDH, a Diffie-Hellman key exchange algorithm based on ECC, Elliptic Curve Cryptosystems). The Elliptic Curve Diffie-Hellman key exchange protocol is a key exchange protocol invented and proposed by the Bluetooth Technology Alliance. The in-band key exchange protocol used by Bluetooth low energy technology has a fatal weakness: it destroys the privacy of Bluetooth sessions, exposing the session content to eavesdropping.

    The questions raised by Mike Ryan's team this time mainly focused on the key exchange protocol of the Bluetooth low energy technology and did not mention its encryption technology.

    Joel Linsky, senior technical director of Qualcomm Technologies, said that Mike Ryan's team was right to point out that the Bluetooth low energy key exchange protocol has no protection against eavesdropping. For the Bluetooth SIG, however, the main design goal of Bluetooth low energy technology was to work universally across different devices. Bluetooth SIG engineers could not be expected to design a flawless technology on the first day of development; that standard is too strict. "And the wireless technology industry is well aware of the shortcomings and potential attacks of this technology."

    According to the different application backgrounds of Bluetooth low energy technology, Joel Linsky said that it is completely feasible to increase the security level of Bluetooth low energy technology to "product application level security level", but not all wireless devices require device-level security level.


Native support for Diffie-Hellman key exchange protocol

    Joel Linsky also said that the Bluetooth SIG is currently developing a version of Bluetooth low energy technology that natively supports the Diffie-Hellman key exchange protocol, a standard algorithm launched by the National Institute of Standards and Technology of the United States. The standard algorithms launched by the National Institute of Standards and Technology also include the hashing functions key exchange protocol and the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol.

    Mike Ryan said that although ECDH will increase the cost of the central processing unit (CPU), increase power consumption and prolong the key exchange time of Bluetooth low energy technology, "but as long as it is used properly, the cost increase will be a one-time solution for users."

    In Joel Linsky's opinion, the biggest problem with introducing the ECDH key exchange protocol on Bluetooth low energy chips is the longer response time when the calculation is carried out on an industrial-grade 8051 microcontroller unit (MCU). "A Bluetooth low energy chip using the ECDH key exchange protocol takes several seconds just to complete the key exchange. If the time required for this process exceeds 1 second, the chip is judged to be too slow." In response, Joel Linsky said that chip calculation speed can simply be improved in line with Moore's Law. If the Bluetooth low energy chip uses a microcontroller unit such as an ARM Cortex-M0 or higher, the key exchange time can be reduced to 50-100 milliseconds. Joel Linsky also said that he is not very clear about what security measures CSR Technology has added to Bluetooth low energy technology.

    According to Jimmy Pai of CSR Technology, CSR Technology has proposed security measures such as "out-of-band pairing" and "AES-128 encryption algorithm" for Bluetooth low energy technology. Jimmy Pai believes that Bluetooth low energy technology is just a communication tool, and functions such as controlling the vehicle through the user's smartphone can be achieved through internal vehicle devices.

    It is said that the update of Bluetooth low energy technology security specification is already in the planning, and it will be released at the same time as the new specification of Bluetooth SIG at the earliest. However, for now, the Bluetooth SIG has not announced the specific release date of its new Bluetooth specification.
