BlueScream: Screaming Channels on Bluetooth Low Energy - Trustworthy systems: foundations and practices
Communication Dans Un Congrès Année : 2024

BlueScream: Screaming Channels on Bluetooth Low Energy

Pierre Ayoub
Romain Cayre
Aurélien Francillon

Résumé

In recent years, a class of wireless devices has been demonstrated to be vulnerable to a new side-channel attack called Screaming Channels. This attack exploits distant electromagnetic side channels up to a few meters, when a coupling occurs between the digital activity and the radio transceiver of a system. This can happen in mixed-signal chips, where both digital and analog parts reside on the same silicon die. Until now, the Screaming Channel attack has mainly been demonstrated using custom firmware used in laboratory conditions or simple protocols -- e.g., Google Eddystone. In this paper, we evaluate an end-to-end Screaming Channel attack on a real-world firmware running on an off-the-shelf and popular Bluetooth Low Energy stack. By doing a careful analysis of Bluetooth Low Energy to find how to make the victim device leak, our results show that an attacker can manipulate the protocol such that a Screaming Channel leak happens during a radio transmission. Finally, we conducted one successful full-key recovery attack against AES using instrumented firmware and a partial-key recovery using stock firmware.
Fichier principal
Vignette du fichier
bluescream.pdf (2.2 Mo) Télécharger le fichier
Origine Fichiers produits par l'(les) auteur(s)

Dates et versions

hal-04725668 , version 1 (10-10-2024)
hal-04725668 , version 2 (11-10-2024)

Identifiants

  • HAL Id : hal-04725668 , version 2

Citer

Pierre Ayoub, Romain Cayre, Aurélien Francillon, Clémentine Maurice. BlueScream: Screaming Channels on Bluetooth Low Energy. 40th Annual Computer Security Applications Conference (ACSAC '24), Dec 2024, Waikiki, Honolulu, Hawaii, United States. ⟨hal-04725668v2⟩
102 Consultations
15 Téléchargements

Partager

More