Nordic Semiconductor APPROTECT Compromised

LimitedResults have published details of how they have been able to access what were previously presumed to be protected Nordic Semiconductor nRF52 devices. nRF52 devices are regularly used in beacons and other Bluetooth devices such as fitness trackers. This post summarises the vulnerability, looks LimitedResults claims, Nordic Semiconductor’s response and how that affects those using such devices.

Nordic nRF52 System on a Chip (SoC) devices are small Arm® Cortex™-M4 CPU computers running software. The software is flashed into the devices and authors usually apply what’s called APPROTECT to prevent the software from being read back and the debug port from being used for examining data. The software read back lock is to prevent the software being copied onto non-sanctioned devices or for decompilation to obtain algorithms that might be considered intellectual property (IP). Examining data via the debug port allows access to passwords or data that might be considered to be confidential.

LimitedResults have cleverly managed to disrupt the running of the SoC by removing some circuit capacitors and producing a very short pulse on the power line. This allows bypassing of the APPROTECT, subsequent use of the debug port to control code execution, extraction of the code and ultimately disabling the APPROTECT mechanism. LimitedResults say:

Due to its low-complexity, this attack on the nRF52840 can be reproduced on the field easily

Nordic Semiconductor responded today with an Informational Notice that describes the problem and concludes:

The nRF52-series of SoCs, like many standard microcontroller circuits, are not hardened against fault injection techniques

This puts the onus on companies using the nRF52 to only use it for non-critical uses where a security breach has negligible consequences OR to only use it where it’s known that physical access, required to perform such security breaches, is unlikely or impossible to occur.

What does this mean for users? This affects nRF52-based product owners in that binary code can’t now be considered safe from copying or examination. While this sounds concerning, anyone wishing to take advantage of the vulnerability needs a very high level of skill. Despite LimitedResults saying it can be “reproduced on the field easily”, the ‘easily’ part is contentious. Producing a power spike isn’t easy. Analysing extracted binary code and data also requires a high level of skill. We can’t think of any uses of the nRF52 where it would be worth the effort.

When it comes to the end users, there could be uses, particularly in healthcare, where a vulnerability might be a concern. For example, Nordic devices have been used in heart rate monitors. However, the vulnerability requires removal of components from the circuit board and physically attaching wires to the inside of such devices. With today’s surface mount based PCB designs, it’s difficult to do this in the lab let alone on a user’s device.

As with all security issues, you have to put possible attacks into perspective. The vulnerabilities are difficult to exploit and not worth the effort in most cases. The security of the nRF52 is suitable for the kind of data collection tasks for which it tends to be used.

It’s in security-critical areas such as healthcare and finance that such vulnerabilities need to be taken more seriously. As with some microcontrollers used in finance, extra physical (impossible to get to the circuit) and/or software (self-destruct) protections need to be put in place.

SweynTooth and Beacons

New vulnerabilities, called SweynTooth, have recently been found in Bluetooth LE. The problems aren’t in Bluetooth itself but in software development kits (SDKs) provided by some System on a Chip (SoC) manufacturers.

There are three types of problem that can be triggered by sending particular data to Bluetooth devices: crash, deadlock and security bypass. Only some manufacturer’s SDKs are affected and only some of their SoCs models.

Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor SDKs are affected. The main manufacturer used in beacons in beacons and gateways is Nordic so the majority of beacons are not affected. Nevertheless, there are a few beacon models that use Texas Instruments and Dialog Semiconductors SoCs. Of these, very few use the specific affected SoC models.

The only affected devices we stock are the ABKey01, TON9128, TON9118, TON9108 that use the Dialog DA14580 SoC. You should avoid using these in critical scenarios because they can be caused to crash or deadlock. No beacons are vulnerable to the security bypass vulnerability.

As with all security issues, you have to put the possible attacks into perspective. The vulnerabilities are difficult to exploit in practice and it’s usually much easier to steal a beacon or remove its battery to make it inoperable.

The vulnerabilities are of more concern for critical medical devices such as pacemakers and blood glucose monitors.

Tesla Model 3 is an iBeacon

There’s an article at The Parallax on how the Tesla Model 3 constantly sends out iBeacon advertising. This allows the Android/iOS app to see the car and consequently unlock and start the car without a key. Martin Herfurt, a security expert for Austria, claims this is a security and privacy vulnerability.

Tesla’s response has been:

“BLE tracking is something we’ve discussed internally, and we revisited this discussion after receiving your report. However, our current assessment is that randomizing BLE identifiers would not result in significant privacy gains due to the ubiquity of automated license plate readers”

What Tesla is saying is that there are other ways to track cars so they believe it’s not a issue.

The security researcher can detect cars up to 50m away and said…

“… the range can be easily extended with a directional antenna, possibly to reach up to a mile away”

We would like to know how to ‘easily’ get such a directional antenna as, to our knowledge, no such thing exists. 50m range advertising is just that and can’t be extended significantly by changing the receiver antenna.

However, the Tesla Model 3 being an iBeacon raises the question whether this is a significant privacy concern. Indeed, anything or anyone advertising Bluetooth can turn into a privacy concern. In the article, connected-car security researcher Tim Brom says it can be a concern if you’re a high-value target of any kind or worried about a stalker.

Even when id’s or randomized or cycled, as in the case of Eddystone EID, the mere presence of Bluetooth advertising can reveal the presence of something that needs to be concealed. For example, Wired recently wrote Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones.

The learning is that you shouldn’t blindly implement Bluetooth without considering the security implications and providing mitigations. In the case of Tesla, they could have had an option for security conscious users to turn off Bluetooth and instead use a key.

Bluetooth KNOB Attack is for Classic Bluetooth, not Bluetooth LE

There’s a Bluetooth security vulnerability story doing the rounds that, according to the security researchers:

…affects basically all devices that “speak Bluetooth”

This isn’t true. The vulnerability relates to Bluetooth BR/EDR, so called ‘Classic Bluetooth’, and not Bluetooth LE. It isn’t found in beacons or other devices communicating via Bluetooth LE. It also isn’t found in Bluetooth mesh.

Read about Beacons and the Bluetooth Mesh

Bettercap for Debugging Bluetooth LE

There’s a useful tool called bettercap that claims to be the “Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks”.

While you might want to use it to test Bluetooth LE security, a more interesting use is for debugging Bluetooth LE. If you are scanning for advertising or creating or using GATT, for example with a beacon, it’s sometimes useful to have a separate way of exercising Bluetooth LE.

Bettercap is written in Go and runs on GNU/Linux, BSD, Android, Apple macOS and the Microsoft Windows. However, a bug in Windows and macOS prevents the Bluetooth commands from working. Hence, it’s for Linux or Android only.

Better caps runs in the browser and you can create scripts.

Bluetooth MAC Randomization Can Be Defeated

The Register has an article Brilliant Boston boffins blow big borehole in Bluetooth’s ballyhooed barricades: MAC addy randomization broken.

Beneath the hyperbolic alliteration is some research (pdf) that Bluetooth MAC randomization isn’t foolproof. Researchers have found that similarities between the non-MAC information in advertising allows devices to be uniquely identified:

“What is perhaps even more concerning, say the Boston Uni trio, is the message Bluetooth vendors are putting out to the public when they advertise Bluetooth LE as being an untrackable standard.”

In actual fact, very few vendors do MAC randomization. The majority of beacon manufacturers don’t because the whole idea of a beacon is that it can be identified via MAC address or iBeacon id. For the same reason, most Bluetooth accessories don’t as they want to be identified via apps. Android smartphones don’t do MAC randomization but iOS and Windows 10 do to improve end-user privacy. It’s mainly iOS devices that will be moving around and possibly tracked in-store or on-site via the ‘vulnerability’ described in the paper.

Guide to Bluetooth Security

We occasionally get asked about the specifics of Bluetooth LE security. This is usually when a project has security requirements or needs to formally document things such as cryptography schemes and vulnerabilities.

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) has an informative Guide to Bluetooth Security (pdf) that provides information on the security features of Bluetooth, vulnerabilities, threats and extensive recommendations.

The following table provides an overview of Bluetooth LE compared ‘Classic’ Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) protocol:

Bluetooth LE 4.2 and later uses ECDH P-256 Elliptic Curve public key cryptography for protection against passive eavesdropping and man in the middle (MITM) during pairing.

While it’s good for projects to be aware of the underlying mechanisms and their limitations, we find that, in practice, security threats and weaknesses tend to be related more to how Bluetooth LE is used (by software) on a particular project rather than Bluetooth implementation itself.

Crowd Security with iBeacons

The UK Defence and Security Accelerator (DASA) held a competition to find ideas to reduce the threat of terrorists in public spaces. KSharp created CriB, Crowd Resilience through iBeacons, a system using iBeacons to allow people to report terrorist threats and receive security alerts through an app. This allows venues such as city centres, shopping centres and sports stadiums to improve safety and security. A video has recently become available:

Bluetooth Beacon Security

We sometimes get asked about Beacon security. Beacons use Bluetooth so the underlying security is that provided by Bluetooth 4.0. There’s a great new video by Ellisys, who create Bluetooth test equipment, that explains the threats and mitigations:

In the context of beacons, the mentioned perisistent bonding never happens. Pairing is temporary. Also, beacon manufacturers often layer additional security on top of Bluetooth in the form of pins or passwords required to set up the beacon.

As the underlying Bluetooth communication is relatively secure, the main beacon security issues tend to be related to spoofing (the possibility of beacons pretending to be yours). However, this is usually only pertinent in security sensitive scenarios such as payment. Contact us if you need more advice on beacon security.

Beacons and Physical Web Security Review

Renaud Lifchitz, a security consultant, has some great new slides on Security review of proximity technologies: beacons and physical web.

He mainly concludes that:

  • Beacons can easily be spoofed
  • Beacon passwords are often sent in plain text
  • Web Bluetooth might be used with XSS to allow hacked sites to access local devices via GATT

The spoofing issue is well known and is a necessary consequence of a broadcast, non-connectable, type mechanism. Fortunately, people mainly only use these things for nefarious purposes when there’s a profit motive. Spoofing beacons rarely benefits anyone.

The beacon passwords thing sometimes happens when beacons are set up using the manufacturer app. This is usually a one-off event, when the beacon is first set up, when the user is usually control who in their surroundings. Hence, it’s very unlikely other people will ‘sniff’ the beacon password.

For Web Bluetooth, GATT communications without a known password is benign. You can’t do much by just connecting to a beacon or Bluetooth device. You usually need a password to change or view security sensitive data.

While it’s good to know these things, it’s very unlikely any of these security observations will ever be a problem. Beacons don’t tend to be used in critical or valuable scenarios so the risk of things being subverted is low. There are much easier, more valuable and higher profile targets for hackers in the shape of servers, desktops, laptops and apps. Even if one of the mechanisms mentioned in the slides were used one day, the consequences, for most scenarios, would be minimal.