
Research Article
Who’s Accessing My Data? Application-Level Access Control for Bluetooth Low Energy
@INPROCEEDINGS{10.1007/978-3-030-90022-9_13,
  author={Pallavi Sivakumaran and Jorge Blasco},
  title={Who’s Accessing My Data? Application-Level Access Control for Bluetooth Low Energy},
  proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part II},
  proceedings_a={SECURECOMM PART 2},
  year={2021},
  month={11},
  keywords={Bluetooth low energy Application-level security Multi-application platforms GATT},
  doi={10.1007/978-3-030-90022-9_13}
}
- Pallavi Sivakumaran
- Jorge Blasco
Year: 2021
SECURECOMM PART 2
Springer
DOI: 10.1007/978-3-030-90022-9_13
Abstract
Bluetooth Low Energy (BLE) is a popular wireless technology deployed in billions of devices within the Internet-of-Things (IoT). The data on these devices is often related to user health or used to control safety-critical functionality, which makes it vital to protect the data from unauthorised access or manipulations. The only mechanism that is fully defined within the BLE specification for protecting sensitive data is pairing. This occurs at the device-level rather than at the application-level, and leaves BLE data vulnerable to unauthorised access at higher layers. When a BLE device interacts with a multi-application platform (i.e., a device that hosts more than one application, such as a mobile phone), when one application is able to access data from the BLE peer, all other applications on the same multi-application platform are also implicitly allowed the same access. The solutions suggested thus far for this vulnerability are either impractical for most users, not backward compatible with billions of existing devices, or do not suit normal BLE usage scenarios. In this paper, we conduct an analysis considering practical aspects regarding the BLE ecosystem, and thereafter propose a solution that will extend the available protection for BLE data to the application layer. Our solution ensures protection by default for BLE data, and is entirely backward compatible with existing BLE implementations, requiring no modification to resource-constrained BLE peripherals or companion applications. We also present an open-source proof-of-concept implemented on the Android-x86 platform. This, when tested against experimental and real-world devices and applications, demonstrates the viability and efficacy of our proposed solution.