BLEKeeper: Response Time Behavior Based Man-In-The-Middle Attack Detection

TL;DR

This paper introduces BLEKeeper, a system that detects man-in-the-middle attacks on Bluetooth Low Energy devices by analyzing response time patterns, which are highly regular and difficult for attackers to conceal.

Contribution

BLEKeeper is the first to leverage response time behavior for MITM attack detection in BLE devices, offering high accuracy and quick detection with a simple learning approach.

Findings

High regularity in BLE device response times enables reliable attack detection

BLEKeeper achieves accurate and rapid MITM attack identification

The system requires minimal computational resources and simple learning methods

Abstract

Bluetooth Low Energy (BLE) has become one of the most popular wireless communication protocols and is used in billions of smart devices. Despite several security features, the hardware and software limitations of these devices makes them vulnerable to man-in-the-middle (MITM) attacks. Due to the use of these devices in increasingly diverse and safety-critical applications, the capability to detect MITM attacks has become more critical. To address this challenge, we propose the use of the response time behavior of a BLE device observed in relation to select read and write operations and introduce an activeMITM attack detection system that identifies changes in response time. Our measurements on several BLE devices show that theirresponse time behavior exhibits very high regularity, making it a very reliable attack indicator that cannot be concealed by an attacker. Test results show that our system can very accurately and quickly detect MITM attacks while requiring a simple learning approach.