AppSec USA 2016 has ended
Thursday, October 13 • 3:30pm - 4:30pm
When encryption is not enough: Attacking Wearable - Mobile Application communication over BLE


Communication protocols have evolved from traditional serial and LAN ports to today's complex yet lightweight protocols, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. BLE is a popular protocol of choice for wearables, which are low-energy, low-performance computing systems. The BLE standard specification provides a variety of security mechanisms for channel encryption to protect data against snooping and man-in-the-middle style attacks.

In our presentation, we talk about the security assumptions made by popular mobile operating systems when they adopt the BLE specification and how this impacts their communication with wearable devices. We include vulnerability case studies to discuss how rogue mobile applications can use the same set of BLE encryption keys as the legitimate companion application and gain access to personal information or cause denial-of-service conditions on the wearables. We will discuss the insufficiencies of the protocols and the need for extra measures if the use cases demand confidentiality and integrity of data in transit.

We will present high-level flows to correctly design secure communication channels between a phone application and the wearable device.


Chandra Prakash Gopalaiah

Intel Corp
Chandra has worked in the software development and security domains for about 8 years in various roles. Prior to joining Intel, he worked for Motorola Mobility Inc. in Android development. He has a Master's degree in Computer Science from San Diego State University.

Sumanth Naropanth

Intel Corp
Sumanth has worked in the information security industry for a decade in a variety of roles, including incident response, feature development and security assurance. He worked for Sun Microsystems and Palm before his current job at Intel. He has a Master's in Computer Science (Security...

Kavya Racharla

Intel Corp
Kavya has a Master's in Information Security from Johns Hopkins University and a passion for security. She worked for Oracle and Qualcomm's security teams before she started her current job at Intel.

Thursday October 13, 2016 3:30pm - 4:30pm EDT
Grand North, Renaissance Washington, DC Downtown Hotel, 999 9th St NW, Washington, DC 20001