Thought Provoking Bluetooth Security
July 6, 2020
As mentioned in previous blogs, we have been evaluating a security product offered by Everykey that combines password management, device unlocking/locking and user authentication into a single hardware/software product.
Essentially, the product unlocks a device when the Everykey (a key fob) is in close proximity, and it manages passwords through software running in the background on that device, which communicates securely with servers operated by Everykey.
While the military-grade encryption assures the user that it is highly unlikely that their user IDs and passwords could be “hacked”, what about the Bluetooth connection that the Everykey uses to communicate with the device?
FYI, the traditional Bluetooth pairing methods (association models) are as follows:
· Just Works – The most common pairing method because it requires no display or keypad. Effectively, zero security.
· Passkey Entry – Requires confirming a six-digit value displayed on one device by entering it on the other device.
· Out Of Band (OOB) – Uses a communication channel outside of Bluetooth to pair. Examples include the Apple Watch and some NFC-enabled headphones.
Everykey opted to use Elliptic Curve Diffie-Hellman (ECDH) key exchange to make the connection more secure than any out-of-the-box option available through Bluetooth.
Diffie-Hellman was the first publicly used mechanism that let two devices that have never communicated before connect securely, by safely creating a shared key regardless of whether the communications channel itself is secure. Elliptic-curve mathematics was later added to Diffie-Hellman to make it stronger: the values generated are very hard to follow and therefore much more difficult to anticipate and decipher.
Everykey exchanges an AES-128 key between the two devices. Between the locked device and their servers they also use two layers of AES-256 and a layer of RSA-4096 encryption.
That solved the initial secure-connection challenge.
Everykey also needed the key fob to communicate with several devices at the same time. Traditionally, Bluetooth only lets you connect to one device at a time; in fact, while you are connected, no one else can connect to or communicate with that device.
Bluetooth communicates using two different kinds of packets:
· Advertising Packets – allow devices to broadcast information announcing their intentions.
· Data Packets – typically used to carry data.
Everykey has a unique, patented method that sends out Advertising Packets every second to communicate with multiple devices. The packet itself triggers a Device Unlock action on any device within range of the Everykey: if a device knows how to decrypt the packet, it unlocks itself.