BlueSWAT: A Lightweight State-Aware Security Framework for Bluetooth Low Energy

Xijia Che, Yi He, Xuewei Feng, Kun Sun, Ke Xu, Qi Li

TL;DR

BlueSWAT addresses BLE session-based attacks by introducing a state-aware security framework that performs session-level inspection through a finite-state machine and enforces protections with a lightweight eBPF-based patching system. It hooks into the Link Layer and Security Manager Protocol to extract runtime session states and translates attack patterns into malicious FSM transitions, stopping exploitation without interrupting legitimate sessions. On a dataset of 101 real-world BLE vulnerabilities, BlueSWAT mitigates 76.1% of session-based attacks and 96.4% of packet-based attacks, with an average memory overhead of 0.073% and negligible latency, outperforming stateless defenses like LBM. The approach enables cross-device patch deployment without firmware updates, using universal eBPF patches that run across heterogeneous architectures, and demonstrates practical viability on five devices with diverse stacks, significantly reducing the vulnerable window after vulnerability disclosure for resource-constrained IoT devices.

Abstract

Bluetooth Low Energy (BLE) is a short-range wireless communication technology for resource-constrained IoT devices. Unfortunately, BLE is vulnerable to session-based attacks, where previous packets construct exploitable conditions for subsequent packets to compromise connections. Defending against session-based attacks is challenging because each step in the attack sequence is legitimate when inspected individually. In this paper, we present BlueSWAT, a lightweight state-aware security framework for protecting BLE devices. To perform inspection on the session level rather than individual packets, BlueSWAT leverages a finite state machine (FSM) to monitor sequential actions of connections at runtime. Patterns of session-based attacks are modeled as malicious transition paths in the FSM. To overcome the heterogeneous IoT environment, we develop a lightweight eBPF framework to facilitate universal patch distribution across different BLE architectures and stacks, without requiring device reboot. We implement BlueSWAT on 5 real-world devices with different chips and stacks to demonstrate its cross-device adaptability. On our dataset with 101 real-world BLE vulnerabilities, BlueSWAT can mitigate 76.1% of session-based attacks, outperforming other defense frameworks. In our end-to-end application evaluation, BlueSWAT patches introduce an average of 0.073% memory overhead and negligible latency.
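The session-level inspection the abstract describes, applied to the KNOB pattern of Figure 1, as an added example and not the paper's own code: a Python model of a session FSM whose state names (S0 to S3), event names, field names and key-size policy are my assumptions, not BlueSWAT's actual FSM or its eBPF rules. It relies only on the BLE Security Manager Protocol fact that Pairing Request and Pairing Response each carry a Maximum Encryption Key Size field in the range 7 to 16 bytes and that the smaller of the two values is used; the event traces are constructed, not captured from a device.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional

# Policy threshold (my assumption): BLE SMP permits a Maximum Encryption Key
# Size of 7..16 bytes. KNOB drives the negotiated size to the low end, so the
# rule below refuses to let encryption start on a key shorter than this.
MIN_KEY_SIZE = 16


class State(Enum):
    S0_IDLE = auto()         # connected, no pairing in progress
    S1_PAIRING_REQ = auto()  # initiator's Pairing Request seen
    S2_NEGOTIATED = auto()   # responder's Pairing Response seen, key size fixed
    S3_ENCRYPTING = auto()   # LL encryption started with the negotiated key
    BLOCKED = auto()         # malicious transition path reached


@dataclass(frozen=True)
class Event:
    # kind is one of: "pairing_req", "pairing_rsp", "ll_enc_req", "disconnect"
    kind: str
    max_key_size: Optional[int] = None  # SMP Maximum Encryption Key Size field


@dataclass
class Session:
    state: State = State.S0_IDLE
    init_key_size: Optional[int] = None
    resp_key_size: Optional[int] = None

    def negotiated_key_size(self) -> Optional[int]:
        if self.init_key_size is None or self.resp_key_size is None:
            return None
        return min(self.init_key_size, self.resp_key_size)


def packet_is_valid(ev: Event) -> bool:
    """Stateless check: is this packet legal when inspected on its own?"""
    if ev.kind in ("pairing_req", "pairing_rsp"):
        return ev.max_key_size is not None and 7 <= ev.max_key_size <= 16
    return True


def step(session: Session, ev: Event) -> str:
    """Advance the session FSM by one event; return the verdict ALLOW or DROP."""
    if not packet_is_valid(ev):
        return "DROP"
    if ev.kind == "disconnect":
        session.state = State.S0_IDLE
        session.init_key_size = session.resp_key_size = None
        return "ALLOW"
    if session.state == State.S0_IDLE and ev.kind == "pairing_req":
        session.init_key_size = ev.max_key_size
        session.state = State.S1_PAIRING_REQ
        return "ALLOW"
    if session.state == State.S1_PAIRING_REQ and ev.kind == "pairing_rsp":
        session.resp_key_size = ev.max_key_size
        session.state = State.S2_NEGOTIATED
        return "ALLOW"
    if session.state == State.S2_NEGOTIATED and ev.kind == "ll_enc_req":
        # The modelled malicious path: a spec-legal short key size agreed in
        # S1 -> S2, followed by encryption start. S3 is the exploiting state.
        if session.negotiated_key_size() < MIN_KEY_SIZE:
            session.state = State.BLOCKED
            return "DROP"
        session.state = State.S3_ENCRYPTING
        return "ALLOW"
    if session.state == State.BLOCKED:
        return "DROP"
    # Events outside the modelled path (e.g. encryption resumed with a
    # previously bonded LTK) are left to other rules; state is unchanged.
    return "ALLOW"


def inspect(events: List[Event]) -> List[str]:
    """Run one session through the FSM and collect the per-event verdicts."""
    session = Session()
    return [step(session, ev) for ev in events]


# Constructed traces (not captured from a real device).
KNOB_TRACE = [Event("pairing_req", 7), Event("pairing_rsp", 16), Event("ll_enc_req")]
BENIGN_TRACE = [Event("pairing_req", 16), Event("pairing_rsp", 16), Event("ll_enc_req")]

if __name__ == "__main__":
    print("stateless verdicts, KNOB trace:", [packet_is_valid(e) for e in KNOB_TRACE])
    print("FSM verdicts, KNOB trace:      ", inspect(KNOB_TRACE))
    print("FSM verdicts, benign trace:    ", inspect(BENIGN_TRACE))
```

The trace makes the abstract's point concrete: the stateless checker accepts every packet of the KNOB trace, because a 7-byte key size is inside the range the specification allows, while the FSM drops the encryption start because the path S1, S2, S3 with a short negotiated key is the transition the rule models as malicious. A disconnect resets the session, so a later legitimate pairing on the same link is not affected by an earlier blocked one. A real deployment captures these events at the Link Layer and SMP hooks the paper describes; this model only consumes an event list.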

Paper Structure (44 sections, 11 figures, 7 tables)

This paper contains 44 sections, 11 figures, 7 tables.

Figures (11)

  • Figure 1: BLE KNOB attack (Antonioli et al., 2020) and FSM diagram. The pattern of the KNOB session is modeled as a malicious transition path in the FSM. S3 is the exploiting state.
  • Figure 2: Workflow of BlueSWAT. ❶: Vendors abstract attack patterns and model them as illegal transition paths in the FSM. ❷: Vendors compile transition rules into eBPF programs and distribute them to BLE devices. ❸: BlueSWAT captures session events and inspects FSM transitions at runtime.
  • Figure 3: BlueSWAT FSM.
  • Figure 4: BlueSWAT hooks in Mynewt NimBLE.
  • Figure 5: Number of eBPF instructions and dynamic memory (DRAM) consumption (bytes) of 10 different rules with JIT enabled.
  • ...and 6 more figures