Cybersecurity is an increasingly hot topic, and the security of industrial systems is under the microscope. Websites such as SCADAhacker are tracking the growing number of attacks on industrial control systems, and the consequences can be significant.
These consequences can range from capturing the data from a router to accessing the rest of the network or even shutting down essential pieces of equipment. Gaining control of valves can shutdown vital operations and even risk industrial accidents.
One of the potential attack vectors is bluejacking, where a smartphone can access equipment via the Bluetooth link, and has evolved into bluesnarfing and bluebugging techniques to capture data running over the Bluetooth connection. There are even apps available to help bluejack a connection and monitor the data flowing. This can give access to the equipment and even to the rest of the network, leaving commercially sensitive data vulnerable to being altered or stolen.
Bluejacking has been around since 2003, with surprise messages and photos sent to unprotected phones in train carriages and buses, but it is an increasing challenge in industrial equipment as the Bluetooth Low Energy (BLE) protocol is adopted in more designs. Part of this challenge is the range of the Bluetooth connection, which can be up to 100m. This allows a hacker to sit outside a site and probe the equipment for vulnerable Bluetooth nodes to pair with.
One of the ways around this has been to add Near Field Communications (NFC) to handle the pairing, and this has been popular with older Bluetooth implementations. NFC is used for services such as London’s Oyster card to pay for transport, as well as Apple Pay and Android Pay that allows a customer to pay for their shopping or services by touching their phone to a terminal to set up a secure transfer of data.
NFC operates at a distance of a few millimetres, and this can be used to transfer the pairing data to connect a smartphone or laptop to equipment making it much easier to set up the link and more secure. While this works with some smartphones, other phones, industrial terminals and laptops may not have this capability and may need additional hardware. This also means having to design in additional NFC coils and controllers and additional software, adding to the cost and complexity of developing, testing and commissioning the equipment.
The new BLE specification provides opportunities to simplify the linking process and provide more security. BLE uses Simple Secure Pairing with a secret link key to correctly authenticate devices. However, in most cases the pairing process itself is carried out on the same exposed wireless medium and is therefore still vulnerable to interceptions and attacks.
So one Bluetooth module maker, Laird Technologies, tackled this problem with a unique approach of dramatically reducing the transmission power while pairing is in progress. This provides the same security of requiring a pairing terminal to be close to the equipment, but can reduce the complexity of the hardware and software in both the equipment and the terminal.
This Whisper Mode Pairing adds the extra level of trust that can be used to authenticate BLE devices and means that operators can be certain they are connecting to the correct, intended remote device by simply bringing them close together.
The Whisper mode pairing is achieved with a smartBASIC function called BleTxPwrWhilePairing() that can be called on startup to set the transmit power of all packets that are transmitted while pairing is in progress. Radial measurements have shown that setting the pairing transmit power to -55dB creates a ‘bubble’ with a radius of about 30 cm, and outside this bubble pairing will not succeed.
This should be decreased even further if the module is covered by the final product enclosures which affect the radio’s overall RF performance, but it is still far enough away to make connecting convenient, rather than having to direct contact for NFC. This also means that a wireless sensor can be integrated into the heart of the equipment and still have a secure connection.
Whisper Mode is used in Laird’s BL600 module that are designed for industrial applications and can be powered from a coin cell battery. The surface mount modules have an integrated antenna for easy inclusion into a design and use 128 bit AES encryption to keep the data link secure once paired.
A network is only as secure as its weakest link, and bluejacking has demonstrated over the years that the pairing of the Bluetooth link is a key vulnerability. Adding NFC helped to secure Bluetooth links but has disadvantages of range and additional cost and complexity. The innovative control of the power stage of a Bluetooth module with the Whisper Mode now gives system developers a way to effectively and easily secure a wireless sensor node in industrial equipment and keep the hackers at bay