IoT Security Mechanisms in the Example of BLE

: In recent years, a lot of IoT devices, wireless sensors, and smart things contain information that must be transmitted to the server for further processing. Due to the distance between devices, battery power, and the possibility of sudden device failure, the network that connects the devices must be scalable, energy efﬁcient, and ﬂexible. Particular attention must be paid to the protection of the transmitted data. The Bluetooth mesh was chosen as such a network. This network is built on top of Bluetooth Low-Energy devices, which are widespread in the market and whose radio modules are available from several manufacturers. This paper presents an overview of security mechanisms for the Bluetooth mesh network. This network provides encryption at two layers: network and upper transport layers, which increases the level of data security. The network uses sequence numbers for each message to protect against replay attacks. The introduction of devices into the network is provided with an encryption key, and the out-of-band (OOB) mechanism is also supported. At the moment, a comparison has been made between attacks and defense mechanisms that overlap these attacks. The article also suggested ways to improve network resiliency.


Introduction
Mesh network-network topology dynamically establishes the maximum possible number of connections between devices for efficient and resilient data transmission [1]. Usually, mesh networks are based on several wireless technologies, such as Wi-Fi, Bluetooth, Thread, and Zigbee [2][3][4][5]. However, a mesh network based on Bluetooth Low Energy (BLE) is a popular solution [3,6] due to its high popularity, low cost, and low power consumption [3,7].
The main problem of building mesh networks is to ensure the security of data transmission [8]. Since the network can cover a large area [4], it is necessary to provide efficient protection against unauthorized access by intruders.
The aim of this paper is to compare wireless attacks and defense mechanisms implemented in the Bluetooth mesh standard, which was created by the Bluetooth Special Interest Group (SIG) and implemented on Bluetooth Low-Energy devices starting with 4.0 [9]. The current version of Mesh Profile 1.0.1 can be implemented on BLE devices from 5.0 and later. [10]. Furthermore, one of the tasks is to search for network vulnerabilities and provide recommendations for their elimination.

Wireless Network Vulnerabilities
Before considering the existing information security mechanisms, its necessary to introduce a classification of possible network attacks on wireless networks [11][12][13]: • Denial of Service. The purpose of this attack is to overload the device with redundant packets, which make the device unusable [14,15]; • Eavesdropping. An attacker eavesdrops on a data exchange in order to extract useful information; • Man In The Middle, MITM. A malicious device secretly establishes a connection between two devices and making them think they are exchanging data with each other; • Replay Attack. A previously sent valid message captured by an intruder can be used to exploit the system functionality without an authentication procedure [15]. • Relay Attack. A malicious device establishes communication between two nodes and transmits unmodified data between them [14].
Thus, in order to ensure the information security of wireless devices, it is necessary to take these attacks into account when developing security algorithms. However, these attacks are network attacks and do not include physical interaction attacks on the device, such as attacks to obtain security parameters [16].

Bluetooth Mesh Overview
First of all, we need to define the terms used in the Bluetooth mesh specifications [10]. Devices that can transmit or receive messages are called nodes or provisioned devices. Devices that are not a part of any mesh network are called unprovisioned devices. The provisioning process [17] is carried out by a provisioner device, which authenticates unprovisioned devices, assigns an address, and transmits encryption keys [18]. Further configuration of a node is performed by a configuration client, which can be a part of a provisioner device or a part of another node. A configuration client transmits an application key, additional network keys, and configures subscription and publish address for each model.
Each mesh node must have at least one element. An element is an addressable entity that contains models, which defines node functionality. All data exchanges are carried out using messages, which are defined by the opcode, associated parameters, and behavior. Messages are operating with states that represent the position of an element.
There are three types of models [19]: The Server model contains one or several states, divided between one or several elements, as well as messages and behaviors associated with receiving and sending data; the Client Model contains messages necessary for requesting, changing, or using corresponding states of the server; the Control model contains the functionality of both models.
The Bluetooth specification [9] also defines two types of messages: Control Messages for controlling network operations and Access Messages for data distribution. A data exchange between nodes is defined by subscription and publication methods [20,21]. Addresses can be unicast, group, and virtual. Unicast addresses are assigned to each element.
Bluetooth Mesh specification [10] describes the different types of nodes [22]: • A relay node is a device designed for data transmission within a mesh network. The message forwarding distance is limited by the TTL value; • A low-power node is a device that spends most of its time in sleep mode. After waking up, a low-power device receives data from a friendly host; • A friend node is a device that stores data for the Low-Profile node; • A proxy node is a device that can work with BLE devices via GATT; • A provisioner node is a device designed to register nodes in the mesh network and to distribute security keys. It also can be a configurator device.
Unlike other protocols (such as Zigbee, Thread, etc.), which are based on the use of routed networks, Bluetooth Mesh uses managed flooding for data transfer within the network [19,23,24]. Managed flooding is a node organizing method within the mesh network, which is a compromise between packets routing and uncontrolled forwarding of received packets. The essence of the method is that incoming packages have a time-to-live (TTL) value, which decreases with each packet transmission until the TTL value becomes zero. Furthermore, all incoming packets are cached to avoid re-forwarding. However, there is an implementation of routed networks based on BLE technologies [25,26].
Bluetooth Mesh is based on Bluetooth Low-Energy technology [10], which works in the 2.4 GHz frequency range. The entire frequency range is divided into 40 channels of 2 MHz each [9,27,28]. Since Bluetooth Mesh usually works without active connections, all communication happening in advertising channels by sending a special non-scanned type of advertising message "ADV_NONCONN_IND" [29]. Interaction between nodes occurs through one of three advertising channels: 37, 38, 39 [14,21].

Bluetooth Mesh Layers
Bluetooth Mesh has a layered model based on Bluetooth Low Energy. The Bluetooth mesh architecture consists of the following layers [20,21,28,30]: • The models layer defines model implementation, its behavior, state; • The foundation models layers defines network configuration and models management; • The access layers defines application interaction with the upper transport layer to determine data format, data encryption process, and data verification; • The upper transport layer defines message encryption and verification methods by using the application key generated for each device; • The lower transport layer performs segmentation of transmitted messages and assembly of incoming messages; • The network layer defines a message format for transfer data across network elements through a data link layer and message encryption. It also manages messages to be relayed, accepted, or rejected; • The bearer layer defines packets handling methods such as transmitting data into advertising bearer, which is used in scanning and advertising state. Data transmitting through GATT, which allows communication with regular BLE devices using proxy nodes.
For security reasons, Bluetooth Mesh uses two types of keys for data transmission [28]: AppKey using for data encryption on the upper transport layer, and NetKey for data encryption on the network layer. The same NetKey is used for all nodes within the same network. Key separation allows an intermediate node to verify message integrity and forward it without exposing content, which protects data from unauthorised access. In addition, key separation allows you to secure not only from an eavesdropping attack but also from a relay attack, in which the node that is part of the network can read the messages that are not intended for it [29].
In addition to using AppKey and NetKey, there is a unique key for each device called DevKey. This key is known only to the device itself and the configuration client. DevKey is used for secure communication between the node and the configuration client. Just like the application key, the device key is used in the upper transport layer.

Authentication and Encryption
Message exchange is secured using the AES-CCM algorithm [10,31]. On the upper transport layer used an application key called AppKey for data encryption and authentication. On the network layer used two security keys: the EncryptionKey for data encryption and authentication and the Privacy key for obfuscation of the message headers. The En-cryptionKey and PrivacyKey are divided from NetKey.
Due to the use of the AES-CCM algorithm, all messages have an authentication tag called the message integrity check (MIC).
A unique number that can only be used once (Nonce) is used to encrypt data. Using Nonce protects against replay attacks. Bluetooth Mesh defines four types of Nonce: network nonce (Figure 1), application nonce (Figure 2), device nonce, and proxy nonce.  A nonce value contains a field type, sequence number (SEQ), source address (SRC), destination address (DST), an initialization vector (IV Index), flag type, TTL value, and ASZMIC flag to indicate the segmented message.
Message headers are obfuscated to hide identifying information, such as source address (SRC), sequence number (SEQ), etc. Header obfuscation provides protection against eavesdropping attacks. The obfuscation process using the AES algorithm with PrivacyKey and an encrypted network message. Figure 3 presents the generation of a secure network message. The generated network message contains public information about the IVI value, the least significant bit of the IV Index, and network identifier (NID), which is used to determine the encryption key. Network identifier derived from NetKey, EncryptionKey, and PrivacyKey.
Transmitted messages can be eavesdropped on and resent later in an unmodified form. This attack is a Replay attack, in which the same message is transmitted several times, which has a malicious impact on the network. To secure the network from that kind of attack, Bluetooth Mesh defines the sequence number value (SEQ). Nodes increments a sequence value for each message transmission. If a node receives a message with a sequence number lower than previous messages, it will be rejected.
If the sequence number (SEQ) reaches its maximum value, the IV Index update procedure will be started. The IV Index is an equal value for all nodes within a network. The IV Index is updated periodically to avoid reuse, and the update procedure can be launch by any node. The IV Index must be equal to or greater than the value of the next message.

Provisioning Procedure
A mesh network can be created by a provisioner device, which searches for unprovisioned devices and registers them on the network. The provisioner protects the network against using malicious unprovisioned devices.
The provisioning process begins after the unprovisioned device broadcasts advertising messages saying that it is available. When the provision finds the message data, it sends a provision request to the unprovisioned device and information about the supported security algorithms, public key, etc. After the response, the public key is exchanged between the provisioner and the unprovisioned device. Using the Elliptic Curve Diffie-Hellman (ECDH) protocol [32] during the provisioning process, the provisioner sends encrypted security parameters. To prevent an attack man-in-the-middle (MITM), an optional Out-of-Band (OOB) mode [33] can be used (for example, passphrase input, use of NFC technology, etc.). Once a secure connection has been established, the devices exchange provisioning data, such as NetKey, AppKey, Index IV, TTL value, node address, etc.
Discarded nodes must be disposed of, so keys stored within the device cannot be used for attacks on the network. In order to protect against such an attack, the provisioner device adds a disposed-of node to the blacklist, and each node begins the security key update procedure. The provisioner provides new NetKey and AppKey for each node, except devices from the blacklist. Table 1 shows a summary comparison of network attacks with Bluetooth Mesh protection methods. As shown, Bluetooth Mesh is vulnerable to denial of service attacks.

Experiment
Since communications with nodes within a network happen by using only three channels, in an environment with high radio frequency interference, it can cause a significant loss of data. For example, general BLE devices use these channels to notify other devices, and the same channels are used by beacons to continuously broadcast messages [3,5]. Furthermore, the same frequency range is used by other technologies, such as WiFi, ZigBee, etc. [8,23]. Table 1. Comparison of network attacks and protection methods.

Attack Type Protection Methods
Denial of Service -Eavesdropping Message encryption and message header obfuscation Man In The Middle Authentication during node provisioning process by using OOB Replay Attack Use of the sequential number (SEQ) and IV Index Relay Attack Authentication during node provisioning process by using OOB and using two-level key separation We have experimentally demonstrated the possibility of denying a service attack on a Bluetooth Mesh network, which continuously transmits sequentially numbered messages to identify lost packets. For this purpose, our experimental setup includes two developer boards nRF52840 [34] from Nordic Semiconductor working within the Bluetooth Mesh network; these devices are also featured in [35] as a low-cost test bed, three SDR ADALM-PLUTO [36] from Analog Devices, which all generate radio frequency interference on the same three channels. The first node sends sequence numbers, and the second node receives them and transmits them to the computer. The ADALM-PLUTO SDR was chosen because it can generate or acquire RF analog signals in a range from 325 MHz to 3800 MHz, and BLE work on 2.4 GHz. The ADALM-PLUTO SDR was handled with GNURadio software in order to control and generate an interference at a specific frequency.
The experiment was carried out in the research laboratory of the Tomsk State University of Control Systems and Radioelectronics. Current research at the time included various wireless devices, operating at 802.11, and BLE standards at the same 2.4 GHz frequency band. This is conducted in order to create as realistic an environment as possible with possible radio interference.
The result is shown in Figure 4, which shows the arrival time of the packet and the channel on which the packet was received. The experiment consisted of five stages, 10 min each: in the first stage, the jammers were turned off; in the second stage, channel 37 was muted; in the third stage, 37 and 38 channels were muted; in the fourth stage, 37, 38, and 39 channels were muted; in the fifth stage 38 and 39 channels were muted. As a result, in the fourth stage, not all packets were drowned; this is explained by the close location of the mesh network nodes, as well as the low power of the jammers. The experiment showed that this network does not have any algorithms for protection against jammer attacks, such as calculating the location of jammers, which are discussed in the article by Dhivyasri et al. [37]. The following figures show the percentage of packet loss: the percentage of packet loss for each stage is shown in Figure 5, and the dynamics of changes in the percentage of total packet loss are shown in Figure 6.  The experiment confirms that with a small amount of equipment, it is possible to disrupt the network. Therefore, packet loss can be critical for systems, such as healthcare systems used to monitor patients' vital signs and their location [38]. The solution is to increase the number of used channels for data transmission, and it is necessary to use all available 40 channels. This can increase the fault tolerance of the network and make it difficult to implement such an attack.

Conclusions
The cheapening of microchip production has led to the rapid growth of the Internet of Things and the proliferation of various sensors and sensors. However, due to the large number of devices, it has become more difficult to deploy a wired network to provide communication between different devices. The solution to this problem is to build a wireless network. A wireless network can be deployed without any installation work, and it can exchange data between multiple devices and span large areas. However, a wireless network also has disadvantages. Due to the fact that data in a wireless network are transmitted in a shared radio environment, a collision can occur, an attacker can eavesdrop or send modified data packets, as well as jam data transmission. As a consequence, it is necessary to guarantee the protection of the transmitted data at a high level, as well as to ensure the possibility of data transmission in the presence of interference.
As a result of the work conducted, the main mechanisms of Bluetooth Mesh protection were considered, possible types of attacks on the wireless network were given, and a summary table was compiled reflecting weaknesses in network protection. Based on the table, an attack vector was found. An experiment has been successfully conducted demonstrating that despite the protection measures provided in the Bluetooth Mesh standard, it is possible to carry out a simple attack that paralyzes the operation of the entire distributed network. To increase the complexity of the attack presented in the experiment, it is necessary for the network to provide data transmission on all available channels and not only on advertising channels, which are quite noisy due to the prevalence of BLE devices and can be easily blocked by three jammers.
In the future, we plan to delve deeper into the security algorithms of the Bluetooth Mesh, as well as implement protection against the attack demonstrated in the experiment.

Conflicts of Interest:
The authors declare no conflict of interest.