Graduate student: | 戴辰宇 Chen-Yu Dai |
---|---|
Thesis title: | 智慧型手機低功率藍牙應用上之亂數化裝置識別元對安全的影響與建議 The Research of Impact on Authentication Mechanism for Smartphone BLE-based Applications with Randomized Hardware Identifier: Using a Taiwan Smart Vehicle as Example. |
Advisor: | 查士朝 Shi-Cho Cha |
Oral defense committee: | 葉國暉 Kuo-Hui Yeh, 鄭欣明 Shin-Ming Cheng |
Degree: | Master |
Department: | School of Management - Department of Information Management |
Year of publication: | 2017 |
Academic year of graduation: | 105 |
Language: | Chinese |
Number of pages: | 25 |
Keywords (Chinese): | Bluetooth Low Energy, Internet of Things, smart vehicle, authentication mechanism, user privacy |
Keywords (English): | smart vehicle, authentication protocol |
Usage: | Views: 342, Downloads: 6 |
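Typical IoT devices rarely have the ability to connect to the Internet directly and, for reasons of power saving and cost, often need a smartphone to act as a gateway. From this standpoint, Bluetooth Low Energy (hereafter BLE) is a very popular connection method in the current market.
For some IoT applications, such as smart vehicles or physical security systems, the device must identify over BLE that the person operating the phone is an authorized user before allowing use. When providing authentication information, using the phone as a hardware token requires a unique device identifier and the ability to complete some mutual authentication protocol. However, this approach needs supporting hardware mechanisms and the cooperation of phone manufacturers or telecom carriers, so it is costly and hard to promote. A common practice today is therefore to have the device authenticate the hardware identifier of the connecting phone, such as its MAC address. Under normal circumstances a phone's hardware identification information is not easy to change, so it can serve as a hardware identification mechanism and guard against the risk of an unauthorized third party using a phone to control the IoT device.
However, as consumer privacy awareness rises, mainstream phones have, in order to protect privacy and prevent apps or nearby devices from tracking users through hardware identification information, restricted the hardware identifiers that apps can obtain and randomized the WiFi and Bluetooth MAC addresses. As a result, the phone can no longer easily be used as a hardware identification mechanism.
Since neither the IoT device nor the phone app can obtain the phone's hardware identifier, yet it is still desirable to restrict phone-based control of the device to specific users, another channel is needed to give the phone the authentication information that lets it serve as an identification mechanism. For example, the phone authenticates to a network server set up by the device developer; after the server confirms the user's identity, it provides an identification key or other authentication information, and that key is then used for pairing between the IoT device and the phone.
This study addresses this problem using a well-known Taiwanese smart scooter as an example, analyzing the possible issues and identifying possible improvements so that both security and privacy are taken into account.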
In current BLE-based IoT applications, people may need to prove their identities to Internet services to obtain credentials for pairing with IoT devices. In this case, the Bluetooth physical address of a device could be leveraged to increase the security of the pairing process. On the other hand, current major smartphones usually use random Bluetooth addresses to protect user privacy. Using random Bluetooth addresses may increase security risks because it makes it harder for IoT devices to identify smartphones.
This study uses a smart vehicle from a major Taiwanese brand as an example to illustrate this security issue. It also discusses a possible solution to the issue. The study thereby contributes a proposed scheme to balance the tension between security and privacy for BLE-based smartphone applications.