Inside Job: Understanding and Mitigating the Threat of External Device Misbinding on Android

Passive Attack

Here we demonstrate the passive attack on one of the target devices namely the iThermometer device. A malicious service is running in the background of the Android enabled phone. Once the service detects that the target application is in the foreground it tries to connect to the external Bluetooth thermometer device. If successful, it gets the temperature measurement from the device and releases the Bluetooth socket. The iThermometer app can then connect to the external device. Furthermore, the malicious service can detect when the user disconnects her thermometer device from the phone. It then takes advantage of that opportunity and again tries to connect and steal the sensitive data. On the video below we illustrate this scenario showing that the data is captured and sent to a remote location.

Passive Attack on iThermometer

Active Attack Demo

This demo shows an active attack on the Pulse Oximeter, in which a spoofed device (a laptop with a Bluetooth dongle) acted as a clone of the original device and fed fake data into the official app of the device. During the attack,  the smartphone stayed very close to the original device, almost side by side, where the spoofed device was placed several meters away (which can be up to 100 meters away for a Class 1 Bluetooth device), and on the other side of a wall. On the phone, there was a malicious app running in the background, which not only shipped out the pairing information to the adversary to make the clone but more importantly, stealthily reset the link key by unpairing the phone from the original device and pairing it with the clone.  We further gave the clone’s a large scan time so that it responded more promptly to the phone’s connection request than the original device (which was set by its manufacturer to react relatively slow to save power).   As a result, whenever the user wanted to connect to the original device, he always automatically connected to the clone.

YouTube Video


In this demo, we show how DaBinder stops a malicious app’s attempt to steal user data from iTheromometer.  In the video,  when the official app of iTheromometer was activated and got data from the device, the malicious app running in the background also tried to make a connection to the device right before or after the official app’s connection (see the paper), which should work in the absence of our protection (see the passive attack video).  However, this attempt was defeated here, as you can see from the video (a message from BluetoothAdapterService displayed on a PC), because the unauthorized app was not on the device’s binding policy.  Dabinder has been released as an Android patch.  You can download the code from this link  The user can also manually bind and unbind an app with a device using the advanced bluetooth settings of a device as shown in the screen shot below.

DaBinder in action

Dabinder interface for bonding and unbonding an device to an app