pierreay/bluescream

BlueScream: Screaming Channels on Bluetooth Low Energy

About

Main repository of the BlueScream project.

Publication

This project led to the following ACSAC publication:

Pierre Ayoub, Romain Cayre, Aurélien Francillon and Clémentine Maurice. “BlueScream : Screaming Channels on Bluetooth Low Energy”. In: 40th Annual Computer Security Applications Conference (ACSAC ’24). Waikiki, Honolulu, Hawaii, United States, Dec. 2024. URL : https://hal.science/hal-04725668. DOI :

This project is also part of my PhD thesis: Pierre Ayoub (2024). Compromising Electromagnetic Emanations: Side-Channel Leakages in Embedded Devices. Sorbonne Université. https://theses.fr/2024SORUS558 https://theses.hal.science/tel-05008752

How to cite

@InProceedings{ayoub24bluescream,
  title = {{BlueScream: Screaming Channels on Bluetooth Low Energy}},
  author = {Ayoub, Pierre and Cayre, Romain and Francillon, Aur{\'e}lien and Maurice, Cl{\'e}mentine},
  booktitle = {{40th Annual Computer Security Applications Conference (ACSAC '24)}},
  address = {Waikiki, Honolulu, Hawaii, United States},
  hal_local_reference = {Rapport LAAS n{\textdegree} 24326},
  year = {2024},
  month = dec,
  keywords = {Screaming Channels ; Side-channel attacks ; Bluetooth Low Energy ; BLE ; Distant side-channels ; Mixed-signal chips},
  url = {https://hal.science/hal-04725668},
  pdf = {https://hal.science/hal-04725668v2/file/bluescream.pdf},
  hal_id = {hal-04725668},
  hal_version = {v2},
  affiliations = {Eurecom, Univ Lille, CNRS, Inria},
}

Repositories

This repository contains:

src
Source code for libraries and command-line utilities.
docs
Demos for reproducing the main results of the paper.
data
Datasets, experiments, signals, profiles, scripts.

Reproducing

Here are some hints about reproducing our results. More precise instructions can be found in the Ph.D. manuscript, or in the documentation. For instance, see docs/demo_20231014 to learn how to visually analyze a trace. Another example is docs/demo_20240828_acsac to learn how to reproduce attacks on two selected datasets. More precise demonstrations can be found in the directory of the experiments, see data.

Dependencies for Recording

Software

Libraries:

SoapySDR
The library for recording I/Q samples with an SDR.
WHAD
A framework for wireless hacking. It is registered as a submodule in ext/whad and can be initialized using git submodule update --init --recursive ext/whad.

Firmware:

ButteRFly
The attacker firmware, WHAD-enabled for low-level traffic injection. It is registered as a submodule in ext/butterfly and can be initialized using git submodule update --init --recursive ext/butterfly.
MyNewt
The victim firmware, running the NimBLE Bluetooth Low Energy stack from Apache MyNewt with a software AES (TinyAES) instead of the hardware crypto accelerator. It is registered as a submodule in ext/mynewt and can be initialized using git submodule update --init --recursive ext/mynewt.

Hardware

nRF52840
The attacker dongle.
nRF52832 (PCA10040)
The victim board.
SDR (e.g., HackRF, USRP)
The radio to record the leakage.

Dependencies for Attacking

Software

screaming_channels
Holds a custom version of the Screaming Channels project, on which this one is based. All credit for the initial project goes to EURECOM. It is registered as a submodule in ext/screaming_channels and can be initialized using git submodule update --init --recursive ext/screaming_channels.
Histogram-Enumeration Library (HEL)
Key enumeration and estimation library. All credit goes to Giovanni Camurati.
Numpy
Well-known Python scientific computation library.

Source code

The source code is composed of utilities, libraries and individual scripts. While the initial intention was to build a modular framework, the source code may be messy – it is a research project. For more up-to-date tooling, see my other projects SoapyRX and SCAFF.

Most important files:

src/collect.sh
Collect a complete dataset, leveraging src/radio.py.
src/dataset.py
Perform multiprocessor dataset processing.
src/radio.py
Instrument the victim to make it scream and record the leakage for one trace. Leverage src/lib/soapysdr.py for I/Q recording and src/lib/device.py for victim instrumentation.
src/attack.py
Perform side-channel attacks on a dataset (e.g., CRA or Template Attack).
src/lib/device.py
Victim instrumentation leveraging WHAD to manipulate BLE parameters.
src/lib/soapysdr.py
Radio instrumentation leveraging SoapySDR to record I/Q at the right time.
src/lib/analyze.py
Digital signal processing and statistics helpers.

Structure

Files

docs
Text documents and images.
src
Source code.
