
Android application to sniff and inject Zigbee, Mosart and Enhanced ShockBurst packets on a Samsung Galaxy S20


RadioSploit 1.0

This Android application lets you sniff and inject Zigbee, Mosart and Enhanced ShockBurst packets from a Samsung Galaxy S20 smartphone. It interacts with a set of patches installed on the phone's Bluetooth controller, which add the capability to communicate using these protocols.

This project is a proof of concept developed as part of research work exploring the feasibility of cross-protocol pivoting attacks. If you need additional details, we have published multiple papers about it:

This application is released as open-source software under the MIT License.

Screenshots

How to use this application?

  • First, you need to root your Samsung Galaxy S20. It should also work on a Samsung Galaxy S10, but this has not been tested yet. Multiple tutorials for enabling root can be found online.
  • Enable Bluetooth debugging (BTsnoop logs) in your smartphone's settings.
  • Then, install the RadioSploit patches on your Bluetooth controller. The patches are hosted in a separate repository; follow these instructions!
  • Finally, install the application using adb:
    $ adb install radiosploit.apk
  • Launch the app and allow it root permissions when prompted.
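The install step above, as an added example that is not part of the RadioSploit project: a POSIX shell pre-flight script that refuses to proceed unless exactly one authorized device is attached, checks that root is actually reachable before installing, and only reports success when adb says so. It assumes root is exposed through an su binary (the README does not say how root is obtained), that the APK is named radiosploit.apk in the current directory, and it uses a RADIOSPLOIT_LIVE variable of its own to gate the live adb calls so the parsing helpers can be exercised without a phone.

```shell
#!/bin/sh
# Pre-flight installer for RadioSploit over adb (added example, not project code).
# Assumptions not taken from the README: root is reachable via an `su` binary,
# the APK is ./radiosploit.apk, and RADIOSPLOIT_LIVE=1 enables the live adb calls.

# Take the raw output of `adb devices` and print the serial of the single
# attached, authorized device. Fail (exit 1) when there are zero or several
# devices, or when any device is listed as "unauthorized" or "offline", so we
# never push an APK to the wrong phone or to one that has not accepted our key.
single_device_serial() {
    printf '%s\n' "$1" | awk '
        NF == 2 && $2 == "device" { serials[n++] = $1 }   # ready device
        NF == 2 && $2 != "device" { bad++ }               # unauthorized/offline
        END {
            if (n != 1 || bad > 0) exit 1
            print serials[0]
        }'
}

# Decide from the output of `id` (run through su) whether we really got root.
# Matching on "uid=0(" avoids being fooled by a shell that printed an error.
is_root_id() {
    case "$1" in
        "uid=0("*) return 0 ;;
        *)         return 1 ;;
    esac
}

# `adb install` prints a line starting with "Success" on a completed install
# (possibly after "Performing Streamed Install"); anything else is a failure.
install_succeeded() {
    printf '%s\n' "$1" | grep -q '^Success'
}

main() {
    apk="${1:-radiosploit.apk}"
    serial=$(single_device_serial "$(adb devices)") || {
        echo "need exactly one authorized adb device attached" >&2; exit 1; }

    # Confirm root is available before installing: the app needs it at launch.
    id_out=$(adb -s "$serial" shell su -c id 2>/dev/null || true)
    is_root_id "$id_out" || { echo "root not available on $serial" >&2; exit 1; }

    out=$(adb -s "$serial" install "$apk" 2>&1)
    install_succeeded "$out" || { echo "install failed: $out" >&2; exit 1; }
    echo "installed $apk on $serial"
}

# Only talk to a real phone when explicitly asked for.
if [ "${RADIOSPLOIT_LIVE:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `RADIOSPLOIT_LIVE=1 sh preflight.sh radiosploit.apk` with the phone connected; without the variable it only defines the helpers. The device check is deliberately strict about a single authorized device because `adb install` without `-s` picks whichever device it finds, and a phone listed as unauthorized has not yet accepted the host's debugging key.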