/BlueToolkit

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. Could be used in the vulnerability research, penetration testing and bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way

Primary LanguageShellOtherNOASSERTION

BlueToolkit

BlueToolkit

Extensible Bluetooth Classic vulnerability testing framework based on simple YAML DSL.

DocumentationInstallUsageSupported ExploitsBluetooth Classic and BLE vulnerabilities and attacksResultsHardware


BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices.

It works by executing templated exploits one by one and verifying appropriate properties based on the template logic. The toolkit is extensible and allows new research to be added to the centralized testing toolkit. There are 43 Bluetooth exploits available in the toolkit, from known public exploits and tools to custom-developed ones.

The framework works in a Black-box fashion, but it is also possible to operate the toolkit in a Gray-box fashion. For that one needs to extend the framework and connect it to the Operating System of the target so that it would be possible to observe Bluetooth logs and guarantee no false positives.

Also, we have already used our framework and were able to find 64 new vulnerabilities in 22 cars (Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla).

We have a dedicated repository that provides various types of vulnerability templates.

Credit

This work has been done at Cyber Defence Campus and System Security Group at ETH Zurich.

Install BlueToolkit

BlueToolkit has 2 installation stages: general and specific module installation. The general installation downloads the code, modules and tools available in the toolkit and tries to set up modules that do not require human interaction. The specific module installation requires a human to verify that the needed hardware is connected to the device on which the toolkit is being installed.

Install

We provide 2 installation options: virtual machine or Ubuntu/Debian.

VM Installation

Prerequisites:

git clone https://github.com/sgxgsx/BlueToolkit --recurse-submodules
cd BlueToolkit/vagrant
vagrant up

After Installation:

  • You need to allow the virtual machine to access the Bluetooth module or additional hardware through USB, which requires you to do the following:
  • USB support is already switched on, that's why open VirtualBox
  • Find a running virtual machine and click on "Show"
  • Click on "Devices" -> "USB"
  • You will be presented with multiple devices that you can switch on for the virtual machine
  • Tick any device that you need (Bluetooth module, hardware, phone) or tick all devices to be sure.
Ubuntu/Debian Installation Installation:
sudo mkdir /usr/share/BlueToolkit
sudo chown $USER:$USER /usr/share/BlueToolkit
git clone https://github.com/sgxgsx/BlueToolkit /usr/share/BlueToolkit --recurse-submodules
chmod +x /usr/share/BlueToolkit/install.sh
/usr/share/BlueToolkit/install.sh
Windows and MacOS Installation You could try to install the toolkit on WSL or MacOS directly. Alternatively, use the VM installation option.

Specific Module Install

Virtual Machine
  • Verify that the hardware is connected to the machine
  • Verify that you allowed the hardware to be shown to the VM in the USB settings
  • Then depending on the hardware that you need to install do the following:
vagrant ssh
cd /usr/share/BlueToolkit/installation/
ls -al
  • Find a script for your hardware and execute it
./{HARDWARE}_installation.sh
Linux
  • Verify that the hardware is connected to the machine
  • Then depending on the hardware that you need to install do the following:
cd /usr/share/BlueToolkit/installation/
ls -la
  • Then find a script for your hardware and execute it
./{HARDWARE}_installation.sh

Usage

sudo -E env PATH=$PATH bluekit -h

This will display help information for the tool. Here are all the parameters it supports.

usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...

positional arguments:
  rest

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target MAC address
  -l, --listexploits    List exploits or not
  -c, --checksetup      Check whether Braktooth is available and setup
  -ct, --checktarget    Check connectivity and availability of the target
  -ch, --checkpoint     Start from a checkpoint
  -v VERBOSITY, --verbosity VERBOSITY
                        Verbosity level
  -ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]
                        Exclude exploits, example --exclude exploit1, exploit2
  -e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...]
                        Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account
  -r, --recon           Run a recon script
  -re, --report         Create a report for a target device
  -rej, --reportjson    Create a report for a target device
  -hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
                        Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account

EXAMPLES:
Run bluekit recon:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r

Run bluekit connectivity check:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ct

Run bluekit with a specific exploit:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot

Run bluekit with specific exploits:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot au_rand_flooding internalblue_knob

Run bluekit and list all available exploits:
   $ sudo -E env PATH=$PATH bluekit -l

Documentation is available at: https://github.com/sgxgsx/BlueToolkit/wiki

Available Bluetooth Vulnerabilities and Attacks

BlueToolkit automatically downloads all vulnerability and hardware templates. BlueToolkit templates repository provides a full list of ready-to-use templates. Additionally, you can write your own templates and checks as well as add new hardware by following BlueToolkit's templating guide The YAML reference syntax is available here

We collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way. We used the following sources - ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS, and Google Scholars. Looked for the following keywords in Search Engines such as Google, Baidu, Yandex, Bing - Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework, bluetooth pentesting toolkit. We also parsed all Github repositories based on the following parameters - topic:bluetooth topic:exploit, topic:bluetooth topic:security.

Currently BlueToolkit check the following vulnerabilities and attacks:

For manual attacks refer to the documentation.

Vulnerability Category Type Verification type Hardware req. Tested
Always pairable Chaining Chaining Manual
Only vehicle can initiate a connection Chaining Chaining Manual
Fast reboot Chaining Chaining Manual
SC not supported Chaining Info Automated
possible check for BLUR Chaining Info Automated
My name is keyboard Critical RCE Semi-automated
CVE-2017-0785 Critical Memory leak Automated
CVE-2018-19860 Critical Memory execution Automated
V13 Invalid Max Slot Type DoS DoS Automated
V3 Duplicated IOCAP DoS DoS Automated
NiNo check MitM MitM Semi-automated
Legacy pairing used MitM MitM Automated
KNOB MitM MiTM Semi-automated
CVE-2018-5383 MitM MiTM Automated
Method Confusion attack MitM MiTM Automated
SSP supported <= 4.0 weak crypto or SSP at all MitM Info/MitM Automated
CVE-2020-24490 Critical DoS Automated
CVE-2017-1000250 Critical Info leak Automated
CVE-2020-12351 Critical RCE/DoS Automated
CVE-2017-1000251 Critical RCE/DoS Automated
V1 Feature Pages Execution Critical RCE/DoS Automated
Unknown duplicated encapsulated payload DoS DoS Automated
V2 Truncated SCO Link Request DoS DoS Automated
V4 Feature Resp. Flooding DoS DoS Automated
V5 LMP Auto Rate Overflow DoS DoS Automated
V6 LMP 2-DH1 Overflow DoS DoS Automated
V7 LMP DM1 Overflow DoS DoS Automated
V8 Truncated LMP Accepted DoS DoS Automated
V9 Invalid Setup Complete DoS DoS Automated
V10 Host Conn. Flooding DoS DoS Automated
V11 Same Host Connection DoS DoS Automated
V12 AU Rand Flooding DoS DoS Automated
V14 Max Slot Length Overflow DoS DoS Automated
V15 Invalid Timing Accuracy DoS DoS Automated
V16 Paging Scan Deadlock DoS DoS Automated
Unknown wrong encapsulated payload DoS DoS Automated
Unknown sdp unknown element type DoS DoS Automated
Unknown sdp oversized element size DoS DoS Automated
Unknown feature req ping pong DoS DoS Automated
Unknown lmp invalid transport DoS DoS Automated
CVE-2020-12352 Critical Info leak Automated

Novel attacks

These attacks a novel/new and are tested by the framework

Vulnerability Category Type Verification type Hardware req. Tested
Insecure NC implementation MitM MitM Manual
Vehicular NiNo MitM Info Manual
Contact Extractor Critical BAC Manual

Vulnerabilities to be added soon

Vulnerability Category Type Verification type Hardware req. Tested Scheduled to be added
BLUR MitM ? -
BIAS MitM ? -
BLUFFS MitM ? -
BlueRepli Critical BAC -
CVE-2020-26555 MitM MiTM -

Bluetooth Vulnerabilities and Attacks

Additionally, we found the following Bluetooth Classic and Bluetooth Low Energy (BLE) vulnerabilities. The table has the following information about the attacks and vulnerabilities - name, type either implementation-specific, protocol-specific or affecting a BT profile, Bluetooth Type (BLE, BT, BT + BLE), BT versions affected, number of exploits, year released, CVE if available, CVSS if available, Hardware if required, Proof of Concept if available and additional information in the comment section with additional links or explanation.

Exp. Family Name Type BT Type BT ver exp. # Year CVE CVSS Hardware PoC Link Comment
Qualcomm WSA8835 attck Imp BLE 1 2023 https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647 Improper GATT packet verification
Auth bypass, spoofing Imp BLE 1 2022 https://fmsh-seclab.github.io/ Authentication Bypass by Spoofing in Tesla Keys
unauth MITM Prot BLE 4.0 - 5.3 1 2022 https://www.cvedetails.com/cve/CVE-2022-25836/ Check CVE for details, relies on Method Confusion
BLE Proximity Auth relay Rel BLE 4.0 - 5.3 1 2022 https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/ BLE Proximity Authentication Vulnerable to Relay Attacks
Sniffle Snif BLE 4.0-5.0 1 2022 TI CC1352/CC26x2 https://github.com/nccgroup/Sniffle
InjectaBLE Prot BLE 4.0 - 5.2 1 2021 nRF52840 https://github.com/RCayre/injectable-firmware https://hal.laas.fr/hal-03193297v2/document MITM, Send malicious packets, post-exploitation after the session was established/hijacked (Imp and model specific)
jacknimble Imp BLE 2020 nRF52840 https://github.com/darkmentorllc/jackbnimble https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf 3 exploits for specific hardware, CVE-2020-15531
SweynTooth Imp BLE 12 2020 nRF52840 https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks https://asset-group.github.io/disclosures/sweyntooth/
BlueDoor Prot BLE 4.0 - 5.2 1 2020 nRF51822 http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf MITM
Downgrade attack Prot BLE 4.2 - 5.0 1 2020 TICC2640 & Adafruit Bluefruit LE Sniffe https://www.usenix.org/system/files/sec20-zhang-yue.pdf MITM through downgrade (SCO) CVE-2020-35473
BLESA Spoof BLE 1 2020 https://www.usenix.org/system/files/woot20-paper-wu.pdf Spoofing to establish MITM and disable encryption
SweynTooth Cypress PSoc 4 BLE Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336 DoS
SweynTooth Cypress PSoc 4 BLE Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061 Buffer Overflow
SweynTooth NXP KW41Z up to 2.2.1 Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060 BLE Link layer buffer overflow
SweynTooth STMicroelectronics BLE Stack Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192 through 1.3.1 for STM32WB5x devices does not properly handle consecutive ATT requests on reception
Co-located app BLE BLE 1 2019 Theory https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf Co-located apps can get BLE data, and thus exfiltrate needed info??? can we do a relay with it?
BleedingBit Imp BLE 4.2 - 5.0 1 2018 https://www.armis.com/research/bleedingbit/
GATTacking Prot BLE 4.0 1 2016 CSR 8510-based USB dongle https://github.com/securing/gattacker https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf MITM BLE
Crackle Prot BLE 4 1 2013 https://github.com/mikeryan/crackle https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf crack ble encryption
Bluez MynameIsKeyboard Imp BT 1 2023 CVE-2023-45866 8.8 https://github.com/marcnewlin/hi_my_name_is_keyboard - CVE-2023-45866, CVE-2023-45866, CVE-2023-45866
Antonioli BLUFFS Prot BT 4.2-5.2 6 2023 CVE-2023-24023 6.8 CYW920819EVB-02 https://github.com/francozappa/bluffs
- Prot BT 1 2022 https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777 Cross-stack illegal access attack (formal methods) + CVE-2020-26560 and CVE-2020-15802 mentioned in other entries
BlackTooth Prot BT 1 2022 CYW920819EVB-02 https://dl.acm.org/doi/pdf/10.1145/3548606.3560668 1 new attack (connection stage) + KNOB and other attacks that were reused
BLAP Prot BT 1 2022 Theory https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575 Extract Link Key from the HCI dump needs physical access to the car (applicable in car sharing only)
Blue's Clues Prot BT <=5.3 2022 CVE-2022-24695 4.3 Ubertooth & USRP B210 SDR https://github.com/TylerTucker/BluesClues https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358 CVE-2022-24695 affects Privacy, defeats non-discoverable feature of BT/EDR
unauth MITM Prot BT 1.0B-5.3 1 2022 CVE-2022-25837 7.5 https://www.cvedetails.com/cve/CVE-2022-25837/ Check CVE for details, relies on Method Confusion, CVE-2022-25837
Braktooth BrakTooth Imp BT 3.0 - 5.2 16 2021 CVE-2021-28139 8.8 ESP-WROVER-KIT https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks https://asset-group.github.io/disclosures/braktooth/
BleedingTooth BadChoice Imp BT 4.2-5.2 1 2020 CVE-2020-12352 6.5 https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html Information leak
BleedingTooth BadKarma Imp BT 5.0 1 2020 CVE-2020-12351 8.8 https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html stack-based info leak BlueZ
BleedingTooth BadVibes Imp BT 5.0+ 1 2020 CVE-2020-24490 6.5 https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html Requires BT 5.0 and higher
Snapdragon Auto CVEs Imp BT 4 2020 https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703 CVE-2020-11156 Snapdragon Auto, no exploits CVE-2020-11154 CVE-2020-11155, CVE-2020-3703
BlueRepli Imp BT 1 2020 No exploit so far https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf https://github.com/DasSecurity-HatLab/BlueRepli-Plus
UberTooth Snif BT ALL 1 2020 Ubertooth https://github.com/greatscottgadgets/ubertooth https://ubertooth.readthedocs.io/en/latest/ Sniffing
Antonioli BIAS Prot BT <=5.0 4 2019 CVE-2020-10135 5.4 CYW920819, possibly CYW920819M2EVB-01 https://github.com/francozappa/bias https://francozappa.github.io/about-bias/ CVE-2020-10135
MITM SSP BT 5.0 Prot BT 5 1 2018 https://link.springer.com/article/10.1007/s00779-017-1081-6 passkey entry association model is vulnerable to the MITM
BlueBorne CVE-2017-0785 Imp BT 1 2017 CVE-2017-0785 6.5
BlueBorne CVE-2017-1000251 Imp BT 5 4 2017 CVE-2017-1000251 8.0 https://github.com/ArmisSecurity/blueborne https://www.armis.com/research/blueborne/
Lexus BT Heap Overflow Imp BT 1 2017 CVE-2020-5551 8.8 Theory https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/ RCE in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured not in Japan from Oct. 2016 to Oct. 2019
BlueEar Snif BT ALL 1 2016 Ubertooth (2) https://github.com/albazrqa/BluEar https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf Sniffing, extending the code of Ubertooth
CVE-2018-19860 Imp BT 1 2014 CVE-2018-19860 8.8 Nexus 5 (internalblue) internalblue Nexus 5 examples Imp. specific attacks on Broadcom chips BCM4335C0, BCM43438A1, and some other from 2012-2014 (DoS)
NINO MITM attack Prot BT 2 2010 Nexus 5 (internalblue) Theory + a PoC from internalblue + easy exploit similar to method confusion https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082 NINO - no input no output (mitm + out-of-band mitm attacks). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4401672
Attacks on Pairing Prot BT 2.1 1 2008 https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0 MITM, attack on 2.1
Cracking Bluetooth PIN Brute BT 1 2005 Theory https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf 6
Key extraction BT 1.0B 1 2001 https://link.springer.com/chapter/10.1007/3-540-45353-9_14 Old attack on very old version 1.0B
BadBluetooth Prot BT + adj 1 2019 Theory https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf Too high assumptions (malicious app installed + compromised device)
BlueMirror BlueMirror BT Mesh profile brute Prot BT Profile 2.1-5.2 1 2021 CVE-2020-26556 7.5 Brute-force insufficient random AuthValue in BT Mesh 1.0 and 1.0.1 to complete authentication
BlueMirror BlueMirror BT Mesh profile brute 2 Prot BT Profile 2.1-5.2 1 2021 CVE-2020-26557 7.5 Determine Authvalue in BT Mesh 1.0 and 1.0.1 via brute-force attack
BlueMirror BlueMirror BT Mesh profile no brute Prot BT Profile 2.1-5.2 1 2021 CVE-2020-26559 8.8 Auth bypass in Mesh profile 1.0, 1.0.1, can determine authvalue and other data without brute-force
BlueMirror BlueMirror BT Mesh profile Prot BT Profile 1.0B-5.2 1 2020 CVE-2020-26560 8.1 https://kb.cert.org/vuls/id/799380 CVE-2020-26560 - Auth bypass in Mesh profile 1.0, 1.0.1  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325
BlueMirror BlueMirror Legacy pairing Prot BT/BLE 2.1-5.2 1 2021 CVE-2020-26555 5.4 https://kb.cert.org/vuls/id/799380 Complete pairing without knowledge of the PIN  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325     https://www.ieee-security.org/TC/SP2021/SPW2021/WOOT21/files/woot21-claverie-slides.pdf
BlueMirror BlueMirror passkey leak Prot BT/BLE 2.1-5.2 1 2021 CVE-2020-26558 4.2 MitM attacker can determine passkey value through reflection of the public key (can leak passkey value 1 bit at a time)
Antonioli BLURTooth Prot BT/BLE 4.2, 5.0, 5.1, 5.2 4 2020 CVE-2020-15802 5.9 https://github.com/francozappa/blur https://hexhive.epfl.ch/BLURtooth/ CVE-2020-15802
Fixed Coord. Inv. Attack Imp BT/BLE 2.1-5.2 1 2019 CVE-2018-5383 Nexus 5 (internalblue) or CY5677 internalblue Nexus 5 examples https://biham.cs.technion.ac.il/BT/ MITM exploiting crypto (implementation/protocol attack) CVE-2018-5383
Antonioli KNOB Prot BT/BLE <=5.0 1 2019 CVE-2019-9506 8.1 Nexus 5 (internalblue) https://github.com/francozappa/knob https://knobattack.com/ CVE-2019-9506
Ghost attack Prot BT/BLE? 2 2023 https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf Ghost attack and group guessing attack
Qualcomm 9206 Imp BT/BLE? 1 2022 CVE-2022-40503 8.2 https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503 Buffer overread in A2DP profile
Qualcomm APQ8009 Imp BT/BLE? 1 2022 CVE-2022-40537 7.3 https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537 Memory corruption while processing AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response
Qualcomm WSA8815 Imp BT/BLE? 1 2022 CVE-2022-33280 7.3 https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280 Memory corruption while processing AVRCP packet
Qualcomm WSA8835 Imp BT/BLE? 1 2022 CVE-2022-33255 8.2 https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255 Bluetooth HOST Buffer overread while processing GetFolderItems, GetItemAttributes
Qualcomm WSA8835 Imp BT/BLE? 1 2022 CVE-2022-22088 9.8 https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088 Bluetooth Host Buffer overflow while processing response from remote
SnapDragon Auto Imp BT/BLE? 1 2021 CVE-2021-35068 9.8 https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068 Null pointer dereference while freeing the HFP profile
Method Confusion Prot BT/BLE? 2.1-5.2 1 2020 CVE-2020-10134 6.3 huge selection with different capabilities. https://github.com/maxdos64/BThack https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf MITM between 2 BLE or BR/EDR devices. Strange hardware needed, CVE-2020-10134
BlueSnarf revisited Imp OBEX 1 2011 https://inria.hal.science/hal-01587858/document OBEX path traversal (FTP)

The YAML DSL reference syntax is available here.

Results from testing

We tested 22 cars from the following manufacturers and were able to find 60+ new vulnerabilities in them: Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla.

We responsibly disclosed all of the vulnerabilities. All manufacturers had time to fix the vulnerabilities but not all of them did or wanted to!

Manufacturer Model Year BT version Vuln Type Vulnerability Status Comment
Audi A5 2020 4,2 Chaining IVI is not rebootable
Audi A5 2020 4,2 Chaining Not only IVI can initiate a connection
Audi A5 2020 4,2 Chaining Always Pairable
Audi E-tron 2020 4,2 Chaining IVI is not rebootable
Audi E-tron 2020 4,2 Chaining Not only IVI can initiate a connection
Audi E-tron 2020 4,2 Chaining Always Pairable
BMW X2 2021 4 Chaining IVI is not rebootable
BMW X2 2021 4 Chaining Not only IVI can initiate a connection
BMW X2 2021 4 Chaining SC not supported
Chevrolet Corvette 2018 3 Chaining IVI is not rebootable
Chevrolet Corvette 2018 3 Chaining Not only IVI can initiate a connection
Chevrolet Corvette 2018 3 Chaining SC not supported
Honda e 2020 5 Chaining IVI is not rebootable
Honda e 2020 5 Chaining Not only IVI can initiate a connection
Honda e 2020 5 Chaining Always Pairable
Hyundai Kona 2022 5 Chaining IVI is not rebootable
Hyundai Kona 2022 5 Chaining Not only IVI can initiate a connection
Hyundai Kona 2022 5 Chaining SC not supported
Hyundai Kona 2022 5 Chaining Always Pairable
Mercedes-Benz Sprinter 316CDI 2021 4,2 Chaining IVI is not rebootable
Mercedes-Benz Sprinter 316CDI 2021 4,2 Chaining Not only IVI can initiate a connection
Mercedes-Benz Sprinter 316CDI 2021 4,2 Chaining SC not supported
Mini Cooper S 2022 5 Chaining IVI is not rebootable
Mini Cooper S 2022 5 Chaining Not only IVI can initiate a connection
Mini Cooper S 2022 5 Chaining SC not supported
Opel Astra 2019 4,1 Chaining IVI is not rebootable
Opel Astra 2019 4,1 Chaining SC not supported
Polestar Polestar 2 2022 4,2 Chaining SC not supported Not fully tested!
Renault Megane 2016 2,1 Chaining IVI is not rebootable
Renault Megane 2016 2,1 Chaining Not only IVI can initiate a connection
Renault Megane 2016 2,1 Chaining SC not supported
Renault Megane 2021 4,2 Chaining IVI is not rebootable
Renault Megane 2021 4,2 Chaining Not only IVI can initiate a connection
Renault Megane 2021 4,2 Chaining SC not supported
Renault ZOE 2021 4,2 Chaining IVI is not rebootable
Renault ZOE 2021 4,2 Chaining Not only IVI can initiate a connection
Renault ZOE 2021 4,2 Chaining SC not supported
Skoda Octavia 2015 3 Chaining IVI is not rebootable Not fully tested!
Skoda Octavia 2015 3 Chaining SC not supported Not fully tested!
Skoda Octavia 2019 3 Chaining SC not supported Not fully tested!
Skoda Octavia 2022 4,2 Chaining Not only IVI can initiate a connection
Skoda Octavia 2022 4,2 Chaining Always Pairable
Toyota Corolla 2023 5,1 Chaining Not only IVI can initiate a connection
VW Caddy 2023 4,2 Chaining IVI is not rebootable
VW Caddy 2023 4,2 Chaining Not only IVI can initiate a connection
VW Caddy 2023 4,2 Chaining Always Pairable
VW ID.3 2022 4,2 Chaining Not only IVI can initiate a connection
VW ID.3 2022 4,2 Chaining Always Pairable
VW T6.1 2021 4,1 Chaining IVI is not rebootable
VW T6.1 2021 4,1 Chaining Not only IVI can initiate a connection
VW T6.1 2021 4,1 Chaining SC not supported
VW T6.1 2021 4,1 Chaining Always Pairable
Opel Astra 2019 4,1 Critical CVE-2018-19860 Fixed in new versions
Renault Megane 2021 4,2 Critical Contact extractor Unknown
Renault ZOE 2021 4,2 Critical Contact extractor Unknown
Skoda Octavia 2015 3 Critical CVE-2018-19860 Acknowledged. Working on a fix Not fully tested!
Skoda Octavia 2015 3 Critical Contact extractor Acknowledged. Working on a fix Not fully tested!
VW T6.1 2021 4,1 Critical Contact extractor Acknowledged. Working on a fix
Audi A5 2020 4,2 DoS invalid_max_slot Acknowledged. Working on a fix (probably known) (Broadcom - Cypress)
BMW X2 2021 4 DoS au_rand_flooding Acknowledged. Fixed in new hardware
BMW X2 2021 4 DoS truncated_sco_request Acknowledged. Fixed in new hardware (unknown) Texas Instruments
BMW X2 2021 4 DoS invalid_timing_accuracy Acknowledged. Fixed in new hardware (unknown) Texas Instruments
Chevrolet Corvette 2018 3 DoS lmp_overflow_2dh1 Unknown (unknown) (Qualcomm)
Chevrolet Corvette 2018 3 DoS invalid_timing_accuracy Unknown (known WCN3990) (Qualcomm)
Mercedes-Benz Sprinter 316CDI 2021 4,2 DoS invalid_max_slot Unknown (unknown) Marvell Technology
Mini Cooper S 2022 5 DoS au_rand_flooding Acknowledged. Fixed in new hardware
Mini Cooper S 2022 5 DoS lmp_auto_rate_overflow Acknowledged. Fixed in new hardware False positive probably - recovered after 40 seconds
Opel Astra 2019 4,1 DoS lmp_overflow_dm1 Acknowledged. But might be discarded? (unknown) (chip problem Cypress)
Opel Astra 2019 4,1 DoS invalid_timing_accuracy Acknowledged. But might be discarded? (unknown) (chip problem Cypress)
Opel Astra 2019 4,1 DoS truncated_lmp_accepted Acknowledged. But might be discarded? (unknown) (chip problem Cypress)
Polestar Polestar 2 2022 4,2 DoS duplicated_encapsulated_payload Acknowledged. Had problems reproducing Not fully tested! (unknown) (Qualcomm)
Renault Megane 2016 2,1 DoS invalid_timing_accuracy Unknown Might be a false positive as this is the data from the first run !!!!!
Renault Megane 2021 4,2 DoS au_rand_flooding Unknown (unknown) (Marvell Technology)
Renault Megane 2021 4,2 DoS lmp_invalid_transport Unknown (unknown) (Marvell Technology)
Renault Megane 2021 4,2 DoS lmp_max_slot_overflow Unknown (unknown) (Marvell Technology)
Renault Megane 2021 4,2 DoS invalid_max_slot Unknown (unknown) (Marvell Technology)
Renault Megane 2021 4,2 DoS truncated_sco_request Unknown (unknown) (Marvell Technology)
Renault Megane 2021 4,2 DoS sdp_unknown_element Unknown (unknown) (Marvell Technology)
Renault Megane 2021 4,2 DoS duplicated_encapsulated_payload Unknown (unknown) (Marvell Technology)
Renault ZOE 2021 4,2 DoS invalid_max_slot Unknown
Toyota Corolla 2023 5,1 DoS feature_req_ping_pong Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Toyota Corolla 2023 5,1 DoS wrong_encapsulated_payload Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Toyota Corolla 2023 5,1 DoS duplicated_iocap Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Toyota Corolla 2023 5,1 DoS lmp_overflow_dm1 Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Toyota Corolla 2023 5,1 DoS sdp_oversized_element_size Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Toyota Corolla 2023 5,1 DoS duplicated_encapsulated_payload Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Toyota Corolla 2023 5,1 DoS invalid_max_slot Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Toyota Corolla 2023 5,1 DoS invalid_timing_accuracy Acknowledged Marvell technology chip has an actual vulnerability (unknown before)
Audi A5 2020 4,2 MitM Insecure NC implementation Acknowledged. Fixing in a new firmw. version
Audi A5 2020 4,2 MitM KNOB Acknowledged. Fixing in a new firmw. version
Audi E-tron 2020 4,2 MitM Insecure NC implementation Acknowledged. Fixing in a new firmw. version
BMW X2 2021 4 MitM NiNo Acknowledged. Working on a fix
BMW X2 2021 4 MitM CVE-2018-5383 Acknowledged. Not fixing, fixed in new hardw.
BMW X2 2021 4 MitM Insecure NC implementation Acknowledged. Working on a fix
BMW X2 2021 4 MitM E0 Algorithm is used (due to BT vers) Acknowledged. Working on a fix
Chevrolet Corvette 2018 3 MitM KNOB Unknown
Chevrolet Corvette 2018 3 MitM E0 Algorithm is used (due to BT vers) Unknown
Honda e 2020 5 MitM NiNo Acknowledged
Honda e 2020 5 MitM Insecure NC implementation Acknowledged
Honda e 2020 5 MitM KNOB Acknowledged
Honda e 2020 5 MitM Vehicular NiNo Acknowledged
Hyundai Kona 2022 5 MitM Insecure NC implementation Unknown
Mini Cooper S 2022 5 MitM NiNo Acknowledged. Working on a fix
Mini Cooper S 2022 5 MitM Insecure NC implementation Acknowledged. Working on a fix
Renault Megane 2016 2,1 MitM NiNo Unknown
Renault Megane 2016 2,1 MitM CVE-2018-5383 Unknown
Renault Megane 2016 2,1 MitM KNOB Unknown
Renault Megane 2016 2,1 MitM Legacy Pairing enabled Unknown code 0000
Renault Megane 2016 2,1 MitM E0 Algorithm is used (due to BT vers) Unknown
Renault Megane 2016 2,1 MitM SSP not supported Unknown
Renault Megane 2021 4,2 MitM Insecure NC implementation Unknown
Renault Megane 2021 4,2 MitM NiNo Unknown Might have been marked as vulnerable due to Vehicular NiNo (should be checked independently)
Renault Megane 2021 4,2 MitM Vehicular NiNo Unknown
Renault ZOE 2021 4,2 MitM NiNo Unknown Might have been marked as vulnerable due to Vehicular NiNo (should be checked independently)
Renault ZOE 2021 4,2 MitM Insecure NC implementation Unknown
Renault ZOE 2021 4,2 MitM Vehicular NiNo Unknown
Skoda Octavia 2015 3 MitM KNOB Acknowledged. Not fully tested!
Skoda Octavia 2015 3 MitM E0 Algorithm is used (due to BT vers) Acknowledged. Not fully tested!
Skoda Octavia 2019 3 MitM KNOB Acknowledged. Not fully tested!
Skoda Octavia 2019 3 MitM E0 Algorithm is used (due to BT vers) Acknowledged. Not fully tested!
Tesla Model Y 2023 5,2 MitM Vehicular NiNo Not fixing. Usability feature
VW ID.3 2022 4,2 MitM Vehicular NiNo Acknowledged. Fixing in a new firmw. version
VW T6.1 2021 4,1 MitM KNOB Acknowledged. Fixing in a new firmw. version
VW T6.1 2021 4,1 MitM NiNo Acknowledged. Fixing in a new firmw. version
VW T6.1 2021 4,1 MitM Vehicular NiNo Acknowledged. Fixing in a new firmw. version
VW T6.1 2021 4,1 MitM CVE-2018-5383 Acknowledged. Fixing in a new firmw. version
Tesla Model Y 2023 5,2 Accidental crash (on BT connection) Not reproduced

Novel Attacks

Insecure NC Implementation

The IVI system does not properly implement the Numeric Comparison authentication protocol as in the core specification of the Bluetooth which makes a link to be non-authenticated and thus vulnerable to the NiNo, Method Confusion and custom MitM attacks.

There are 3 possible variations:

  1. The IVI/device doesn't require a confirmation for pairing (e.g. no button to confirm the pairing) (Renault, Hyundai cars)
  2. The static number is always shown. (BMW, Mini cars)
  3. The IVI shows a pairing window without a pairing number to compare. (Audi)

There are 2 possible reasons:

  1. State problem
  2. Design problem

In case of the state problem an adversary needs to connect to the IVI(other device) with a capability other than DisplayYesNo and the IVI should try to execute a broken Numeric Comparison and not Passkey or Just Works.

In case of a design problem, one simply needs to observe the pairing process and what is required of a used on a target device (IVI).

Examples of vulnerable cars: ExampleInsecureNC

For the PoC steps please consult contact extractor documentation

Vehicular NiNo

The vehicle allows connections to a device with no input or output capabilities. According to the specification if one of the devices has a NoInputNoOutput capability, then the pairing mode used is named Just Works and such a link should be considered unauthenticated and vulnerable to MitM attacks. This results in an adjacent adversary being able to execute a practical attack and establish a MitM position.

Important distinction: In this case, the vehicle doesn't allow NoInputNoOutput devices to initiate a connection to the IVI, but fails to check the same for a connection initiated by the IVI. The attack window is smaller than in a usual NiNo attack but still exists.

Note on NiNo devices in the vehicular domain: In the vehicular domain, the usage of NiNo devices such as headphones is not frequent if legal at all while driving. When it comes to the smartphone domain a connection to such devices is considered a feature and a usability trade-off to enable wireless headphones for example. As such a use-case is not present in the vehicular domain then it's better to disallow connection from such devices, which many of the manufacturers do already.

For the PoC steps please consult contact extractor documentation

Contact Extractor attack

The vehicle IVI system allows a physical adversary to extract previously shared through Bluetooth contacts. This happens due to incorrect handling of access control for newly created BT sessions for already known MAC addresses.

Examples of vulnerable cars: ExampleRenault

For the PoC steps please consult contact extractor documentation

Hardware

To test all vulnerabilities one would need to buy additional hardware:

  • ESP-WROVER-KIT-VE for Braktooth vulnerabilities
  • Nexus5 (phone) for Internalblue-based vulnerabilities. It also could be substituted by CYW20735, but an additional hardware profile would be needed and 2 exploits won't be reproducible.
  • CYW920819M2EVB-01 for BIAS, BLUR and BLUFFS attacks

Running Bluetoolkit

See https://github.com/sgxgsx/BlueToolkit/wiki for details on running BlueToolkit

License

BlueToolkit is distributed under MIT License