BlueToolkit

Extensible Bluetooth Classic vulnerability testing framework based on simple YAML DSL.

Documentation • Install • Usage • Supported Exploits • Bluetooth Classic and BLE vulnerabilities and attacks • Results • Hardware • License

---

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices.

It works by executing templated exploits one by one and verifying appropriate properties based on the template logic. The toolkit is extensible and allows new research to be added to the centralized testing toolkit. There are 43 Bluetooth exploits available in the toolkit, from known public exploits and tools to custom-developed ones.

The framework works in a Black-box fashion, but it is also possible to operate the toolkit in a Gray-box fashion. For that one needs to extend the framework and connect it to the Operating System of the target so that it would be possible to observe Bluetooth logs and guarantee no false positives.

Also, we have already used our framework and were able to find 64 new vulnerabilities in 22 cars (Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla).

We have a dedicated repository that provides various types of vulnerability templates.

In addition to that, you can use MAP Account hijack attack to elevate privileges for the already established connections or as a chain in MitM and DoS attacks.

Credit

This work has been done at Cyber Defence Campus and System Security Group at ETH Zurich.

Install BlueToolkit

BlueToolkit has 2 installation stages: general and specific module installation. The general installation downloads the code, modules and tools available in the toolkit and tries to set up modules that do not require human interaction. The specific module installation requires a human to verify that the needed hardware is connected to the device on which the toolkit is being installed.

Install

We provide 2 installation options: virtual machine or Ubuntu/Debian.

VM Installation

Prerequisites:

• Virtualbox https://www.virtualbox.org
• vagrant https://developer.hashicorp.com/vagrant/install?product_intent=vagrant

git clone https://github.com/sgxgsx/BlueToolkit --recurse-submodules
cd BlueToolkit/vagrant
vagrant up

After Installation:

• You need to allow the virtual machine to access the Bluetooth module or additional hardware through USB, which requires you to do the following:
• USB support is already switched on, that's why open VirtualBox
• Find a running virtual machine and click on "Show"
• Click on "Devices" -> "USB"
• You will be presented with multiple devices that you can switch on for the virtual machine
• Tick any device that you need (Bluetooth module, hardware, phone) or tick all devices to be sure.

Ubuntu/Debian Installation

Installation:

sudo mkdir /usr/share/BlueToolkit
sudo chown $USER:$USER /usr/share/BlueToolkit
git clone https://github.com/sgxgsx/BlueToolkit /usr/share/BlueToolkit --recurse-submodules
chmod +x /usr/share/BlueToolkit/install.sh
/usr/share/BlueToolkit/install.sh

Windows and MacOS Installation

You could try to install the toolkit on WSL or MacOS directly. Alternatively, use the VM installation option.

Specific Module Install

Virtual Machine

• Verify that the hardware is connected to the machine
• Verify that you allowed the hardware to be shown to the VM in the USB settings
• Then depending on the hardware that you need to install do the following:

vagrant ssh
cd /usr/share/BlueToolkit/installation/
ls -al

• Find a script for your hardware and execute it

./{HARDWARE}_installation.sh

Linux

• Verify that the hardware is connected to the machine
• Then depending on the hardware that you need to install do the following:

cd /usr/share/BlueToolkit/installation/
ls -la

• Then find a script for your hardware and execute it

./{HARDWARE}_installation.sh

Usage

sudo -E env PATH=$PATH bluekit -h

This will display help information for the tool. Here are all the parameters it supports.

usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...

positional arguments:
  rest

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target MAC address
  -l, --listexploits    List exploits or not
  -c, --checksetup      Check whether Braktooth is available and setup
  -ct, --checktarget    Check connectivity and availability of the target
  -ch, --checkpoint     Start from a checkpoint
  -v VERBOSITY, --verbosity VERBOSITY
                        Verbosity level
  -ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]
                        Exclude exploits, example --exclude exploit1, exploit2
  -e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...]
                        Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account
  -r, --recon           Run a recon script
  -re, --report         Create a report for a target device
  -rej, --reportjson    Create a report for a target device
  -hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
                        Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account

EXAMPLES:
Run bluekit recon:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r

Run bluekit connectivity check:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ct

Run bluekit with a specific exploit:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot

Run bluekit with specific exploits:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot au_rand_flooding internalblue_knob

Run bluekit and list all available exploits:
   $ sudo -E env PATH=$PATH bluekit -l

Documentation is available at: https://github.com/sgxgsx/BlueToolkit/wiki

Available Bluetooth Vulnerabilities and Attacks

BlueToolkit automatically downloads all vulnerability and hardware templates. BlueToolkit templates repository provides a full list of ready-to-use templates. Additionally, you can write your own templates and checks as well as add new hardware by following BlueToolkit's templating guide The YAML reference syntax is available here

We collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way. We used the following sources - ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS, and Google Scholars. Looked for the following keywords in Search Engines such as Google, Baidu, Yandex, Bing - Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework, bluetooth pentesting toolkit. We also parsed all Github repositories based on the following parameters - topic:bluetooth topic:exploit, topic:bluetooth topic:security.

Currently BlueToolkit check the following vulnerabilities and attacks:

For manual attacks refer to the documentation.

Vulnerability	Category	Type	Verification type	Hardware req.	Tested
Always pairable	Chaining	Chaining	Manual		✓
Only vehicle can initiate a connection	Chaining	Chaining	Manual		✓
Fast reboot	Chaining	Chaining	Manual		✓
SC not supported	Chaining	Info	Automated		✓
possible check for BLUR	Chaining	Info	Automated		✓
My name is keyboard	Critical	RCE	Semi-automated		✓
CVE-2017-0785	Critical	Memory leak	Automated		✓
CVE-2018-19860	Critical	Memory execution	Automated		✓
V13 Invalid Max Slot Type	DoS	DoS	Automated	✓	✓
V3 Duplicated IOCAP	DoS	DoS	Automated	✓	✓
NiNo check	MitM	MitM	Semi-automated		✓
Legacy pairing used	MitM	MitM	Automated		✓
KNOB	MitM	MiTM	Semi-automated	✓	✓
CVE-2018-5383	MitM	MiTM	Automated	✓	✓
Method Confusion attack	MitM	MiTM	Automated		✓
SSP supported <= 4.0 weak crypto or SSP at all	MitM	Info/MitM	Automated		✓
CVE-2020-24490	Critical	DoS	Automated		✓
CVE-2017-1000250	Critical	Info leak	Automated		✓
CVE-2020-12351	Critical	RCE/DoS	Automated		✓
CVE-2017-1000251	Critical	RCE/DoS	Automated		✓
V1 Feature Pages Execution	Critical	RCE/DoS	Automated	✓	✓
Unknown duplicated encapsulated payload	DoS	DoS	Automated	✓	✓
V2 Truncated SCO Link Request	DoS	DoS	Automated	✓	✓
V4 Feature Resp. Flooding	DoS	DoS	Automated	✓	✓
V5 LMP Auto Rate Overflow	DoS	DoS	Automated	✓	✓
V6 LMP 2-DH1 Overflow	DoS	DoS	Automated	✓	✓
V7 LMP DM1 Overflow	DoS	DoS	Automated	✓	✓
V8 Truncated LMP Accepted	DoS	DoS	Automated	✓	✓
V9 Invalid Setup Complete	DoS	DoS	Automated	✓	✓
V10 Host Conn. Flooding	DoS	DoS	Automated	✓	✓
V11 Same Host Connection	DoS	DoS	Automated	✓	✓
V12 AU Rand Flooding	DoS	DoS	Automated	✓	✓
V14 Max Slot Length Overflow	DoS	DoS	Automated	✓	✓
V15 Invalid Timing Accuracy	DoS	DoS	Automated	✓	✓
V16 Paging Scan Deadlock	DoS	DoS	Automated	✓	✓
Unknown wrong encapsulated payload	DoS	DoS	Automated	✓	✓
Unknown sdp unknown element type	DoS	DoS	Automated	✓	✓
Unknown sdp oversized element size	DoS	DoS	Automated	✓	✓
Unknown feature req ping pong	DoS	DoS	Automated	✓	✓
Unknown lmp invalid transport	DoS	DoS	Automated	✓	✓
CVE-2020-12352	Critical	Info leak	Automated		✓

Novel attacks

These attacks a novel/new and are tested by the framework

Vulnerability	Category	Type	Verification type	Hardware req.	Tested
Insecure NC implementation	MitM	MitM	Manual		✓
Vehicular NiNo	MitM	Info	Manual		✓
Contact Extractor	Critical	BAC	Manual		✓

Vulnerabilities to be added soon

Vulnerability	Category	Type	Verification type	Hardware req.	Tested	Scheduled to be added
BLUR	MitM	?	-	✓		✓
BIAS	MitM	?	-	✓		✓
BLUFFS	MitM	?	-	✓		✓
BlueRepli	Critical	BAC	-
CVE-2020-26555	MitM	MiTM	-

Bluetooth Vulnerabilities and Attacks

Additionally, we found the following Bluetooth Classic and Bluetooth Low Energy (BLE) vulnerabilities. The table has the following information about the attacks and vulnerabilities - name, type either implementation-specific, protocol-specific or affecting a BT profile, Bluetooth Type (BLE, BT, BT + BLE), BT versions affected, number of exploits, year released, CVE if available, CVSS if available, Hardware if required, Proof of Concept if available and additional information in the comment section with additional links or explanation.

Exp. Family	Name	Type	BT Type	BT ver	exp. #	Year	CVE	CVSS	Hardware	PoC	Link	Comment
	Qualcomm WSA8835 attck	Imp	BLE		1	2023					https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647	Improper GATT packet verification
	Auth bypass, spoofing	Imp	BLE		1	2022					https://fmsh-seclab.github.io/	Authentication Bypass by Spoofing in Tesla Keys
	unauth MITM	Prot	BLE	4.0 - 5.3	1	2022					https://www.cvedetails.com/cve/CVE-2022-25836/	Check CVE for details, relies on Method Confusion
	BLE Proximity Auth relay	Rel	BLE	4.0 - 5.3	1	2022					https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/	BLE Proximity Authentication Vulnerable to Relay Attacks
	Sniffle	Snif	BLE	4.0-5.0	1	2022			TI CC1352/CC26x2	https://github.com/nccgroup/Sniffle
	InjectaBLE	Prot	BLE	4.0 - 5.2	1	2021			nRF52840	https://github.com/RCayre/injectable-firmware	https://hal.laas.fr/hal-03193297v2/document	MITM, Send malicious packets, post-exploitation after the session was established/hijacked (Imp and model specific)
	jacknimble	Imp	BLE			2020			nRF52840	https://github.com/darkmentorllc/jackbnimble	https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf	3 exploits for specific hardware, CVE-2020-15531
	SweynTooth	Imp	BLE		12	2020			nRF52840	https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks	https://asset-group.github.io/disclosures/sweyntooth/
	BlueDoor	Prot	BLE	4.0 - 5.2	1	2020			nRF51822		http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf	MITM
	Downgrade attack	Prot	BLE	4.2 - 5.0	1	2020			TICC2640 & Adafruit Bluefruit LE Sniffe		https://www.usenix.org/system/files/sec20-zhang-yue.pdf	MITM through downgrade (SCO) CVE-2020-35473
	BLESA	Spoof	BLE		1	2020					https://www.usenix.org/system/files/woot20-paper-wu.pdf	Spoofing to establish MITM and disable encryption
SweynTooth	Cypress PSoc 4 BLE	Imp	BLE		1	2019					https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336	DoS
SweynTooth	Cypress PSoc 4 BLE	Imp	BLE		1	2019					https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061	Buffer Overflow
SweynTooth	NXP KW41Z up to 2.2.1	Imp	BLE		1	2019					https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060	BLE Link layer buffer overflow
SweynTooth	STMicroelectronics BLE Stack	Imp	BLE		1	2019					https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192	through 1.3.1 for STM32WB5x devices does not properly handle consecutive ATT requests on reception
	Co-located app BLE		BLE		1	2019				Theory	https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf	Co-located apps can get BLE data, and thus exfiltrate needed info??? can we do a relay with it?
	BleedingBit	Imp	BLE	4.2 - 5.0	1	2018					https://www.armis.com/research/bleedingbit/
	GATTacking	Prot	BLE	4.0	1	2016			CSR 8510-based USB dongle	https://github.com/securing/gattacker	https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf	MITM BLE
	Crackle	Prot	BLE	4	1	2013				https://github.com/mikeryan/crackle	https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf	crack ble encryption
Bluez	MynameIsKeyboard	Imp	BT		1	2023	CVE-2023-45866	8.8		https://github.com/marcnewlin/hi_my_name_is_keyboard	-	CVE-2023-45866, CVE-2023-45866, CVE-2023-45866
Antonioli	BLUFFS	Prot	BT	4.2-5.2	6	2023	CVE-2023-24023	6.8	CYW920819EVB-02	https://github.com/francozappa/bluffs
	-	Prot	BT		1	2022					https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777	Cross-stack illegal access attack (formal methods) + CVE-2020-26560 and CVE-2020-15802 mentioned in other entries
	BlackTooth	Prot	BT		1	2022			CYW920819EVB-02		https://dl.acm.org/doi/pdf/10.1145/3548606.3560668	1 new attack (connection stage) + KNOB and other attacks that were reused
	BLAP	Prot	BT		1	2022				Theory	https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575	Extract Link Key from the HCI dump needs physical access to the car (applicable in car sharing only)
	Blue's Clues	Prot	BT	<=5.3		2022	CVE-2022-24695	4.3	Ubertooth & USRP B210 SDR	https://github.com/TylerTucker/BluesClues	https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358	CVE-2022-24695 affects Privacy, defeats non-discoverable feature of BT/EDR
	unauth MITM	Prot	BT	1.0B-5.3	1	2022	CVE-2022-25837	7.5			https://www.cvedetails.com/cve/CVE-2022-25837/	Check CVE for details, relies on Method Confusion, CVE-2022-25837
Braktooth	BrakTooth	Imp	BT	3.0 - 5.2	16	2021	CVE-2021-28139	8.8	ESP-WROVER-KIT	https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks	https://asset-group.github.io/disclosures/braktooth/
	BleedingTooth BadChoice	Imp	BT	4.2-5.2	1	2020	CVE-2020-12352	6.5		https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq	https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html	Information leak
	BleedingTooth BadKarma	Imp	BT	5.0	1	2020	CVE-2020-12351	8.8		https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq	https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html	stack-based info leak BlueZ
	BleedingTooth BadVibes	Imp	BT	5.0+	1	2020	CVE-2020-24490	6.5		https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649	https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html	Requires BT 5.0 and higher
	Snapdragon Auto CVEs	Imp	BT		4	2020					https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703	CVE-2020-11156 Snapdragon Auto, no exploits CVE-2020-11154 CVE-2020-11155, CVE-2020-3703
	BlueRepli	Imp	BT		1	2020				No exploit so far	https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf	https://github.com/DasSecurity-HatLab/BlueRepli-Plus
	UberTooth	Snif	BT	ALL	1	2020			Ubertooth	https://github.com/greatscottgadgets/ubertooth	https://ubertooth.readthedocs.io/en/latest/	Sniffing
Antonioli	BIAS	Prot	BT	<=5.0	4	2019	CVE-2020-10135	5.4	CYW920819, possibly CYW920819M2EVB-01	https://github.com/francozappa/bias	https://francozappa.github.io/about-bias/	CVE-2020-10135
	MITM SSP BT 5.0	Prot	BT	5	1	2018					https://link.springer.com/article/10.1007/s00779-017-1081-6	passkey entry association model is vulnerable to the MITM
BlueBorne	CVE-2017-0785	Imp	BT		1	2017	CVE-2017-0785	6.5
BlueBorne	CVE-2017-1000251	Imp	BT	5	4	2017	CVE-2017-1000251	8.0		https://github.com/ArmisSecurity/blueborne	https://www.armis.com/research/blueborne/
	Lexus BT Heap Overflow	Imp	BT		1	2017	CVE-2020-5551	8.8		Theory	https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/	RCE in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured not in Japan from Oct. 2016 to Oct. 2019
	BlueEar	Snif	BT	ALL	1	2016			Ubertooth (2)	https://github.com/albazrqa/BluEar	https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf	Sniffing, extending the code of Ubertooth
	CVE-2018-19860	Imp	BT		1	2014	CVE-2018-19860	8.8	Nexus 5 (internalblue)	internalblue Nexus 5 examples		Imp. specific attacks on Broadcom chips BCM4335C0, BCM43438A1, and some other from 2012-2014 (DoS)
	NINO MITM attack	Prot	BT		2	2010			Nexus 5 (internalblue)	Theory + a PoC from internalblue + easy exploit similar to method confusion	https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082	NINO - no input no output (mitm + out-of-band mitm attacks). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4401672
	Attacks on Pairing	Prot	BT	2.1	1	2008					https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0	MITM, attack on 2.1
	Cracking Bluetooth PIN	Brute	BT		1	2005				Theory	https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf	6
	Key extraction		BT	1.0B	1	2001					https://link.springer.com/chapter/10.1007/3-540-45353-9_14	Old attack on very old version 1.0B
	BadBluetooth	Prot	BT + adj		1	2019				Theory	https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf	Too high assumptions (malicious app installed + compromised device)
BlueMirror	BlueMirror BT Mesh profile brute	Prot	BT Profile	2.1-5.2	1	2021	CVE-2020-26556	7.5				Brute-force insufficient random AuthValue in BT Mesh 1.0 and 1.0.1 to complete authentication
BlueMirror	BlueMirror BT Mesh profile brute 2	Prot	BT Profile	2.1-5.2	1	2021	CVE-2020-26557	7.5				Determine Authvalue in BT Mesh 1.0 and 1.0.1 via brute-force attack
BlueMirror	BlueMirror BT Mesh profile no brute	Prot	BT Profile	2.1-5.2	1	2021	CVE-2020-26559	8.8				Auth bypass in Mesh profile 1.0, 1.0.1, can determine authvalue and other data without brute-force
BlueMirror	BlueMirror BT Mesh profile	Prot	BT Profile	1.0B-5.2	1	2020	CVE-2020-26560	8.1			https://kb.cert.org/vuls/id/799380	CVE-2020-26560 - Auth bypass in Mesh profile 1.0, 1.0.1  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325
BlueMirror	BlueMirror Legacy pairing	Prot	BT/BLE	2.1-5.2	1	2021	CVE-2020-26555	5.4			https://kb.cert.org/vuls/id/799380	Complete pairing without knowledge of the PIN  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325     https://www.ieee-security.org/TC/SP2021/SPW2021/WOOT21/files/woot21-claverie-slides.pdf
BlueMirror	BlueMirror passkey leak	Prot	BT/BLE	2.1-5.2	1	2021	CVE-2020-26558	4.2				MitM attacker can determine passkey value through reflection of the public key (can leak passkey value 1 bit at a time)
Antonioli	BLURTooth	Prot	BT/BLE	4.2, 5.0, 5.1, 5.2	4	2020	CVE-2020-15802	5.9		https://github.com/francozappa/blur	https://hexhive.epfl.ch/BLURtooth/	CVE-2020-15802
	Fixed Coord. Inv. Attack	Imp	BT/BLE	2.1-5.2	1	2019	CVE-2018-5383		Nexus 5 (internalblue) or CY5677	internalblue Nexus 5 examples	https://biham.cs.technion.ac.il/BT/	MITM exploiting crypto (implementation/protocol attack) CVE-2018-5383
Antonioli	KNOB	Prot	BT/BLE	<=5.0	1	2019	CVE-2019-9506	8.1	Nexus 5 (internalblue)	https://github.com/francozappa/knob	https://knobattack.com/	CVE-2019-9506
	Ghost attack	Prot	BT/BLE?		2	2023					https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf	Ghost attack and group guessing attack
	Qualcomm 9206	Imp	BT/BLE?		1	2022	CVE-2022-40503	8.2			https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503	Buffer overread in A2DP profile
	Qualcomm APQ8009	Imp	BT/BLE?		1	2022	CVE-2022-40537	7.3			https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537	Memory corruption while processing AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response
	Qualcomm WSA8815	Imp	BT/BLE?		1	2022	CVE-2022-33280	7.3			https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280	Memory corruption while processing AVRCP packet
	Qualcomm WSA8835	Imp	BT/BLE?		1	2022	CVE-2022-33255	8.2			https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255	Bluetooth HOST Buffer overread while processing GetFolderItems, GetItemAttributes
	Qualcomm WSA8835	Imp	BT/BLE?		1	2022	CVE-2022-22088	9.8			https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088	Bluetooth Host Buffer overflow while processing response from remote
	SnapDragon Auto	Imp	BT/BLE?		1	2021	CVE-2021-35068	9.8			https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068	Null pointer dereference while freeing the HFP profile
	Method Confusion	Prot	BT/BLE?	2.1-5.2	1	2020	CVE-2020-10134	6.3	huge selection with different capabilities.	https://github.com/maxdos64/BThack	https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf	MITM between 2 BLE or BR/EDR devices. Strange hardware needed, CVE-2020-10134
	BlueSnarf revisited	Imp	OBEX		1	2011					https://inria.hal.science/hal-01587858/document	OBEX path traversal (FTP)

The YAML DSL reference syntax is available here.

Results from testing

We tested 22 cars from the following manufacturers and were able to find 60+ new vulnerabilities in them: Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla.

We responsibly disclosed all of the vulnerabilities. All manufacturers had time to fix the vulnerabilities but not all of them did or wanted to!

Manufacturer	Model	Year	BT version	Vuln Type	Vulnerability	Status	Comment
Audi	A5	2020	4,2	Chaining	IVI is not rebootable
Audi	A5	2020	4,2	Chaining	Not only IVI can initiate a connection
Audi	A5	2020	4,2	Chaining	Always Pairable
Audi	E-tron	2020	4,2	Chaining	IVI is not rebootable
Audi	E-tron	2020	4,2	Chaining	Not only IVI can initiate a connection
Audi	E-tron	2020	4,2	Chaining	Always Pairable
BMW	X2	2021	4	Chaining	IVI is not rebootable
BMW	X2	2021	4	Chaining	Not only IVI can initiate a connection
BMW	X2	2021	4	Chaining	SC not supported
Chevrolet	Corvette	2018	3	Chaining	IVI is not rebootable
Chevrolet	Corvette	2018	3	Chaining	Not only IVI can initiate a connection
Chevrolet	Corvette	2018	3	Chaining	SC not supported
Honda	e	2020	5	Chaining	IVI is not rebootable
Honda	e	2020	5	Chaining	Not only IVI can initiate a connection
Honda	e	2020	5	Chaining	Always Pairable
Hyundai	Kona	2022	5	Chaining	IVI is not rebootable
Hyundai	Kona	2022	5	Chaining	Not only IVI can initiate a connection
Hyundai	Kona	2022	5	Chaining	SC not supported
Hyundai	Kona	2022	5	Chaining	Always Pairable
Mercedes-Benz	Sprinter 316CDI	2021	4,2	Chaining	IVI is not rebootable
Mercedes-Benz	Sprinter 316CDI	2021	4,2	Chaining	Not only IVI can initiate a connection
Mercedes-Benz	Sprinter 316CDI	2021	4,2	Chaining	SC not supported
Mini	Cooper S	2022	5	Chaining	IVI is not rebootable
Mini	Cooper S	2022	5	Chaining	Not only IVI can initiate a connection
Mini	Cooper S	2022	5	Chaining	SC not supported
Opel	Astra	2019	4,1	Chaining	IVI is not rebootable
Opel	Astra	2019	4,1	Chaining	SC not supported
Polestar	Polestar 2	2022	4,2	Chaining	SC not supported		Not fully tested!
Renault	Megane	2016	2,1	Chaining	IVI is not rebootable
Renault	Megane	2016	2,1	Chaining	Not only IVI can initiate a connection
Renault	Megane	2016	2,1	Chaining	SC not supported
Renault	Megane	2021	4,2	Chaining	IVI is not rebootable
Renault	Megane	2021	4,2	Chaining	Not only IVI can initiate a connection
Renault	Megane	2021	4,2	Chaining	SC not supported
Renault	ZOE	2021	4,2	Chaining	IVI is not rebootable
Renault	ZOE	2021	4,2	Chaining	Not only IVI can initiate a connection
Renault	ZOE	2021	4,2	Chaining	SC not supported
Skoda	Octavia	2015	3	Chaining	IVI is not rebootable		Not fully tested!
Skoda	Octavia	2015	3	Chaining	SC not supported		Not fully tested!
Skoda	Octavia	2019	3	Chaining	SC not supported		Not fully tested!
Skoda	Octavia	2022	4,2	Chaining	Not only IVI can initiate a connection
Skoda	Octavia	2022	4,2	Chaining	Always Pairable
Toyota	Corolla	2023	5,1	Chaining	Not only IVI can initiate a connection
VW	Caddy	2023	4,2	Chaining	IVI is not rebootable
VW	Caddy	2023	4,2	Chaining	Not only IVI can initiate a connection
VW	Caddy	2023	4,2	Chaining	Always Pairable
VW	ID.3	2022	4,2	Chaining	Not only IVI can initiate a connection
VW	ID.3	2022	4,2	Chaining	Always Pairable
VW	T6.1	2021	4,1	Chaining	IVI is not rebootable
VW	T6.1	2021	4,1	Chaining	Not only IVI can initiate a connection
VW	T6.1	2021	4,1	Chaining	SC not supported
VW	T6.1	2021	4,1	Chaining	Always Pairable
Opel	Astra	2019	4,1	Critical	CVE-2018-19860	Fixed in new versions
Renault	Megane	2021	4,2	Critical	Contact extractor	Unknown
Renault	ZOE	2021	4,2	Critical	Contact extractor	Unknown
Skoda	Octavia	2015	3	Critical	CVE-2018-19860	Acknowledged. Working on a fix	Not fully tested!
Skoda	Octavia	2015	3	Critical	Contact extractor	Acknowledged. Working on a fix	Not fully tested!
VW	T6.1	2021	4,1	Critical	Contact extractor	Acknowledged. Working on a fix
Audi	A5	2020	4,2	DoS	invalid_max_slot	Acknowledged. Working on a fix	(probably known) (Broadcom - Cypress)
BMW	X2	2021	4	DoS	au_rand_flooding	Acknowledged. Fixed in new hardware
BMW	X2	2021	4	DoS	truncated_sco_request	Acknowledged. Fixed in new hardware	(unknown) Texas Instruments
BMW	X2	2021	4	DoS	invalid_timing_accuracy	Acknowledged. Fixed in new hardware	(unknown) Texas Instruments
Chevrolet	Corvette	2018	3	DoS	lmp_overflow_2dh1	Unknown	(unknown) (Qualcomm)
Chevrolet	Corvette	2018	3	DoS	invalid_timing_accuracy	Unknown	(known WCN3990) (Qualcomm)
Mercedes-Benz	Sprinter 316CDI	2021	4,2	DoS	invalid_max_slot	Unknown	(unknown) Marvell Technology
Mini	Cooper S	2022	5	DoS	au_rand_flooding	Acknowledged. Fixed in new hardware
Mini	Cooper S	2022	5	DoS	lmp_auto_rate_overflow	Acknowledged. Fixed in new hardware	False positive probably - recovered after 40 seconds
Opel	Astra	2019	4,1	DoS	lmp_overflow_dm1	Acknowledged. But might be discarded?	(unknown) (chip problem Cypress)
Opel	Astra	2019	4,1	DoS	invalid_timing_accuracy	Acknowledged. But might be discarded?	(unknown) (chip problem Cypress)
Opel	Astra	2019	4,1	DoS	truncated_lmp_accepted	Acknowledged. But might be discarded?	(unknown) (chip problem Cypress)
Polestar	Polestar 2	2022	4,2	DoS	duplicated_encapsulated_payload	Acknowledged. Had problems reproducing	Not fully tested! (unknown) (Qualcomm)
Renault	Megane	2016	2,1	DoS	invalid_timing_accuracy	Unknown	Might be a false positive as this is the data from the first run !!!!!
Renault	Megane	2021	4,2	DoS	au_rand_flooding	Unknown	(unknown) (Marvell Technology)
Renault	Megane	2021	4,2	DoS	lmp_invalid_transport	Unknown	(unknown) (Marvell Technology)
Renault	Megane	2021	4,2	DoS	lmp_max_slot_overflow	Unknown	(unknown) (Marvell Technology)
Renault	Megane	2021	4,2	DoS	invalid_max_slot	Unknown	(unknown) (Marvell Technology)
Renault	Megane	2021	4,2	DoS	truncated_sco_request	Unknown	(unknown) (Marvell Technology)
Renault	Megane	2021	4,2	DoS	sdp_unknown_element	Unknown	(unknown) (Marvell Technology)
Renault	Megane	2021	4,2	DoS	duplicated_encapsulated_payload	Unknown	(unknown) (Marvell Technology)
Renault	ZOE	2021	4,2	DoS	invalid_max_slot	Unknown
Toyota	Corolla	2023	5,1	DoS	feature_req_ping_pong	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Toyota	Corolla	2023	5,1	DoS	wrong_encapsulated_payload	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Toyota	Corolla	2023	5,1	DoS	duplicated_iocap	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Toyota	Corolla	2023	5,1	DoS	lmp_overflow_dm1	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Toyota	Corolla	2023	5,1	DoS	sdp_oversized_element_size	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Toyota	Corolla	2023	5,1	DoS	duplicated_encapsulated_payload	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Toyota	Corolla	2023	5,1	DoS	invalid_max_slot	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Toyota	Corolla	2023	5,1	DoS	invalid_timing_accuracy	Acknowledged	Marvell technology chip has an actual vulnerability (unknown before)
Audi	A5	2020	4,2	MitM	Insecure NC implementation	Acknowledged. Fixing in a new firmw. version
Audi	A5	2020	4,2	MitM	KNOB	Acknowledged. Fixing in a new firmw. version
Audi	E-tron	2020	4,2	MitM	Insecure NC implementation	Acknowledged. Fixing in a new firmw. version
BMW	X2	2021	4	MitM	NiNo	Acknowledged. Working on a fix
BMW	X2	2021	4	MitM	CVE-2018-5383	Acknowledged. Not fixing, fixed in new hardw.
BMW	X2	2021	4	MitM	Insecure NC implementation	Acknowledged. Working on a fix
BMW	X2	2021	4	MitM	E0 Algorithm is used (due to BT vers)	Acknowledged. Working on a fix
Chevrolet	Corvette	2018	3	MitM	KNOB	Unknown
Chevrolet	Corvette	2018	3	MitM	E0 Algorithm is used (due to BT vers)	Unknown
Honda	e	2020	5	MitM	NiNo	Acknowledged
Honda	e	2020	5	MitM	Insecure NC implementation	Acknowledged
Honda	e	2020	5	MitM	KNOB	Acknowledged
Honda	e	2020	5	MitM	Vehicular NiNo	Acknowledged
Hyundai	Kona	2022	5	MitM	Insecure NC implementation	Unknown
Mini	Cooper S	2022	5	MitM	NiNo	Acknowledged. Working on a fix
Mini	Cooper S	2022	5	MitM	Insecure NC implementation	Acknowledged. Working on a fix
Renault	Megane	2016	2,1	MitM	NiNo	Unknown
Renault	Megane	2016	2,1	MitM	CVE-2018-5383	Unknown
Renault	Megane	2016	2,1	MitM	KNOB	Unknown
Renault	Megane	2016	2,1	MitM	Legacy Pairing enabled	Unknown	code 0000
Renault	Megane	2016	2,1	MitM	E0 Algorithm is used (due to BT vers)	Unknown
Renault	Megane	2016	2,1	MitM	SSP not supported	Unknown
Renault	Megane	2021	4,2	MitM	Insecure NC implementation	Unknown
Renault	Megane	2021	4,2	MitM	NiNo	Unknown	Might have been marked as vulnerable due to Vehicular NiNo (should be checked independently)
Renault	Megane	2021	4,2	MitM	Vehicular NiNo	Unknown
Renault	ZOE	2021	4,2	MitM	NiNo	Unknown	Might have been marked as vulnerable due to Vehicular NiNo (should be checked independently)
Renault	ZOE	2021	4,2	MitM	Insecure NC implementation	Unknown
Renault	ZOE	2021	4,2	MitM	Vehicular NiNo	Unknown
Skoda	Octavia	2015	3	MitM	KNOB	Acknowledged.	Not fully tested!
Skoda	Octavia	2015	3	MitM	E0 Algorithm is used (due to BT vers)	Acknowledged.	Not fully tested!
Skoda	Octavia	2019	3	MitM	KNOB	Acknowledged.	Not fully tested!
Skoda	Octavia	2019	3	MitM	E0 Algorithm is used (due to BT vers)	Acknowledged.	Not fully tested!
Tesla	Model Y	2023	5,2	MitM	Vehicular NiNo	Not fixing. Usability feature
VW	ID.3	2022	4,2	MitM	Vehicular NiNo	Acknowledged. Fixing in a new firmw. version
VW	T6.1	2021	4,1	MitM	KNOB	Acknowledged. Fixing in a new firmw. version
VW	T6.1	2021	4,1	MitM	NiNo	Acknowledged. Fixing in a new firmw. version
VW	T6.1	2021	4,1	MitM	Vehicular NiNo	Acknowledged. Fixing in a new firmw. version
VW	T6.1	2021	4,1	MitM	CVE-2018-5383	Acknowledged. Fixing in a new firmw. version
Tesla	Model Y	2023	5,2		Accidental crash (on BT connection)	Not reproduced

Novel Attacks

Insecure NC Implementation

The IVI system does not properly implement the Numeric Comparison authentication protocol as in the core specification of the Bluetooth which makes a link to be non-authenticated and thus vulnerable to the NiNo, Method Confusion and custom MitM attacks.

There are 3 possible variations:

1. The IVI/device doesn't require a confirmation for pairing (e.g. no button to confirm the pairing) (Renault, Hyundai cars)
2. The static number is always shown. (BMW, Mini cars)
3. The IVI shows a pairing window without a pairing number to compare. (Audi)

There are 2 possible reasons:

1. State problem
2. Design problem

In case of the state problem an adversary needs to connect to the IVI(other device) with a capability other than DisplayYesNo and the IVI should try to execute a broken Numeric Comparison and not Passkey or Just Works.

In case of a design problem, one simply needs to observe the pairing process and what is required of a used on a target device (IVI).

Examples of vulnerable cars:

For the PoC steps please consult contact extractor documentation

Vehicular NiNo

The vehicle allows connections to a device with no input or output capabilities. According to the specification if one of the devices has a NoInputNoOutput capability, then the pairing mode used is named Just Works and such a link should be considered unauthenticated and vulnerable to MitM attacks. This results in an adjacent adversary being able to execute a practical attack and establish a MitM position.

Important distinction: In this case, the vehicle doesn't allow NoInputNoOutput devices to initiate a connection to the IVI, but fails to check the same for a connection initiated by the IVI. The attack window is smaller than in a usual NiNo attack but still exists.

Note on NiNo devices in the vehicular domain: In the vehicular domain, the usage of NiNo devices such as headphones is not frequent if legal at all while driving. When it comes to the smartphone domain a connection to such devices is considered a feature and a usability trade-off to enable wireless headphones for example. As such a use-case is not present in the vehicular domain then it's better to disallow connection from such devices, which many of the manufacturers do already.

For the PoC steps please consult contact extractor documentation

Contact Extractor attack

The vehicle IVI system allows a physical adversary to extract previously shared through Bluetooth contacts. This happens due to incorrect handling of access control for newly created BT sessions for already known MAC addresses.

Examples of vulnerable cars:

For the PoC steps please consult contact extractor documentation

Hardware

To test all vulnerabilities one would need to buy additional hardware:

• ESP-WROVER-KIT-VE for Braktooth vulnerabilities
• Nexus5 (phone) for Internalblue-based vulnerabilities. It also could be substituted by CYW20735, but an additional hardware profile would be needed and 2 exploits won't be reproducible.
• CYW920819M2EVB-01 for BIAS, BLUR and BLUFFS attacks

Running Bluetoolkit

See https://github.com/sgxgsx/BlueToolkit/wiki for details on running BlueToolkit

License

Shield:

BlueToolkit is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

For inquiries contact at https://linktr.ee/schwytz