A Comprehensive Analysis Report of BlueBorne Attacks Based on Bluetooth Protocol Vulnerabilities

Posted by barkins at 2020-03-01

1、 Overview

With the arrival of the Internet of Things era, the number of devices that communicate over the Bluetooth protocol keeps growing. The IoT security company Armis Labs recently disclosed an attack vector named BlueBorne, claiming that in certain scenarios an attacker can chain a series of Bluetooth-related security vulnerabilities to take control of remote devices with Bluetooth enabled, steal victim data, carry out man-in-the-middle (MITM) attacks and, once one device is infected, spread to other devices in a worm-like fashion. This attack does not require any authentication or authorization from the user, which makes it particularly harmful. For this reason, the Antiy Microelectronics and Embedded Security Lab and Antiy Mobile Security formed a joint analysis team to examine the whole attack process in detail and summarize the threat.

2、 Attack context

The Bluetooth protocol is widely used for short- and medium-range wireless communication. However, because its specification is huge, its architecture complex and its functional modules numerous, and because some functions are left for manufacturers to customize, many Bluetooth devices do not use a relatively secure encrypted communication mode. In addition, some devices cannot carry out a proper identity authentication process because of their own nature (for example, a Bluetooth headset cannot implement the "key input" security mode because it has no keyboard interface). These are the two direct causes of this Bluetooth security threat.

The attack first requires the Bluetooth address of the target device. Because many users habitually leave Bluetooth switched on, it is easy for an attacker to scan for and obtain the address. In addition, on mobile phones, computers and similar devices the Bluetooth address is very close to, or identical with, the WiFi address, so an attacker can infer the address of the target Bluetooth device by sniffing wireless network packets.

Unlike other drivers, each operating system has only one Bluetooth protocol stack, so a vulnerability discovered in that stack affects every device built on that system.

3、 Security vulnerabilities

Figure 3.1 shows the main modules of the Bluetooth protocol stack and where the vulnerabilities of this security threat sit within them:

Figure 3.1 vulnerability distribution

CVE-2017-1000251 is an RCE (remote code execution) vulnerability in the Linux kernel. An attacker can exploit this overflow by sending malformed packets to the L2CAP layer of the Bluetooth stack, maliciously configuring the target device and preparing the ground for the next stage of the attack.

CVE-2017-1000250 is an information disclosure vulnerability in Linux BlueZ (the Bluetooth protocol stack). Because of a flaw in the protocol's design specification, the SDP continuation state handled by the SDP module can be fully controlled by the attacker on some Linux and Android systems; building on the kernel overflow vulnerability above, this allows further heap overflow attacks.

CVE-2017-0785 is an Android information disclosure vulnerability similar to the one in Linux BlueZ. By exploiting an integer overflow in the record count handled by the SDP server, an attacker can repeatedly send requests to an Android device in "continuation mode", bypassing the count check and defeating the ASLR (address space layout randomization) protection mechanism.

The SSP (Secure Simple Pairing) security mode introduced in the Bluetooth protocol provides the following four authentication methods (shown in Figure 3.2):

Figure 3.2 SSP authentication methods

Because many Bluetooth devices, or the remote devices they connect to, have neither an external input interface nor display capability, they adopt the "compare only, no confirmation" method, which cannot carry out a reliable identity authentication process. When attacking a device running Android (certain versions are affected), the scenario is that the target device can display and accept input while the attacker's device declares that it can do neither (the attacker can construct this state himself). The attacker can therefore remotely initiate a connection request that requires no interaction from the target device's user, then establish the connection and communicate. For devices running Windows (certain versions are affected), the attacker applies the same principle, initiating a connection request of the type "no input and display capability, no MITM (man-in-the-middle) protection required", and then completes authentication and subsequent communication. Because the attacker has completed authentication, and because Bluetooth holds the highest privilege in almost all operating systems, the attacker can access many high-privilege services and take further control of the target device.
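As an added illustration that is not part of the original report, the following C code encodes the SSP association-model selection from the Bluetooth Core Specification (Vol 3, Part C, Table 5.7; the OOB method is omitted) together with a defensive policy check: whenever either side declares NoInputNoOutput the result is Just Works, which carries no MITM protection, so a stack that grants privileged services over such a pairing should refuse it rather than trust the peer's self-declared capabilities. The enum names, the pairing_allowed() policy function and the scenario in main() are this example's own assumptions, not code from any vendor's stack.

```c
#include <stdbool.h>
#include <stdio.h>

/* SSP IO capabilities as declared by each side during pairing
 * (Bluetooth Core Spec, Vol 3 Part C). */
typedef enum {
    IO_DISPLAY_ONLY = 0,
    IO_DISPLAY_YES_NO = 1,
    IO_KEYBOARD_ONLY = 2,
    IO_NO_INPUT_NO_OUTPUT = 3
} io_cap_t;

typedef enum {
    SSP_JUST_WORKS = 0,         /* unauthenticated: no MITM protection */
    SSP_NUMERIC_COMPARISON = 1, /* authenticated: MITM protection */
    SSP_PASSKEY_ENTRY = 2       /* authenticated: MITM protection */
} ssp_method_t;

/* Association model selected from both sides' IO capabilities
 * (Core Spec Vol 3 Part C, Table 5.7; OOB is not modelled here). */
ssp_method_t ssp_select_method(io_cap_t initiator, io_cap_t responder)
{
    /* A single NoInputNoOutput side forces Just Works, whatever the other side can do. */
    if (initiator == IO_NO_INPUT_NO_OUTPUT || responder == IO_NO_INPUT_NO_OUTPUT)
        return SSP_JUST_WORKS;
    if (initiator == IO_DISPLAY_YES_NO && responder == IO_DISPLAY_YES_NO)
        return SSP_NUMERIC_COMPARISON;
    if (initiator == IO_KEYBOARD_ONLY || responder == IO_KEYBOARD_ONLY)
        return SSP_PASSKEY_ENTRY;
    /* Remaining combinations: DisplayOnly with DisplayOnly or DisplayYesNo. */
    return SSP_JUST_WORKS;
}

bool ssp_method_has_mitm_protection(ssp_method_t m)
{
    return m != SSP_JUST_WORKS;
}

/* Defensive policy (hypothetical, not from any real stack): a pairing that
 * will expose a privileged service must not proceed over Just Works. */
bool pairing_allowed(io_cap_t local, io_cap_t peer, bool service_requires_mitm)
{
    ssp_method_t m = ssp_select_method(peer, local); /* the peer initiates */
    if (service_requires_mitm && !ssp_method_has_mitm_protection(m))
        return false;
    return true;
}

int main(void)
{
    static const char *names[] = {"DisplayOnly", "DisplayYesNo", "KeyboardOnly", "NoInputNoOutput"};
    static const char *methods[] = {"Just Works (no MITM protection)", "Numeric Comparison", "Passkey Entry"};
    /* Constructed scenario: the victim phone can display and confirm; the peer
     * declares each capability in turn, including "no input, no output". */
    io_cap_t victim = IO_DISPLAY_YES_NO;
    for (int peer = IO_DISPLAY_ONLY; peer <= IO_NO_INPUT_NO_OUTPUT; peer++) {
        ssp_method_t m = ssp_select_method((io_cap_t)peer, victim);
        printf("peer=%-16s victim=%-13s -> %s; privileged pairing %s\n",
               names[peer], names[victim], methods[m],
               pairing_allowed(victim, (io_cap_t)peer, true) ? "allowed" : "refused");
    }
    return 0;
}
```

The loop shows that a peer claiming NoInputNoOutput is the only declaration that drags a display-capable victim down to Just Works; the policy function is where a stack decides that this is not good enough for services that can read files or inject input.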

BNEP (Bluetooth Network Encapsulation Protocol) uses Bluetooth to provide network sharing (for example, a computer on a wired network can create its own hotspot and enable Bluetooth so that a mobile phone can connect to it over Bluetooth and share its network). It prepends a header to each packet, and that header can carry additional control instructions. This protocol layer also supports the construction of a PAN (personal area network) and provides the corresponding traffic control functions.

CVE-2017-0781 is an Android RCE vulnerability. Because of a logic error in the message-processing code of the BNEP service on Android, once an 8-byte heap overflow is triggered, the size of the subsequent buffer fill is unbounded.

CVE-2017-0782 is an Android RCE vulnerability. The BNEP service on Android has an integer overflow in a record length value in the code that processes control frame packets, and the subsequent code does not strictly check that value or its limits. This vulnerability can be used to bypass the MTU (maximum transmission unit) size limit during packet transmission.

These two vulnerabilities allow an attacker to establish a BNEP connection on the basis of the earlier vulnerabilities, then use the heap overflow triggered by control instructions to execute remote code. Through the malicious code run via the vulnerability, with the service's privileges, the attacker can access the phone's file system (phonebook, documents, photos, etc.), and can also connect to the target device while emulating a keyboard, mouse or other input device to achieve deeper control. The attacker can even set up his own agent so that the intrusion spreads, worm-like, to other devices through the Bluetooth interface.
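The lesson common to both BNEP defects is that a length value supplied by the peer must be checked against the bytes actually received before it is used to size a copy or to advance through the frame. The following C code, added here as an illustration and not taken from Android's BNEP implementation, parses a BNEP Setup Connection Request control frame (BNEP type 0x01 in the low seven bits of the first byte, extension flag in bit 7, control type 0x01, a UUID size byte, then destination and source service UUIDs, optionally followed by extension headers of the form type/length/data) with every length validated against the remaining buffer. The frame layout follows the BNEP 1.0 specification; the function names, return codes and sample frames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BNEP_EXT_FLAG       0x80  /* bit 7: extension headers follow */
#define BNEP_TYPE_MASK      0x7f  /* bits 0-6: BNEP packet type */
#define BNEP_TYPE_CONTROL   0x01
#define BNEP_CTRL_SETUP_REQ 0x01  /* BNEP_SETUP_CONNECTION_REQUEST_MSG */

typedef struct {
    uint8_t uuid_size;   /* 2, 4 or 16, the only sizes the spec defines */
    uint8_t dst_uuid[16];
    uint8_t src_uuid[16];
    unsigned ext_count;  /* extension headers that followed the control payload */
} bnep_setup_req_t;

/* Returns 0 on success, a negative code on a malformed frame. Every length the
 * peer supplies is checked against the bytes received before any copy or skip. */
int bnep_parse_setup_request(const uint8_t *buf, size_t len, bnep_setup_req_t *out)
{
    size_t off = 0;
    if (len < 3) return -1;                              /* header, ctrl type, uuid size */
    uint8_t hdr = buf[off++];
    if ((hdr & BNEP_TYPE_MASK) != BNEP_TYPE_CONTROL) return -2;
    if (buf[off++] != BNEP_CTRL_SETUP_REQ) return -3;
    uint8_t usz = buf[off++];
    if (usz != 2 && usz != 4 && usz != 16) return -4;    /* reject undefined UUID sizes */
    if (len - off < (size_t)usz * 2) return -5;          /* both UUIDs must be present */
    memset(out, 0, sizeof *out);
    out->uuid_size = usz;
    memcpy(out->dst_uuid, buf + off, usz); off += usz;   /* copy is bounded by usz <= 16 */
    memcpy(out->src_uuid, buf + off, usz); off += usz;

    /* Optional extension headers: [more|type][length][data ...] */
    bool more = (hdr & BNEP_EXT_FLAG) != 0;
    while (more) {
        if (len - off < 2) return -6;                    /* type and length bytes missing */
        uint8_t etype = buf[off++];
        uint8_t elen = buf[off++];
        if (len - off < elen) return -7;                 /* declared length exceeds frame */
        off += elen;                                     /* payload skipped, never copied blindly */
        out->ext_count++;
        more = (etype & BNEP_EXT_FLAG) != 0;
    }
    return 0;
}

/* Constructed sample frames (not captured traffic). 0x1116 = NAP, 0x1115 = PANU. */
static const uint8_t SAMPLE_OK[]            = {0x01, 0x01, 0x02, 0x11, 0x16, 0x11, 0x15};
static const uint8_t SAMPLE_TRUNCATED[]     = {0x01, 0x01, 0x10, 0x00, 0x00};
static const uint8_t SAMPLE_BAD_UUID_SIZE[] = {0x01, 0x01, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_EXT_OVERLONG[]  = {0x81, 0x01, 0x02, 0x11, 0x16, 0x11, 0x15, 0x00, 0x20, 0x00};
static const uint8_t SAMPLE_EXT_OK[]        = {0x81, 0x01, 0x02, 0x11, 0x16, 0x11, 0x15, 0x00, 0x01, 0xAA};

/* Convenience wrappers so the results can be checked by name. */
int bnep_parse_sample(const uint8_t *f, size_t n)
{
    bnep_setup_req_t r;
    return bnep_parse_setup_request(f, n, &r);
}

unsigned bnep_sample_ext_count(const uint8_t *f, size_t n)
{
    bnep_setup_req_t r;
    return bnep_parse_setup_request(f, n, &r) == 0 ? r.ext_count : 0;
}

int main(void)
{
    const uint8_t *samples[] = {SAMPLE_OK, SAMPLE_TRUNCATED, SAMPLE_BAD_UUID_SIZE,
                                SAMPLE_EXT_OVERLONG, SAMPLE_EXT_OK};
    size_t sizes[] = {sizeof SAMPLE_OK, sizeof SAMPLE_TRUNCATED, sizeof SAMPLE_BAD_UUID_SIZE,
                      sizeof SAMPLE_EXT_OVERLONG, sizeof SAMPLE_EXT_OK};
    for (size_t i = 0; i < 5; i++) {
        bnep_setup_req_t req;
        int rc = bnep_parse_setup_request(samples[i], sizes[i], &req);
        printf("sample %zu: rc=%d", i, rc);
        if (rc == 0)
            printf(" uuid_size=%u dst=%02x%02x src=%02x%02x ext=%u", req.uuid_size,
                   req.dst_uuid[0], req.dst_uuid[1], req.src_uuid[0], req.src_uuid[1], req.ext_count);
        putchar('\n');
    }
    return 0;
}
```

Feeding the parser a frame whose UUID size or extension length exceeds what was received returns an error before any copy or pointer advance takes place; that is exactly the kind of check whose absence the two BNEP vulnerabilities above describe.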

CVE-2017-0783 (Android) and CVE-2017-8628 (Windows) are information disclosure vulnerabilities. An attacker can build a self-organized PAN, set himself up as the NAP (network access point), and then run a DHCP (Dynamic Host Configuration Protocol) server to construct a malicious relay for a MITM attack. In addition, the PAN protocol document has not been updated since 2003 and is still at v1.0, which leaves it lacking in security.

Because some functions of the Bluetooth protocol, including certain core functions, may be customized by manufacturers, Apple has defined a variety of its own rules and layered them on the L2CAP protocol layer, in effect developing its own proprietary Bluetooth protocol. This protocol forbids the "just works" mode, which needs no user interaction for authentication, and the establishment of connections to some services unless the user authorizes them, which greatly reduces the attack surface. However, embedding various custom protocols also introduces security risks: in the design based on Apple's proprietary "pipe dream" protocol, code reuse creates a new attack surface.

CVE-2017-14315 is an Apple RCE vulnerability. LEAP (Low Energy Audio Protocol), which carries voice control commands over Bluetooth Low Energy, has a logic flaw in its verification of the message source. The default length of an incoming control command is 104 (0x68) bytes; lax verification of the incoming command size can lead to a heap overflow, allowing remote code execution in the iOS Bluetooth protocol stack.

4、 Scope of impact

According to the analysis, the following operating system versions are affected:

Linux: Linux kernel 3.3-rc1 to Linux kernel 4.13.1;

Windows: Microsoft Windows Server 2016, Windows Server 2008 SP2, Windows RT 8.1, Windows 8.1, Windows 7 SP1, Microsoft Windows 10, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703;

Android: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0;

iOS: iPhone, iPad and iPod on iOS 9.3.5 and below; Apple TV 7.2.2 and below (iOS 10 release).

The Bluetooth authentication mechanism in the following security mode is affected:

Just works: compare-only authentication mode without confirmation.

Note: Bluetooth headsets and other Bluetooth devices based on other systems are in principle not affected and can be used normally. However, the attacker will disguise his own device as a Bluetooth peripheral that supports only the "just works" mode in order to connect to the victim's computer or mobile phone (where the target user runs one of the systems above); this requires no interaction with the user, and the connection is made without the user's knowledge.

5、 Security recommendations

1. Upgrade the system to the latest version and install the released patches promptly. For users with high security requirements, if the corresponding system update or patch has not yet been released, it is recommended to wait for it before using Bluetooth devices (Android 8.1 will be released on October 4);

2. In daily use, turn Bluetooth off when it is not needed (this combined attack cannot be carried out while Bluetooth is off);

3. Because Bluetooth is a short- and medium-range wireless communication protocol, it is not recommended to use Bluetooth devices in public places or other untrusted settings before updates and patches are installed;

4. It is strongly recommended not to use Bluetooth network sharing (including BNEP and PAN);

5. Other advice: when faced with a device that has no external input or display functions (i.e. a device whose default authentication mode is "just works", such as some Bluetooth headsets or Bluetooth mice), do not actively connect to it if you cannot trust it or cannot determine whether it is safe (for example, the Bluetooth audio device in a roadside coffee shop).

6、 Antiy's research

Antiy has long paid attention to emerging threats in hardware peripherals, radio signals and related fields, and to the security of short- and medium-range wireless communication. In 2004, Antiy established its Microelectronics and Embedded Security Laboratory, which has carried out extensive research into 2.4 GHz wireless signals, Bluetooth, industrial short-range protocols, timing signals and more. Over the years some of these results have been presented in talks at XCon, ISF, XDef and other important industry conferences, drawing the attention of relevant enterprises and organizations to IoT security threats. Antiy Mobile Security has done extensive research on IoT security areas such as the Internet of Vehicles and has provided internal research reports to the competent authorities.

At the recent XCon security summit, engineers from Antiy's microelectronics and embedded lab presented the security mechanisms of Bluetooth 4.0 communication and the construction of a machine-learning prediction model. Taking the Bluetooth 4.0 communication process as an example, they tracked the frequency hopping with radio equipment and captured and decrypted the keystrokes sent by a Bluetooth keyboard; the encrypted traffic, the recovered plaintext and the traffic characteristics recorded at the same time were then compared and analyzed, revealing the relationship between the three and the information disclosure threat it can bring, with a simple demonstration of the security risk.

Figure 6.1 research on peripheral equipment, short-range communication and other related fields
