Bluetooth insecurity : known attacks and L2CAP testing

Pierre BETOUIN - pierre _dot_ betouin _at_ security-labs _dot_ org

Page last updated: Fri Feb 03 10:15 GMT 2006


Recently, Bluetooth security has become a new source of interest for many people involved in IT security. Although neglected until now, in particular because of Bluetooth's short range, it concerns more and more people: almost every device manufactured nowadays has native Bluetooth support: cellular phones, laptops, digital assistants, cameras...
Advances in mobility allow almost all users to get an instant connection wherever they want, whenever they need it, to check mail, chat, or link their devices together (headsets, GPS systems, and so on). This unquestionably creates new security threats. If security was still obscure to many people a few years ago, it should now be considered by everyone owning a wireless-capable device (802.11, Bluetooth...).
Who wouldn't care about getting huge phone bills, revealing their address book or calendar to anyone, or being owned while walking in the street or drinking a coffee in a pub?

The Trifinite group was the first to reveal Bluetooth attacks, such as BlueBug or BlueSnarf.
This paper describes existing attacks and introduces a new way to assess Bluetooth-enabled devices using a low-level fuzzer. Security on such devices is indeed very difficult to estimate because of the use of proprietary technologies. Security analysis can be led using reverse engineering techniques (disassembly, for instance), but fuzzing remains the quickest and easiest way to "stress" Bluetooth implementations.
An exhaustive analysis cannot be achieved with the fuzzer presented below: deeper studies would require complete disassembly work, but I have been really astonished by the number of devices crashing or presenting irrational behaviours.

BSS (Bluetooth Stack Smasher) is an L2CAP layer fuzzer, distributed under the GPL licence. The current version is 0.6.
BSS requires the standard Bluetooth library.


BSS Usage

Usage: ./bss [-s size] [-m mode] [-p pad_byte for modes 1-11] [-M maxcrash]
Modes :
 0  All modes listed below
 1  L2CAP_COMMAND_REJ
 2  L2CAP_CONN_REQ
 3  L2CAP_CONN_RSP
 4  L2CAP_CONF_REQ
 5  L2CAP_CONF_RSP
 6  L2CAP_DISCONN_REQ
 7  L2CAP_DISCONN_RSP
 8  L2CAP_ECHO_REQ
 9  L2CAP_ECHO_RSP
10  L2CAP_INFO_REQ
11  L2CAP_INFO_RSP
12  L2CAP Random Fuzzing (-s: max_size) (-M: crashcount)


BSS Example

./bss -s 100 -m 12 -M 0 XX:XX:XX:XX:XX:XX

This example sends short random packets (mode 12, maximum size set to 100 bytes) in an infinite loop (-M 0).
More information about BSS usage is available in the README file.
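As an added illustration from the implementation side (example code written for this page, not part of BSS, BlueZ or any real stack), the following hypothetical C check walks the L2CAP signaling commands that the modes above exercise and rejects frames whose length fields do not match the bytes actually received; the sample frames are constructed, not captured from a device.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical defensive parser (added example, not part of BSS): walks the
 * L2CAP signaling commands (CID 0x0001) inside one basic L2CAP frame and
 * rejects any frame whose length fields disagree with the bytes actually
 * present. Inconsistent lengths are exactly what modes 1-12 throw at a stack. */

#define L2CAP_CID_SIGNALING 0x0001
#define L2CAP_CMD_MIN 0x01   /* L2CAP_COMMAND_REJ */
#define L2CAP_CMD_MAX 0x0B   /* L2CAP_INFO_RSP */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of well-formed signaling commands in the frame,
 * or -1 if any header or length field is inconsistent. */
int l2cap_sig_validate(const uint8_t *frame, size_t len)
{
    if (len < 4) return -1;                    /* basic header missing */
    uint16_t plen = le16(frame);
    uint16_t cid  = le16(frame + 2);
    if (cid != L2CAP_CID_SIGNALING) return -1;
    if ((size_t)plen + 4 != len) return -1;    /* declared != actual */

    const uint8_t *p = frame + 4, *end = frame + len;
    int count = 0;
    while (p < end) {
        if (end - p < 4) return -1;            /* truncated command header */
        uint8_t code = p[0];
        uint16_t clen = le16(p + 2);
        if (code < L2CAP_CMD_MIN || code > L2CAP_CMD_MAX) return -1;
        if (clen > (size_t)(end - p - 4)) return -1; /* data overruns frame */
        p += 4 + clen;
        count++;
    }
    return count;
}

/* Constructed sample frames, not captures from a real device. */
static const uint8_t good_echo[] = {
    0x06,0x00, 0x01,0x00,             /* payload length 6, CID 1 */
    0x08, 0x01, 0x02,0x00, 0xAB,0xCD  /* ECHO_REQ, id 1, 2 data bytes */
};
static const uint8_t bad_len[] = {
    0x06,0x00, 0x01,0x00,
    0x08, 0x01, 0x20,0x00, 0xAB,0xCD  /* claims 32 data bytes, only 2 present */
};

int demo_good(void) { return l2cap_sig_validate(good_echo, sizeof good_echo); }
int demo_bad(void)  { return l2cap_sig_validate(bad_len, sizeof bad_len); }
```

A stack that applies such a check before touching command data cannot be pushed into reading past the frame by a mismatched length, which is one of the simplest reasons for the crashes the fuzzer provokes.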


Related links

Article on "Bluetooth insecurity" (French) - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )
Sony/Ericsson display reset exploit - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )
hcidump DoS advisory & proof of concept - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )