Professional Documents
Culture Documents
behaviours at the peripheral. To this end, our fuzzer mutates SDP GAP
GATT
Host Host
fields of a layer in the BLE stack and employs a particle RFCOMM SMP ATT
swarm optimization (PSO) to heuristically refine the mutation L2CAP L2CAP
LM LL
probability distribution at both dimensions of each protocol’s Controller Controller
PHY PHY
layers and each layer’s fields. Finally, our framework validates
any response from a peripheral on-the-fly according to a set (a) Classic (b) BLE
of expected packets in each protocol state. This enables it to Figure 1: The Stacks of Bluetooth Classic and BLE
detect security issues beyond crashes, e.g., security bypass.
Our framework distinguishes itself from existing works [6,
15, 24] in view of being automated and comprehensive. Exist- After discussing related work (Section 5), we conclude the
ing works require manual and tedious efforts, such as reverse paper and provide future directions (Section 6).
engineering and attentive inspection of source code, to dis-
cover potential security flaws in the BLE implementation of 2 Overview of Our Framework
specific devices [34]. By contrast, our framework is fully au-
tomated and embraces the capability to uncover more security BLE is the successor of Bluetooth Classic to build a short-
issues than a manual approach. Concurrently, although a few range wireless network with reduced energy consumption and
scattered approaches have been presented in fuzzing Blue- improved usage capability. In this section, we first describe
tooth devices [3, 9, 11, 18], they only cover a fraction of the the BLE model used in our fuzzing and illustrate the chal-
Bluetooth stack. To the best of our knowledge, we compose lenges in developing a systematic fuzzing framework for BLE
the first comprehensive approach for BLE fuzzing that is not protocols with an example. Then we present an overview of
limited to one or several particular layers, e.g., L2CAP or our framework with its main components and workflow.
ATT [3, 11], but fully controls the communication at the Link
Layer (LL) as well as the interaction with the Secure Manager
Protocol (SMP) for encrypted message exchanging. This, in 2.1 The Model of BLE Protocols
turn, establishes the efficacy and viability of our framework We aim to detect implementation flaws in BLE protocols
in fuzzing arbitrary BLE protocol implementations. defined in the Bluetooth Core Specification [36–38]. Particu-
The remainder of this paper is organized as follows. In larly, we study the interactions on Attribute Protocol (ATT),
particular, we present the following contributions. Logical Link Control and Adaptation Protocol (L2CAP), Se-
• We present our fuzzing framework to discover implemen- cure Manager Protocol (SMP), and Link Layer (LL), as shown
tation flaws for BLE protocols (Section 2). in Figure 1. L2CAP and ATT are common to both Bluetooth
• We present the optimization process embodied in our Classic and BLE, while LL and SMP are exclusive to BLE.
fuzzing framework to discover critical security vulnerabil- Figure 2 illustrates the process of establishing the BLE
ities. We also discuss the systematic process of validating connection between a central and a peripheral. Our fuzzer
responses from BLE peripheral (Section 3). works during this process and it is guided by a BLE proto-
• We discuss the implementation specific challenges in our col model we have developed. A simplified representation of
approach and evaluate our fuzzing framework on several the model is presented in Figure 3. Initially, the peripheral
commodity BLE SoCs, including SoCs from NXP, Dia- periodically broadcasts advertisements to nearby devices
log, Texas Instruments, Microchip, ST Microelectronics and the central starts in the scanning state. The central scans
and Cypress, among others. Our evaluation has revealed for such advertisements and gets further information from
11 unknown security vulnerabilities (nicknamed S WEYN - the peripheral such as its name by sending a scan request
T OOTH) and seven non-compliant behaviours. 13 new ( 1 in Figure 2). After receiving a scan response ( 2 in Fig-
common vulnerability exposure (CVE) IDs are assigned ure 2) from the peripheral, the central can choose to start a
and they potentially affect a few hundred types of IoT connection by sending a connection request ( 3 in Fig-
products. As all the vulnerable SoCs have passed the ure 2) and proceeds to the connection state. On receiving
Bluetooth stack certification, our evaluation also clearly an acknowledgment from the peripheral ( 4 in Figure 2),
highlights the incompleteness of the certification process the central proceeds to the initial_setup state (see Fig-
(Section 4). ure 3). As the connection request contains connection
• We evaluate the impact of new vulnerabilities, as discov- parameters relevant to the synchronization and communi-
ered by our framework, on four IoT products (Section 4). cation timing between central and peripheral, after transit-
• We compare our framework with three other fuzzers and ing to initial_setup state, the central requests information
show that our framework is significantly more effective, from the peripheral by sending version request, feature
in terms of finding security vulnerabilities in BLE imple- request, length request and MTU length request ( 5
mentations (Section 4). to 8 in Figure 2) with the intention to know the peripheral’s
list_sec_services
supported LL features and capabilities such as the maximum
length of the packet it can send or receive. Likewise, the pe- gatt_read/write
ripheral also gets the central’s LL information during the
same exchanges. Note that the preceding messages are not Figure 3: Simplified BLE Protocol Model
necessarily sequentially exchanged, because vendors are free
to implement how the peripheral handles such messages. For If legacy_pairing is used, the central and periph-
instance, a peripheral may reply to version before feature. eral may optionally go through the keys distribution
Similarly, the peripheral may choose to directly read some procedure ( 12 in Figure 2) to exchange a long term key
ATT atributes from the central and go to the gatt_server (LTK).Otherwise, in sc_pairing, the LTK is the STK instead.
state or skip the state length before proceeding. To ensure The LTK can then be used by the central to avoid repeating
compatibility with different implementations, we employ sev- the pairing process in subsequent connections and directly go
eral transitions in the state initial_setup for the flexible to the step 11 in Figure 2. In the following stages, the central
message ordering, as shown at the upper-left of Figure 3. and peripheral exchange an LTK based on what has been ne-
After the initial setup is done, the central proceeds to the gotiated in pairing_req and the central reads more services
list_pri_services state. Here it scans for peripheral’s from the peripheral at the state list_sec_services.
main services via the Generic Attribute Profile (GATT) Ser- After LL connection and pairing, the central discovers all
vice Discovery procedure and stores their attributes in a local the peripheral’s available attributes (i.e., information) by per-
array. The central then proceeds to the state pairing_req forming the GATT Primary Service Discovery. This consists
and starts to establish an encrypted communication with the of sending and receiving a number of ATT requests and
peripheral. The central sends a pairing request packet ATT responses ( 13 in Figure 2). so as to fetch predefined
to the peripheral ( 9 in Figure 2), indicating the preferred ATT attributes. In the next state gatt_read/write, we cap-
pairing mode to be used in the next state. If the peripheral ture the read and write of locally stored ATT attributes at the
accepts the pairing mode proposed by the central, it replies list_pri_services and list_sec_services states. This
to the central and both proceed to the smp_pairing state. step is to emulate writing malformed ATT attributes via our
As there are two pairing modes for them to choose, i.e., the fuzzing methodology. Thus, the state gatt_read/write at
Legacy pairing or Secure Connection (SC) pairing via SMP the bottom of Figure 3 is not part of the BLE protocol speci-
exchanges, they go through the pairing procedure from ei- fication. However, it is required to check the behaviour of a
ther the legacy_pairing or sc_pairing state, as shown at peripheral in the presence of malformed ATT attributes.
the middle-right of Figure 3. Once the pairing procedure is
successful, the central derives a sessionKey from a Short 2.2 Problem Formulation with An Example
Term Key (STK) received from smp_pairing, transits to the
ll_encryption state and starts the challenge with the pe- In this paper, we consider developing a systematic fuzzing
ripheral by sending an encryption_req ( 10 in Figure 2). framework that is 1) comprehensive with respect to all BLE
With the peripheral’s response, the central sends an encrypted stack layers, 2) directed as being with an optimization mech-
encryption_res packet by using the obtained sessionKey. anism to maximally expose anomalies in BLE protocol im-
If the peripheral is able to correctly authenticate and decrypt plementations, and 3) applicable to fuzzing any product em-
the encryption_res from the central, it sends another en- bracing BLE SoCs for wireless connectivity. Anomalous be-
crypted encryption_res to the central, indicating that the haviours capture non-compliance against the Bluetooth Core
connection is successfully encrypted. Specification. To guarantee the comprehensiveness of cov-
RX
Optimization Cost Calculation (CFi)
TX
2.a Normal Packet (P)
pairing response
BLE 5. Validation
Peripheral accepts Key size of 253
Central skips pairing
and starts encryption Controller Packet (i) Packet (ii) Packet (iii)
LL Encryption procedure USB Manipulation Redundancy Validation
encryption request Serial ܲௗ௨ ് ܲ
10 3.a Fuzzed Packet (P’)
Peripheral accepts out of order 3.b Well-crafted Packet sent at wrong state (Pdup)
encryption request and crashes
4. Device Response Packet (Pr)
MTU Length LL
and uses the individual mutation probability (50%) to mutate
mtu_length RSP REQ ... Unknown ... such fields. We note that all the fields of one layer shares the
list_pri_services
ATT ATT ATT same mutation probability. This is to reduce the number of
Read Error ... Error ... parameters during the iterative optimization (cf. Line 39 in
SMP Pair. SMP
pairing_request
Failure RSP ... Failure ... Algorithm 1) without losing the efficacy significantly. When
CURRENT STATE
Table 3: Vulnerabilities and SDK versions of the affected V11) are caused due to the lack of handling corner cases
SoCs. * indicates vendors that reported other affected SoCs. in the Bluetooth Core Specification, causing misinterpreta-
Silicon Vendor BLE SoC SDK Ver. Vuln. / Anomalies tions and implementation flaws. A detailed description of the
BLE Version 5.0
Cypress (PSoC 6) CYBLE-416045 2.10 V1,V2 / A7 vulnerabilities is shown in the supplemental material.
Texas Instruments CC2640R2 2.2.3 V5,V6 / A1,A7
Telink* TLSR8258 3.4.0 V10,V11 / A3-A5,A7 Table 4: A Summary of Evaluation Time for Each Device.
STMicroelectronics WB55 1.3.0 V8 / A2,A7
STMicroelectroncis BlueNRG-2 3.1.0 V8 / A2,A7 The connection interval is fixed to 20ms for all devices.
Nordic Semi. nRF51422 11.0.0 A7 Platform Iterations Total Time 1st Crash 1st Anomaly Model Coverage
CY8CPROTO-63 1000 1 h. 06 min. 1 min. <1 min. 27 (50.0%)
Nordic Semi. nRF52840 15.3.0 A7 CY5677 1000 2 h. 27 min. <1 min. 8 min. 29 (53.7%)
BLE Version 4.2 USB-KW41Z 1000 1 h. 30 min. <1 min. 2 min. 24 (44.4%)
Cypress (PSoC 4) CYBL11573 3.60 V1,V2 / A7 DA14681DEVKIT 1000 1 h. 16 min. 10 min. 6 min. 30 (55.5%)
NXP KW41Z 2.2.1 V1,V2 / A1,A7 DA14580DEVKIT 1000 2 h. 7 min. 5 min. 1 min. 32 (59.3%)
Dialog* DA14680 1.0.14.X V3 / A7 CC2640R2 Devkit 1000 1 h. 57 min. 4 min. 1 min. 31 (57.40%)
CC2540 Devkit 1000 1 h. 37 min. 2 min. 19 min. 34 (62.96%)
BLE Version 4.1 Nucleo-WB55 1000 1 h. 45 min. <1 min. 2 min. 26 (48.15%)
Texas Instruments CC2540 1.5.0 V7 / A6,A7 BlueNRG-2 1000 1 h. 14 min. <1 min. 9 min. 30 (55.55%)
Dialog* DA14580 5.0.4 V4 / A7 ATSAMB11 1000 2 h. 39 min. 2 min 10 min. 33 (61.1%)
Microchip ATSAMB11 6.2 V8 / A2,A7 TLSR8258 1000 1 h. 56 min. 5 min. <1 min. 36 (66.67%)
8
T OOTH vulnerabilities, as summarized in Table 2, offers dan-
6
gerous attack vectors against many IoT products. An investi-
4
2
gation of certified products on the Bluetooth Listing site [40]
0 reveals that S WEYN T OOTH is likely to affect ≈480 IoT prod-
0 100 200 300 400 500 600 700 800 900 1000 ucts using the vulnerable SoCs from Table 3. These products
b) Fuzzing Iterations in Telink are mainly applied in Smart Home, Fitness, Entertainment
4 and Consumer Electronics. To raise awareness of the threats
Anomaly count
3
To exploit S WEYN T OOTH on an IoT product, we launch
2 an attack code that captures the exact sequence of packet
1 exchanges in the respective S WEYN T OOTH vulnerability. One
0
such example is an attack code for vulnerability V5 (found in
0 100 200 300 400 500 600 700 800 900 1000 CC2640R2) on CubiTag. Next, we describe, for each chosen
f) Fuzzing Iterations in PSoC 6 IoT product, the impact of the launched attack code.
6 When attacking Fitbit Inspire, the smartwatch freezes
Anomaly count
5 its screen and immediately restarts when the Link Layer Over-
4
flow (V1) is attempted. By contrast, LLID Deadlock stops Fit-
3
2 bit advertisements for several seconds before the smartwatch
1 abruptly restarts. Similarly, when Silent Buffer Overflow is ex-
0 ploited on both Eve Energy and August Smart Lock, users
0 100 200 300 400 500 600 700 800 900 1000
can immediately experience their smart things being restarted
e) Fuzzing Iterations in NXP KW41Z
(e.g., via a beep sound in the smart lock and switching off
4
the light attached to the Eve Energy plug). This is especially
Anomaly count
0 5 Related Work
0 100 200 300 400 500 600 700 800 900 1000
g) Fuzzing Iterations in DA14680 Security is critical for IoT devices [7]. Existing Bluetooth
Figure 9: Fuzzing effectiveness w.r.t. design components vulnerabilities, such as Blueborne [34], BleedingBit [15] and
[2] Greg Banks, Marco Cova, Viktoria Felmetsger, Kevin [12] Serge Gorbunov and Arnold Rosenbloom. AutoFuzz:
Almeroth, Richard Kemmerer, and Giovanni Vigna. Automated network protocol fuzzing framework. IJC-
SNOOZE: Toward a stateful network protocol fuzzer. SNS, 10(8):239, 2010.
In Sokratis K. Katsikas, Javier López, Michael Backes,
Stefanos Gritzalis, and Bart Preneel, editors, Informa- [13] Lee Harrison, Hayawardh Vijayakumar, Rohan Padhye,
tion Security, pages 343–358, Berlin, Heidelberg, 2006. Koushik Sen, Michael Grace, et al. PARTEMU: En-
Springer Berlin Heidelberg. abling dynamic analysis of real-world trustzone soft-
ware using emulation. In 29th USENIX Security Sympo-
[3] Pierre Betouin. Bluetooth stack smasher version 0.6. sium (USENIX Security 20), Boston, MA, August 2020.
http://www.secuobs.com/news/05022006-bluetooth10. USENIX Association.
shtml, May 2006.
[14] Endadul Hoque, Omar Chowdhury, Sze Yiu Chau,
[4] Marcel Böhme, Van-Thuan Pham, and Abhik Roychoud- Cristina Nita-Rotaru, and Ninghui Li. Analyzing oper-
hury. Coverage-based greybox fuzzing as Markov chain. ational behavior of stateful protocol implementations
In Proceedings of the 2016 ACM SIGSAC Conference for detecting semantic bugs. In 2017 47th Annual
on Computer and Communications Security, CCS ’16, IEEE/IFIP International Conference on Dependable
pages 1032–1043, New York, NY, USA, 2016. ACM. Systems and Networks (DSN), pages 627–638, June
2017.
[5] Neal Cardwell, Yuchung Cheng, Lawrence Brakmo,
Matt Mathis, Barath Raghavan, Nandita Dukkipati, [15] Armis Inc. Bleedingbit vulnerability. https://armis.com/
Hsiao keng Jerry Chu, Andreas Terzis, and Tom Herbert. bleedingbit/, 2018.
packetdrill: Scriptable network stack testing, from sock-
ets to packets. In Presented as part of the 2013 USENIX [16] Samuel Jero, Hyojeong Lee, and Cristina Nita-Rotaru.
Annual Technical Conference (USENIX ATC 13), pages Leveraging state information for automated attack dis-
213–218, San Jose, CA, 2013. USENIX. covery in transport protocol implementations. In 2015
45th Annual IEEE/IFIP International Conference on
[6] Damien Cauquil. Btlejuice: The Bluetooth smart MITM Dependable Systems and Networks, pages 1–12, June
framework. DEFCON 24, 2016. https://github.com/ 2015.
DigitalSecurity/btlejuice.
[17] Imtiaz Karim, Fabrizio Cicala, Syed Rafiul Hussain,
[7] Z. Berkay Celik, Patrick McDaniel, and Gang Tan. Sote- Omar Chowdhury, and Elisa Bertino. Opening pandora’s
ria: Automated IoT safety and security analysis. In 2018 box through atfuzzer: dynamic analysis of at interface
USENIX Annual Technical Conference (USENIX ATC for android smartphones. In Proceedings of the 35th An-
18), pages 147–158, Boston, MA, July 2018. USENIX nual Computer Security Applications Conference, pages
Association. 529–543, 2019.
[8] Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun [18] Seulbae Kim, Seunghoon Woo, Heejo Lee, and Hakjoo
Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Oh. Poster: Iotcube: an automated analysis platform for
Menghan Sun, Ronghai Yang, and Kehuan Zhang. IoT- finding security vulnerabilities. In Symposium on Poster
Fuzzer: Discovering memory corruptions in IoT through presented at Security and Privacy (SP). IEEE, 2017.
app-based fuzzing. In 25th Annual Network and Dis-
tributed System Security Symposium, NDSS 2018, San [19] Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungy-
Diego, California, USA, February 2018. oung Lee, Youngtae Yun, and Taesoo Kim. CAB-Fuzz:
Practical concolic testing techniques for COTS operat-
[9] Hou-Fu Cheng and Yu-Qing Zhang. Bluetooth OBEX ing systems. In 2017 USENIX Annual Technical Con-
vulnerability discovery technique based on fuzzing. ference (USENIX ATC 17), pages 689–701, Santa Clara,
Computer Engineering, 34(19):151–153, 2008. CA, July 2017. USENIX Association.
[27] Madanlal Musuvathi and Dawson R. Engler. Model [39] Bluetooth SIG. Bluetooth certification guideline:
checking large network protocol implementations. In Qualify your product. https://www.bluetooth.com/
Proceedings of the 1st Conference on Symposium on Net- develop-with-bluetooth/qualification-listing/, 2019.
worked Systems Design and Implementation - Volume 1,
NSDI’04, page 12, USA, 2004. USENIX Association. [40] Bluetooth SIG. View previously qualified designs and
declared products, January 2020. https://launchstudio.
[28] Joshua Pereyda. boofuzz: Network protocol fuzzing bluetooth.com/Listings/Search.
for humans. https://github.com/jtpereyda/boofuzz, April
2017. [41] Agilent Technologies. Bluetooth R manufacturing test:
A guide to getting started. https://testunlimited.com/pdf/
[29] Van-Thuan Pham, Marcel Böhme, and Abhik Roychoud- an/5988-5412EN.pdf, 2006. Application Note 1333-4.
hury. Model-based whitebox fuzzing for program bi-
naries. In Proceedings of the 31st IEEE/ACM Interna- [42] Octavian Udrea, Cristian Lumezanu, and Jeffrey S Fos-
tional Conference on Automated Software Engineering, ter. Rule-based static analysis of network protocol im-
ASE 2016, page 543–553, New York, NY, USA, 2016. plementations. Information and Computation, 206(2-
Association for Computing Machinery. 4):130–157, 2008.