Top Banner
SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini 1 , Chundong Wang 2 , Sudipta Chattopadhyay 1 , Sun Sumei 3 , Ernest Kurniawan 3 USENIX Annual Technical Conference 2020, July 15-17 Track 2, The One on the Edge 1 Singapore University of Technology and Design (SUTD) 2 ShanghaiTech University. Work partly done when C. Wang worked at SUTD 3 Institute for Infocomm Research, A*Star Partially sponsored by Keysight Technologies
37

SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

Sep 28, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

SweynTooth: Unleashing Mayhem over Bluetooth Low Energy

Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,Sun Sumei3, Ernest Kurniawan3

USENIX Annual Technical Conference 2020, July 15-17Track 2, The One on the Edge

1 Singapore University of Technology and Design (SUTD)2 ShanghaiTech University. Work partly done when C. Wang worked at SUTD3 Institute for Infocomm Research, A*Star

Partially sponsored by Keysight Technologies

Page 2: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

Affected SoC Vendors (not exhaustive)

A family of over dozen new vulnerabilities in Bluetooth Low Energy (BLE) implementationsNamed after Sweyn Forkbeard who revolted against his father King Harald Bluetooth.

Open Source BLE Stack (not exhaustive)

2

Why the Mayhem?

Many IoTs affected

Page 3: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

Comprehensive testing equipment is expensive!More complexityMore vulnerabilities!

3

A look into Bluetooth flavours - Past Vulnerabilities

Latest Attacks Affected stack• [2017] BlueBorne (Classic)• [2018] BleedingBit (BLE)• [2019] Invalid Curve Attack (Classic/BLE)• [2019] Knob (Classic)• [2020] Bias (Classic)

Is everything well tested?

Our Target

Page 4: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

SmartWatch

SmartphoneDevice roles – Central vs peripheral

4

Bluetooth Low Energy OverviewCan we test BLE security ourselves with off the shelve hardware?

Central

Peripheral

Connects to

Standard Testing Equipment

Advertises

Our target

Ellisys Bluetooth Explorer (Over $10k)

Can we avoid this setup?

Page 5: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

SmartWatch

SmartphoneDevice roles – Central vs peripheral

5

Bluetooth Low Energy Overview

Field Preamble Access Address

Link Layer Header PDU Length PDU

Payload CRC

Layer Radio Link Layer Link Layer Link Layer Host Layers Link Layer

Radio 2.4Ghz (GFSK)Link Layer (LL)

GATTATTSMP

ApplicationGAP

L2CAP

BLE StackCan we test BLE security ourselves with off the shelve hardware?

Central

Peripheral

Connects to

BLE Frame

Advertises

Our target

Host

Controller

User

HCI

Host cannot access Link Layer via HCI!How can we manipulate arbitrary LL fields?

Page 6: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

SmartWatch

SmartphoneDevice roles – Central vs peripheral

6

Bluetooth Low Energy OverviewCan we test BLE security ourselves with off the shelve hardware?

Central

Peripheral

Connects to

Advertises

Our target

Main BLE Exchanges

1.

2.

3.

1. Peripheral switches from advertisement channels to data channels;2. Pairing procedure is perfomed acording to devices capabilities;3. Link Layer encryption (managed only by the controller).

From adv. channel to data channel

Page 7: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

3. Analyse Data

1. Generate Input

2. Run Application

Report Bugs

Next attemptBlack/grey box software

Crashes

Testing Security by Fuzzing

Output

Inject Input

Feedback

Is it possible to apply fuzzing to lower-level over the air communication?

Challenges:1. Full control over BLE Link Layer (Including manipulation of the connection procedure)2. What feedback metric to use? Most BLE stack implementation is closed source.3. BLE is a heavily stateful protocol, simply mutating the input is not enough.4. How to detect crashes or anomalies when fuzzing over the air?

7

Page 8: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

8

BluetoothController

USBSerial-CDC

Introducing a non-compliant controller implementation!

Internal Design

Setup

nRF52_driver_firmware.hex

No HCI allowed here!

(~10-11USD)

Page 9: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

Fuzzing&

Optimization

Protocol Model (State Machine)

Anomaly Report & Cost Calculation

Normal Packet (P )

3.a Fuzzed Packet (P’)

4. Device Response Packet (Pr)

1. Initialization MBLE

3.b Well-crafted Packet sent at wrong state (Pdup)

BluetoothController

USBSerial-CDC

TX

RX

(Smart Home, Wearables,

Trackers, etc.)

Peripheral

(iv)

2.b Mutation probabilities

9

Fuzzer Arquitecture Overview

PacketRedundancy

(ii)Packet Manipulation

(i) Packet Validation

(iii)

Page 10: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

10

Fuzzing BLE Layers - Fields mutation

Packet Manipulation

(i)

Page 11: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

11

Fuzzing BLE Layers - Out of order sequences

PacketRedundancy

(ii)TX PKT 1

Transmission

Packet History

PeripheralAdvertises

Protocol Model

1

Page 12: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

12

Fuzzing BLE Layers - Out of order sequences

PacketRedundancy

(ii) TX PKT 1 Transmission

Packet History

PeripheralAdvertises

Protocol Model

TX PKT 22

Page 13: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

13

Fuzzing BLE Layers - Out of order sequences

PacketRedundancy

(ii)TX PKT 1

Transmission

Packet History

TX PKT 2TX PKT 3 Peripheral

AdvertisesProtocol Model

3

Page 14: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

14

Fuzzing BLE Layers - Out of order sequences

PacketRedundancy

(ii)TX PKT 1

Transmission

Packet History

TX PKT 2TX PKT 3

Picked by random chance

PeripheralAdvertises

Protocol Model

3

Page 15: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

15

Fuzzing BLE Layers - Out of order sequences

PacketRedundancy

(ii)Peripheral

AdvertisesTransmission

Packet History

TX PKT 2TX PKT 3TX PKT 1 Sent after packet 3

Protocol Model TX PKT 1

3

Page 16: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

16

Fuzzing BLE Layers - Out of order sequences

PacketRedundancy

(ii)

TX PKT 1

PeripheralAdvertisesTransmission

Packet History

TX PKT 2TX PKT 3

Protocol Model

TX PKT 13

Page 17: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

17

Fuzzing BLE Layers - Out of order sequences

PacketRedundancy

(ii)

TX PKT 1

PeripheralAdvertisesTransmission

Packet History

TX PKT 2TX PKT 3TX PKT 4

Redundant packets are not saved in packet history again

Protocol Model

4

Page 18: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

18

Validation Strategy - Exemplified

Packet Validation

Valid and invalid responses

Page 19: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

19

Validation Strategy - Exemplified

NXP LLID Deadlock(CVE-2019-17060)

Packet Validation

Valid and invalid responses

Page 20: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

20

Validation Strategy - Exemplified

Packet Validation

Mixed Valid and invalid responses

Page 21: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

21

Validation Strategy - Exemplified

Packet Validation

Mixed Valid and invalid responses

Page 22: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

Validation Strategy - Exemplified

Packet Validation

Mixed Valid and invalid responses

Key Size Overflow(CVE-2019-19196)

22

Page 23: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

State N.

23

Optimization

Fuzzing&

Optimization

(iv)Peripheral

Start of new iteration

Central(Fuzzer)

State Machine(Protocol Model)

Mutation Probabilities

State 1.

State 2.

Transmission

Reception

Particle Swarm Optimization(PSO)

Cost Function:Total number of anomalies & crashes

Page 24: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

24

Evaluation - Setup

SoCs BLE SDK

User Code

SDK APIBLE Stack

Programmer

BLE SoC

Static Library (binary blob)

Some SoCskeep parts of the stack in the read-only memory (ROM)

BLE Firmware Layout

Saved to non-volatile or static random-access memory

Page 25: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

2. Modify the sample code to enable SMP, serial output & flash it

3. Configure the fuzzer with BLE Public

address of the target

4. Run the fuzzer

5. Get reports & captures of

anomalies or crashes

6. Manually verify if anomalies are

security bypass

7. Create PoC & report vulnerability

(SweynTooth github)

1. Get SoC Development Board

25

Evaluation - Setup

Serial outputnot required, but recommended

Target BLE SoC Dev. Kits

BlueNRG-2DA14580

DA14680

CC2640R2

KW41Z

CY5677

CY8CPROTO-63

SAMB11ESP32

TLSR8258CC2540

nRF51422

nRF52840

WB55

Page 26: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

26

Evaluation - Comparison

Qualitative comparison with publicly available tools

• BT Classic only. Adaption was needed for comparison;• Only a subset of L2CAP is available for BLE;• Previous Bluetooth fuzzers detect crashes, but not logic problems (anomalies);• Link Layer was not supported by other fuzzers.

Page 27: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

27

Evaluation

Anomalies vs iteration Summary of Evaluation Time for Each Device (*channel hop Interval = 20ms)

*Same as Connection Interval

Page 28: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

28

Evaluation

Anomalies vs iteration Summary of Evaluation Time for Each Device (*channel hop Interval = 20ms)

Repeated anomaly in differente states(LLID Deadlock)

Repeated anomaly in different states (Multiple Version indication response)

*Same as Connection Interval

Page 29: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

29

Impact - Non-compliance in the wild!

*Test scripts are available on https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks/tree/master/extras*Details of all vulnerabilities & non-compliances on https://asset-group.github.io/disclosures/sweyntooth/

1st SweynTooth disclosure(9th February, 2020)*DHCheck reported later

Page 30: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

30

Impact - Non-compliance in the wild!

*Test scripts are available on https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks/tree/master/extras*Details of all vulnerabilities & non-compliances on https://asset-group.github.io/disclosures/sweyntooth/

Security bypass issues were found to be a mishandling of A1 - Encryption setup happens during SMP pairing procedure

1st SweynTooth disclosure(9th February, 2020)*DHCheck reported later

Page 31: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

31

Impact - Non-compliance in the wild!

*Test scripts are available on https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks/tree/master/extras*Details of all vulnerabilities & non-compliances on https://asset-group.github.io/disclosures/sweyntooth/

Widely spread non-compliance.hopIncrement is a fundamental field used during the connection procedure. Certification didn't catch it?

1st SweynTooth disclosure(9th February, 2020)*DHCheck reported later

Page 32: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

32

Impact - Non-compliance in the wild!

*Test scripts are available on https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks/tree/master/extras*Details of all vulnerabilities & non-compliances on https://asset-group.github.io/disclosures/sweyntooth/

2nd SweynTooth disclosure(13th July, 2020)

Page 33: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

33

Some affected IoT products

ImpactCubiTag: Public Key Crash (Deadlock)

https://youtu.be/Iw8sIBLWE_w

Page 34: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

• Disclosure window of 90 days, starting since the last communicated SoC vendor;• Second batch of SweynTooth vulnerabilities privately shared in advance with CSA and HSA, Singapore;• Bluetooth SIG has also requested early access to the non-disclosed information of the 2nd batch (13th July, 2020);• As far as we now, only one vendor has yet to create a firmware patch!

34

Disclosure process

Exploits repository (GitHub)Asset Research Website

Public Disclosure(9th February, 2020) https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks

Page 35: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

35

Conclusion

• Certification does not prevent against bad implementation nor guarantee an BLE stack to be free of non-compliances.

• Procedures which conflict with each other could be better clarified on the standard (i.g., unexpected encryption response) to avoid related security bypass attacks.

• Over-the-air fuzzing is still a good way to find many wireless bugs, given it a proper control over the lowest layers of the target wireless protocol.

• What about other wireless technologies? BLE Mesh, Wi-Fi EasyMesh, 5G, NB-IoT? More fuzzing tool are needed.

• Lesson learned. Product vendors may rethink their solution and give it more priority for SoC vendors with greater security response and easier patching process.

• The fuzzer is available open source upon request to [email protected]

Page 36: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

36

Thank you

Questions?Feel free to reach us by our email [email protected]

Page 37: SweynTooth: Unleashing Mayhem over Bluetooth Low Energy...SweynTooth: Unleashing Mayhem over Bluetooth Low Energy Matheus Eduardo Garbelini1, Chundong Wang2, Sudipta Chattopadhyay1,

37

Final Remark: Get Ready for BLE ExperimentationWhat if I want to experiment with BLE myself?

Simplest Setup: Scapy Python API to get you started with BLE experimentation is available on our GitHub repo.Use of our custom firmware requires a nRF52840 Dongle (~10-11USD). Works on Linux, OSX and Windows distros.

nRF52_driver_firmware.hex

driver.send(ll_bytes)

driver.receive() Target BLE PeripheralBLE