BlueToolkit: The Extensible Framework for Bluetooth Security Testing
BlueToolkit
BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices.
It works by executing templated exploits one by one and verifying appropriate properties based on the template logic. The toolkit is extensible and allows new research to be added to the centralized testing toolkit. There are 43 Bluetooth exploits available in the toolkit, from known public exploits and tools to custom-developed ones.
The framework works in a Black-box fashion, but it is also possible to operate the toolkit in a Gray-box fashion. For that one needs to extend the framework and connect it to the Operating System of the target so that it would be possible to observe Bluetooth logs and guarantee no false positives.
Available Bluetooth Vulnerabilities and Attacks
BlueToolkit automatically downloads all vulnerability and hardware templates. BlueToolkit templates repository provides a full list of ready-to-use templates. Additionally, you can write your own templates and checks as well as add new hardware by following BlueToolkit’s templating guide The YAML reference syntax is available here
We collected and classified Bluetooth vulnerabilities in an “Awesome Bluetooth Security” way. We used the following sources – ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS, and Google Scholars. Looked for the following keywords in Search Engines such as Google, Baidu, Yandex, Bing – Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework, Bluetooth pentesting toolkit. We also parsed all Github repositories based on the following parameters – topic:bluetooth topic:exploit, topic:bluetooth topic:security.
Currently, BlueToolkit checks the following vulnerabilities and attacks:
| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
|---|---|---|---|---|---|
| Always pairable | Chaining | Chaining | Manual | ✓ | |
| Only vehicle can initiate a connection | Chaining | Chaining | Manual | ✓ | |
| Fast reboot | Chaining | Chaining | Manual | ✓ | |
| SC not supported | Chaining | Info | Automated | ✓ | |
| possible check for BLUR | Chaining | Info | Automated | ✓ | |
| My name is keyboard | Critical | RCE | Semi-automated | ✓ | |
| CVE-2017-0785 | Critical | Memory leak | Automated | ✓ | |
| CVE-2018-19860 | Critical | Memory execution | Automated | ✓ | |
| V13 Invalid Max Slot Type | DoS | DoS | Automated | ✓ | ✓ |
| V3 Duplicated IOCAP | DoS | DoS | Automated | ✓ | ✓ |
| NiNo check | MitM | MitM | Semi-automated | ✓ | |
| Legacy pairing used | MitM | MitM | Automated | ✓ | |
| KNOB | MitM | MiTM | Semi-automated | ✓ | ✓ |
| CVE-2018-5383 | MitM | MiTM | Automated | ✓ | ✓ |
| Method Confusion attack | MitM | MiTM | Automated | ✓ | |
| SSP supported <= 4.0 weak crypto or SSP at all | MitM | Info/MitM | Automated | ✓ | |
| CVE-2020-24490 | Critical | DoS | Automated | ✓ | |
| CVE-2017-1000250 | Critical | Info leak | Automated | ✓ | |
| CVE-2020-12351 | Critical | RCE/DoS | Automated | ✓ | |
| CVE-2017-1000251 | Critical | RCE/DoS | Automated | ✓ | |
| V1 Feature Pages Execution | Critical | RCE/DoS | Automated | ✓ | ✓ |
| Unknown duplicated encapsulated payload | DoS | DoS | Automated | ✓ | ✓ |
| V2 Truncated SCO Link Request | DoS | DoS | Automated | ✓ | ✓ |
| V4 Feature Resp. Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V5 LMP Auto Rate Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V6 LMP 2-DH1 Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V7 LMP DM1 Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V8 Truncated LMP Accepted | DoS | DoS | Automated | ✓ | ✓ |
| V9 Invalid Setup Complete | DoS | DoS | Automated | ✓ | ✓ |
| V10 Host Conn. Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V11 Same Host Connection | DoS | DoS | Automated | ✓ | ✓ |
| V12 AU Rand Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V14 Max Slot Length Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V15 Invalid Timing Accuracy | DoS | DoS | Automated | ✓ | ✓ |
| V16 Paging Scan Deadlock | DoS | DoS | Automated | ✓ | ✓ |
| Unknown wrong encapsulated payload | DoS | DoS | Automated | ✓ | ✓ |
| Unknown sdp unknown element type | DoS | DoS | Automated | ✓ | ✓ |
| Unknown sdp oversized element size | DoS | DoS | Automated | ✓ | ✓ |
| Unknown feature req ping pong | DoS | DoS | Automated | ✓ | ✓ |
| Unknown lmp invalid transport | DoS | DoS | Automated | ✓ | ✓ |
| CVE-2020-12352 | Critical | Info leak | Automated | ✓ |
Install & Use
Copyright (c) 2024 sgxgsx
