BlueToolkit: The Extensible Framework for Bluetooth Security Testing

BlueToolkit

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices.

It works by executing templated exploits one by one and verifying the appropriate properties according to each template's logic. The toolkit is extensible, so new research can be added to the centralized testing toolkit. There are 43 Bluetooth exploits available in the toolkit, ranging from known public exploits and tools to custom-developed ones.

The framework works in a black-box fashion, but it can also be operated in a gray-box fashion. For that, one needs to extend the framework and connect it to the operating system of the target, so that Bluetooth logs can be observed and false positives ruled out.

Available Bluetooth Vulnerabilities and Attacks

BlueToolkit automatically downloads all vulnerability and hardware templates. The BlueToolkit templates repository provides a full list of ready-to-use templates. Additionally, you can write your own templates and checks, as well as add new hardware, by following BlueToolkit's templating guide. The YAML reference syntax is available here.

We collected and classified Bluetooth vulnerabilities in an “Awesome Bluetooth Security” way. We used the following sources: ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS, and Google Scholar. We looked for the following keywords in search engines such as Google, Baidu, Yandex and Bing: Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework, Bluetooth pentesting toolkit. We also parsed all GitHub repositories matching the following topic queries: topic:bluetooth topic:exploit, topic:bluetooth topic:security.

Currently, BlueToolkit checks the following vulnerabilities and attacks:

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
|---|---|---|---|---|---|
| Always pairable | Chaining | Chaining | Manual | | |
| Only vehicle can initiate a connection | Chaining | Chaining | Manual | | |
| Fast reboot | Chaining | Chaining | Manual | | |
| SC not supported | Chaining | Info | Automated | | |
| possible check for BLUR | Chaining | Info | Automated | | |
| My name is keyboard | Critical | RCE | Semi-automated | | |
| CVE-2017-0785 | Critical | Memory leak | Automated | | |
| CVE-2018-19860 | Critical | Memory execution | Automated | | |
| V13 Invalid Max Slot Type | DoS | DoS | Automated | | |
| V3 Duplicated IOCAP | DoS | DoS | Automated | | |
| NiNo check | MitM | MitM | Semi-automated | | |
| Legacy pairing used | MitM | MitM | Automated | | |
| KNOB | MitM | MitM | Semi-automated | | |
| CVE-2018-5383 | MitM | MitM | Automated | | |
| Method Confusion attack | MitM | MitM | Automated | | |
| SSP supported <= 4.0 weak crypto or SSP at all | MitM | Info/MitM | Automated | | |
| CVE-2020-24490 | Critical | DoS | Automated | | |
| CVE-2017-1000250 | Critical | Info leak | Automated | | |
| CVE-2020-12351 | Critical | RCE/DoS | Automated | | |
| CVE-2017-1000251 | Critical | RCE/DoS | Automated | | |
| V1 Feature Pages Execution | Critical | RCE/DoS | Automated | | |
| Unknown duplicated encapsulated payload | DoS | DoS | Automated | | |
| V2 Truncated SCO Link Request | DoS | DoS | Automated | | |
| V4 Feature Resp. Flooding | DoS | DoS | Automated | | |
| V5 LMP Auto Rate Overflow | DoS | DoS | Automated | | |
| V6 LMP 2-DH1 Overflow | DoS | DoS | Automated | | |
| V7 LMP DM1 Overflow | DoS | DoS | Automated | | |
| V8 Truncated LMP Accepted | DoS | DoS | Automated | | |
| V9 Invalid Setup Complete | DoS | DoS | Automated | | |
| V10 Host Conn. Flooding | DoS | DoS | Automated | | |
| V11 Same Host Connection | DoS | DoS | Automated | | |
| V12 AU Rand Flooding | DoS | DoS | Automated | | |
| V14 Max Slot Length Overflow | DoS | DoS | Automated | | |
| V15 Invalid Timing Accuracy | DoS | DoS | Automated | | |
| V16 Paging Scan Deadlock | DoS | DoS | Automated | | |
| Unknown wrong encapsulated payload | DoS | DoS | Automated | | |
| Unknown sdp unknown element type | DoS | DoS | Automated | | |
| Unknown sdp oversized element size | DoS | DoS | Automated | | |
| Unknown feature req ping pong | DoS | DoS | Automated | | |
| Unknown lmp invalid transport | DoS | DoS | Automated | | |
| CVE-2020-12352 | Critical | Info leak | Automated | | |

Install & Use

Copyright (c) 2024 sgxgsx