bluetoolkit
BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. It can be used for vulnerability research, penetration testing and Bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way.
https://github.com/sgxgsx/bluetoolkit
Install
Usage
- **BlueToolkit templates** - to-use templates.
Vulnerabilities to be added soon
- https://www.cvedetails.com/cve/CVE-2022-25836/
- http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf
- https://www.usenix.org/system/files/sec20-zhang-yue.pdf | 2020-35473
- https://www.usenix.org/system/files/woot20-paper-wu.pdf
- https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336
- https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061
- https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060
- https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192
- https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf | located apps can get BLE data, and thus exfiltrate needed info??? can we do a relay with it?
- https://github.com/securing/gattacker | https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf | MITM BLE
- https://github.com/mikeryan/crackle | https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf | crack BLE encryption
- CVE-2023-45866
- CVE-2023-24023 | https://github.com/francozappa/bluffs
- https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777 | stack illegal access attack (formal methods) + CVE-2020-26560 and CVE-2020-15802 mentioned in other entries
- https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575
- CVE-2022-24695 | affects privacy, defeats the non-discoverable feature of BR/EDR
- CVE-2022-25837 | https://www.cvedetails.com/cve/CVE-2022-25837/ | check the CVE for details, relies on Method Confusion
- CVE-2021-28139 | WROVER-KIT | https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks | https://asset-group.github.io/disclosures/braktooth/
- CVE-2020-12352 | https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq | https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html | information leak
- CVE-2020-12351 | https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq | https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html | stack-based info leak in BlueZ
- CVE-2020-24490 | https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 | https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html | requires BT 5.0 and higher
- https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703 | 2020-11156 Snapdragon Auto, no exploits: CVE-2020-11154, CVE-2020-11155, CVE-2020-3703
- https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf | https://github.com/DasSecurity-HatLab/BlueRepli-Plus
- https://github.com/greatscottgadgets/ubertooth
- CVE-2020-10135 | https://github.com/francozappa/bias | https://francozappa.github.io/about-bias/
- https://link.springer.com/article/10.1007/s00779-017-1081-6
- CVE-2017-0785
- CVE-2017-1000251 | https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks
- CVE-2020-5551 | https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/ | RCE in Lexus (LC, LS, NX, RC, RC F), Toyota Camry and Toyota Sienna manufactured outside Japan from Oct. 2016 to Oct. 2019
- https://github.com/albazrqa/BluEar
- CVE-2018-19860 | 2014 (DoS)
- https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082 | no input, no output (MITM + out-of-band MITM attacks); see also https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4401672
- https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0
- https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf
- https://link.springer.com/chapter/10.1007/3-540-45353-9_14
- https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf
- CVE-2020-26556 | force insufficient random AuthValue in BT Mesh 1.0 and 1.0.1 to complete authentication
- CVE-2020-26557 | force attack
- CVE-2020-26559 | force
- CVE-2020-26560 | auth bypass in Mesh profile 1.0, 1.0.1 | https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325
- CVE-2020-26555 | security.org/TC/SP2021/SPW2021/WOOT21/files/woot21-claverie-slides.pdf
- CVE-2020-26558
- CVE-2020-15802
- CVE-2018-5383
- CVE-2019-9506 | https://vuldb.com/?source_cve.140090
- https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf
- CVE-2022-40503 | https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503 | buffer overread in A2DP profile
- CVE-2022-40537 | https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537 | memory corruption while processing AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response
- CVE-2022-33280 | https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280 | memory corruption while processing AVRCP packet
- CVE-2022-33255 | https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255 | Bluetooth host buffer overread while processing GetFolderItems, GetItemAttributes
- CVE-2022-22088 | https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088 | Bluetooth host buffer overflow while processing response from remote
- CVE-2021-35068 | https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068 | null pointer dereference while freeing the HFP profile
- CVE-2020-10134 | https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf | MITM between 2 BLE or BR/EDR devices; strange hardware needed
- https://inria.hal.science/hal-01587858/document
Currently BlueToolkit checks for the following vulnerabilities and attacks:
TODO List
Vulnerabilities to be added soon
- https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647
- https://fmsh-seclab.github.io/
- https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/
- https://github.com/nccgroup/Sniffle
- https://github.com/RCayre/injectable-firmware | https://hal.laas.fr/hal-03193297v2/document | MITM, send malicious packets, post-exploitation after the session was established/hijacked (Imp and model specific)
- https://github.com/darkmentorllc/jackbnimble | https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf | 3 exploits for specific hardware, CVE-2020-15531
Hardware
License