Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/maxdos64/BThack

Last synced: about 2 months ago
JSON representation

Host: GitHub
URL: https://github.com/maxdos64/BThack
Owner: maxdos64
Created: 2020-09-04T07:31:02.000Z (about 4 years ago)
Default Branch: master
Last Pushed: 2021-01-07T16:54:45.000Z (over 3 years ago)
Last Synced: 2024-07-25T03:32:38.652Z (2 months ago)
Language: C
Size: 848 KB
Stars: 5
Watchers: 2
Forks: 3
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-bluetooth-security - Site - article/sp/2021/893400a213/1mbmHzm2Q6c) | No Video | [SIG Notice](https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/method-vulnerability/) | BR/EDR/LE | CVE-2020-10134 | (<a name="notable_vulnerabilities"></a>Notable Vulnerabilities)

README

# BThack - PoC of the Method Confusion Attack on Bluetooth Pairing

### Original paper: [Method Confusion Attack on Bluetooth Pairing](https://www.computer.org/csdl/proceedings-article/sp/2021/893400a213/1mbmHzm2Q6c)

## Affected devices + Threat status
CVE: [CERT report](https://kb.cert.org/vuls/id/534195)
Bluetooth SIG: [SIG security alert](https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/reporting-security/)
Apple: [iOS / IPadOS](https://support.apple.com/en-us/HT211168)
Google: ...

*Every pairing between any BLE devices using Numeric Comparison or Passkey Entry is vulnerable to the Method Confusion attack.*

#### Fix
Currently there is **no fix available** that would not massively affect backwards compatibility to older Bluetooth devices.

Device vendors can only try to educate their users about the threat and visualize the utilized pairing method prominently *(providing aware and versed users the possibility to detect an ongoing attack)*.

This is of course just a mild mitigation and entirely **defeats the idea of a simple and secure TOFU establishment**.

Bluetooths security model has to be considered **broken** until a solution is found.
We are following the decisions of the Bluetooth SIG closely.

## PoC - BThack
This PoC is intended to make reproduction of the issue as easy as possible.
If you encounter any difficulties or find a description to imprecise please reach out so we can improve.

### Structure of the BThack framework

* **[UI interface](https://github.com/maxdos64/BThack/blob/master/attack.py)** - Python script with some pleasant(?) graphics to control the whole framework
* **[Controller interaction](https://github.com/lupinglui/btstack/tree/bthack_mods)** - Customized version of the [BTstack](https://github.com/bluekitchen/btstack) library
* **[Numeric on Passkey implementation](https://github.com/maxdos64/BThack/tree/master/NoP)** - C program that utelizes the custom BTstack library
* **[Passkey on Numeric implementation](https://github.com/maxdos64/BThack/tree/master/PoN)** - C program that utelizes the custom BTstack library
* **[Jamming implementation](https://github.com/maxdos64/btlejack/tree/disable_fix)** - Customized version of btlejack and btlejack-firmware

### Usage
0. ==**Please check this repo out using 'git clone --recurse-submodules'**==
1. Run the Makefiles in the subdirectories of the desired attack variants (pon, nop, full_mitm) + run the discovery/Makefile
2. Connect 2 USB Bluetooth controller that are compatible with BTstack ([list](https://github.com/bluekitchen/btstack#evaluation-platforms)) - they should appear under `lsusb` *(Ensure that the Responder advertises using BLE not BR/EDR)*

You have two different complexities of the attack available:

##### A. Attack without suppressing the original victims advertisements:
1. Enter the folder of the desired attack variant
2. Call the respective binary (nop, pon, full_mitm); provide the target address and the lsusb-identifiers of your dongles

##### B. Attack with suppressing the original victims advertisements:
1. Add at least 3 micro:bit devices if you want to suppress victim advertisments
2. Start the [attack.py](https://github.com/maxdos64/BThack/blob/master/attack.py) script
3. Select your devices and the attack mode ('auto' selects the optimal method dynamically)

#### Simulate victim devices
To simulate BLE victims you may use the programs `initiator` and `responder` in the folder full_mitm

##### Suppressing victim advertisements
In order to lead a realistic victim-Initiator into attempting the pairing with our MitM-Responder the framework offers the option to selectively jam the advertisement messages of the victim-Responder. In this case at least 3 [BBC:microbits](https://microbit.org/) are required as they contain the
[nrf5x](https://www.nordicsemi.com/Products/Low-power-short-range-wireless/nRF51822) chip that is utelized for jamming. For this option you are also required to flash the microbits with our customized version of the btlejack-firmware (See Readme in the respective subfolder)

### Troubleshooting
Unfortunately it happens regularly that devices get stuck in the execution of their modified firmware.
We are trying to slowly narrow down these issues and fix them. For now, we recommend to stop the software; powercycle the devices; and restart the software.