Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/sgxgsx/bluetoolkit

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. Could be used in the vulnerability research, penetration testing and bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way

# BlueToolkit

Extensible Bluetooth Classic vulnerability testing framework based on simple YAML DSL.

* Documentation
* Install
* Usage
* Supported Exploits
* Bluetooth Classic and BLE vulnerabilities and attacks
* Results
* Hardware

---

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices.

It works by executing templated exploits one by one and verifying appropriate properties based on the template logic. The toolkit is extensible and allows new research to be added to the centralized testing toolkit.
There are 43 Bluetooth exploits available in the toolkit, from known public exploits and tools to custom-developed ones.

The framework works in a black-box fashion, but it can also be operated in a gray-box fashion. For that, one needs to extend the framework and connect it to the operating system of the target so that Bluetooth logs can be observed and false positives ruled out.

We have already used the framework ourselves and found [64 new vulnerabilities](#results) in 22 cars (Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla).

We have a [dedicated repository](https://github.com/sgxgsx) that provides various types of vulnerability templates.

In addition, you can use the MAP Account Hijack attack to [elevate privileges](https://github.com/sgxgsx/mapAccountHijack) over already established connections, or as a step in a chain of MitM and DoS attacks.

#### Credit

This work has been done at [Cyber Defence Campus](https://www.cydcampus.admin.ch/en) and [System Security Group at ETH Zurich](https://syssec.ethz.ch/).

# Install BlueToolkit

BlueToolkit has 2 installation stages: general and specific module installation.
The general installation downloads the code, modules and tools available in the toolkit and tries to set up modules that do not require human interaction. The specific module installation requires a human to verify that the needed hardware is connected to the device on which the toolkit is being installed.

## Install
We provide 2 installation options: virtual machine or Ubuntu/Debian.

### VM Installation

Prerequisites:
* Virtualbox https://www.virtualbox.org
* vagrant https://developer.hashicorp.com/vagrant/install?product_intent=vagrant

```sh
git clone https://github.com/sgxgsx/BlueToolkit --recurse-submodules
cd BlueToolkit/vagrant
vagrant up
```

After installation:
* You need to allow the virtual machine to access the Bluetooth module and any additional hardware through USB. To do so:
    * USB support is already switched on in the VM configuration, so open VirtualBox
    * Find the running virtual machine and click "Show"
    * Click "Devices" -> "USB"
    * You will be presented with the USB devices that can be attached to the virtual machine
    * Tick every device that you need (Bluetooth module, hardware, phone), or tick all devices to be sure

### Ubuntu/Debian Installation
Installation:

```sh
sudo mkdir /usr/share/BlueToolkit
sudo chown $USER:$USER /usr/share/BlueToolkit
git clone https://github.com/sgxgsx/BlueToolkit /usr/share/BlueToolkit --recurse-submodules
chmod +x /usr/share/BlueToolkit/install.sh
/usr/share/BlueToolkit/install.sh
```

### Windows and MacOS Installation
You could try to install the toolkit on WSL or MacOS directly.
Alternatively, use the VM installation option.

### Specific Module Install

#### Virtual Machine

* Verify that the hardware is connected to the machine
* Verify that you allowed the hardware to be shown to the VM in the USB settings
* Then, depending on the hardware you need to install, list the available installation scripts:

```sh
vagrant ssh
cd /usr/share/BlueToolkit/installation/
ls -al
```

* Find a script for your hardware and execute it
```sh
./{HARDWARE}_installation.sh
```

#### Linux

* Verify that the hardware is connected to the machine
* Then, depending on the hardware you need to install, list the available installation scripts:

```sh
cd /usr/share/BlueToolkit/installation/
ls -la
```

* Then find a script for your hardware and execute it
```sh
./{HARDWARE}_installation.sh
```

### Usage

```sh
sudo -E env PATH=$PATH bluekit -h
```

This will display help information for the tool. Here are all the parameters it supports.

```console
usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...

positional arguments:
rest

options:
-h, --help show this help message and exit
-t TARGET, --target TARGET
target MAC address
-l, --listexploits List exploits or not
-c, --checksetup Check whether Braktooth is available and setup
-ct, --checktarget Check connectivity and availability of the target
-ch, --checkpoint Start from a checkpoint
-v VERBOSITY, --verbosity VERBOSITY
Verbosity level
-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]
Exclude exploits, example --exclude exploit1, exploit2
-e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...]
Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account
-r, --recon Run a recon script
-re, --report Create a report for a target device
-rej, --reportjson Create a report for a target device
-hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account

EXAMPLES:
Run bluekit recon:
$ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r

Run bluekit connectivity check:
$ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ct

Run bluekit with a specific exploit:
$ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot

Run bluekit with specific exploits:
$ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot au_rand_flooding internalblue_knob

Run bluekit and list all available exploits:
$ sudo -E env PATH=$PATH bluekit -l

Documentation is available at: https://github.com/sgxgsx/BlueToolkit/wiki
```

# Available Bluetooth Vulnerabilities and Attacks

BlueToolkit automatically downloads all vulnerability and hardware templates. The [**BlueToolkit templates**](https://github.com/sgxgsx/templates) repository provides a full list of ready-to-use templates.
Additionally, you can write your own templates and checks, as well as add new hardware, by following BlueToolkit's [templating guide](https://github.com/sgxgsx/Bluetoolkit/wiki/Templating).
The YAML reference syntax is available [here](https://github.com/sgxgsx/BlueToolkit/wiki/YAMLreference).

We collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way. We used the following sources: ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS and Google Scholar. We searched for the following keywords in search engines such as Google, Baidu, Yandex and Bing: "Bluetooth security toolkit", "Bluetooth exploits github", "Bluetooth security framework" and "bluetooth pentesting toolkit". We also parsed all GitHub repositories matching the following queries: topic:bluetooth topic:exploit and topic:bluetooth topic:security.

### Currently BlueToolkit checks the following vulnerabilities and attacks:

For manual attacks refer to the [documentation](https://github.com/sgxgsx/BlueToolkit/wiki/Manual-Exploits).

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
|----------------------------------------------| :---: | :---: | :---: | :---: | :---: |
| Always pairable | Chaining | Chaining | Manual | | ✓ |
| Only vehicle can initiate a connection | Chaining | Chaining | Manual | | ✓ |
| Fast reboot | Chaining | Chaining | Manual | | ✓ |
| SC not supported | Chaining | Info | Automated | | ✓ |
| possible check for BLUR | Chaining | Info | Automated | | ✓ |
| My name is keyboard | Critical | RCE | Semi-automated | | ✓ |
| CVE-2017-0785 | Critical | Memory leak | Automated | | ✓ |
| CVE-2018-19860 | Critical | Memory execution | Automated | | ✓ |
| V13 Invalid Max Slot Type | DoS | DoS | Automated | ✓ | ✓ |
| V3 Duplicated IOCAP | DoS | DoS | Automated | ✓ | ✓ |
| NiNo check | MitM | MitM | Semi-automated | | ✓ |
| Legacy pairing used | MitM | MitM | Automated | | ✓ |
| KNOB | MitM | MitM | Semi-automated | ✓ | ✓ |
| CVE-2018-5383 | MitM | MitM | Automated | ✓ | ✓ |
| Method Confusion attack | MitM | MitM | Automated | | ✓ |
| SSP supported <= 4.0 weak crypto or SSP at all | MitM | Info/MitM | Automated | | ✓ |
| CVE-2020-24490 | Critical | DoS | Automated | | ✓ |
| CVE-2017-1000250 | Critical | Info leak | Automated | | ✓ |
| CVE-2020-12351 | Critical | RCE/DoS | Automated | | ✓ |
| CVE-2017-1000251 | Critical | RCE/DoS | Automated | | ✓ |
| V1 Feature Pages Execution | Critical | RCE/DoS | Automated | ✓ | ✓ |
| Unknown duplicated encapsulated payload | DoS | DoS | Automated | ✓ | ✓ |
| V2 Truncated SCO Link Request | DoS | DoS | Automated | ✓ | ✓ |
| V4 Feature Resp. Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V5 LMP Auto Rate Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V6 LMP 2-DH1 Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V7 LMP DM1 Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V8 Truncated LMP Accepted | DoS | DoS | Automated | ✓ | ✓ |
| V9 Invalid Setup Complete | DoS | DoS | Automated | ✓ | ✓ |
| V10 Host Conn. Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V11 Same Host Connection | DoS | DoS | Automated | ✓ | ✓ |
| V12 AU Rand Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V14 Max Slot Length Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V15 Invalid Timing Accuracy | DoS | DoS | Automated | ✓ | ✓ |
| V16 Paging Scan Deadlock | DoS | DoS | Automated | ✓ | ✓ |
| Unknown wrong encapsulated payload | DoS | DoS | Automated | ✓ | ✓ |
| Unknown sdp unknown element type | DoS | DoS | Automated | ✓ | ✓ |
| Unknown sdp oversized element size | DoS | DoS | Automated | ✓ | ✓ |
| Unknown feature req ping pong | DoS | DoS | Automated | ✓ | ✓ |
| Unknown lmp invalid transport | DoS | DoS | Automated | ✓ | ✓ |
| CVE-2020-12352 | Critical | Info leak | Automated | | ✓ |

### Novel attacks
These attacks are novel and are tested by the framework.

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
|----------------------------------------------| :---: | :---: | :---: | :---: | :---: |
| Insecure NC implementation | MitM | MitM | Manual | | ✓ |
| Vehicular NiNo | MitM | Info | Manual | | ✓ |
| Contact Extractor | Critical | BAC | Manual | | ✓ |

### Vulnerabilities to be added soon
| Vulnerability | Category | Type | Verification type | Hardware req. | Tested | Scheduled to be added |
|----------------------------------------------| :---: | :---: | :---: | :---: | :---: | :---: |
| BLUR | MitM | ? | - | ✓ | | ✓ |
| BIAS | MitM | ? | - | ✓ | | ✓ |
| BLUFFS | MitM | ? | - | ✓ | | ✓ |
| BlueRepli | Critical | BAC | - | | | |
| CVE-2020-26555 | MitM | MitM | - | | | |

# Bluetooth Vulnerabilities and Attacks

Additionally, we found the following Bluetooth Classic and Bluetooth Low Energy (BLE) vulnerabilities. For each attack or vulnerability the table lists: the exploit family and name; the type (implementation-specific, protocol-specific, or affecting a BT profile); the Bluetooth type (BLE, BT, or BT + BLE); the BT versions affected; the number of exploits; the year released; the CVE and CVSS score, if available; the hardware required, if any; a proof of concept, if available; a link; and a comment with additional links or explanation.

| Exp. Family | Name | Type | BT Type | BT ver | exp. # | Year | CVE | CVSS | Hardware | PoC | Link | Comment |
| -------------- | ----------------------------------- | ----- | ---------- | ------------------ | --------------- | ---- | -------------------------------------------------------------------- | ---- | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| | Qualcomm WSA8835 attack | Imp | BLE | | 1 | 2023 | | | | | [https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647](https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647) | Improper GATT packet verification |
| | Auth bypass, spoofing | Imp | BLE | | 1 | 2022 | | | | | [https://fmsh-seclab.github.io/](https://fmsh-seclab.github.io/) | Authentication Bypass by Spoofing in Tesla Keys |
| | unauth MITM | Prot | BLE | 4.0 - 5.3 | 1 | 2022 | | | | | [https://www.cvedetails.com/cve/CVE-2022-25836/](https://www.cvedetails.com/cve/CVE-2022-25836/) | Check CVE for details, relies on Method Confusion |
| | BLE Proximity Auth relay | Rel | BLE | 4.0 - 5.3 | 1 | 2022 | | | | | [https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/](https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/) | BLE Proximity Authentication Vulnerable to Relay Attacks |
| | Sniffle | Snif | BLE | 4.0-5.0 | 1 | 2022 | | | TI CC1352/CC26x2 | [https://github.com/nccgroup/Sniffle](https://github.com/nccgroup/Sniffle) | | |
| | InjectaBLE | Prot | BLE | 4.0 - 5.2 | 1 | 2021 | | | nRF52840 | [https://github.com/RCayre/injectable-firmware](https://github.com/RCayre/injectable-firmware) | [https://hal.laas.fr/hal-03193297v2/document](https://hal.laas.fr/hal-03193297v2/document) | MITM, Send malicious packets, post-exploitation after the session was established/hijacked (Imp and model specific) |
| | jacknimble | Imp | BLE | | | 2020 | | | nRF52840 | [https://github.com/darkmentorllc/jackbnimble](https://github.com/darkmentorllc/jackbnimble) | [https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf](https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf) | 3 exploits for specific hardware, CVE-2020-15531 |
| | SweynTooth | Imp | BLE | | 12 | 2020 | | | nRF52840 | https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks | https://asset-group.github.io/disclosures/sweyntooth/ | |
| | BlueDoor | Prot | BLE | 4.0 - 5.2 | 1 | 2020 | | | nRF51822 | | [http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf](http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf) | MITM |
| | Downgrade attack | Prot | BLE | 4.2 - 5.0 | 1 | 2020 | | | TICC2640 & Adafruit Bluefruit LE Sniffer | | [https://www.usenix.org/system/files/sec20-zhang-yue.pdf](https://www.usenix.org/system/files/sec20-zhang-yue.pdf) | MITM through downgrade (SCO) CVE-2020-35473 |
| | BLESA | Spoof | BLE | | 1 | 2020 | | | | | [https://www.usenix.org/system/files/woot20-paper-wu.pdf](https://www.usenix.org/system/files/woot20-paper-wu.pdf) | Spoofing to establish MITM and disable encryption |
| SweynTooth | Cypress PSoc 4 BLE | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336](https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336) | DoS |
| SweynTooth | Cypress PSoc 4 BLE | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061](https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061) | Buffer Overflow |
| SweynTooth | NXP KW41Z up to 2.2.1 | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060](https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060) | BLE Link layer buffer overflow |
| SweynTooth | STMicroelectronics BLE Stack | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192](https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192) | through 1.3.1 for STM32WB5x devices does not properly handle consecutive ATT requests on reception |
| | Co-located app BLE | | BLE | | 1 | 2019 | | | | Theory | [https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf](https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf) | Co-located apps can get BLE data, and thus exfiltrate needed info??? can we do a relay with it? |
| | BleedingBit | Imp | BLE | 4.2 - 5.0 | 1 | 2018 | | | | | https://www.armis.com/research/bleedingbit/ | |
| | GATTacking | Prot | BLE | 4.0 | 1 | 2016 | | | CSR 8510-based USB dongle | [https://github.com/securing/gattacker](https://github.com/securing/gattacker) | [https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf) | MITM BLE |
| | Crackle | Prot | BLE | 4 | 1 | 2013 | | | | [https://github.com/mikeryan/crackle](https://github.com/mikeryan/crackle) | [https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf) | crack ble encryption |
| Bluez | MynameIsKeyboard | Imp | BT | | 1 | 2023 | [CVE-2023-45866](https://www.cvedetails.com/cve/CVE-2023-45866/) | 8.8 | | [https://github.com/marcnewlin/hi_my_name_is_keyboard](https://github.com/marcnewlin/hi_my_name_is_keyboard) | \- | CVE-2023-45866 |
| Antonioli | BLUFFS | Prot | BT | 4.2-5.2 | 6 | 2023 | [CVE-2023-24023](https://www.cvedetails.com/cve/CVE-2023-24023/) | 6.8 | CYW920819EVB-02 | [https://github.com/francozappa/bluffs](https://github.com/francozappa/bluffs) | | |
| | \- | Prot | BT | | 1 | 2022 | | | | | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777) | Cross-stack illegal access attack (formal methods) + CVE-2020-26560 and CVE-2020-15802 mentioned in other entries |
| | BlackTooth | Prot | BT | | 1 | 2022 | | | CYW920819EVB-02 | | [https://dl.acm.org/doi/pdf/10.1145/3548606.3560668](https://dl.acm.org/doi/pdf/10.1145/3548606.3560668) | 1 new attack (connection stage) + KNOB and other attacks that were reused |
| | BLAP | Prot | BT | | 1 | 2022 | | | | Theory | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575) | Extract Link Key from the HCI dump needs physical access to the car (applicable in car sharing only) |
| | Blue's Clues | Prot | BT | <=5.3 | | 2022 | [CVE-2022-24695](https://www.cvedetails.com/cve/CVE-2022-24695/) | 4.3 | Ubertooth & USRP B210 SDR | [https://github.com/TylerTucker/BluesClues](https://github.com/TylerTucker/BluesClues) | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358) | CVE-2022-24695 affects Privacy, defeats non-discoverable feature of BT/EDR |
| | unauth MITM | Prot | BT | 1.0B-5.3 | 1 | 2022 | [CVE-2022-25837](https://www.cvedetails.com/cve/CVE-2022-25837/) | 7.5 | | | [https://www.cvedetails.com/cve/CVE-2022-25837/](https://www.cvedetails.com/cve/CVE-2022-25837/) | Check CVE for details, relies on Method Confusion, CVE-2022-25837 |
| Braktooth | BrakTooth | Imp | BT | 3.0 - 5.2 | 16 | 2021 | [CVE-2021-28139](https://www.cvedetails.com/cve/CVE-2021-28139/) | 8.8 | ESP-WROVER-KIT | [https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks](https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks) | https://asset-group.github.io/disclosures/braktooth/ | |
| | BleedingTooth BadChoice | Imp | BT | 4.2-5.2 | 1 | 2020 | [CVE-2020-12352](https://www.cvedetails.com/cve/CVE-2020-12352/) | 6.5 | | [https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq) | [https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html) | Information leak |
| | BleedingTooth BadKarma | Imp | BT | 5.0 | 1 | 2020 | [CVE-2020-12351](https://www.cvedetails.com/cve/CVE-2020-12351/) | 8.8 | | [https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq) | [https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html) | stack-based info leak BlueZ |
| | BleedingTooth BadVibes | Imp | BT | 5.0+ | 1 | 2020 | [CVE-2020-24490](https://www.cvedetails.com/cve/CVE-2020-24490/) | 6.5 | | [https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649) | [https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html) | Requires BT 5.0 and higher |
| | Snapdragon Auto CVEs | Imp | BT | | 4 | 2020 | | | | | [https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703](https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703) | CVE-2020-11156 Snapdragon Auto, no exploits CVE-2020-11154 CVE-2020-11155, CVE-2020-3703 |
| | BlueRepli | Imp | BT | | 1 | 2020 | | | | No exploit so far | [https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf](https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf) | [https://github.com/DasSecurity-HatLab/BlueRepli-Plus](https://github.com/DasSecurity-HatLab/BlueRepli-Plus) |
| | UberTooth | Snif | BT | ALL | 1 | 2020 | | | Ubertooth | [https://github.com/greatscottgadgets/ubertooth](https://github.com/greatscottgadgets/ubertooth) | [https://ubertooth.readthedocs.io/en/latest/](https://ubertooth.readthedocs.io/en/latest/) | Sniffing |
| Antonioli | BIAS | Prot | BT | <=5.0 | 4 | 2019 | [CVE-2020-10135](https://www.cvedetails.com/cve/CVE-2020-10135/) | 5.4 | CYW920819, possibly CYW920819M2EVB-01 | [https://github.com/francozappa/bias](https://github.com/francozappa/bias) | [https://francozappa.github.io/about-bias/](https://francozappa.github.io/about-bias/) | CVE-2020-10135 |
| | MITM SSP BT 5.0 | Prot | BT | 5 | 1 | 2018 | | | | | [https://link.springer.com/article/10.1007/s00779-017-1081-6](https://link.springer.com/article/10.1007/s00779-017-1081-6) | passkey entry association model is vulnerable to the MITM |
| BlueBorne | CVE-2017-0785 | Imp | BT | | 1 | 2017 | [CVE-2017-0785](https://www.cvedetails.com/cve/CVE-2017-0785/) | 6.5 | | | | |
| BlueBorne | CVE-2017-1000251 | Imp | BT | 5 | 4 | 2017 | [CVE-2017-1000251](https://www.cvedetails.com/cve/CVE-2017-1000251/) | 8.0 | | [https://github.com/ArmisSecurity/blueborne](https://github.com/ArmisSecurity/blueborne) | [https://www.armis.com/research/blueborne/](https://www.armis.com/research/blueborne/) | |
| | Lexus BT Heap Overflow | Imp | BT | | 1 | 2017 | [CVE-2020-5551](https://www.cvedetails.com/cve/CVE-2020-5551/) | 8.8 | | Theory | [https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/](https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/) | RCE in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured not in Japan from Oct. 2016 to Oct. 2019 |
| | BlueEar | Snif | BT | ALL | 1 | 2016 | | | Ubertooth (2) | [https://github.com/albazrqa/BluEar](https://github.com/albazrqa/BluEar) | [https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf](https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf) | Sniffing, extending the code of Ubertooth |
| | CVE-2018-19860 | Imp | BT | | 1 | 2014 | [CVE-2018-19860](https://www.cvedetails.com/cve/CVE-2018-19860/) | 8.8 | Nexus 5 (internalblue) | internalblue Nexus 5 examples | | Imp. specific attacks on Broadcom chips BCM4335C0, BCM43438A1, and some other from 2012-2014 (DoS) |
| | NINO MITM attack | Prot | BT | | 2 | 2010 | | | Nexus 5 (internalblue) | Theory + a PoC from internalblue + easy exploit similar to method confusion | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082) | NINO - no input no output (mitm + out-of-band mitm attacks). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4401672 |
| | Attacks on Pairing | Prot | BT | 2.1 | 1 | 2008 | | | | | [https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0](https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0) | MITM, attack on 2.1 |
| | Cracking Bluetooth PIN | Brute | BT | | 1 | 2005 | | | | Theory | [https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf](https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf) | 6 |
| | Key extraction | | BT | 1.0B | 1 | 2001 | | | | | [https://link.springer.com/chapter/10.1007/3-540-45353-9_14](https://link.springer.com/chapter/10.1007/3-540-45353-9_14) | Old attack on very old version 1.0B |
| | BadBluetooth | Prot | BT + adj | | 1 | 2019 | | | | Theory | [https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf](https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf) | Too high assumptions (malicious app installed + compromised device) |
| BlueMirror | BlueMirror BT Mesh profile brute | Prot | BT Profile | 2.1-5.2 | 1 | 2021 | [CVE-2020-26556](https://www.cvedetails.com/cve/CVE-2020-26556/) | 7.5 | | | | Brute-force insufficient random AuthValue in BT Mesh 1.0 and 1.0.1 to complete authentication |
| BlueMirror | BlueMirror BT Mesh profile brute 2 | Prot | BT Profile | 2.1-5.2 | 1 | 2021 | [CVE-2020-26557](https://www.cvedetails.com/cve/CVE-2020-26557/) | 7.5 | | | | Determine Authvalue in BT Mesh 1.0 and 1.0.1 via brute-force attack |
| BlueMirror | BlueMirror BT Mesh profile no brute | Prot | BT Profile | 2.1-5.2 | 1 | 2021 | [CVE-2020-26559](https://www.cvedetails.com/cve/CVE-2020-26559/) | 8.8 | | | | Auth bypass in Mesh profile 1.0, 1.0.1, can determine authvalue and other data without brute-force |
| BlueMirror | BlueMirror BT Mesh profile | Prot | BT Profile | 1.0B-5.2 | 1 | 2020 | [CVE-2020-26560](https://www.cvedetails.com/cve/CVE-2020-26560/) | 8.1 | | | [https://kb.cert.org/vuls/id/799380](https://kb.cert.org/vuls/id/799380) | CVE-2020-26560 - Auth bypass in Mesh profile 1.0, 1.0.1  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325 |
| BlueMirror | BlueMirror Legacy pairing | Prot | BT/BLE | 2.1-5.2 | 1 | 2021 | [CVE-2020-26555](https://www.cvedetails.com/cve/CVE-2020-26555/) | 5.4 | | | [https://kb.cert.org/vuls/id/799380](https://kb.cert.org/vuls/id/799380) | Complete pairing without knowledge of the PIN  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325     https://www.ieee-security.org/TC/SP2021/SPW2021/WOOT21/files/woot21-claverie-slides.pdf |
| BlueMirror | BlueMirror passkey leak | Prot | BT/BLE | 2.1-5.2 | 1 | 2021 | [CVE-2020-26558](https://www.cvedetails.com/cve/CVE-2020-26558/) | 4.2 | | | | MitM attacker can determine passkey value through reflection of the public key (can leak passkey value 1 bit at a time) |
| Antonioli | BLURTooth | Prot | BT/BLE | 4.2, 5.0, 5.1, 5.2 | 4 | 2020 | [CVE-2020-15802](https://www.cvedetails.com/cve/CVE-2020-15802/) | 5.9 | | [https://github.com/francozappa/blur](https://github.com/francozappa/blur) | [https://hexhive.epfl.ch/BLURtooth/](https://hexhive.epfl.ch/BLURtooth/) | CVE-2020-15802 |
| | Fixed Coord. Inv. Attack | Imp | BT/BLE | 2.1-5.2 | 1 | 2019 | [CVE-2018-5383](https://www.cvedetails.com/cve/CVE-2018-5383/) | | Nexus 5 (internalblue) or CY5677 | internalblue Nexus 5 examples | [https://biham.cs.technion.ac.il/BT/](https://biham.cs.technion.ac.il/BT/) | MITM exploiting crypto (implementation/protocol attack) CVE-2018-5383 |
| Antonioli | KNOB | Prot | BT/BLE | <=5.0 | 1 | 2019 | [CVE-2019-9506](https://www.cvedetails.com/cve/CVE-2019-9506/) | 8.1 | Nexus 5 (internalblue) | [https://github.com/francozappa/knob](https://github.com/francozappa/knob) | [https://knobattack.com/](https://knobattack.com/) | [CVE-2019-9506](https://vuldb.com/?source_cve.140090) |
| | Ghost attack | Prot | BT/BLE? | | 2 | 2023 | | | | | [https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf) | Ghost attack and group guessing attack |
| | Qualcomm 9206 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-40503](https://www.cvedetails.com/cve/CVE-2022-40503/) | 8.2 | | | [https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503](https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503) | Buffer overread in A2DP profile |
| | Qualcomm APQ8009 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-40537](https://www.cvedetails.com/cve/CVE-2022-40537/) | 7.3 | | | [https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537](https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537) | Memory corruption while processing AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response |
| | Qualcomm WSA8815 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-33280](https://www.cvedetails.com/cve/CVE-2022-33280/) | 7.3 | | | [https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280](https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280) | Memory corruption while processing AVRCP packet |
| | Qualcomm WSA8835 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-33255](https://www.cvedetails.com/cve/CVE-2022-33255/) | 8.2 | | | [https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255](https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255) | Bluetooth HOST Buffer overread while processing GetFolderItems, GetItemAttributes |
| | Qualcomm WSA8835 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-22088](https://www.cvedetails.com/cve/CVE-2022-22088/) | 9.8 | | | [https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088](https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088) | Bluetooth Host Buffer overflow while processing response from remote |
| | SnapDragon Auto | Imp | BT/BLE? | | 1 | 2021 | [CVE-2021-35068](https://www.cvedetails.com/cve/CVE-2021-35068/) | 9.8 | | | [https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068](https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068) | Null pointer dereference while freeing the HFP profile |
| | Method Confusion | Prot | BT/BLE? | 2.1-5.2 | 1 | 2020 | [CVE-2020-10134](https://www.cvedetails.com/cve/CVE-2020-10134/) | 6.3 | huge selection with different capabilities. | [https://github.com/maxdos64/BThack](https://github.com/maxdos64/BThack) | [https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf](https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf) | MITM between 2 BLE or BR/EDR devices. Strange hardware needed, CVE-2020-10134 |
| | BlueSnarf revisited | Imp | OBEX | | 1 | 2011 | | | | | [https://inria.hal.science/hal-01587858/document](https://inria.hal.science/hal-01587858/document) | OBEX path traversal (FTP) |

The YAML DSL reference syntax is available [here](SYNTAX-REFERENCE.md).

## Results from testing

We tested 22 cars from the following manufacturers and were able to find 60+ new vulnerabilities in them:
Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla.

We responsibly disclosed all of the vulnerabilities. All manufacturers had time to fix the vulnerabilities, but not all of them did or wanted to!

| Manufacturer | Model | Year | BT version | Vuln Type | Vulnerability | Status | Comment |
|---------------|-----------------|------|------------|-----------|----------------------------------------|-----------------------------------------------|----------------------------------------------------------------------------------------------|
| Audi | A5 | 2020 | 4.2 | Chaining | IVI is not rebootable | | |
| Audi | A5 | 2020 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| Audi | A5 | 2020 | 4.2 | Chaining | Always Pairable | | |
| Audi | E-tron | 2020 | 4.2 | Chaining | IVI is not rebootable | | |
| Audi | E-tron | 2020 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| Audi | E-tron | 2020 | 4.2 | Chaining | Always Pairable | | |
| BMW | X2 | 2021 | 4 | Chaining | IVI is not rebootable | | |
| BMW | X2 | 2021 | 4 | Chaining | Not only IVI can initiate a connection | | |
| BMW | X2 | 2021 | 4 | Chaining | SC not supported | | |
| Chevrolet | Corvette | 2018 | 3 | Chaining | IVI is not rebootable | | |
| Chevrolet | Corvette | 2018 | 3 | Chaining | Not only IVI can initiate a connection | | |
| Chevrolet | Corvette | 2018 | 3 | Chaining | SC not supported | | |
| Honda | e | 2020 | 5 | Chaining | IVI is not rebootable | | |
| Honda | e | 2020 | 5 | Chaining | Not only IVI can initiate a connection | | |
| Honda | e | 2020 | 5 | Chaining | Always Pairable | | |
| Hyundai | Kona | 2022 | 5 | Chaining | IVI is not rebootable | | |
| Hyundai | Kona | 2022 | 5 | Chaining | Not only IVI can initiate a connection | | |
| Hyundai | Kona | 2022 | 5 | Chaining | SC not supported | | |
| Hyundai | Kona | 2022 | 5 | Chaining | Always Pairable | | |
| Mercedes-Benz | Sprinter 316CDI | 2021 | 4.2 | Chaining | IVI is not rebootable | | |
| Mercedes-Benz | Sprinter 316CDI | 2021 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| Mercedes-Benz | Sprinter 316CDI | 2021 | 4.2 | Chaining | SC not supported | | |
| Mini | Cooper S | 2022 | 5 | Chaining | IVI is not rebootable | | |
| Mini | Cooper S | 2022 | 5 | Chaining | Not only IVI can initiate a connection | | |
| Mini | Cooper S | 2022 | 5 | Chaining | SC not supported | | |
| Opel | Astra | 2019 | 4.1 | Chaining | IVI is not rebootable | | |
| Opel | Astra | 2019 | 4.1 | Chaining | SC not supported | | |
| Polestar | Polestar 2 | 2022 | 4.2 | Chaining | SC not supported | | Not fully tested! |
| Renault | Megane | 2016 | 2.1 | Chaining | IVI is not rebootable | | |
| Renault | Megane | 2016 | 2.1 | Chaining | Not only IVI can initiate a connection | | |
| Renault | Megane | 2016 | 2.1 | Chaining | SC not supported | | |
| Renault | Megane | 2021 | 4.2 | Chaining | IVI is not rebootable | | |
| Renault | Megane | 2021 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| Renault | Megane | 2021 | 4.2 | Chaining | SC not supported | | |
| Renault | ZOE | 2021 | 4.2 | Chaining | IVI is not rebootable | | |
| Renault | ZOE | 2021 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| Renault | ZOE | 2021 | 4.2 | Chaining | SC not supported | | |
| Skoda | Octavia | 2015 | 3 | Chaining | IVI is not rebootable | | Not fully tested! |
| Skoda | Octavia | 2015 | 3 | Chaining | SC not supported | | Not fully tested! |
| Skoda | Octavia | 2019 | 3 | Chaining | SC not supported | | Not fully tested! |
| Skoda | Octavia | 2022 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| Skoda | Octavia | 2022 | 4.2 | Chaining | Always Pairable | | |
| Toyota | Corolla | 2023 | 5.1 | Chaining | Not only IVI can initiate a connection | | |
| VW | Caddy | 2023 | 4.2 | Chaining | IVI is not rebootable | | |
| VW | Caddy | 2023 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| VW | Caddy | 2023 | 4.2 | Chaining | Always Pairable | | |
| VW | ID.3 | 2022 | 4.2 | Chaining | Not only IVI can initiate a connection | | |
| VW | ID.3 | 2022 | 4.2 | Chaining | Always Pairable | | |
| VW | T6.1 | 2021 | 4.1 | Chaining | IVI is not rebootable | | |
| VW | T6.1 | 2021 | 4.1 | Chaining | Not only IVI can initiate a connection | | |
| VW | T6.1 | 2021 | 4.1 | Chaining | SC not supported | | |
| VW | T6.1 | 2021 | 4.1 | Chaining | Always Pairable | | |
| Opel | Astra | 2019 | 4.1 | Critical | CVE-2018-19860 | Fixed in new versions | |
| Renault | Megane | 2021 | 4.2 | Critical | Contact extractor | Unknown | |
| Renault | ZOE | 2021 | 4.2 | Critical | Contact extractor | Unknown | |
| Skoda | Octavia | 2015 | 3 | Critical | CVE-2018-19860 | Acknowledged. Working on a fix | Not fully tested! |
| Skoda | Octavia | 2015 | 3 | Critical | Contact extractor | Acknowledged. Working on a fix | Not fully tested! |
| VW | T6.1 | 2021 | 4.1 | Critical | Contact extractor | Acknowledged. Working on a fix | |
| Audi | A5 | 2020 | 4.2 | DoS | invalid_max_slot | Acknowledged. Working on a fix | (probably known) (Broadcom - Cypress) |
| BMW | X2 | 2021 | 4 | DoS | au_rand_flooding | Acknowledged. Fixed in new hardware | |
| BMW | X2 | 2021 | 4 | DoS | truncated_sco_request | Acknowledged. Fixed in new hardware | (unknown) Texas Instruments |
| BMW | X2 | 2021 | 4 | DoS | invalid_timing_accuracy | Acknowledged. Fixed in new hardware | (unknown) Texas Instruments |
| Chevrolet | Corvette | 2018 | 3 | DoS | lmp_overflow_2dh1 | Unknown | (unknown) (Qualcomm) |
| Chevrolet | Corvette | 2018 | 3 | DoS | invalid_timing_accuracy | Unknown | (known WCN3990) (Qualcomm) |
| Mercedes-Benz | Sprinter 316CDI | 2021 | 4.2 | DoS | invalid_max_slot | Unknown | (unknown) Marvell Technology |
| Mini | Cooper S | 2022 | 5 | DoS | au_rand_flooding | Acknowledged. Fixed in new hardware | |
| Mini | Cooper S | 2022 | 5 | DoS | lmp_auto_rate_overflow | Acknowledged. Fixed in new hardware | Probably a false positive: recovered after 40 seconds |
| Opel | Astra | 2019 | 4.1 | DoS | lmp_overflow_dm1 | Acknowledged. But might be discarded? | (unknown) (chip problem Cypress) |
| Opel | Astra | 2019 | 4.1 | DoS | invalid_timing_accuracy | Acknowledged. But might be discarded? | (unknown) (chip problem Cypress) |
| Opel | Astra | 2019 | 4.1 | DoS | truncated_lmp_accepted | Acknowledged. But might be discarded? | (unknown) (chip problem Cypress) |
| Polestar | Polestar 2 | 2022 | 4.2 | DoS | duplicated_encapsulated_payload | Acknowledged. Had problems reproducing | Not fully tested! (unknown) (Qualcomm) |
| Renault | Megane | 2016 | 2.1 | DoS | invalid_timing_accuracy | Unknown | Might be a false positive as this is the data from the first run! |
| Renault | Megane | 2021 | 4.2 | DoS | au_rand_flooding | Unknown | (unknown) (Marvell Technology) |
| Renault | Megane | 2021 | 4.2 | DoS | lmp_invalid_transport | Unknown | (unknown) (Marvell Technology) |
| Renault | Megane | 2021 | 4.2 | DoS | lmp_max_slot_overflow | Unknown | (unknown) (Marvell Technology) |
| Renault | Megane | 2021 | 4.2 | DoS | invalid_max_slot | Unknown | (unknown) (Marvell Technology) |
| Renault | Megane | 2021 | 4.2 | DoS | truncated_sco_request | Unknown | (unknown) (Marvell Technology) |
| Renault | Megane | 2021 | 4.2 | DoS | sdp_unknown_element | Unknown | (unknown) (Marvell Technology) |
| Renault | Megane | 2021 | 4.2 | DoS | duplicated_encapsulated_payload | Unknown | (unknown) (Marvell Technology) |
| Renault | ZOE | 2021 | 4.2 | DoS | invalid_max_slot | Unknown | |
| Toyota | Corolla | 2023 | 5.1 | DoS | feature_req_ping_pong | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Toyota | Corolla | 2023 | 5.1 | DoS | wrong_encapsulated_payload | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Toyota | Corolla | 2023 | 5.1 | DoS | duplicated_iocap | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Toyota | Corolla | 2023 | 5.1 | DoS | lmp_overflow_dm1 | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Toyota | Corolla | 2023 | 5.1 | DoS | sdp_oversized_element_size | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Toyota | Corolla | 2023 | 5.1 | DoS | duplicated_encapsulated_payload | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Toyota | Corolla | 2023 | 5.1 | DoS | invalid_max_slot | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Toyota | Corolla | 2023 | 5.1 | DoS | invalid_timing_accuracy | Acknowledged | Marvell Technology chip has an actual vulnerability (unknown before) |
| Audi | A5 | 2020 | 4.2 | MitM | Insecure NC implementation | Acknowledged. Fixing in a new firmw. version | |
| Audi | A5 | 2020 | 4.2 | MitM | KNOB | Acknowledged. Fixing in a new firmw. version | |
| Audi | E-tron | 2020 | 4.2 | MitM | Insecure NC implementation | Acknowledged. Fixing in a new firmw. version | |
| BMW | X2 | 2021 | 4 | MitM | NiNo | Acknowledged. Working on a fix | |
| BMW | X2 | 2021 | 4 | MitM | CVE-2018-5383 | Acknowledged. Not fixing, fixed in new hardw. | |
| BMW | X2 | 2021 | 4 | MitM | Insecure NC implementation | Acknowledged. Working on a fix | |
| BMW | X2 | 2021 | 4 | MitM | E0 Algorithm is used (due to BT vers) | Acknowledged. Working on a fix | |
| Chevrolet | Corvette | 2018 | 3 | MitM | KNOB | Unknown | |
| Chevrolet | Corvette | 2018 | 3 | MitM | E0 Algorithm is used (due to BT vers) | Unknown | |
| Honda | e | 2020 | 5 | MitM | NiNo | Acknowledged | |
| Honda | e | 2020 | 5 | MitM | Insecure NC implementation | Acknowledged | |
| Honda | e | 2020 | 5 | MitM | KNOB | Acknowledged | |
| Honda | e | 2020 | 5 | MitM | Vehicular NiNo | Acknowledged | |
| Hyundai | Kona | 2022 | 5 | MitM | Insecure NC implementation | Unknown | |
| Mini | Cooper S | 2022 | 5 | MitM | NiNo | Acknowledged. Working on a fix | |
| Mini | Cooper S | 2022 | 5 | MitM | Insecure NC implementation | Acknowledged. Working on a fix | |
| Renault | Megane | 2016 | 2.1 | MitM | NiNo | Unknown | |
| Renault | Megane | 2016 | 2.1 | MitM | CVE-2018-5383 | Unknown | |
| Renault | Megane | 2016 | 2.1 | MitM | KNOB | Unknown | |
| Renault | Megane | 2016 | 2.1 | MitM | Legacy Pairing enabled | Unknown | code 0000 |
| Renault | Megane | 2016 | 2.1 | MitM | E0 Algorithm is used (due to BT vers) | Unknown | |
| Renault | Megane | 2016 | 2.1 | MitM | SSP not supported | Unknown | |
| Renault | Megane | 2021 | 4.2 | MitM | Insecure NC implementation | Unknown | |
| Renault | Megane | 2021 | 4.2 | MitM | NiNo | Unknown | Might have been marked as vulnerable due to Vehicular NiNo (should be checked independently) |
| Renault | Megane | 2021 | 4.2 | MitM | Vehicular NiNo | Unknown | |
| Renault | ZOE | 2021 | 4.2 | MitM | NiNo | Unknown | Might have been marked as vulnerable due to Vehicular NiNo (should be checked independently) |
| Renault | ZOE | 2021 | 4.2 | MitM | Insecure NC implementation | Unknown | |
| Renault | ZOE | 2021 | 4.2 | MitM | Vehicular NiNo | Unknown | |
| Skoda | Octavia | 2015 | 3 | MitM | KNOB | Acknowledged. | Not fully tested! |
| Skoda | Octavia | 2015 | 3 | MitM | E0 Algorithm is used (due to BT vers) | Acknowledged. | Not fully tested! |
| Skoda | Octavia | 2019 | 3 | MitM | KNOB | Acknowledged. | Not fully tested! |
| Skoda | Octavia | 2019 | 3 | MitM | E0 Algorithm is used (due to BT vers) | Acknowledged. | Not fully tested! |
| Tesla | Model Y | 2023 | 5.2 | MitM | Vehicular NiNo | Not fixing. Usability feature | |
| VW | ID.3 | 2022 | 4.2 | MitM | Vehicular NiNo | Acknowledged. Fixing in a new firmw. version | |
| VW | T6.1 | 2021 | 4.1 | MitM | KNOB | Acknowledged. Fixing in a new firmw. version | |
| VW | T6.1 | 2021 | 4.1 | MitM | NiNo | Acknowledged. Fixing in a new firmw. version | |
| VW | T6.1 | 2021 | 4.1 | MitM | Vehicular NiNo | Acknowledged. Fixing in a new firmw. version | |
| VW | T6.1 | 2021 | 4.1 | MitM | CVE-2018-5383 | Acknowledged. Fixing in a new firmw. version | |
| Tesla | Model Y | 2023 | 5.2 | | Accidental crash (on BT connection) | Not reproduced | |

## Novel Attacks

#### Insecure NC Implementation

The IVI system does not properly implement the Numeric Comparison authentication protocol defined in the Bluetooth Core Specification, which leaves the link unauthenticated and thus vulnerable to NiNo, Method Confusion and custom MitM attacks.

There are 3 possible variations:
1. The IVI/device doesn't require a confirmation for pairing, e.g. there is no button to confirm the pairing (Renault, Hyundai cars).
2. A static number is always shown (BMW, Mini cars).
3. The IVI shows a pairing window without a pairing number to compare (Audi).

There are 2 possible reasons:
1. State problem
2. Design problem

In the case of the state problem, an adversary connects to the IVI (or other device) with a capability other than DisplayYesNo, and the IVI nevertheless runs a broken Numeric Comparison instead of Passkey Entry or Just Works.

In the case of a design problem, one simply observes the pairing process and what it requires of the user on the target device (IVI).

Examples of vulnerable cars:
*(image: ExampleInsecureNC)*

For the PoC steps please consult the [manual exploits documentation](https://github.com/sgxgsx/BlueToolkit/wiki/Manual-Exploits).

#### Vehicular NiNo
The vehicle allows connections from a device with no input or output capabilities. According to the specification, if one of the devices has the NoInputNoOutput capability, the pairing mode used is Just Works, and such a link must be considered unauthenticated and vulnerable to MitM attacks. As a result, an adjacent adversary can execute a practical attack and establish a MitM position.

Important distinction: in this case the vehicle does not allow NoInputNoOutput devices to initiate a connection to the IVI, but fails to apply the same check to a connection initiated by the IVI. The attack window is smaller than in a usual NiNo attack, but it still exists.

Note on NiNo devices in the vehicular domain:
In the vehicular domain, the use of NiNo devices such as headphones while driving is infrequent, if legal at all. In the smartphone domain a connection to such devices is considered a feature and a usability trade-off, e.g. to enable wireless headphones. Since that use case is absent in the vehicular domain, it is better to disallow connections from such devices, which many manufacturers already do.

For the PoC steps please consult the [manual exploits documentation](https://github.com/sgxgsx/BlueToolkit/wiki/Manual-Exploits).
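As an added example (not code from BlueToolkit), the Secure Simple Pairing association-model selection that underlies both the Insecure NC and the Vehicular NiNo sections above, written as a defender's policy check: it derives the model from the two IO capabilities, treats a Numeric Comparison without a genuine user confirmation as unauthenticated (the Insecure NC variations), and enumerates the pairings an IVI policy accepts in each direction (the Vehicular NiNo asymmetry). The two policy functions and the DisplayYesNo IVI capability are constructed assumptions.

```python
from enum import IntEnum

class IoCap(IntEnum):
    """HCI IO_Capability values used by BR/EDR Secure Simple Pairing."""
    DISPLAY_ONLY = 0x00
    DISPLAY_YES_NO = 0x01
    KEYBOARD_ONLY = 0x02
    NO_INPUT_NO_OUTPUT = 0x03

JUST_WORKS = "JustWorks"
NUMERIC_COMPARISON = "NumericComparison"
PASSKEY_ENTRY = "PasskeyEntry"

def association_model(initiator: IoCap, responder: IoCap, mitm_required: bool = True) -> str:
    """SSP association model selected from the two IO capabilities (Core Spec Vol 3 Part H)."""
    if not mitm_required:
        return JUST_WORKS  # neither side asked for MITM protection
    if IoCap.NO_INPUT_NO_OUTPUT in (initiator, responder):
        return JUST_WORKS  # NiNo on either side: nothing to compare or type
    if IoCap.KEYBOARD_ONLY in (initiator, responder):
        return PASSKEY_ENTRY  # one side types what the other displays, or both type it
    if initiator == responder == IoCap.DISPLAY_YES_NO:
        return NUMERIC_COMPARISON
    return JUST_WORKS  # a DisplayOnly device cannot confirm a comparison

def link_key_authenticated(model: str, nc_user_confirmed: bool = True) -> bool:
    """Passkey Entry always authenticates the link key. Numeric Comparison does so only if a user
    really compared and confirmed a per-pairing number; auto-acceptance, a static number or no
    number at all (the three Insecure NC variations) leaves the key as weak as Just Works."""
    if model == PASSKEY_ENTRY:
        return True
    return model == NUMERIC_COMPARISON and nc_user_confirmed

def policy_gaps(ivi_cap: IoCap, accepts, nc_user_confirmed: bool = True) -> list:
    """Pair the IVI with every remote IO capability, once as responder and once as initiator,
    and return (direction, remote capability, model) for each pairing the policy accepts
    although the resulting link key is unauthenticated."""
    gaps = []
    for remote in IoCap:
        for ivi_initiates in (False, True):
            init, resp = (ivi_cap, remote) if ivi_initiates else (remote, ivi_cap)
            model = association_model(init, resp)
            if accepts(model, ivi_initiates) and not link_key_authenticated(model, nc_user_confirmed):
                direction = "IVI-initiated" if ivi_initiates else "remote-initiated"
                gaps.append((direction, remote.name, model))
    return gaps

# Constructed IVI policies for illustration; not BlueToolkit code.
def vehicular_nino_policy(model: str, ivi_initiates: bool) -> bool:
    """Rejects Just Works only for incoming pairings: the asymmetry described above."""
    return ivi_initiates or model != JUST_WORKS

def strict_policy(model: str, ivi_initiates: bool) -> bool:
    """Rejects Just Works in both directions."""
    return model != JUST_WORKS

if __name__ == "__main__":
    for gap in policy_gaps(IoCap.DISPLAY_YES_NO, vehicular_nino_policy):
        print("accepted but unauthenticated:", *gap)
```

Running it with `nc_user_confirmed=False` against the strict policy shows why a confirmation-less Numeric Comparison is flagged in both directions even though Just Works is rejected.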

#### Contact Extractor attack

The vehicle IVI system allows a physical adversary to extract contacts previously shared over Bluetooth. This happens due to incorrect handling of access control for newly created BT sessions from already known MAC addresses.

Examples of vulnerable cars:
*(image: ExampleRenault)*

For the PoC steps please consult the [contact extractor documentation](https://github.com/sgxgsx/BlueToolkit/wiki/Manual-Exploits).

## Hardware

To test all vulnerabilities one needs to buy additional hardware:

* ESP-WROVER-KIT-VE for the Braktooth vulnerabilities
* Nexus 5 (phone) for the InternalBlue-based vulnerabilities. It can be substituted by a CYW20735, but an additional hardware profile is needed and 2 exploits won't be reproducible.
* CYW920819M2EVB-01 for the BIAS, BLUR and BLUFFS attacks

### Running Bluetoolkit

See https://github.com/sgxgsx/BlueToolkit/wiki for details on running BlueToolkit.

### License

BlueToolkit is distributed under [MIT License](https://github.com/sgxgsx/Bluetoolkit/blob/main/LICENSE.md)