
Pierre BETOUIN - pierre _dot_ betouin _at_ security-labs _dot_ org
Page last updated: Thu Mar 16 20:30 GMT+1 2006
Download BSS (Bluetooth Stack Smasher)
Bluetooth security has recently become a new area of interest for many people involved in IT security.
Long neglected, in particular because of Bluetooth's short range, it now concerns more and more people: almost every device manufactured today ships with native Bluetooth support: cellular phones, laptops, digital assistants, cameras...
Growing mobility lets almost every user get an instant connection wherever and whenever they need it, to check mail, chat, or link their devices together (headsets, GPS receivers, and so on). This unquestionably creates new security threats.
If security was still an obscure topic for many people a few years ago, it should now be a concern for everyone who owns a wireless-capable device (802.11, Bluetooth...).
Who would not care about receiving a huge phone bill, revealing their address book or calendar to anyone nearby, or being owned while walking down the street or drinking a coffee in a pub?
The Trifinite group was the first to publish Bluetooth attacks such as BlueBug and BlueSnarf.
This paper describes existing attacks and introduces a new way to assess Bluetooth-enabled devices using a low-level fuzzer.
The security of such devices is indeed very hard to evaluate because they rely on proprietary technologies. Security analysis can be carried out with reverse-engineering techniques (disassembly, for instance), but fuzzing remains the quickest and easiest way to "stress" Bluetooth implementations.
The fuzzer presented below does not give an exhaustive analysis: a deeper study would require a complete disassembly of the target. I have nevertheless been really astonished by the number of devices that crash or behave irrationally under it.
BSS (Bluetooth Stack Smasher) is an L2CAP-layer fuzzer distributed under the GPL licence. Feel free to add new things to this project (check the TODO file). The current version is 0.8.
BSS requires the standard Bluetooth library.
Ollie Whitehouse gave me a huge amount of help on the new BSS releases. We plan to add several new modes to BSS together soon.
BSS Usage
./bss [-i iface] [-d delay] [-c] [-v] [-x] [-P0] [-q] [-o]
[-s size] [-m mode] [-p pad_byte] [-M maxcrash_count]
[-i iface]   Optional output interface (format hci[X] - check 'hciconfig -a')
[-d delay]   Optional delay (milliseconds). Default is 500ms
[-c]         Continue even on errors we would normally exit on (except malloc). This overrides -x in most places
[-v]         Verbose debugging
[-x]         Exit on potential crashes that also don't respond to secondary l2pings
[-P0]        Do not perform L2CAP ping (some hosts don't respond to such packets). This overrides -x in most places
[-q]         Quiet mode - print minimal output
[-o]         Generate replay_packet.c automatically
[-s size]    L2CAP packet size (bytes)
[-m mode]    Fuzzing mode (see the list below)
[-M value]   Max crash count before exiting (mode 13)
[-p value]   Padding value (modes 1-12)
Modes :
 0  All modes listed below
 1  L2CAP_COMMAND_REJ
 2  L2CAP_CONN_REQ
 3  L2CAP_CONN_RSP
 4  L2CAP_CONF_REQ
 5  L2CAP_CONF_RSP
 6  L2CAP_DISCONN_REQ
 7  L2CAP_DISCONN_RSP
 8  L2CAP_ECHO_REQ
 9  L2CAP_ECHO_RSP
10  L2CAP_INFO_REQ
11  L2CAP_INFO_RSP
12  L2CAP full header fuzzing (-s : payload size) [9610 tests]
13  Random fuzzing (infinite loop: break with ctrl-c)
BSS Examples
./bss -M 0 -m 13 -s 10 EF:F0:00:00:00:00
Once the target crashes, isolate the packet you think caused it. If test case generation was enabled (-o), do the following:
[1] go into the 'replay_packet' directory
[2] locate the test case file
[3] ./makereplay [file - minus extension]
i.e. ./makereplay replay_l2cap_packet_11022005101938.0
[4] ./replay [bdaddr]
and try this packet against your equipment:
./replay EF:F0:00:00:00:00
See ./replay_packet/README for more details.
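As an added example (my own code, not part of BSS and not the author's), here is what the signaling commands listed in the modes above look like on the wire and how a fuzzer derives malformed variants from a well-formed one: a length-field sweep in the spirit of mode 12 and a seeded random mode in the spirit of mode 13, where the seed plays the role that the replay_packet files play for BSS, letting a crashing frame be regenerated and resent. The command layout follows the Bluetooth Core specification; the optional sender under HAVE_BLUEZ uses only the raw L2CAP socket calls that BlueZ's l2ping uses. The function names, the seed value and the "abcd" payload are my own choices, not anything from the page.

```c
/* Added example, not part of BSS: build L2CAP signaling commands and derive
 * the malformed variants an L2CAP fuzzer sends. Command format (Bluetooth
 * Core spec, signaling channel CID 0x0001):
 *   Code(1) | Identifier(1) | Length(2, little-endian) | data
 * Over a BlueZ raw L2CAP socket the kernel prepends the 4-byte basic L2CAP
 * header, so user space sends the command alone, as BlueZ's l2ping does.
 * Build with -DHAVE_BLUEZ -lbluetooth to enable the sender; everything else
 * is pure byte manipulation and compiles without libbluetooth. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define L2CAP_CMD_HDR_LEN 4
#define L2CAP_ECHO_REQ    0x08   /* command codes match BSS mode numbers 1-11 */
#define MAX_CMD           64
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Serialize one well-formed command; returns total bytes, 0 if out is too small. */
size_t build_l2cap_cmd(uint8_t code, uint8_t ident, const uint8_t *data,
                       uint16_t dlen, uint8_t *out, size_t outcap)
{
    size_t total = L2CAP_CMD_HDR_LEN + dlen;
    if (out == NULL || outcap < total) return 0;
    out[0] = code; out[1] = ident;
    put_le16(out + 2, dlen);
    if (dlen) memcpy(out + 4, data, dlen);
    return total;
}

/* Length-field variants (cf. BSS mode 12): a stack that sizes a copy from the
 * Length field without checking what it really received will over-read or
 * over-write. Returns the number of variants written. */
size_t length_variants(const uint8_t *cmd, size_t len,
                       uint8_t variants[][MAX_CMD], size_t max)
{
    size_t n = 0;
    if (len < L2CAP_CMD_HDR_LEN || len > MAX_CMD) return 0;
    uint16_t real = get_le16(cmd + 2);
    const uint16_t vals[6] = { 0, 1, 0x7fff, 0xffff,
                               (uint16_t)(real - 1), (uint16_t)(real + 1) };
    for (size_t i = 0; i < 6 && n < max; i++, n++) {
        memcpy(variants[n], cmd, len);
        put_le16(variants[n] + 2, vals[i]);
    }
    return n;
}

/* Random mode (cf. BSS mode 13): deterministic xorshift32, so a frame that
 * crashes the target can be regenerated from its seed and replayed. */
static uint32_t xs32(uint32_t *s) { uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x; }
size_t random_cmd(uint32_t *seed, uint8_t *out, size_t outcap)
{
    uint8_t data[32];
    uint16_t dlen = (uint16_t)(xs32(seed) % sizeof data);
    for (uint16_t i = 0; i < dlen; i++) data[i] = (uint8_t)xs32(seed);
    /* any code 0x00-0xff: 0x00 and 0x0c-0xff are reserved, and a conforming
     * stack must answer them with COMMAND_REJ (0x01) rather than choke */
    size_t n = build_l2cap_cmd((uint8_t)xs32(seed), (uint8_t)xs32(seed),
                               data, dlen, out, outcap);
    if (n && (xs32(seed) & 1))               /* half the time, lie about the length */
        put_le16(out + 2, (uint16_t)xs32(seed));
    return n;
}

#ifdef HAVE_BLUEZ
#include <unistd.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/l2cap.h>
/* Send one command to bdaddr ("00:11:22:33:44:55") over a raw L2CAP socket. */
int send_l2cap_cmd(const char *bdaddr, const uint8_t *cmd, size_t len)
{
    struct sockaddr_l2 addr;
    int fd = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP), rc;
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.l2_family = AF_BLUETOOTH; str2ba(bdaddr, &addr.l2_bdaddr);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    rc = (int)send(fd, cmd, len, 0);
    close(fd); return rc;
}
#endif

/* Build the reference frames and count how many of five checks hold. */
int check_examples(void)
{
    uint8_t cmd[MAX_CMD], v[6][MAX_CMD], r1[MAX_CMD], r2[MAX_CMD];
    uint32_t s1 = 0x1234abcd, s2 = 0x1234abcd;   /* constructed seed */
    int ok = 0;
    size_t n1, n2, len = build_l2cap_cmd(L2CAP_ECHO_REQ, 1, (const uint8_t *)"abcd", 4, cmd, sizeof cmd);
    ok += (len == 8);
    ok += (cmd[0] == 0x08 && cmd[1] == 1 && cmd[2] == 4 && cmd[3] == 0 && memcmp(cmd + 4, "abcd", 4) == 0);
    ok += (length_variants(cmd, len, v, 6) == 6);
    ok += (get_le16(v[3] + 2) == 0xffff && memcmp(v[3] + 4, "abcd", 4) == 0);
    n1 = random_cmd(&s1, r1, sizeof r1);
    n2 = random_cmd(&s2, r2, sizeof r2);
    ok += (n1 == n2 && n1 > 0 && memcmp(r1, r2, n1) == 0);   /* same seed, same frame */
    return ok;
}
```

A fuzzing loop would call send_l2cap_cmd once per variant, with the same delay and l2ping liveness check BSS performs between packets, and record the seed or the variant index alongside any crash so the exact frame can be resent later.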
Related links
Article on "Bluetooth insecurity" (French) - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )
Article on "Bluetooth insecurity (PDF)" (French) - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )
Sony/Ericsson display reset exploit - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )
Nokia N70 Denial of service advisory and PoC - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )
hcidump DoS advisory & proof of concept - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )