
    MagicPairing: Apple's Take on Securing Bluetooth Peripherals

    Device pairing in large Internet of Things (IoT) deployments is a challenge for device manufacturers and users. Bluetooth offers a comparably smooth trust-on-first-use pairing experience, but it is well known for security flaws in its pairing process. In this paper, we analyze how Apple improves the security of Bluetooth pairing while maintaining usability and specification compliance. The proprietary protocol, which sits on top of Bluetooth, is called MagicPairing. It lets a user pair a device once with Apple's ecosystem and then use it seamlessly with all their other Apple devices. We analyze both the security properties the protocol provides and its implementations. In general, MagicPairing could be adopted by other IoT vendors to improve Bluetooth security. Even though the overall protocol is well designed, we identified multiple vulnerabilities within Apple's implementations using over-the-air and in-process fuzzing.

    Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices

    Bluetooth is among the dominant standards for wireless short-range communication, with billions of Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished by observing the Host Controller Interface (HCI) between the operating system's driver and the Bluetooth chip. However, the HCI provides no insight into the tasks running inside a Bluetooth chip or into the Link Layer (LL) packets exchanged over the air. As of today, the internal behavior of consumer hardware can only be observed with external, often expensive, tools that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as the LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, a test mode, and memory peek and poke.

    InternalBlue - Bluetooth Binary Patching and Experimentation Framework

    Bluetooth is one of the most established technologies for short-range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close-to-hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse-engineered functions can then be altered with our InternalBlue Python framework, which outperforms evaluation kits that are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework, and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

    The New Grid

    The New Grid seeks to provide mobile users with an additional method for off-grid communication, that is, communication without a connection to Internet infrastructure. The motivation for this project was to find another alternative to Internet-dependent communication. Current Internet infrastructure is antiquated: it is expensive to maintain and expand, it has numerous vulnerabilities and high-impact points of failure, and it can be rendered unusable for lengthy periods of time by natural disasters or other catastrophes. This current grid will eventually need to be replaced by a more modern, scalable, and adaptive infrastructure. The results of the project's research showed that implementing a library that allows the creation of mobile peer-to-peer mesh networks could serve as a starting point for a transition from current Internet infrastructure to a more scalable, adaptive, and reliable Internet-independent network grid.

    Development of The New Grid largely followed the Rational Unified Process, in which the development process is split into four phases: requirements gathering, system design, implementation, and testing. Most of fall quarter was spent outlining functional requirements for the system, designing possible methods of implementation, and researching similar solutions that seek to transition mass mobile communication to a newer, more modern network grid. The New Grid differs from similar solutions because it has been implemented as a modular library. Current systems that allow off-grid mobile connection exist as independent applications with a defined context and a predetermined usability scope. We, the design team, found that implementing the system in the form of a modular library has multiple benefits. Primarily, this implementation allows The New Grid to be deployed as widely as possible. Developers can both write applications around our library and include specific modules in existing applications without impacting other modules or introducing additional overhead into a system.

    Another benefit of deploying the system as a modular library is adaptability. The current, initial stable build of The New Grid uses Bluetooth Low Energy as its backbone for facilitating communication within large networks of mobile devices; however, the library could use any existing or future communication protocol to facilitate connection as long as a hook is written that allows The New Grid to interface with that protocol. Thus, The New Grid is not limited by which connection protocols currently exist, a property that other similar systems do not possess. The New Grid can be used in any application that requires connection between users. The most common applications would likely be messaging, file sharing, or social networking. While developers may find a variety of uses for The New Grid, its primary purpose is to facilitate reliable connection and secure data transfer in an environment with a large user base. Achieving this goal was shown to be feasible through research and by testing the library with a small cluster of Android devices communicating solely over Bluetooth Low Energy. Expanding this group of a few phones to a larger mesh network of hundreds of devices was shown to be feasible by testing the library's algorithms and protocols on a large network of virtual devices. As long as developers seek to create applications that allow users to communicate independently of Internet infrastructure, The New Grid will allow smartphone users to communicate off-grid and hopefully spur a switch from infrastructure-dependent mobile communication to user-centric, adaptive, and flexible connection.

    Bluetooth Low Energy link layer injection

    Abstract. Bluetooth Low Energy is a very widely used short-range wireless technology. During the last few years, many high-visibility Bluetooth-related vulnerabilities have been discovered. A significant number of them have affected implementations of the lowest Bluetooth protocol layers, in firmware running on a separate embedded System on Chip dedicated to wireless communication. Bluetooth LE Link Layer implementations have not yet been fuzzed systematically by vendors, because there has been no mature way to inject fuzzed Link Layer packets over the air to the target device. The goal of this thesis was to design and implement a solution for Bluetooth Low Energy Link Layer injection that enables fuzzing of Link Layer implementations with Synopsys Defensics, a commercial fuzzing framework. Two different approaches were designed and implemented. Both use vendor-specific HCI commands and events to provide a convenient way to inject arbitrary Bluetooth Low Energy Link Layer packets over the air to target devices while retaining the normal functionality of the Bluetooth LE dongle. The solution was evaluated against the state of the art in this field, and the results show that it is on par with it.

    Finnish abstract (translated). Bluetooth Low Energy, the lower-power version of Bluetooth, is a very widely used short-range wireless data transfer technology. In recent years, several Bluetooth vulnerabilities have become public. Many of these vulnerabilities have specifically affected the lowest Bluetooth protocol layers, which are typically implemented in firmware running on a system on chip designed specifically for wireless communication. Bluetooth Low Energy link layer implementations have not been extensively and systematically fuzz-tested by device manufacturers, because until now there has been no general way to inject fuzzed Bluetooth Low Energy link layer packets over the air into the device under test. The goal of this work was to design and implement a solution for Bluetooth LE link layer injection. The solution enables fuzz testing of devices that implement the Bluetooth Low Energy link layer using the commercial Synopsys Defensics fuzz testing software. The work presents two different approaches to implementing the Bluetooth Low Energy link layer injection method. Both make use of vendor-specific extensions to the HCI interface, which provide a convenient way to inject Bluetooth LE link layer packets over the air into the device under test while preserving the normal functionality of the device used for injection. The solution designed and implemented in this work was compared against the latest developments in the field, and the results show that it is competitive.
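    Both the "Inside Job" abstract (observing the HCI between driver and chip) and the injection thesis above (vendor-specific HCI commands carrying raw Link Layer packets) rest on HCI framing. The following is an added example, not code from either work: it builds and parses H4-framed HCI commands and events as laid out in the Bluetooth Core Specification, assembles a BLE advertising PDU, and wraps it in a vendor-specific command whose OCF (0x0123) and parameter layout are hypothetical placeholders standing in for whatever extension a real dongle exposes. The controller reply it checks against is constructed inline, so the example runs offline.

```python
"""HCI (H4 transport) framing plus a minimal BLE advertising-PDU builder.

Added example, not code from the papers or thesis above. Framing and the
opcode split follow the Bluetooth Core Specification (Vol 4, Part E); the
advertising access address and PDU header follow Vol 6, Part B. The vendor
OCF 0x0123 and the parameter layout of build_inject_command are hypothetical.
"""
import struct

H4_COMMAND, H4_EVENT = 0x01, 0x04
OGF_VENDOR = 0x3F                 # OGF reserved for vendor-specific commands
OCF_INJECT_LL = 0x0123            # hypothetical vendor OCF, not a real command
EVT_COMMAND_COMPLETE = 0x0E
ADV_ACCESS_ADDRESS = 0x8E89BED6   # fixed access address of the advertising channels
PDU_ADV_NONCONN_IND = 0x02


def opcode(ogf: int, ocf: int) -> int:
    """An HCI opcode packs a 6-bit OGF above a 10-bit OCF."""
    if not (0 <= ogf < 0x40 and 0 <= ocf < 0x400):
        raise ValueError("OGF/OCF out of range")
    return (ogf << 10) | ocf


def build_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """H4 command packet: 0x01 | opcode (LE16) | parameter length | parameters."""
    if len(params) > 255:
        raise ValueError("HCI command parameters are limited to 255 bytes")
    return struct.pack("<BHB", H4_COMMAND, opcode(ogf, ocf), len(params)) + params


def parse_event(pkt: bytes) -> dict:
    """Parse an H4 event packet; Command Complete carries the opcode it answers."""
    if len(pkt) < 3 or pkt[0] != H4_EVENT:
        raise ValueError("not an H4 event packet")
    code, plen, params = pkt[1], pkt[2], pkt[3:]
    if len(params) != plen:
        raise ValueError("event parameter length mismatch")
    if code == EVT_COMMAND_COMPLETE:
        ncmd, op = struct.unpack_from("<BH", params)
        return {"event": code, "num_hci_cmd_pkts": ncmd,
                "ogf": op >> 10, "ocf": op & 0x3FF,
                "status": params[3] if len(params) > 3 else None,
                "return": params[3:]}
    return {"event": code, "params": params}


def build_adv_pdu(pdu_type: int, adv_addr: str, adv_data: bytes, random_addr: bool) -> bytes:
    """Advertising PDU: header (type, TxAdd, length), then AdvA (LSB first) and AdvData."""
    adv_a = bytes.fromhex(adv_addr.replace(":", ""))[::-1]
    if len(adv_a) != 6 or len(adv_data) > 31:
        raise ValueError("AdvA must be 6 bytes and AdvData at most 31 bytes")
    header0 = (pdu_type & 0x0F) | (0x40 if random_addr else 0x00)  # bit 6 = TxAdd
    payload = adv_a + adv_data
    return bytes([header0, len(payload)]) + payload


def parse_adv_pdu(pdu: bytes) -> dict:
    """Inverse of build_adv_pdu; rejects PDUs whose header length disagrees with the bytes."""
    if len(pdu) < 8 or pdu[1] != len(pdu) - 2:
        raise ValueError("malformed advertising PDU")
    adv_a = pdu[2:8][::-1]
    return {"type": pdu[0] & 0x0F, "random_addr": bool(pdu[0] & 0x40),
            "adv_addr": ":".join(f"{b:02x}" for b in adv_a), "adv_data": pdu[8:]}


def build_inject_command(channel: int, pdu: bytes) -> bytes:
    """Hypothetical vendor command: channel index, access address (LE32), raw LL PDU."""
    if channel not in (37, 38, 39):
        raise ValueError("advertising PDUs go on channels 37-39")
    return build_command(OGF_VENDOR, OCF_INJECT_LL,
                         struct.pack("<BI", channel, ADV_ACCESS_ADDRESS) + pdu)


def command_acknowledged(cmd: bytes, evt: bytes) -> bool:
    """True if evt is a Command Complete for cmd's opcode with status 0x00 (success)."""
    sent = struct.unpack_from("<H", cmd, 1)[0]
    parsed = parse_event(evt)
    return (parsed["event"] == EVT_COMMAND_COMPLETE
            and (parsed["ogf"] << 10 | parsed["ocf"]) == sent
            and parsed["status"] == 0)


if __name__ == "__main__":
    pdu = build_adv_pdu(PDU_ADV_NONCONN_IND, "c0:ff:ee:00:00:01", b"\x02\x01\x06", True)
    cmd = build_inject_command(37, pdu)
    # Constructed controller reply: Command Complete, 1 credit, our opcode, status 0x00.
    evt = (bytes([H4_EVENT, EVT_COMMAND_COMPLETE, 4, 1])
           + struct.pack("<H", opcode(OGF_VENDOR, OCF_INJECT_LL)) + b"\x00")
    print(cmd.hex(), parse_adv_pdu(pdu), command_acknowledged(cmd, evt))
```

    On a real dongle, command_acknowledged is the check that matters: a controller that does not implement the vendor OCF answers with an error status (0x01, Unknown HCI Command) rather than silently dropping the packet, so the status byte, not just the event code, has to be verified before assuming anything went over the air.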