    InternalBlue - Bluetooth Binary Patching and Experimentation Framework

    Bluetooth is one of the most established technologies for short-range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close-to-hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework, outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

    Byzantine Attack and Defense in Cognitive Radio Networks: A Survey

    The Byzantine attack in cooperative spectrum sensing (CSS), also known as the spectrum sensing data falsification (SSDF) attack in the literature, is one of the key adversaries to the success of cognitive radio networks (CRNs). In the past couple of years, research on Byzantine attack and defense strategies has gained increasing worldwide attention. In this paper, we provide a comprehensive survey and tutorial on the recent advances in Byzantine attack and defense for CSS in CRNs. Specifically, we first briefly present the preliminaries of CSS for general readers, including signal detection techniques, hypothesis testing, and data fusion. Second, we analyze the spear-and-shield relation between Byzantine attack and defense from three aspects: the vulnerability of CSS to attack, the obstacles in CSS to defense, and the games between attack and defense. Then, we propose a taxonomy of the existing Byzantine attack behaviors and elaborate on the corresponding attack parameters, which determine where, who, how, and when to launch attacks. Next, from the perspectives of homogeneous or heterogeneous scenarios, we classify the existing defense algorithms and provide an in-depth tutorial on the state-of-the-art Byzantine defense schemes, commonly known as robust or secure CSS in the literature. Furthermore, we highlight the unsolved research challenges and depict the future research directions. Comment: Accepted by IEEE Communications Surveys and Tutorials.

    Resilient networking in wireless sensor networks

    This report deals with security in wireless sensor networks (WSNs), especially at the network layer. Multiple secure routing protocols have been proposed in the literature. However, they often rely on cryptography to secure routing functionality. Cryptography alone is not enough to defend against multiple attacks that result from node compromise. Therefore, we need more algorithmic solutions. In this report, we focus on the behavior of routing protocols to determine which properties make them more resilient to attacks. Our aim is to find some answers to the following questions. Are there any existing protocols, not designed initially for security, that already contain some inherently resilient properties against attacks in which some portion of the network nodes is compromised? If yes, which specific behaviors make these protocols more resilient? We propose in this report an overview of security strategies for WSNs in general, including existing attacks and defensive measures. In this report we focus on the network layer in particular and analyze the behavior of four routing protocols to determine their inherent resiliency to insider attacks. The protocols considered are: Dynamic Source Routing (DSR), Gradient-Based Routing (GBR), Greedy Forwarding (GF) and Random Walk Routing (RWR).

    Bluetooth Low Energy link layer injection

    Abstract. Bluetooth Low Energy is a very widely used short-range wireless technology. During the last few years many high-visibility Bluetooth-related vulnerabilities have been discovered. A significant number of them have affected implementations of the lowest protocol layers of Bluetooth in firmware running on a separate embedded System on Chip dedicated to wireless communication. Bluetooth LE Link Layer implementations have not yet been systematically fuzzed by vendors, as there has been no mature way to inject fuzzed Link Layer packets over the air to the target device. The goal of this thesis was to design and implement a solution for Bluetooth Low Energy Link Layer injection to enable fuzzing of Link Layer implementations with Synopsys Defensics, a commercial fuzzing framework. Two different approaches were designed and implemented. Both approaches used vendor-specific HCI commands and events to provide a convenient way to inject arbitrary Bluetooth Low Energy Link Layer packets over the air to target devices while retaining the normal functionality of the Bluetooth LE dongle. The solution was evaluated against the state of the art in this field, and the results show that it is on par with the state of the art.
    Bluetooth Low Energy link layer injection. Abstract. Bluetooth Low Energy, the lower-power version of Bluetooth, is a very widely used short-range wireless data transmission technology. In recent years, several Bluetooth vulnerabilities have received public attention. Many of these vulnerabilities have specifically affected the lowest Bluetooth protocol layers, which are typically implemented in firmware running on a system on chip designed separately for wireless communication.
    Bluetooth Low Energy link layer implementations have not been fuzz-tested extensively and systematically by device manufacturers, because so far there has been no general way to inject fuzzed Bluetooth Low Energy link layer packets over the air to the device under test. The goal of this work was to design and implement a solution for Bluetooth LE link layer injection. The solution enables fuzz testing of devices implementing the Bluetooth Low Energy link layer using the commercial Synopsys Defensics fuzz testing software. The work presents two different approaches to implementing a Bluetooth Low Energy link layer injection method. Both approaches use vendor-specific extensions to the HCI interface, which enable a convenient way to inject Bluetooth LE link layer packets over the air to the device under test while preserving the normal functionality of the device used for injection. The solution designed and implemented in this work was compared against the latest developments in the field, and the results show that the solution is competitive.