InternalBlue - Bluetooth Binary Patching and Experimentation Framework
Bluetooth is one of the most established technologies for short range digital
wireless data transmission. With the advent of wearables and the Internet of
Things (IoT), Bluetooth has again gained importance, which makes security
research and protocol optimizations imperative. Surprisingly, there is a lack
of openly available tools and experimental platforms to scrutinize Bluetooth.
In particular, system aspects and close to hardware protocol layers are mostly
uncovered.
We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread
in off-the-shelf devices. Thus, we offer deep insights into the internal
architecture of a popular commercial family of Bluetooth controllers used in
smartphones, wearables, and IoT platforms. Reverse engineered functions can
then be altered with our InternalBlue Python framework---outperforming
evaluation kits, which are limited to documented and vendor-defined functions.
The modified Bluetooth stack remains fully functional and high-performance.
Hence, it provides a portable low-cost research platform.
InternalBlue is a versatile framework and we demonstrate its abilities by
implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we
discover a novel critical security issue affecting a large selection of
Broadcom chipsets that allows executing code within the attacked Bluetooth
firmware. We further show how to use our framework to fix bugs in chipsets out
of vendor support and how to add new security features to Bluetooth firmware.
Byzantine Attack and Defense in Cognitive Radio Networks: A Survey
The Byzantine attack in cooperative spectrum sensing (CSS), also known as the
spectrum sensing data falsification (SSDF) attack in the literature, is one of
the key adversaries to the success of cognitive radio networks (CRNs). In the
past couple of years, the research on the Byzantine attack and defense
strategies has gained worldwide increasing attention. In this paper, we provide
a comprehensive survey and tutorial on the recent advances in the Byzantine
attack and defense for CSS in CRNs. Specifically, we first briefly present the
preliminaries of CSS for general readers, including signal detection
techniques, hypothesis testing, and data fusion. Second, we analyze the spear
and shield relation between Byzantine attack and defense from three aspects:
the vulnerability of CSS to attack, the obstacles in CSS to defense, and the
games between attack and defense. Then, we propose a taxonomy of the existing
Byzantine attack behaviors and elaborate on the corresponding attack
parameters, which determine where, who, how, and when to launch attacks. Next,
from the perspectives of homogeneous or heterogeneous scenarios, we classify
the existing defense algorithms, and provide an in-depth tutorial on the
state-of-the-art Byzantine defense schemes, commonly known as robust or secure
CSS in the literature. Furthermore, we highlight the unsolved research
challenges and depict the future research directions. Comment: Accepted by IEEE Communications Surveys and Tutorials
Resilient networking in wireless sensor networks
This report deals with security in wireless sensor networks (WSNs),
especially at the network layer. Multiple secure routing protocols have been
proposed in the literature. However, they often rely on cryptography to secure
routing functionalities. Cryptography alone is not enough to defend against
multiple attacks that stem from node compromise. Therefore, we need more
algorithmic solutions. In this report, we focus on the behavior of routing
protocols to determine which properties make them more resilient to attacks.
Our aim is to find some answers to the following questions. Are there any
existing protocols, not designed initially for security, but which already
contain some inherently resilient properties against attacks in which some
portion of the network nodes is compromised? If yes, which specific behaviors
make these protocols more resilient? We propose in this report an
overview of security strategies for WSNs in general, including existing attacks
and defensive measures. In this report we focus on the network layer in
particular, and an analysis of the behavior of four particular routing
protocols is provided to determine their inherent resiliency to insider
attacks. The protocols considered are: Dynamic Source Routing (DSR),
Gradient-Based Routing (GBR), Greedy Forwarding (GF) and Random Walk Routing
(RWR).
Bluetooth Low Energy link layer injection
Abstract. Bluetooth Low Energy is a very widely used short-range wireless technology. During the last few years many high-visibility Bluetooth-related vulnerabilities have been discovered. A significant number of them have had an impact on implementations of the lowest protocol layers of Bluetooth in firmware running on a separate embedded System on Chip dedicated to wireless communication. Bluetooth LE Link Layer implementations have not yet been under systematic fuzzing by vendors, as there has been no mature way to inject fuzzed Link Layer packets over the air to the target device.
The goal of this thesis was to design and implement a solution for Bluetooth Low Energy Link Layer injection to enable fuzzing of Link Layer implementations with Synopsys Defensics, a commercial fuzzing framework. Two different approaches were designed and implemented. Both approaches used vendor-specific HCI commands and events to provide a convenient way to inject arbitrary Bluetooth Low Energy Link Layer packets over the air to target devices while at the same time retaining the normal functionality of the Bluetooth LE dongle. The solution was evaluated against the state of the art in this field, and the results show that it is on par with the state of the art.
Bluetooth Low Energy link layer injection. Abstract. Bluetooth Low Energy, the lower-power version of Bluetooth, is a very widely used short-range wireless data transmission technology. During the last few years several Bluetooth vulnerabilities have been reported publicly. Many of these vulnerabilities have concerned in particular the lowest Bluetooth protocol layers, which are typically implemented in firmware running on a System on Chip designed specifically for wireless communication. Bluetooth Low Energy link layer implementations have not been fuzz-tested extensively and systematically by device manufacturers, because so far there has been no general way to inject fuzzed link layer Bluetooth Low Energy packets over the air to the device under test.
The goal of this work was to design and implement a solution for Bluetooth LE link layer injection. The solution enables fuzz testing of devices implementing the Bluetooth Low Energy link layer using the commercial Synopsys Defensics fuzz testing software. The work presents two different approaches to implementing a Bluetooth Low Energy link layer injection method. Both approaches make use of vendor-specific extensions to the HCI interface, which provides a convenient way to inject Bluetooth LE link layer packets over the air to the device under test while retaining the normal functionality of the device used for injection. The solution designed and implemented within this work was compared against the latest developments in the field, and the results show that the solution is competitive.