
BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. It can be used in vulnerability research, penetration testing and Bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way.


FingerLeakers/BlueToolkit

 
 


BlueToolkit


Extensible Bluetooth Classic vulnerability testing framework based on simple YAML DSL.



BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices.

It works by executing templated exploits one by one and verifying appropriate properties based on the template logic. The toolkit is extensible and allows new research to be added to the centralized testing toolkit. There are 43 Bluetooth exploits available in the toolkit, from known public exploits and tools to custom-developed ones.

The framework works in a black-box fashion, but it can also be operated in a gray-box fashion. To do so, extend the framework and connect it to the operating system of the target so that Bluetooth logs can be observed and no false positives are guaranteed.

We have already used the framework to find 64 new vulnerabilities in 22 products.

We have a dedicated repository that provides various types of vulnerability templates.

Credit

This work has been done at Cyber Defence Campus and System Security Group at ETH Zurich.

Install BlueToolkit

BlueToolkit has 2 installation stages: general and specific module installation. The general installation downloads the code, modules and tools available in the toolkit and tries to set up modules that do not require human interaction. The specific module installation requires a human to verify that the needed hardware is connected to the device on which the toolkit is being installed.

Install

We provide 2 installation options: virtual machine or Ubuntu/Debian.

VM Installation

Prerequisites:

git clone https://github.com/sgxgsx/BlueToolkit --recurse-submodules
cd BlueToolkit/vagrant
vagrant up

After Installation:

  • You need to allow the virtual machine to access the Bluetooth module or additional hardware through USB. To do so:
  • USB support is already switched on, so open VirtualBox
  • Find the running virtual machine and click on "Show"
  • Click on "Devices" -> "USB"
  • You will be presented with multiple devices that you can switch on for the virtual machine
  • Tick any device that you need (Bluetooth module, hardware, phone) or tick all devices to be sure.

Ubuntu/Debian Installation

sudo mkdir /usr/share/BlueToolkit
sudo chown $USER:$USER /usr/share/BlueToolkit
git clone https://github.com/sgxgsx/BlueToolkit /usr/share/BlueToolkit --recurse-submodules
chmod +x /usr/share/BlueToolkit/install.sh
/usr/share/BlueToolkit/install.sh

Windows and MacOS Installation

You could try to install the toolkit on WSL or MacOS directly. Alternatively, use the VM installation option.

Specific Module Install

Virtual Machine

  • Verify that the hardware is connected to the machine
  • Verify that you allowed the hardware to be shown to the VM in the USB settings
  • Then, depending on the hardware that you need to install, do the following:

vagrant ssh
cd /usr/share/BlueToolkit/installation/
ls -al

  • Find a script for your hardware and execute it

./{HARDWARE}_installation.sh

Linux

  • Verify that the hardware is connected to the machine
  • Then, depending on the hardware that you need to install, do the following:

cd /usr/share/BlueToolkit/installation/
ls -la

  • Then find a script for your hardware and execute it

./{HARDWARE}_installation.sh

Usage

sudo -E env PATH=$PATH bluekit -h

This will display help information for the tool. Here are all the parameters it supports.

usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...

positional arguments:
  rest

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target MAC address
  -l, --listexploits    List exploits or not
  -c, --checksetup      Check whether Braktooth is available and setup
  -ct, --checktarget    Check connectivity and availability of the target
  -ch, --checkpoint     Start from a checkpoint
  -v VERBOSITY, --verbosity VERBOSITY
                        Verbosity level
  -ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]
                        Exclude exploits, example --exclude exploit1, exploit2
  -e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...]
                        Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account
  -r, --recon           Run a recon script
  -re, --report         Create a report for a target device
  -rej, --reportjson    Create a report for a target device
  -hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
                        Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account

EXAMPLES:
Run bluekit recon:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r

Run bluekit connectivity check:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -ct

Run bluekit with a specific exploit:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot

Run bluekit with specific exploits:
   $ sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot au_rand_flooding internalblue_knob

Run bluekit and list all available exploits:
   $ sudo -E env PATH=$PATH bluekit -l

Documentation is available at: https://github.com/sgxgsx/BlueToolkit/wiki
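
A scope guard for the invocations above, added here as an example and not part of BlueToolkit: it validates the target MAC, checks it against a scope file and only then builds the `bluekit` argument list, rejecting any extra flag that could name a second target. The function names, the scope-file format and the `BLUEKIT_EXECUTE` switch are assumptions of this example; the `bluekit` flags are the ones shown in the help text.

```shell
#!/bin/sh
# Added example, not BlueToolkit code: build a bluekit command line only for
# targets on an engagement scope list. Function names and the scope-file
# format (one MAC per line, '#' starts a comment) are assumptions.

# Print the MAC upper-cased, or fail unless it is six colon-separated octets.
normalize_mac() {
    case $1 in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    printf '%s\n' "$1" | tr 'a-f' 'A-F'
}

# Succeed only if MAC $1 appears in scope file $2.
in_scope() {
    want=$(normalize_mac "$1") || return 1
    [ -r "$2" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        have=$(normalize_mac "$entry") || continue
        [ "$have" = "$want" ] && return 0
    done < "$2"
    return 1
}

# Print the bluekit arguments for scope file $1, target $2 and extra flags.
# Status: 2 malformed MAC, 3 out of scope, 4 extra flag not on the allowlist.
scoped_args() {
    [ "$#" -ge 2 ] || return 2
    scope_file=$1; target=$2; shift 2
    mac=$(normalize_mac "$target") || { echo "malformed MAC: $target" >&2; return 2; }
    in_scope "$mac" "$scope_file" || { echo "not in scope: $mac" >&2; return 3; }
    out="-t $mac"
    for a in "$@"; do
        case $a in
            # Short flags from the page's help text that act on the target.
            -ct|-ch|-r|-re|-rej|-v|-e|-ex|-hh) ;;
            # Anything else dash-prefixed could set another target (-t, --target).
            -*) echo "flag not allowed: $a" >&2; return 4 ;;
        esac
        out="$out $a"
    done
    printf '%s\n' "$out"
}

# Dry run by default; BLUEKIT_EXECUTE=1 invokes bluekit as the page does.
run_scoped() {
    args=$(scoped_args "$@") || return $?
    if [ "${BLUEKIT_EXECUTE:-0}" = 1 ]; then
        # Unquoted on purpose: MACs, flags and exploit names contain no spaces.
        sudo -E env PATH="$PATH" bluekit $args
    else
        printf 'dry run: bluekit %s\n' "$args"
    fi
}

if [ "$#" -ge 2 ]; then
    run_scoped "$@"
else
    # Constructed demo input, using the placeholder MAC from the page's examples.
    demo=$(mktemp)
    printf '# constructed scope list\naa:bb:cc:dd:ee:ff  # lab unit\n' > "$demo"
    run_scoped "$demo" AA:BB:CC:DD:EE:FF -ct
    run_scoped "$demo" 11:22:33:44:55:66 -r || echo "refused with status $?"
    rm -f "$demo"
fi
```

Called as `sh scope_guard.sh scope.txt AA:BB:CC:DD:EE:FF -ct` (the script name is hypothetical), it prints the command it would run; long-form flags are rejected on purpose so that no abbreviation of `--target` can slip through.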

Available Bluetooth Vulnerabilities and Attacks

BlueToolkit automatically downloads all vulnerability and hardware templates. The BlueToolkit templates repository provides a full list of ready-to-use templates. Additionally, you can write your own templates and checks, as well as add new hardware, by following BlueToolkit's templating guide. The YAML reference syntax is available here.

We collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way. We used the following sources: ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS, and Google Scholar. We looked for the following keywords in search engines such as Google, Baidu, Yandex and Bing: Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework, bluetooth pentesting toolkit. We also parsed all GitHub repositories based on the following parameters: topic:bluetooth topic:exploit, topic:bluetooth topic:security.

Currently BlueToolkit checks the following vulnerabilities and attacks:

For manual attacks refer to the documentation.

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
|---|---|---|---|---|---|
| Always pairable | Chaining | Chaining | Manual | | |
| Only vehicle can initiate a connection | Chaining | Chaining | Manual | | |
| Fast reboot | Chaining | Chaining | Manual | | |
| SC not supported | Chaining | Info | Automated | | |
| possible check for BLUR | Chaining | Info | Automated | | |
| My name is keyboard | Critical | RCE | Semi-automated | | |
| CVE-2017-0785 | Critical | Memory leak | Automated | | |
| CVE-2018-19860 | Critical | Memory execution | Automated | | |
| V13 Invalid Max Slot Type | DoS | DoS | Automated | | |
| V3 Duplicated IOCAP | DoS | DoS | Automated | | |
| NiNo check | MitM | MitM | Semi-automated | | |
| Legacy pairing used | MitM | MitM | Automated | | |
| KNOB | MitM | MiTM | Semi-automated | | |
| CVE-2018-5383 | MitM | MiTM | Automated | | |
| Method Confusion attack | MitM | MiTM | Automated | | |
| SSP supported <= 4.0 weak crypto or SSP at all | MitM | Info/MitM | Automated | | |
| CVE-2020-24490 | Critical | DoS | Automated | | |
| CVE-2017-1000250 | Critical | Info leak | Automated | | |
| CVE-2020-12351 | Critical | RCE/DoS | Automated | | |
| CVE-2017-1000251 | Critical | RCE/DoS | Automated | | |
| V1 Feature Pages Execution | Critical | RCE/DoS | Automated | | |
| Unknown duplicated encapsulated payload | DoS | DoS | Automated | | |
| V2 Truncated SCO Link Request | DoS | DoS | Automated | | |
| V4 Feature Resp. Flooding | DoS | DoS | Automated | | |
| V5 LMP Auto Rate Overflow | DoS | DoS | Automated | | |
| V6 LMP 2-DH1 Overflow | DoS | DoS | Automated | | |
| V7 LMP DM1 Overflow | DoS | DoS | Automated | | |
| V8 Truncated LMP Accepted | DoS | DoS | Automated | | |
| V9 Invalid Setup Complete | DoS | DoS | Automated | | |
| V10 Host Conn. Flooding | DoS | DoS | Automated | | |
| V11 Same Host Connection | DoS | DoS | Automated | | |
| V12 AU Rand Flooding | DoS | DoS | Automated | | |
| V14 Max Slot Length Overflow | DoS | DoS | Automated | | |
| V15 Invalid Timing Accuracy | DoS | DoS | Automated | | |
| V16 Paging Scan Deadlock | DoS | DoS | Automated | | |
| Unknown wrong encapsulated payload | DoS | DoS | Automated | | |
| Unknown sdp unknown element type | DoS | DoS | Automated | | |
| Unknown sdp oversized element size | DoS | DoS | Automated | | |
| Unknown feature req ping pong | DoS | DoS | Automated | | |
| Unknown lmp invalid transport | DoS | DoS | Automated | | |
| CVE-2020-12352 | Critical | Info leak | Automated | | |

Vulnerabilities to be added soon

Vulnerability Category Type Verification type Hardware req. Tested Scheduled to be added
BLUR MitM ? -
BIAS MitM ? -
BLUFFS MitM ? -
BlueRepli Critical BAC -
CVE-2020-26555 MitM MiTM -

Vulnerabilities to be added in August

3 vulnerabilities will be added in August (might change to June). Additionally, 1 privilege escalation vulnerability will be added at the same time.

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
|---|---|---|---|---|---|
| To be added in August | MitM | MitM | Manual | | |
| To be added in August | MitM | Info | Manual | | |
| To be added in August | Critical | BAC | Manual | | |

Bluetooth Vulnerabilities and Attacks

Additionally, we found the following Bluetooth Classic and Bluetooth Low Energy (BLE) vulnerabilities. For each attack or vulnerability the table gives: name; type (implementation-specific, protocol-specific or affecting a BT profile); Bluetooth type (BLE, BT, BT + BLE); BT versions affected; number of exploits; year released; CVE if available; CVSS if available; hardware if required; proof of concept if available; and a comment with additional links or explanation.

Exp. Family Name Type BT Type BT ver exp. # Year CVE CVSS Hardware PoC Link Comment
Qualcomm WSA8835 attack Imp BLE 1 2023 https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647 Improper GATT packet verification
Auth bypass, spoofing Imp BLE 1 2022 https://fmsh-seclab.github.io/ Authentication Bypass by Spoofing in Tesla Keys
unauth MITM Prot BLE 4.0 - 5.3 1 2022 https://www.cvedetails.com/cve/CVE-2022-25836/ Check CVE for details, relies on Method Confusion
BLE Proximity Auth relay Rel BLE 4.0 - 5.3 1 2022 https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/ BLE Proximity Authentication Vulnerable to Relay Attacks
Sniffle Snif BLE 4.0-5.0 1 2022 TI CC1352/CC26x2 https://github.com/nccgroup/Sniffle
InjectaBLE Prot BLE 4.0 - 5.2 1 2021 nRF52840 https://github.com/RCayre/injectable-firmware https://hal.laas.fr/hal-03193297v2/document MITM, Send malicious packets, post-exploitation after the session was established/hijacked (Imp and model specific)
jacknimble Imp BLE 2020 nRF52840 https://github.com/darkmentorllc/jackbnimble https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf 3 exploits for specific hardware, CVE-2020-15531
SweynTooth Imp BLE 12 2020 nRF52840 https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks https://asset-group.github.io/disclosures/sweyntooth/
BlueDoor Prot BLE 4.0 - 5.2 1 2020 nRF51822 http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf MITM
Downgrade attack Prot BLE 4.2 - 5.0 1 2020 TICC2640 & Adafruit Bluefruit LE Sniffe https://www.usenix.org/system/files/sec20-zhang-yue.pdf MITM through downgrade (SCO) CVE-2020-35473
BLESA Spoof BLE 1 2020 https://www.usenix.org/system/files/woot20-paper-wu.pdf Spoofing to establish MITM and disable encryption
SweynTooth Cypress PSoc 4 BLE Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336 DoS
SweynTooth Cypress PSoc 4 BLE Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061 Buffer Overflow
SweynTooth NXP KW41Z up to 2.2.1 Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060 BLE Link layer buffer overflow
SweynTooth STMicroelectronics BLE Stack Imp BLE 1 2019 https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192 through 1.3.1 for STM32WB5x devices does not properly handle consecutive ATT requests on reception
Co-located app BLE BLE 1 2019 Theory https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf Co-located apps can get BLE data, and thus exfiltrate needed info??? can we do a relay with it?
BleedingBit Imp BLE 4.2 - 5.0 1 2018 https://www.armis.com/research/bleedingbit/
GATTacking Prot BLE 4.0 1 2016 CSR 8510-based USB dongle https://github.com/securing/gattacker https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf MITM BLE
Crackle Prot BLE 4 1 2013 https://github.com/mikeryan/crackle https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf crack ble encryption
Bluez MynameIsKeyboard Imp BT 1 2023 CVE-2023-45866 8.8 https://github.com/marcnewlin/hi_my_name_is_keyboard - CVE-2023-45866, CVE-2023-45866, CVE-2023-45866
Antonioli BLUFFS Prot BT 4.2-5.2 6 2023 CVE-2023-24023 6.8 CYW920819EVB-02 https://github.com/francozappa/bluffs
- Prot BT 1 2022 https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777 Cross-stack illegal access attack (formal methods) + CVE-2020-26560 and CVE-2020-15802 mentioned in other entries
BlackTooth Prot BT 1 2022 CYW920819EVB-02 https://dl.acm.org/doi/pdf/10.1145/3548606.3560668 1 new attack (connection stage) + KNOB and other attacks that were reused
BLAP Prot BT 1 2022 Theory https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575 Extract Link Key from the HCI dump needs physical access to the car (applicable in car sharing only)
Blue's Clues Prot BT <=5.3 2022 CVE-2022-24695 4.3 Ubertooth & USRP B210 SDR https://github.com/TylerTucker/BluesClues https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358 CVE-2022-24695 affects Privacy, defeats non-discoverable feature of BT/EDR
unauth MITM Prot BT 1.0B-5.3 1 2022 CVE-2022-25837 7.5 https://www.cvedetails.com/cve/CVE-2022-25837/ Check CVE for details, relies on Method Confusion, CVE-2022-25837
Braktooth BrakTooth Imp BT 3.0 - 5.2 16 2021 CVE-2021-28139 8.8 ESP-WROVER-KIT https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks https://asset-group.github.io/disclosures/braktooth/
BleedingTooth BadChoice Imp BT 4.2-5.2 1 2020 CVE-2020-12352 6.5 https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html Information leak
BleedingTooth BadKarma Imp BT 5.0 1 2020 CVE-2020-12351 8.8 https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html stack-based info leak BlueZ
BleedingTooth BadVibes Imp BT 5.0+ 1 2020 CVE-2020-24490 6.5 https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html Requires BT 5.0 and higher
Snapdragon Auto CVEs Imp BT 4 2020 https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703 CVE-2020-11156 Snapdragon Auto, no exploits CVE-2020-11154 CVE-2020-11155, CVE-2020-3703
BlueRepli Imp BT 1 2020 No exploit so far https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf https://github.com/DasSecurity-HatLab/BlueRepli-Plus
UberTooth Snif BT ALL 1 2020 Ubertooth https://github.com/greatscottgadgets/ubertooth https://ubertooth.readthedocs.io/en/latest/ Sniffing
Antonioli BIAS Prot BT <=5.0 4 2019 CVE-2020-10135 5.4 CYW920819, possibly CYW920819M2EVB-01 https://github.com/francozappa/bias https://francozappa.github.io/about-bias/ CVE-2020-10135
MITM SSP BT 5.0 Prot BT 5 1 2018 https://link.springer.com/article/10.1007/s00779-017-1081-6 passkey entry association model is vulnerable to the MITM
BlueBorne CVE-2017-0785 Imp BT 1 2017 CVE-2017-0785 6.5
BlueBorne CVE-2017-1000251 Imp BT 5 4 2017 CVE-2017-1000251 8.0 https://github.com/ArmisSecurity/blueborne https://www.armis.com/research/blueborne/
Lexus BT Heap Overflow Imp BT 1 2017 CVE-2020-5551 8.8 Theory https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/ RCE in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured not in Japan from Oct. 2016 to Oct. 2019
BlueEar Snif BT ALL 1 2016 Ubertooth (2) https://github.com/albazrqa/BluEar https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf Sniffing, extending the code of Ubertooth
CVE-2018-19860 Imp BT 1 2014 CVE-2018-19860 8.8 Nexus 5 (internalblue) internalblue Nexus 5 examples Imp. specific attacks on Broadcom chips BCM4335C0, BCM43438A1, and some other from 2012-2014 (DoS)
NINO MITM attack Prot BT 2 2010 Nexus 5 (internalblue) Theory + a PoC from internalblue + easy exploit similar to method confusion https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082 NINO - no input no output (mitm + out-of-band mitm attacks). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4401672
Attacks on Pairing Prot BT 2.1 1 2008 https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0 MITM, attack on 2.1
Cracking Bluetooth PIN Brute BT 1 2005 Theory https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf 6
Key extraction BT 1.0B 1 2001 https://link.springer.com/chapter/10.1007/3-540-45353-9_14 Old attack on very old version 1.0B
BadBluetooth Prot BT + adj 1 2019 Theory https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf Too high assumptions (malicious app installed + compromised device)
BlueMirror BlueMirror BT Mesh profile brute Prot BT Profile 2.1-5.2 1 2021 CVE-2020-26556 7.5 Brute-force insufficient random AuthValue in BT Mesh 1.0 and 1.0.1 to complete authentication
BlueMirror BlueMirror BT Mesh profile brute 2 Prot BT Profile 2.1-5.2 1 2021 CVE-2020-26557 7.5 Determine Authvalue in BT Mesh 1.0 and 1.0.1 via brute-force attack
BlueMirror BlueMirror BT Mesh profile no brute Prot BT Profile 2.1-5.2 1 2021 CVE-2020-26559 8.8 Auth bypass in Mesh profile 1.0, 1.0.1, can determine authvalue and other data without brute-force
BlueMirror BlueMirror BT Mesh profile Prot BT Profile 1.0B-5.2 1 2020 CVE-2020-26560 8.1 https://kb.cert.org/vuls/id/799380 CVE-2020-26560 - Auth bypass in Mesh profile 1.0, 1.0.1  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325
BlueMirror BlueMirror Legacy pairing Prot BT/BLE 2.1-5.2 1 2021 CVE-2020-26555 5.4 https://kb.cert.org/vuls/id/799380 Complete pairing without knowledge of the PIN  https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325     https://www.ieee-security.org/TC/SP2021/SPW2021/WOOT21/files/woot21-claverie-slides.pdf
BlueMirror BlueMirror passkey leak Prot BT/BLE 2.1-5.2 1 2021 CVE-2020-26558 4.2 MitM attacker can determine passkey value through reflection of the public key (can leak passkey value 1 bit at a time)
Antonioli BLURTooth Prot BT/BLE 4.2, 5.0, 5.1, 5.2 4 2020 CVE-2020-15802 5.9 https://github.com/francozappa/blur https://hexhive.epfl.ch/BLURtooth/ CVE-2020-15802
Fixed Coord. Inv. Attack Imp BT/BLE 2.1-5.2 1 2019 CVE-2018-5383 Nexus 5 (internalblue) or CY5677 internalblue Nexus 5 examples https://biham.cs.technion.ac.il/BT/ MITM exploiting crypto (implementation/protocol attack) CVE-2018-5383
Antonioli KNOB Prot BT/BLE <=5.0 1 2019 CVE-2019-9506 8.1 Nexus 5 (internalblue) https://github.com/francozappa/knob https://knobattack.com/ CVE-2019-9506
Ghost attack Prot BT/BLE? 2 2023 https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf Ghost attack and group guessing attack
Qualcomm 9206 Imp BT/BLE? 1 2022 CVE-2022-40503 8.2 https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503 Buffer overread in A2DP profile
Qualcomm APQ8009 Imp BT/BLE? 1 2022 CVE-2022-40537 7.3 https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537 Memory corruption while processing AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response
Qualcomm WSA8815 Imp BT/BLE? 1 2022 CVE-2022-33280 7.3 https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280 Memory corruption while processing AVRCP packet
Qualcomm WSA8835 Imp BT/BLE? 1 2022 CVE-2022-33255 8.2 https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255 Bluetooth HOST Buffer overread while processing GetFolderItems, GetItemAttributes
Qualcomm WSA8835 Imp BT/BLE? 1 2022 CVE-2022-22088 9.8 https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088 Bluetooth Host Buffer overflow while processing response from remote
SnapDragon Auto Imp BT/BLE? 1 2021 CVE-2021-35068 9.8 https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068 Null pointer dereference while freeing the HFP profile
Method Confusion Prot BT/BLE? 2.1-5.2 1 2020 CVE-2020-10134 6.3 huge selection with different capabilities. https://github.com/maxdos64/BThack https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf MITM between 2 BLE or BR/EDR devices. Strange hardware needed, CVE-2020-10134
BlueSnarf revisited Imp OBEX 1 2011 https://inria.hal.science/hal-01587858/document OBEX path traversal (FTP)

The YAML DSL reference syntax is available here.

Results from testing

We tested XXXXXXX from the following manufacturers and were able to find 60+ new vulnerabilities in them:

** Scheduled for August 2024 **

Hardware

To test all vulnerabilities one would need to buy additional hardware:

  • ESP-WROVER-KIT-VE for Braktooth vulnerabilities
  • Nexus5 (phone) for Internalblue-based vulnerabilities. It also could be substituted by CYW20735, but an additional hardware profile would be needed and 2 exploits won't be reproducible.
  • CYW920819M2EVB-01 for BIAS, BLUR and BLUFFS attacks

Running Bluetoolkit

See https://github.com/sgxgsx/BlueToolkit/wiki for details on running BlueToolkit

License

BlueToolkit is distributed under MIT License
