BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing

Title:
BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing
Journal Title:
31st USENIX Security Symposium (USENIX Security 22)
DOI:
Publication Date:
12 August 2022
Citation:
M. E. Garbelini, V. Bedi, S. Chattopadhyay, S. Sun, and E. Kurniawan, "BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing," 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA, pp. 1025-1042, August 2022.
Abstract:
In this paper we propose, design and evaluate a systematic directed fuzzing framework to automatically discover implementation bugs in arbitrary Bluetooth Classic (BT) devices. The core of our fuzzer is the first over-the-air approach that takes full control of the BT controller baseband from the host. This enables us to intercept and modify arbitrary packets, as well as to inject packets out of order into the lower layers of a closed-source BT stack, i.e., the Link Manager Protocol (LMP) and the Baseband. To systematically guide the fuzzing process, we propose an extensible and novel rule-based approach that automatically constructs the protocol state machine during normal over-the-air communication. In particular, by writing a simple set of rules to identify protocol messages, we can dynamically construct an abstracted protocol state machine, fuzz the packets sent from a given state and validate the responses of target devices. As of today, we have fuzzed 13 BT devices from 11 vendors and discovered a total of 18 previously unknown implementation flaws, with 24 CVE identifiers (Common Vulnerabilities and Exposures) assigned. Furthermore, our discoveries were awarded six bug bounties by certain vendors. Finally, to show the broader applicability of our framework beyond BT, we have extended our approach to fuzz other wireless protocols, which additionally revealed 6 previously unknown bugs in certain Wi-Fi and BLE host stacks.
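The rule-driven state-machine construction and state-directed fuzzing the abstract describes, as an added Python example that is not the paper's framework or code: the rule syntax, the state labels, the oracle verdicts and the connection-setup trace are constructed here; only the LMP opcode numbers and the one-byte opcode/TID framing follow the Bluetooth Core Specification. It learns transitions from a normal exchange, mutates a packet that the learned machine says is sent from a chosen state, replays a packet out of order, and grades the target's reply against the transitions observed from that state.

```python
"""Rule-based state-machine learning and state-directed LMP fuzzing, after the idea in the
BrakTooth abstract. Added example, not the paper's code: rule set, state labels, oracle verdicts
and the trace are constructed. Opcode numbers and byte-0 framing (opcode << 1 | TID) follow the
Bluetooth Core Specification, Vol 2 Part C."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional
import random

LMP_ACCEPTED, LMP_NOT_ACCEPTED = 3, 4
LMP_VERSION_REQ, LMP_VERSION_RES = 37, 38
LMP_FEATURES_REQ, LMP_FEATURES_RES = 39, 40
LMP_SETUP_COMPLETE, LMP_HOST_CONNECTION_REQ = 49, 51


def lmp(opcode: int, payload: bytes = b"", tid: int = 0) -> bytes:
    """Build a non-escaped LMP PDU (opcode < 124): byte 0 is opcode << 1 | TID."""
    return bytes([(opcode << 1) | tid]) + payload


# Constructed rules: (state label, predicate over (direction, opcode, payload)).
# Direction is the fuzzer's view: TX = sent to the target, RX = received from it.
RULES: list[tuple[str, Callable[[str, int, bytes], bool]]] = [
    ("CONN_REQ", lambda d, op, pl: d == "TX" and op == LMP_HOST_CONNECTION_REQ),
    ("CONN_ACCEPTED", lambda d, op, pl: d == "RX" and op == LMP_ACCEPTED
     and pl[:1] == bytes([LMP_HOST_CONNECTION_REQ])),  # LMP_accepted names the accepted opcode
    ("FEAT_REQ", lambda d, op, pl: op == LMP_FEATURES_REQ),
    ("FEAT_RES", lambda d, op, pl: op == LMP_FEATURES_RES),
    ("VERSION_REQ", lambda d, op, pl: op == LMP_VERSION_REQ),
    ("VERSION_RES", lambda d, op, pl: op == LMP_VERSION_RES),
    ("SETUP_DONE", lambda d, op, pl: op == LMP_SETUP_COMPLETE),
    ("REJECTED", lambda d, op, pl: d == "RX" and op == LMP_NOT_ACCEPTED),
]


def classify(direction: str, pdu: bytes) -> Optional[str]:
    """First matching rule wins; None means no rule covers the message (escape opcodes not handled)."""
    op, payload = pdu[0] >> 1, pdu[1:]
    return next((state for state, match in RULES if match(direction, op, payload)), None)


def mutate(pdu: bytes, rng: Optional[random.Random] = None) -> bytes:
    """Keep byte 0 so the packet stays in-state; XOR 1-3 distinct payload bytes with nonzero values,
    or append random bytes when the payload is empty (length mutation)."""
    rng, payload = rng or random.Random(), bytearray(pdu[1:])
    if not payload:
        return pdu + bytes(rng.randrange(256) for _ in range(rng.randint(1, 16)))
    for i in rng.sample(range(len(payload)), min(len(payload), rng.randint(1, 3))):
        payload[i] ^= rng.randrange(1, 256)
    return pdu[:1] + bytes(payload)


@dataclass
class StateMachine:
    transitions: dict[str, set[str]] = field(default_factory=dict)
    tx_by_state: dict[str, list[bytes]] = field(default_factory=dict)  # packets we send per state

    def learn(self, trace: list[tuple[str, bytes]], start: str = "IDLE") -> str:
        """Walk a captured exchange, recording transitions; unmatched messages keep the state."""
        state = start
        for direction, pdu in trace:
            nxt = classify(direction, pdu) or state
            self.transitions.setdefault(state, set()).add(nxt)
            if direction == "TX":
                self.tx_by_state.setdefault(state, []).append(pdu)
            state = nxt
        return state

    def fuzz_from(self, state: str, rng: Optional[random.Random] = None) -> bytes:
        """Mutate one of the packets the learned machine says we send from `state`."""
        rng = rng or random.Random()
        return mutate(rng.choice(self.tx_by_state[state]), rng)

    def out_of_order(self, state: str, rng: Optional[random.Random] = None) -> bytes:
        """Replay, unmodified, a packet that belongs to some other state."""
        others = [p for s, pkts in self.tx_by_state.items() if s != state for p in pkts]
        return (rng or random.Random()).choice(others)

    def validate(self, state: str, response: Optional[bytes]) -> str:
        """Constructed oracle verdicts for the target's reply to a packet sent from `state`."""
        if response is None:
            return "no-response"  # silence: candidate crash or hang, re-run to confirm
        label = classify("RX", response)
        if label == "REJECTED":
            return "rejected"     # LMP_not_accepted: the target refused, which is healthy behaviour
        return "expected" if label in self.transitions.get(state, set()) else "unexpected"


# Constructed trace of a normal connection setup; no real device was captured for this.
TRACE = [
    ("TX", lmp(LMP_HOST_CONNECTION_REQ)),
    ("RX", lmp(LMP_ACCEPTED, bytes([LMP_HOST_CONNECTION_REQ]))),
    ("TX", lmp(LMP_FEATURES_REQ, bytes(8))),
    ("RX", lmp(LMP_FEATURES_RES, bytes(8))),
    ("TX", lmp(LMP_VERSION_REQ, bytes([0x0B, 0x0A, 0x00, 0x00, 0x00]))),  # VersNr, CompId, SubVersNr
    ("RX", lmp(LMP_VERSION_RES, bytes([0x0B, 0x0F, 0x00, 0x01, 0x00]))),
    ("TX", lmp(LMP_SETUP_COMPLETE)),
    ("RX", lmp(LMP_SETUP_COMPLETE)),
]

if __name__ == "__main__":
    rng, sm = random.Random(7), StateMachine()
    print("final state:", sm.learn(TRACE))
    print("fuzz from CONN_ACCEPTED:", sm.fuzz_from("CONN_ACCEPTED", rng).hex())
    print("verdict for silence:", sm.validate("CONN_REQ", None))
    print("verdict for LMP_setup_complete in CONN_REQ:", sm.validate("CONN_REQ", lmp(LMP_SETUP_COMPLETE)))
```

Against a real target the `TRACE` would be replaced by live captures and the fuzzer would iterate `learn`, `fuzz_from` and `validate` per connection, treating a "no-response" verdict as a case to replay before counting it as a crash; the rule list is the only part that has to be written per protocol, which is the property the abstract relies on.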
License type:
Publisher Copyright
Funding Info:
This research / project is supported by the National Research Foundation - National Satellite of Excellence in Trustworthy Software Systems
Grant Reference no.: RGNSOE2101
Description:
This research is supported by A*STAR under its A*STAR Graduate Academy (SINGA) scholarship program.
ISBN:
978-1-939133-31-1
Files uploaded:
sec22-garbelini.pdf (PDF, 1.65 MB)