Original paper: Method Confusion Attack on Bluetooth Pairing
CVE: CERT report Bluetooth SIG: SIG security alert Apple: iOS / IPadOS Google: ...
Every pairing between any BLE devices using Numeric Comparison or Passkey Entry is vulnerable to the Method Confusion attack.
Currently there is no fix available that would not massively affect backwards compatibility to older Bluetooth devices.
Device vendors can only try to educate their users about the threat and visualize the utilized pairing method prominently (providing aware and versed users the possibility to detect an ongoing attack).
This is of course just a mild mitigation and entirely defeats the idea of a simple and secure TOFU establishment.
Bluetooths security model has to be considered broken until a solution is found. We are following the decisions of the Bluetooth SIG closely.
This PoC is intended to make reproduction of the issue as easy as possible. If you encounter any difficulties or find a description to imprecise please reach out so we can improve.
- UI interface - Python script with some pleasant(?) graphics to control the whole framework
- Controller interaction - Customized version of the BTstack library
- Numeric on Passkey implementation - C program that utelizes the custom BTstack library
- Passkey on Numeric implementation - C program that utelizes the custom BTstack library
- Jamming implementation - Customized version of btlejack and btlejack-firmware
- ==Please check this repo out using 'git clone --recurse-submodules'==
- Run the Makefiles in the subdirectories of the desired attack variants (pon, nop, full_mitm) + run the discovery/Makefile
- Connect 2 USB Bluetooth controller that are compatible with BTstack (list) - they should appear under
lsusb(Ensure that the Responder advertises using BLE not BR/EDR)
You have two different complexities of the attack available:
- Enter the folder of the desired attack variant
- Call the respective binary (nop, pon, full_mitm); provide the target address and the lsusb-identifiers of your dongles
- Add at least 3 micro:bit devices if you want to suppress victim advertisments
- Start the attack.py script
- Select your devices and the attack mode ('auto' selects the optimal method dynamically)
To simulate BLE victims you may use the programs initiator and responder in the folder full_mitm
In order to lead a realistic victim-Initiator into attempting the pairing with our MitM-Responder the framework offers the option to selectively jam the advertisement messages of the victim-Responder. In this case at least 3 BBC:microbits are required as they contain the nrf5x chip that is utelized for jamming. For this option you are also required to flash the microbits with our customized version of the btlejack-firmware (See Readme in the respective subfolder)
Unfortunately it happens regularly that devices get stuck in the execution of their modified firmware. We are trying to slowly narrow down these issues and fix them. For now, we recommend to stop the software; powercycle the devices; and restart the software.