
InternalBlue PoCs and Examples

KNOB Attack Test (CVE-2019-9506)

We provide a modified version of the KNOB attack test, originally provided here. This script tests whether the other device will accept a reduced key entropy of 1 byte instead of the optimal 16 bytes. Available for the Raspberry Pi 3, Raspberry Pi 3+/4, Nexus 5, Nexus 6P, CYW20735 evaluation board, and Samsung Galaxy S8.

Invalid Curve Attack Test (CVE-2018-5383)

This is a test which tries to set the y-coordinate to zero during the ECDH key exchange. If the device under test accepts the pairing (50% probability), it is vulnerable. This is not an MITM implementation; it only tests whether the other device would be vulnerable in practice.

Available for the Nexus 5.
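As an added defensive example (not part of InternalBlue or of the test script above), this is the check a pairing stack should perform so that the zeroed y-coordinate the invalid-curve test sends is rejected: verify that the peer's public key is a point on the negotiated curve before deriving the ECDH shared secret. The P-256 domain parameters are NIST's; the function names and the constructed sample keys are my own.

```python
# Public-key validation for Bluetooth Secure Simple Pairing / Secure Connections (ECDH on P-256).
# Added example, not InternalBlue code. A peer that skips this check accepts (x, 0) as a public
# key, which is what the CVE-2018-5383 test above sends.

# NIST P-256 domain parameters: y^2 = x^3 + a*x + b over GF(p), with a = -3.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": -3,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    "gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
}


def is_on_curve(x, y, curve=P256):
    """True if (x, y) satisfies the curve equation and both coordinates are in [0, p)."""
    p = curve["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + curve["a"] * x + curve["b"])) % p == 0


def validate_peer_public_key(x, y, curve=P256):
    """Accept the peer's public key only if it is a proper affine point on the curve.

    P-256 has prime order, so it contains no point of order 2; consequently no point
    with y == 0 lies on the curve, and a zeroed y-coordinate is caught by the
    on-curve check alone. Coordinates outside the field are rejected as well.
    """
    return is_on_curve(x, y, curve)


def accept_pairing(peer_x, peer_y):
    """Gate the pairing: continue only after the peer's key passed validation.
    Returns a short status string so a caller (or a log line) can tell why pairing stopped."""
    if not validate_peer_public_key(peer_x, peer_y):
        return "rejected: peer public key is not on P-256"
    return "accepted: peer public key validated"


if __name__ == "__main__":
    # Constructed sample keys: the generator (valid) and the generator with y forced to zero.
    print(accept_pairing(P256["gx"], P256["gy"]))   # accepted
    print(accept_pairing(P256["gx"], 0))            # rejected
```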

LMP MAC Address Filter

Only accept traffic from whitelisted MAC addresses and send LMP_not_accepted otherwise.

Available for the Nexus 5.

NiNo Attack Test

Prior to pairing, an MITM can set the IO capabilities to no input, no output. This will skip the numeric comparison. Whether the operating system displays a yes/no question during pairing, a warning, or similar is up to the concrete implementation. This script tests how the other device will behave in a pairing that does not use numeric comparison, but it is not an active MITM attack.

Available for the Nexus 5.

Measurement of BLE Receive Statistics

This demo provides a hook within the callback for BLE packet reception. Upon packet reception, whether the packet is a keep-alive null packet or not, it will be processed by this function. Inside this callback, further metadata is available, such as the RSSI (Received Signal Strength Indicator), the packet's channel, and the currently active channel map.

Available for the Nexus 5 and Samsung Galaxy S8 including a callback script, as well as for the CYW20735 evaluation board, Raspberry Pi 3 and 3+/4, currently without a callback script. We also ported it to the iPhone 6; however, the current InternalBlue iOS implementation cannot be run in parallel with the full iOS stack, so it is not pushed online here.
