Bluetooth Binary Patching and Experimentation Framework
InternalBlue – Bluetooth Binary Patching and Experimentation Framework

Dennis Mantz, Jiska Classen, Matthias Schulz, Matthias Hollick
TU Darmstadt, Secure Mobile Networking Lab, Darmstadt, Germany
[email protected], [email protected], [email protected], [email protected]

ABSTRACT

Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and the protocol layers close to the hardware are mostly uncovered.

We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework, outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform.

InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

CCS CONCEPTS

• Security and privacy → Mobile and wireless security; • Networks → Link-layer protocols.

ACM Reference Format:
Dennis Mantz, Jiska Classen, Matthias Schulz, and Matthias Hollick. 2019. InternalBlue – Bluetooth Binary Patching and Experimentation Framework. In The 17th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys ’19), June 17–21, 2019, Seoul, Republic of Korea. ACM, New York, NY, USA, 12 pages. https://doi.org/10.1145/3307334.3326089

arXiv:1905.00631v1 [cs.CR] 2 May 2019

MobiSys ’19, June 17–21, 2019, Seoul, Republic of Korea. © 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM. This is the author’s version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in The 17th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys ’19), June 17–21, 2019, Seoul, Republic of Korea, https://doi.org/10.1145/3307334.3326089.

1 INTRODUCTION

Bluetooth, the standard for wireless short range communication, has been around for almost 25 years since Ericsson developed it in 1994. In the early days it was mainly applied to wireless headphones, hands-free speakerphones, and replacement of infrared data links between devices [16]. Today, Bluetooth experiences a comeback with the use of wearables and the IoT, often using Bluetooth Low Energy (BLE) introduced in version 4.0. Its latest specifications, Bluetooth 5.0 and 5.1, provide new interesting features such as mesh networking and localization [19, 20], and indicate that Bluetooth will play an important role in the future of wireless communication.

Bluetooth security and performance have only been studied selectively, which is a stark contrast to the extensive analysis of the Wi-Fi standard over the same period of time. This can be partially attributed to the availability of powerful, open-source tools which allow easy experiments on raw Wi-Fi frames with low-cost, off-the-shelf hardware. When the first patches for Wi-Fi drivers enabled the so-called monitor mode and frame injection capabilities, researchers soon implemented practical attacks on low-level parts of the Wi-Fi stack and the now deprecated Wired Equivalent Privacy (WEP) standard [14, 28]. Only recently [8, 9, 12], the firmware running on Wi-Fi cards has been shown to contain severe over-the-air vulnerabilities. Publicly available tools allow altering off-the-shelf Broadcom Wi-Fi cards [34], along with easy to understand open source Wi-Fi SDR implementations [5, 15].

Blueborne is a state-of-the-art collection of weaknesses uncovered in most of the major Bluetooth stacks, and has raised awareness of different issues concerning Bluetooth security. However, Blueborne targets host-side Bluetooth drivers rather than the lower layers of the protocol, below the Host Controller Interface (HCI), which are handled in firmware and are still difficult to audit. A recent Bluetooth attack concerns the Elliptic Curve Diffie-Hellman (ECDH) key exchange used during device pairing, where the attacker replaces public key coordinates during transmission; most implementations did not check the received coordinates [13].

Unfortunately, compared to Wi-Fi there is no similarly easy way to monitor and manipulate the behavior of the lower Bluetooth layers depicted in Figure 1. On the one hand, professional equipment targeted at hardware developers exists, but is very expensive. On the other hand, modifiable open-source platforms still struggle with fundamental problems such as the frequency-hopping characteristics of the Bluetooth Physical Layer (PHY).

[Figure 1: Architecture of the Bluetooth Protocol Stack. Host: RFCOMM, SDP, L2CAP. Host Controller Interface (HCI). Controller: Device Manager, Link Manager, Baseband Resource Manager, Link Controller, Bluetooth PHY.]

This paper is the groundwork for a platform focused on Bluetooth low-layer protocol modifications and security. It targets the firmware of the Broadcom Bluetooth chipset named BCM4339, which resides inside the Nexus 5. We tested and extended parts of the functionality to Nexus 6P, Samsung Galaxy S6/S6 edge, Raspberry Pi 3/3+ and a Bluetooth 5.0 IoT evaluation kit.

On top of the reverse engineering results, the outcome of this work is the research and analysis framework InternalBlue, which enables direct interaction with Broadcom firmware internals at runtime. The framework consists of a flexible Python library which acts as an interface to the firmware over the Android Debug Bridge (ADB). It is supplemented with an interactive front-end which supports live analysis of the firmware and low-level Bluetooth activities. The most important capabilities of InternalBlue are:

• modify arbitrary memory regions including Read Only Memory (ROM),
• run arbitrary code in the context of the running firmware,
• send arbitrary HCI commands to the chip,
• establish connections to non-visible devices, and
• enable monitor mode and injection for the Link Manager Protocol (LMP).

Access to LMP stands out for transforming an off-the-shelf low-cost smartphone into an LMP monitor and injection device, which enables security testing. To the best of our knowledge, there exists no openly available solution to monitor and craft LMP messages in the context of Bluetooth connections. Such a tool is especially useful for researching and testing other Bluetooth devices on the Link Manager (LM) layer, which controls important features such as security parameters and frequency settings.

To demonstrate the capabilities of InternalBlue, we use it to test for known Bluetooth bugs. On top of this, we detect a new severe vulnerability inside the firmware, which affected a huge fraction of the Broadcom Bluetooth chips in use in December 2018. We perform the following security demos and contributions with InternalBlue:

• test for user interaction behavior of pairing devices without

InternalBlue is publicly available including various demos¹. We disclosed all issues reported in this paper to Broadcom before submission; Broadcom has acknowledged them and has already provided fixes to vendors.

This work is structured as follows. Section 2 describes relevant Broadcom specifications and how to reverse engineer the firmware. Based on this knowledge, the implementation of InternalBlue is explained in Section 3, including the application of an LMP toolkit. InternalBlue is then used to check for multiple known issues in the Bluetooth standard in Section 4. Further investigation in Section 5 leads to Broadcom specific issues that allow code execution within Bluetooth firmware. Section 4 and Section 5 contain the main contributions of this paper; readers who are not interested in the efforts required to open a closed source firmware and do not want to reproduce results can skip Section 2 and Section 3. Related work is listed in Section 6. Results are discussed in Section 7. Section 8 concludes this paper.

2 FIRMWARE REVERSE ENGINEERING

This section summarizes the information on the internal structure and functioning of the Broadcom BCM4339 Bluetooth controller. The information has been gathered through reverse engineering the controller’s firmware according to the Bluetooth specifications [18], and also from the datasheet in [25]. Some functions can be clearly mapped to standardized Bluetooth procedures, because they use uniquely specified values. However, going from machine code to assembly and data sections and then naming functions is a tedious process and nobody publicly did this for Broadcom Bluetooth chips
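Two of the capabilities listed in the introduction, sending arbitrary HCI commands and reading or modifying controller memory, rest on the host being able to frame HCI packets correctly and interpret the controller's replies. The following Python is an added example, not code from the paper or from InternalBlue: it builds H4-framed HCI command packets (the UART transport encoding from the Bluetooth Core Specification), decodes Command Complete events, and exercises the Broadcom vendor-specific Read_RAM and Write_RAM commands against a constructed in-memory fake controller so that it runs offline. The opcodes 0xFC4C/0xFC4D and their parameter layouts are taken from public Broadcom patchram tooling and are an assumption here, not something this page states; the fake controller's base address and RAM size are likewise invented for the example.

```python
"""H4-framed HCI commands/events plus Broadcom Read_RAM/Write_RAM, exercised
against a constructed fake controller (no hardware needed)."""
import struct

# H4 packet type indicators (Bluetooth Core Spec, Vol 4, Part A).
H4_COMMAND = 0x01
H4_EVENT = 0x04
EVT_COMMAND_COMPLETE = 0x0E

# HCI status codes used below (Core Spec, Vol 1, Part F).
ST_SUCCESS, ST_UNKNOWN_CMD, ST_INVALID_PARAMS = 0x00, 0x01, 0x12


def opcode(ogf: int, ocf: int) -> int:
    """OGF occupies the top 6 bits of the 16-bit opcode, OCF the low 10."""
    return (ogf << 10) | ocf


def split_opcode(op: int) -> tuple:
    return op >> 10, op & 0x3FF


HCI_RESET = opcode(0x03, 0x0003)          # 0x0C03, standard controller command
# Assumption: Broadcom vendor-specific opcodes (OGF 0x3F) as used by public
# Broadcom patchram tools; parameter layouts are address (LE32) + payload.
BCM_WRITE_RAM = opcode(0x3F, 0x004C)      # 0xFC4C: addr(4) + data
BCM_READ_RAM = opcode(0x3F, 0x004D)       # 0xFC4D: addr(4) + length(1)


def build_command(op: int, params: bytes = b"") -> bytes:
    """H4 command: 0x01 | opcode LE16 | parameter length | parameters."""
    if len(params) > 255:
        raise ValueError("HCI parameter block exceeds 255 bytes")
    return struct.pack("<BHB", H4_COMMAND, op, len(params)) + params


def parse_event(pkt: bytes) -> dict:
    """Decode an H4 event; Command Complete gets opcode/status/return split."""
    if len(pkt) < 3 or pkt[0] != H4_EVENT:
        raise ValueError("not an H4 event packet")
    code, plen = pkt[1], pkt[2]
    params = pkt[3:3 + plen]
    if len(params) != plen:
        raise ValueError("truncated event")
    ev = {"code": code, "params": params}
    if code == EVT_COMMAND_COMPLETE:
        ncmd, op = struct.unpack_from("<BH", params, 0)
        ev.update(ncmd=ncmd, opcode=op, status=params[3], ret=params[4:])
    return ev


def read_ram_cmd(addr: int, length: int) -> bytes:
    return build_command(BCM_READ_RAM, struct.pack("<IB", addr, length))


def write_ram_cmd(addr: int, data: bytes) -> bytes:
    return build_command(BCM_WRITE_RAM, struct.pack("<I", addr) + data)


class FakeController:
    """Constructed stand-in: answers Read_RAM/Write_RAM over a RAM window."""

    def __init__(self, base: int = 0x200000, size: int = 0x40000):
        self.base, self.ram = base, bytearray(size)

    def _complete(self, op: int, status: int, ret: bytes = b"") -> bytes:
        params = struct.pack("<BHB", 1, op, status) + ret   # Num_HCI_Cmd=1
        return struct.pack("<BBB", H4_EVENT, EVT_COMMAND_COMPLETE,
                           len(params)) + params

    def _in_window(self, off: int, n: int) -> bool:
        return 0 <= off and off + n <= len(self.ram)

    def handle(self, pkt: bytes) -> bytes:
        _ind, op, plen = struct.unpack_from("<BHB", pkt, 0)
        params = pkt[4:4 + plen]
        if op == BCM_READ_RAM:
            addr, n = struct.unpack("<IB", params)
            off = addr - self.base
            if not self._in_window(off, n):
                return self._complete(op, ST_INVALID_PARAMS)
            return self._complete(op, ST_SUCCESS, bytes(self.ram[off:off + n]))
        if op == BCM_WRITE_RAM:
            addr = struct.unpack_from("<I", params, 0)[0]
            data = params[4:]
            off = addr - self.base
            if not self._in_window(off, len(data)):
                return self._complete(op, ST_INVALID_PARAMS)
            self.ram[off:off + len(data)] = data
            return self._complete(op, ST_SUCCESS)
        return self._complete(op, ST_UNKNOWN_CMD)


def patch_and_verify(ctrl: FakeController, addr: int, data: bytes) -> tuple:
    """Write data at addr, read it back; returns (write status, bytes read)."""
    w = parse_event(ctrl.handle(write_ram_cmd(addr, data)))
    r = parse_event(ctrl.handle(read_ram_cmd(addr, len(data))))
    return w["status"], r["ret"]
```

Reading back after every write is the check a practitioner wants here: a controller that silently ignores a write outside its RAM window, or answers with a non-zero status, shows up immediately instead of as a later crash of the firmware.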
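The pairing attack mentioned in the introduction, in which a transmitted public-key coordinate is altered and most implementations did not check it, comes down to a missing point-validation step on the received ECDH public key. The following Python is an added example, not code from the paper or from any Bluetooth stack: it implements P-256 point arithmetic in plain integers, runs an honest ECDH exchange, and then shows what a victim derives when the peer's y-coordinate is overwritten with 0 on the air and no on-curve check is performed (the tampered point has order 2 under the standard formulas, so the shared secret collapses to one of two predictable values), versus rejection when the check is in place. The curve parameters are the published NIST P-256 constants; the two private keys are constructed test values.

```python
"""P-256 ECDH with and without public-key validation: an illustration of why
the received (x, y) must be checked before computing the shared secret."""

# NIST P-256 domain parameters (FIPS 186-4); Bluetooth Secure Connections
# uses this curve for the pairing ECDH exchange.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
P256_G = (P256_GX, P256_GY)

# Constructed test private scalars (one even, one odd; both below the group
# order). Real stacks draw these from a CSPRNG.
ALICE_PRIV = 0x4a7d31c8e0f25bb9a3c6d1e7f8092b4c5d6e7f8091a2b3c4d5e6f708192a3b4c
BOB_PRIV = 0x7f3e2d1c0b9a8877665544332211ffeeddccbbaa99887766554433221100aa01


def is_on_curve(x: int, y: int) -> bool:
    """Full affine validation: coordinates in range and y^2 = x^3 + ax + b.
    P-256 has cofactor 1, so no extra subgroup check is needed."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:     # Q == -P, including y == 0 (order 2)
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def ec_mul(k: int, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def dh_shared(priv: int, peer, check: bool = True):
    """DHKey is the x-coordinate of priv * peer; None if it hits infinity."""
    if check and not is_on_curve(*peer):
        raise ValueError("peer public key is not a valid P-256 point")
    R = ec_mul(priv, peer)
    return None if R is None else R[0]


def shared_secret_agrees(a: int, b: int) -> bool:
    """Honest exchange: both sides validate and derive the same DHKey."""
    pub_a, pub_b = ec_mul(a, P256_G), ec_mul(b, P256_G)
    s_a, s_b = dh_shared(a, pub_b), dh_shared(b, pub_a)
    return s_a is not None and s_a == s_b


def invalid_curve_demo(priv: int) -> tuple:
    """Peer's y forced to 0 on the air while x is left alone. Returns what the
    victim derives without validation, and the outcome with validation."""
    tampered = (P256_GX, 0)
    unchecked = dh_shared(priv, tampered, check=False)
    try:
        dh_shared(priv, tampered, check=True)
        checked = "accepted"
    except ValueError:
        checked = "rejected"
    return unchecked, checked
```

Without the check, `invalid_curve_demo` returns the tampered x for an odd private scalar and infinity for an even one, so an attacker who does not know the key still has a 50% guess at the derived secret from a single observation; with the check, the tampered key never reaches the multiplication. The arithmetic here is deliberately plain integer math for readability and is not constant time; production code should use a vetted library that validates points internally.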