(All) Your APs (Are) Belong to Us - Black Hat (i.blackhat.com)
TRANSCRIPT
Page 1
(All) Your APs (Are) Belong to Us
Ben Seri, VP Research
Dor Zusman, Researcher
Page 2
Agenda
• Bluetooth Low Energy (BLE)
• BLE in Access Points (?!)
• Over-the-air firmware upgrades: is it secure?
• Aruba BLE vulnerability - CVE-2018-7080
• TI BLE stack RCE vulnerability - CVE-2018-16986
• Exploitation and Impact
Page 3
Why Bluetooth Low Energy?
Healthcare, manufacturing, retail, offices
Page 4
BLE in recent news
Page 5
Why do APs support BLE?
Indoor navigation
Medical asset tracking
Retail customer tracking
Smart sensors
Page 6
But Why????
Page 7
BLE Attack surface
CVE-2018-7080 - affecting Aruba
CVE-2018-16986 - TI BLE stack, affecting Cisco, Meraki
Page 8
BLE Attack surface (same slide as page 7)
Page 9
OTA solutions over BLE - The challenges
Capturing firmware over the air?
Authentication of GATT? Based on BLE bonding?
OAD, DFU
Page 10
OTA solutions over BLE - The problems
Firmware passed unencrypted over the air
GATT connection is unauthenticated
Firmware integrity is not validated, or uses a weak cryptographic signature
OAD
Page 11
BLE in Aruba Access Points
Primary service discovery against the AP with gatttool:

```text
$ gatttool -i hci1 --primary -b f4:5e:ab:e7:ff:5d
attr handle = 0x0001, end grp handle = 0x000b uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle = 0x000c, end grp handle = 0x000f uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle = 0x0010, end grp handle = 0x001c uuid: 0000180a-0000-1000-8000-00805f9b34fb
attr handle = 0x001d, end grp handle = 0x0029 uuid: f000ffc0-0451-4000-b000-000000000000
attr handle = 0x002a, end grp handle = 0x0031 uuid: faafea00-b67b-6ee7-3d4c-424fb2f14a66
attr handle = 0x0032, end grp handle = 0xffff uuid: 272fe150-6c6c-4718-a3d4-6de8a3735cff
```

The service at handles 0x001d-0x0029 (f000ffc0-0451-4000-b000-000000000000) is the TI OAD service; FFC1 and FFC2 on the following slides are its Image Identify and Image Block characteristics.
Page 12
OAD in General
Exchange between User and Device:
User -> Device: Initiate GATT connection
User -> Device: Image Identify (write to FFC1)
Device -> User: Image Block Request
User -> Device: Image Block (write to FFC2)
Device -> User: Image Block Request
...
Page 13
OAD in Aruba Access Points
Exchange between User and Device:
User -> Device: Initiate GATT connection
User -> Device: Image Identify (write to FFC1)
Device: No Response
Pages 14-15
Extracting BLE firmware
Page 16
Analyzing custom OAD
Stock TI OAD write callback:

```c
static bStatus_t oadWriteAttrCB(...)
{
    ...
    if (osal_memcmp(pAttr->type.uuid, oadCharUUID[OAD_CHAR_IMG_IDENTIFY], ATT_UUID_SIZE)) {
        status = oadImgIdentifyWrite(connHandle, pValue);
    } else if (osal_memcmp(pAttr->type.uuid, oadCharUUID[OAD_CHAR_IMG_BLOCK], ATT_UUID_SIZE)) {
        status = oadImgBlockWrite(connHandle, pValue);
    }
    ...
}
```
Page 17
Analyzing custom OAD
Aruba's customised write callback (left) beside the stock TI one (right). Image Identify and Image Block writes are only dispatched once is_oad_unlocked is set, and Image Identify additionally requires is_img_write_unlocked; both flags are set by writing a fixed cookie to OAD_UNLOCK_UUID.

```c
static bStatus_t ARUBA_oadWriteAttrCB(...)
{
    ...
    if (is_oad_unlocked) {
        // 128-bit UUID
        if (is_img_write_unlocked &&
            osal_memcmp(pAttr->type.uuid, oadCharUUID[OAD_CHAR_IMG_IDENTIFY], ATT_UUID_SIZE)) {
            status = oadImgIdentifyWrite(connHandle, pValue);
        } else if (osal_memcmp(pAttr->type.uuid, oadCharUUID[OAD_CHAR_IMG_BLOCK], ATT_UUID_SIZE)) {
            status = oadImgBlockWrite(connHandle, pValue);
        } else {
            status = ATT_ERR_ATTR_NOT_FOUND;
        }
    } else if (osal_memcmp(pAttr->type.uuid, OAD_UNLOCK_UUID, ATT_UUID_SIZE)) {
        if (osal_memcmp(pAttr->pValue, OAD_COOKIE, ATT_UUID_SIZE)) {
            is_oad_unlocked = true;
        } else if (osal_memcmp(pAttr->pValue, AB_ACCESS_COOKIE, ATT_UUID_SIZE)) {
            is_img_write_unlocked = true;
        }
    }
    ...
}
```

```c
static bStatus_t oadWriteAttrCB(...)
{
    ...
    if (osal_memcmp(pAttr->type.uuid, oadCharUUID[OAD_CHAR_IMG_IDENTIFY], ATT_UUID_SIZE)) {
        status = oadImgIdentifyWrite(connHandle, pValue);
    } else if (osal_memcmp(pAttr->type.uuid, oadCharUUID[OAD_CHAR_IMG_BLOCK], ATT_UUID_SIZE)) {
        status = oadImgBlockWrite(connHandle, pValue);
    }
    ...
}
```
Page 18
Analyzing custom OAD
The unlock path in isolation: a write of OAD_COOKIE or AB_ACCESS_COOKIE to OAD_UNLOCK_UUID flips the corresponding flag.

```c
static bStatus_t ARUBA_oadWriteAttrCB(...)
{
    ...
    if (osal_memcmp(pAttr->type.uuid, OAD_UNLOCK_UUID, ATT_UUID_SIZE)) {
        if (osal_memcmp(pAttr->pValue, OAD_COOKIE, ATT_UUID_SIZE)) {
            is_oad_unlocked = true;
        } else if (osal_memcmp(pAttr->pValue, AB_ACCESS_COOKIE, ATT_UUID_SIZE)) {
            is_img_write_unlocked = true;
        }
    }
    ...
}
```
Page 19 (no text)
Pages 20-21
OTA OAD OMG
Pages 22-27
What would a BLEEDINGBIT attack look like?
Network diagram built up across the slides (labels only):
WLC (wireless LAN controller)
Access Point, serving Guest and Corporate networks
Router, Internet
C&C
Video (page 27)
Pages 28-35 (no text)
Page 36
BLE Attack surface
CVE-2018-7080 - affecting Aruba
CVE-2018-16986 - TI BLE stack, affecting Cisco, Meraki
Page 37
BLE link layer
Page 38
BLE link layer
Bluetooth® Core Specification version 4.2
Bluetooth® Core Specification version 5.0
Page 39
TI CC2640 Architecture
Page 40
TI CC2640 Architecture
Main CPU | Radio Core
Application Layer (App)
Generic Access Profile (GAP)
Generic Attribute Protocol (GATT)
Security Manager (SMP)
Attribute Protocol (ATT)
Logical Link Control & Adaptation Protocol (L2CAP)
Link Layer (LL)
Physical Layer (PHY)
Page 41
CC2640 (lack of) Security
No DEP (NX-bit)
No ASLR
No memory management
K / U
Pages 42-43
CC2640 Memory Corruption
Main core:

```c
void llGetAdvChanPDU(uint8 *pduType, uint8 *isTxAddress, uint8 *advAddr,
                     uint8 *dataLen, uint8 *advData, int8 *rssi)
{
    dataEntry_t *dataEntry;
    uint8 pktLength;
    uint8 *pktData;
    ...
    dataEntry = RFHAL_GetNextDataEntry(scanParam.pRxQ);
    ...
    pktLength = dataEntry.data[1];
    pktData = &(dataEntry.data[2]); // Skip the 2 byte header
    *dataLen = pktLength - 6;
```

Slide 43 highlights the two header bytes: dataEntry.data[0] (first header byte: PDU type in the low four bits, TxAdd/RxAdd flags) and dataEntry.data[1] (second header byte: the Length field), the latter being what pktLength is read from.
Pages 44-45
CC2640 Memory Corruption
Main core (continued):

```c
    if ((signed int)*dataLen >= 32) // Check for bad size
        halAssertHandler();
    // Copy address from packet
    for (i = 0; i < 6; ++i)
```
Page 46
CC2640 Memory Corruption
Main core (continued):

```c
    // Copy address from packet
    for (i = 0; i < 6; ++i) {
        *advAddr++ = *pktData++;
    }
    ...
    // Parse packet header, convert packet type to pduType enum
    ...
    // Copy the rest of the packet
    for (i = 0; i < (unsigned int)*dataLen; ++i) {
        *advData++ = *pktData++;
    }
    ...
}
```
Pages 47-51
Let's try and crash it
Length header byte sent over the air, one row added per slide (the Crash? column is not legible in the transcript):

| RFU | Length | Actual payload size | Crash? |
|-----|--------|---------------------|--------|
| 11 | 111111 (255) | 255 | |
| 00 | 000001 (1) | 1 | |
| 00 | 111111 (63) | 63 | |
| 00 | 100101 (37) | 37 | |
| 10 | 100101 (165) | 37 | |
Page 52
CC2640 - RTFM
Main CPU | Radio Core: Link Layer (LL), Physical Layer (PHY)
From the TI documentation, as quoted (cut off) on the slide: "StrictLenFilter is 1, only length fields compliant with the Bluetooth low energy specification are considered valid. For an ADV_DIRECT_IND, valid means a length field of 12, and for other ADV*_IND messages valid means a length field in the range from"
Page 53
Packet Length: Main Core vs Radio Core
Main core:

```c
void llGetAdvChanPDU(...)
{
    dataEntry_t *dataEntry;
    uint8 pktLength;
    uint8 *pktData;
    ...
    dataEntry = RFHAL_GetNextDataEntry(RxQ);
    ...
    pktLength = dataEntry.data[1];
```

Radio core:

```c
signed int parse_and_validate_packet_header(...)
{
    int packet_len;
    int pduType;
    ...
    // Radio waits for syncword
    ...
    pkt_first_word = RF_read_word();
    ...
    pduType = pkt_first_word & 0xF;
    // advLenMask == 0x3F (0b00111111)
    // maxAdvPktLen == 0x25 (37)
    packet_len = ((uint8)pkt_first_word & advLenMask);
    ...
    if (packet_len_extracted > maxAdvPktLen)
        return -1; // Failed
}
```
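As an added example (not TI's or the presenters' code), this C model replays the header-byte table from slides 47-51 through the two checks this slide contrasts: the radio core masks the 6-bit Length with 0x3F and rejects anything above 37, while the main core takes the raw byte, subtracts the 6-byte AdvA and applies the slide's `(signed int)*dataLen >= 32` assert. It assumes a 6-byte minimum on the radio core, a 31-byte advData destination, and reads the `(signed int)` cast as a sign-extension of the 8-bit value; a hardened main-core variant applying the radio core's mask and bounds is shown beside it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not TI's or the presenters' code. Constants from the slides:
 * advLenMask 0x3F, maxAdvPktLen 37, AdvA of 6 bytes skipped before the copy,
 * and the "(signed int)*dataLen >= 32" assert. Assumed: a minimum length of 6
 * on the radio core, a 31-byte advData buffer, and that the assert's cast
 * sign-extends the 8-bit dataLen (which is what lets 128..255 slip past). */
#define ADV_LEN_MASK     0x3Fu
#define MIN_ADV_PKT_LEN  6u     /* assumed: nothing shorter than AdvA */
#define MAX_ADV_PKT_LEN  37u
#define ADV_ADDR_LEN     6u
#define MAX_ADV_DATA_LEN 31u    /* assumed advData buffer size */

typedef enum {
    ADV_DROPPED_BY_RADIO,  /* never queued to the main core */
    ADV_ASSERT_ON_MAIN,    /* halAssertHandler() fires on the main core */
    ADV_COPIED_OK,         /* copy fits the advData buffer */
    ADV_COPY_OVERFLOWS     /* copy loop runs past advData */
} adv_outcome_t;

/* Radio core: drop the two RFU bits, then bounds-check the 6-bit Length. */
int radio_core_packet_len(uint8_t hdr_len_byte)
{
    unsigned packet_len = hdr_len_byte & ADV_LEN_MASK;
    if (packet_len < MIN_ADV_PKT_LEN || packet_len > MAX_ADV_PKT_LEN)
        return -1;
    return (int)packet_len;
}

/* Main core, as on the slides: raw byte (RFU bits included) minus AdvA,
 * held in a uint8 exactly like pktLength / *dataLen in llGetAdvChanPDU. */
uint8_t main_core_data_len(uint8_t hdr_len_byte)
{
    uint8_t pktLength = hdr_len_byte;
    return (uint8_t)(pktLength - ADV_ADDR_LEN);
}

/* The slide's size check, with the cast read as a sign-extension (assumed). */
bool main_core_check_passes(uint8_t dataLen)
{
    return (int8_t)dataLen < 32;
}

/* Hardened main-core variant: same mask and bounds as the radio core, applied
 * before any copy, with a reject instead of an assert. */
int main_core_data_len_hardened(uint8_t hdr_len_byte)
{
    unsigned pktLength = hdr_len_byte & ADV_LEN_MASK;
    if (pktLength < MIN_ADV_PKT_LEN || pktLength > MAX_ADV_PKT_LEN)
        return -1;
    return (int)(pktLength - ADV_ADDR_LEN);
}

/* Replays one header byte through the radio core, then the main core. */
adv_outcome_t classify_header(uint8_t hdr_len_byte)
{
    if (radio_core_packet_len(hdr_len_byte) < 0)
        return ADV_DROPPED_BY_RADIO;
    uint8_t dataLen = main_core_data_len(hdr_len_byte);
    if (!main_core_check_passes(dataLen))
        return ADV_ASSERT_ON_MAIN;
    /* The copy loop counts (unsigned int)*dataLen bytes, i.e. zero-extended. */
    return dataLen > MAX_ADV_DATA_LEN ? ADV_COPY_OVERFLOWS : ADV_COPIED_OK;
}

int main(void)
{
    /* Constructed header bytes matching the slide table (RFU bits | Length). */
    static const uint8_t rows[] = { 0xFF, 0x01, 0x3F, 0x25, 0xA5 };
    static const char *names[] = { "dropped by radio", "assert on main",
                                   "copied ok", "copy overflows" };
    for (size_t i = 0; i < sizeof rows; i++)
        printf("hdr 0x%02X: main dataLen %3d, hardened %2d -> %s\n", rows[i],
               main_core_data_len(rows[i]), main_core_data_len_hardened(rows[i]),
               names[classify_header(rows[i])]);
    return 0;
}
```

Only the last row (0xA5) survives the radio core and still drives the main core's copy count to 159, which the hardened variant reduces to 31 by masking the RFU bits before subtracting.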
Page 54
Case Study
Cisco AP1815W JTAG header
Page 55
CC2640 Memory Corruption
Call path: llProcessScanRxFIFO -> llGetAdvChanPDU, with advPkt as the destination buffer.

```c
void llGetAdvChanPDU(...)
{
    dataEntry_t *dataEntry;
    uint8 pktLength;
    uint8 *pktData;
    ...
    // Copy the rest of the packet
    for (i = 0; i < (unsigned int)*dataLen; ++i) {
        *advData++ = *pktData++;
    }
    ...
}
```
Page 56
What is being overwritten?
Memory following advPkt (the incoming advertising packet buffer), as laid out on the slide:
Categories: Advertising incoming packet; Function pointers; System clock; Last system clock timestamp; System timers list pointer; GAP outgoing response; Task IDs
Symbols: advPkt, hciGapTaskID, hciL2capTaskID, hciSmpTaskID, hciExtTaskID, bleDispatch_TaskID, rspBuf, timerHead, osal_last_timestamp, osal_systemClock, ICall_dispatcher, ICall_enterCriticalSection, ICall_exitCriticalSection
Addresses: 0x20004488, 0x200044F4, 0x200044F8, 0x200044FC, 0x200044F0, 0x200044B0, 0x200044B5
Page 57
What is being overwritten?
Function pointers: ICall_dispatcher, ICall_enterCriticalSection, ICall_exitCriticalSection (0x200044FC)
Page 58
Attacking a Cisco AP
Setup: RPi, Ubertooth, AP (Cisco 1815W)
Pages 59-60
Demo
Setup: RPi, Ubertooth, AP (Cisco 1815W)
Page 61 (no text)
Page 62
Takeaways
BLE radio chips can be vulnerable to attack
Vulnerabilities in peripheral chips can lead to a network breach
Access points and network infrastructure devices are also unmanaged devices