DOI: 10.1145/3548606.3560668
Research article

Blacktooth: Breaking through the Defense of Bluetooth in Silence

Published: 07 November 2022

Abstract

Bluetooth is a short-range wireless communication technology widely used by billions of personal computing, IoT, peripheral, and wearable devices. Bluetooth devices exchange commands and data, such as keyboard/mouse inputs, audio, and files, through a secure communication channel that is established through a pairing process. Due to the sensitivity of those commands and data, security mechanisms, such as encryption, authentication, and authorization, have been developed and adopted in the standards. Nevertheless, vulnerabilities continue to be discovered.
In the literature, few successful attacks against the Bluetooth connection establishment stage have been reported. Many attacks simply assume that connections are already established or use a compromised agent, e.g., a malicious app or a careless user, to initialize the connection. We argue that such assumptions are strong and impractical. A stealthily established connection is a critical starting point for any practical attack against Bluetooth devices. In this paper, we demonstrate that the Bluetooth Specification contains a series of vulnerabilities that will enable an attacker to impersonate a Bluetooth device and successfully establish a connection with a victim device. The entire process does not require any involvement of the device owner/user or any malicious app on the victim device. The attacker could further escalate permissions by switching Bluetooth profiles to retrieve sensitive information from the victim device and inject arbitrary commands. We name our new attack the Blacktooth Attack. To demonstrate the effectiveness and practicality of the Blacktooth attack, we evaluate it against 21 different Bluetooth devices with diverse manufacturers and operating systems, and all major Bluetooth versions. We show that the newly proposed attack is successful on all victim devices.


Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022
3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. bluetooth security
2. permission escalation
3. spoofing

Qualifiers

• Research-article

Conference

CCS '22

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

• (2025) Physical-Layer CTC From BLE to Wi-Fi With IEEE 802.11ax. IEEE Transactions on Mobile Computing 24(1), 338-351. DOI: 10.1109/TMC.2024.3462941. Online publication date: Jan 2025
• (2024) PuppetMouse: Practical and Contactless Mouse Manipulation Attack via Intentional Electromagnetic Interference Injection. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 8(3), 1-30. DOI: 10.1145/3678570. Online publication date: 9 Sep 2024
• (2024) SoK: The Long Journey of Exploiting and Defending the Legacy of King Harald Bluetooth. 2024 IEEE Symposium on Security and Privacy (SP), 2847-228066. DOI: 10.1109/SP54263.2024.00023. Online publication date: 19 May 2024
• (2024) Companion Apps or Backdoors? On the Security of Automotive Companion Apps. Computer Security – ESORICS 2024, 24-44. DOI: 10.1007/978-3-031-70896-1_2. Online publication date: 6 Sep 2024
• (2023) BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 636-650. DOI: 10.1145/3576915.3623066. Online publication date: 15 Nov 2023
• (2023) Mitigating Cross-Transport Key Derivation Attacks in Bluetooth Communication. NAECON 2023 - IEEE National Aerospace and Electronics Conference, 254-257. DOI: 10.1109/NAECON58068.2023.10365983. Online publication date: 28 Aug 2023
• (2023) Breaking the Trust Circle in HarmonyOS by Chaining Multiple Vulnerabilities. 2023 3rd Asia-Pacific Conference on Communications Technology and Computer Science (ACCTCS), 438-443. DOI: 10.1109/ACCTCS58815.2023.00102. Online publication date: Feb 2023
