InjectaBLE: Injecting malicious traffic into established Bluetooth Low Energy connections

Cayre, Romain; Galtier, Florent; Auriol, Guillaume; Nicomette, Vincent; Kaâniche, Mohamed; Marconato, Géraldine

doi:10.1109/dsn48987.2021.00050

Cited by 7 publications

(8 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Attacks that exploit LoRaWAN MAC and physical layer vulnerabilities to perform DoS, packet injection and replay attacks have also been reported [3], [7], [8]. Similar attacks are possible for the BLE stack [9]- [12]. IoT protocols are often subject to packet injection based attacks resulting in exploits such as DoS, MITM, RCE and privilege escalation.…”

Section: A Vulnerabilities and Attacksmentioning

confidence: 91%

A Lightweight Intrusion Detection System against IoT Memory Corruption Attacks

Bouazzati,

Tessier,

Tanguy

et al. 2023

2023 26th International Symposium on Design and Diagnostics of Electronic Circuits and Systems (DDECS)

View full text Add to dashboard Cite

Attacks against internet-of-things (IoT) end-devices represent a significant threat since their wireless communication capabilities provide a potential attack entry point. To address this threat, we demonstrate the use of hardware performance counters (HPCs) in a host-based intrusion detection system (HIDS). The counter-based monitors are customized to support IoT enddevices which use low data rate GHz and sub-GHz protocols. Our solution implements a hardware unit that performs data tracing for a 32-bit RISC-V based wireless connectivity unit. The unit can detect ongoing remote attacks in real time. We demonstrate the effectiveness of our system by detecting a packet injection exploit. Our FPGA implementation of HIDS has a logic overhead of about 6% and design frequency penalty of less than 1% for a RISC-V processor.

show abstract

Section: A Vulnerabilities and Attacksmentioning

confidence: 91%

A Lightweight Intrusion Detection System against IoT Memory Corruption Attacks

Bouazzati,

Tessier,

Tanguy

et al. 2023

2023 26th International Symposium on Design and Diagnostics of Electronic Circuits and Systems (DDECS)

View full text Add to dashboard Cite

show abstract

“…The Connection Hijack attacks target a pre-existing BLE connection. In 2021, researchers identified a flaw in the BLE specification itself that allowed this attack to be implemented on any device using BLE version 4.0-5.2 [8]. Implementation of this attack has a catastrophic impact on the BLE connection as it hands in strong controls to the attacker.…”

Section: Bluetooth Le Vulnerabilities and Attacksmentioning

confidence: 99%

“…The BLE device and phone are then connected using their respective app and the packets exchanged are saved. The captured pcap files can then be examined using the Crackle BLE utility tool 8 . Crackle is designed to decrypt BLE traffic from BLE versions 4.0 -4.2 and is able to determine if the packets captured is encrypted or unencrypted.…”

Section: Bluetooth Le Security and Privacy Analysismentioning

confidence: 99%

Bluetooth Vulnerabilities in General and Intimate Health IoT Devices and Apps: the Case of Female-oriented Technologies

Cook,

Merhnezad,

Toreini

2024

Preprint

View full text Add to dashboard Cite

Digital health products are increasing faster than ever. These technologies (e.g., apps and connected devices) collect massive data about the users including health, medical , sex life, and other intimate data. In this paper, we study a set of Internet of Thing (IoT) devices which are advertised for general and/or intimate health purposes of female bodies (also known as female-oriented technologies or FemTech). We particularly focus on the security and privacy of the Blue-tooth connection between the IoT device and the mobile app. Our results highlight the serious vulnerabilities present in the current off-the-shelf FemTech devices. These vulnera-bilities include unencrypted Bluetooth traffic, insecure Blue-tooth authentication and undocumented Bluetooth services. We implement Bluetooth attacks to intercept and manipulate the communication between these devices and apps resulting in the malfunctioning of their corresponding Android app. We discuss our results and provide a set of recommendations for different stakeholders to improve the security and privacy practices of Bluetooth-enabled IoT devices in such a sensitive and intimate domain.

show abstract

“…For example, the repurposing of a hardware register on Nordic Semiconductor's nRF24L01 chip by Travis Goodspeed to allow passive eavesdropping on proprietary protocols in the 2.4 GHz band [20] was a decisive step, allowing the development of a dedicated analysis firmware [27] and the discovery of multiple vulnerabilities targeting various wireless keyboards and mice [26]. Many works have extended this hack to nRF51 and nRF52 chips, allowing the development of offensive tools on various platforms [7], [8], [13] and the discovery of critical low-level attacks targeting the BLE protocol [9], [11]. Another example is modification of ATMEL's RZUSBStick firmware by Joshua Wright to provide injection capabilities as part of his work on the security of the ZigBee [40] protocol.…”

Section: Related Workmentioning

confidence: 99%

ESPwn32: Hacking with ESP32 System-on-Chips

Cayre,

Cauquil,

Francillon

2023

2023 IEEE Security and Privacy Workshops (SPW)

Self Cite

View full text Add to dashboard Cite

In this paper, we analyze the ESP32 from a wireless security perspective. We reverse engineer the hardware and software components dedicated to Bluetooth Low Energy (BLE) on the ESP32 and ANT protocol on Nordic Semiconductors' nRF chips. Exploiting this, we then implement multiple attacks on the repurposed ESP32 targeting various wireless protocols, including ones not natively supported by the chip. We make link-layer attacks on BLE (fuzzing, jamming) and cross-protocol injections, with only software modifications. We also attack proprietary protocols on commercial devices like keyboards and ANT-based sports monitoring devices. Finally, we show the ESP32 can be repurposed to interact with Zigbee or Thread devices. In summary, we show that accessing low-level, non-documented features of the ESP32 can allow, possibly compromised, devices to mount attacks across many IoT devices.

show abstract

InjectaBLE: Injecting malicious traffic into established Bluetooth Low Energy connections

Cited by 7 publications

References 10 publications

A Lightweight Intrusion Detection System against IoT Memory Corruption Attacks

A Lightweight Intrusion Detection System against IoT Memory Corruption Attacks

Bluetooth Vulnerabilities in General and Intimate Health IoT Devices and Apps: the Case of Female-oriented Technologies

ESPwn32: Hacking with ESP32 System-on-Chips

Contact Info

Product

Resources

About