Skip to content
/ ble-gatt-fuzzing Public

Tool developed to fuzz the GATT layer of the Bluetooth Low Energy protocol based on defined attack scenarios.

License

Apache-2.0 license
17 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

quarkslab/ble-gatt-fuzzing

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
poc
poc
 
 
scenario
scenario
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
__main__.py
__main__.py
 
 
fuzzing.py
fuzzing.py
 
 
requirements.txt
requirements.txt
 
 
utils.py
utils.py
 
 

Repository files navigation

BLE GATT Fuzzing

Introduction

This repository contains the tool developed to fuzz Bluetooth Low Energy (BLE) GATT layer with over-the-air communication. It is based on attack scenarios which can be found on the related paper. The tool relies on the WHAD framework and adheres to BLE specification version 4.2.

Proof of Concepts for Denial of Service on Sony WH-1000XM4 and WF-1000XM4 are also provided.

A blog post explaining the work that has been done can be found at https://blog.quarkslab.com/bluetooth-low-energy-gatt-fuzzing.html.

Installation

To use this fuzzer, ensure that you are working within a Python virtual environment where you have installed the required libraries.

$ python3 -m virtualenv venv
$ . ./venv/bin/activate
$ pip3 install -r requirements.txt

By default, interacting with most WHAD-compatible devices require root permissions.
Please follow the instructions given by the documentation to be able to interact with your device as a normal user.

Usage

To run the tool, you have to provide at least:

  • the BLE address of the target,
  • if the address is random of not.

The --help option displays the following message:

Usage: __main__.py [OPTIONS] {client|server}

    Bluetooth Low Energy GATT Fuzzer based on multiple scenario.

Options:
    --bt_addr -bt         Bluetooth address of the device.
    --is_addr_random -r   Is the given Bluetooth address random.
    --post_url -u         Ntfy address to use.
    --interface -i        Interface to use.
    --gatt_handle -g      The last GATT handle of the device.
    --scenario -s         The scenario to play.
    --none-cnt -nc        The maximum number of unreceived responses before triggering an error.
    --prep_write_max -pwm The maximum number of prepare write request PDUs to send.
    --help -h             Show this help message and exit.

Note: The scenario number 8 was removed since it corresponds to the combination of scenarios 4, 5 and 9.

Example

The following command run the scenario number 1 on the device with the random BLE address a8:42:e3:ca:bf:fe using the hci1 interface.

$ python __main__.py -bt a8:42:e3:ca:bf:fe -r True -i hci1 -s 1 client

PoCs

There are two behaviors with these PoCs:

  • The crash of the device,
  • The crash of the GATT server and the need to restart the headset to have the GATT server on.

The headset will take some time to be able to be restarted.

To run the PoCs, you have to edit them with your own device's BLE address.

$ python wh_xm4_poc.py
$ python wf_xm4_poc.py

The probability of success is low and the PoCs may need to be run several times before the crashs occur.

About

Tool developed to fuzz the GATT layer of the Bluetooth Low Energy protocol based on defined attack scenarios.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

17 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages