RE: Is there possibility of theoretical attack where attacker tries to spoofs randomized MAC sniffed from air and central responds as if it was original device?

viktor.kz — Thu, 02 Nov 2023 01:13:36 GMT

JFC it deleted both my comments. But in short I figured it out I think and found out that if we have both LESC and internal AES-GCM tunnel, then this attack won't work. There is also stuff with attacker doing right SN/NESN, making right channel hop and broadcasting to the right channel (I have SDR - HackRF+PortaPack H2 and ADALM PLUTO, so I can just record and replay to test it). With "just works pairing" it would be different.

I also very much use Nordic BLE Sniffer, amazing tool, thanks for that.

The attack depends on phase - legit central and peripheral are connected, legit central and peripheral are transmitting, BLE MAC has rolled out after 15 minutes and legit peripheral is no longer connected.

Attacker wants to insert his packets into radio stream, and/or use social engineering to bond his device with faked MAC to central (but user/victim would have to make forget bonds, so it won't work as easily). But as I said wih LESC and internal AES-GCM tunnel this attack won't work.

Also I have 100% reliable stack smashing attack on iOS via BLE (tested on 16.x and even latest 17.1), it bricks iPhones so you have to reboot (iPad iOS 16.6 tested was broken a bit, BLE stopped working, but no lockup). It's already reported to Apple, but there is someone with Corellium or dev jailbroken iPhone (you can get it from Apple for $$$ and lot of paperwork) trying to make exploit chain, I bet. The stack smashing attack need less than 30 seconds to work. It works via different messages on Android with custom pictures shown, and also Windows. Seen iOS and Android, didn't test Windows, but I'd bet it'd work.

It's public already so no need for secrecy, but work 100% reliably as I said, tested on several devices - www.mobile-hacker.com/.../

But I found this - is IRK transmitted in clear text during bonding phase or is it encrypted with LTK or some other key? Because if it's transmitted in plaintext, then attacker can forever know IRK follow and resolve the MAC address, is this correct, or am I wrong? According to BLE specification?

RE: Is there possibility of theoretical attack where attacker tries to spoofs randomized MAC sniffed from air and central responds as if it was original device?

Kenneth — Wed, 01 Nov 2023 12:39:23 GMT

Hello,

This topic is too complex and difficult to cover in any reasonable way in a devzone ticket, what I would like to say is that BT SIG takes security very importantly, and when and if there are weaknesses found by third party then BT SIG (or the manufacturer) follow up immediatly to ensure those weaknesses are handled in any future specifications work. Typically manufacturers of such devices can then implement the solution (e.g. update to a new release of the sdk) and perfom an DFU of their product to ensure it's closed. But to answer your question is specific:

[quote user=""]Is this MAC spoofing going to work? What if the attacker uses the replay of saved packet after 15 minutes, when central already has different MAC, is central going to resolve it or deny it?[/quote]

No, the packet will be disregarded. There are random numbers exchanged when an encrypted link is established and counters during connection to ensure that any replayed/injected packet will be fail message integrity check and thereby disregarded (as with any other packet that is failed to be received).

As a developer I recommend to check release notes of new sdk to check if there are security updates that may be relevant for your product in specific.

Best regards,
Kenneth