Matheus-Garbelini / sweyntooth_bluetooth_low_energy_attacks

Proof of Concept of Sweyntooth Bluetooth Low Energy (BLE) vulnerabilities.

Test scripts in general #7

Closed guillaumeschatz closed 2 years ago

guillaumeschatz commented 4 years ago

Hi Matheus,

Thanks for sharing the test scripts. I have however some comments related to your test suite.

I'm running your test suite and noticed several discrepancies between the script behavior and the description of the threat (https://asset-group.github.io/disclosures/sweyntooth/).

For instance, link_layer_length_overflow does not send a corrupted LL_VERSION_IND (LLCP), but it sends a corrupted ACL packet (SMP Pairing Request), which is more related to an L2CAP issue than to LL.

In addition, LLID Deadlock seems not to send corrupted LLID value in any of the transmitted packet.

And I also experienced some issues in reproducing Zero LTK installation, as the tester does not initiate the pairing procedure...

Best regards, Guillaume

Matheus-Garbelini commented 4 years ago

Hi @guillaumeschatz thanks for the feedback

About the link-layer overflow. While we have explained the attack by using the version indication, it was stated that increasing the Link Layer length field is the main requirement. Even if L2CAP is involved, we are changing the Link Layer length, which is processed before L2CAP is processed. Furthermore, L2CAP has its own length field, which we are not changing here.

Nevertheless, we will update the link_layer_length_overflow to alternate between sending a malformed version request and pairing request by this weekend and let you know.

We are aware of the LLID deadlock script issues and already fixed it by a recent commit: https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks/blob/master/llid_dealock.py

As for the Zero LTK installation, some peripherals do not support pairing at all. In this case, it's not possible to trigger the Zero LTK installation. To verify whether the peripheral you are testing indeed does not support pairing, you can try to use your smartphone to manually perform a pairing. On Android, you can do that by connecting to the peripheral via the Bluetooth system menu.
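The two header fields argued about above, the Link Layer length byte and the LLID bits, are easy to see in a hand-built data channel PDU. The following is an added example, not code from the Sweyntooth repository or from either commenter: it assembles a BLE 4.2-style LL data PDU carrying an SMP Pairing Request (the case Guillaume describes) and an LL_VERSION_IND (the case in the disclosure write-up), lets the caller set the LL length byte independently of the real payload so that the L2CAP length stays untouched, and pairs that with a strict receiver-side parser that rejects a reserved LLID or an LL length that disagrees with the bytes actually received before anything is handed to L2CAP. The SMP field values and the VersNr/CompId constants are placeholders chosen for the example; nothing here is transmitted.

```python
"""
Added example: BLE Link Layer data PDU construction and a strict receiver check.
Not part of the Sweyntooth scripts; field values below are illustrative.
"""
import struct

# LLID values of the 2-bit field in the first header byte of a data channel PDU.
LLID_RESERVED = 0b00      # reserved; a robust LL must drop PDUs using it
LLID_L2CAP_CONT = 0b01    # continuation fragment of an L2CAP message
LLID_L2CAP_START = 0b10   # start of (or complete) L2CAP message
LLID_CONTROL = 0b11       # LL control PDU (opcode in first payload byte)

CID_SMP = 0x0006          # Security Manager Protocol fixed L2CAP channel
SMP_PAIRING_REQUEST = 0x01
LL_VERSION_IND = 0x0C     # LL control opcode
MAX_LL_PAYLOAD = 251      # largest payload a 4.2+ LL may negotiate


def ll_header(llid, length, nesn=0, sn=0, md=0):
    """Two-byte LL data PDU header: LLID | NESN | SN | MD, then an 8-bit Length."""
    if not 0 <= llid <= 3 or not 0 <= length <= 0xFF:
        raise ValueError("header field out of range")
    return bytes([llid | (nesn << 2) | (sn << 3) | (md << 4), length])


def build_ll_data_pdu(llid, payload, ll_length=None):
    """ll_length defaults to the real payload size; pass a larger value to
    reproduce the 'LL length larger than what was sent' condition."""
    length = len(payload) if ll_length is None else ll_length
    return ll_header(llid, length) + payload


def l2cap_frame(cid, payload):
    """Basic L2CAP header (Length, CID) followed by the payload. This length
    field is left consistent on purpose; only the LL length is manipulated."""
    return struct.pack("<HH", len(payload), cid) + payload


def smp_pairing_request():
    # Code, IO capability (placeholder), OOB flag, AuthReq, max key size, key dist.
    return bytes([SMP_PAIRING_REQUEST, 0x03, 0x00, 0x01, 0x10, 0x07, 0x07])


def ll_version_ind(vers_nr=0x09, comp_id=0xFFFF, sub_vers_nr=0x0000):
    """LL_VERSION_IND control PDU: opcode, VersNr, CompId, SubVersNr (placeholders)."""
    return bytes([LL_VERSION_IND, vers_nr]) + struct.pack("<HH", comp_id, sub_vers_nr)


def overread_if_trusted(pdu):
    """Bytes a stack that copies 'Length' bytes straight from the header
    would read past the data it actually received (0 for a sane PDU)."""
    return max(0, pdu[1] - len(pdu[2:]))


def parse_ll_data_pdu(pdu, max_payload=MAX_LL_PAYLOAD):
    """Strict receiver: validates the LL header against the received bytes
    before the payload is passed up; the L2CAP header is checked only after."""
    if len(pdu) < 2:
        raise ValueError("truncated LL header")
    llid, length, payload = pdu[0] & 0x03, pdu[1], pdu[2:]
    if llid == LLID_RESERVED:
        raise ValueError("reserved LLID value")
    if length > max_payload:
        raise ValueError("LL length %d exceeds negotiated maximum %d" % (length, max_payload))
    if length != len(payload):
        raise ValueError("LL length %d but %d payload bytes received" % (length, len(payload)))
    if llid == LLID_CONTROL:
        if not payload:
            raise ValueError("empty control PDU")
        return {"llid": llid, "opcode": payload[0], "ctrl": payload[1:]}
    if llid == LLID_L2CAP_CONT:
        return {"llid": llid, "fragment": payload}
    if len(payload) < 4:
        raise ValueError("L2CAP header truncated")
    l2_len, cid = struct.unpack("<HH", payload[:4])
    if l2_len != len(payload) - 4:
        raise ValueError("L2CAP length %d disagrees with %d bytes" % (l2_len, len(payload) - 4))
    return {"llid": llid, "cid": cid, "l2cap": payload[4:]}


if __name__ == "__main__":
    acl = l2cap_frame(CID_SMP, smp_pairing_request())
    for name, pdu in [
        ("pairing request, sane", build_ll_data_pdu(LLID_L2CAP_START, acl)),
        ("pairing request, LL length 0xFF", build_ll_data_pdu(LLID_L2CAP_START, acl, 0xFF)),
        ("version ind, sane", build_ll_data_pdu(LLID_CONTROL, ll_version_ind())),
        ("version ind, reserved LLID", build_ll_data_pdu(LLID_RESERVED, ll_version_ind())),
    ]:
        try:
            print(name, "->", parse_ll_data_pdu(pdu), "overread:", overread_if_trusted(pdu))
        except ValueError as e:
            print(name, "-> rejected:", e)
```

The parser deliberately checks the LL length byte against the bytes that arrived before it looks at the L2CAP header, which is the ordering Matheus's reply relies on: a stack that instead copies `Length` bytes on trust will read past the received frame regardless of what the (unchanged) L2CAP length says.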