BrokenMesh: New Attack Surfaces of Bluetooth Mesh

Conference: Black Hat USA 2022

Bluetooth Mesh Protocol Vulnerabilities and Fuzzing Techniques
  • Bluetooth Mesh implementations have vulnerabilities in the Network Build Stage, the Network Control Stage, and the protocol wrapper application
  • Fuzzing is an effective technique for detecting vulnerabilities in Bluetooth Mesh protocol implementations
  • Test case generation randomizes the segmentation fields (SegN and SegO)
  • 17 issues have been found and several CVEs have been obtained
  • A vulnerability in the Network Build Stage allows mismatched SegN and TotalLength values
The vulnerability in the Network Build Stage allows an attacker to send a Transaction Start message to the victim with a TotalLength of 65 but a SegN of 30. The victim allocates a 65-byte buffer to hold all the segmented packets but assumes that there are 31 packets to receive, so the attacker is able to send a message from the segmented packet whose segment index is free.
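As an added example (not code from the talk or from any vendor's stack), here is a defensive parser for the PB-ADV Transaction Start header that accepts the PDU only when SegN is consistent with TotalLength, which is the check the mismatch above relies on being absent. The field layout follows the Generic Provisioning PDU format; the 65-byte ceiling is the size of the largest provisioning PDU (1-byte type plus a 64-byte public key) and the sample PDUs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* PB-ADV Generic Provisioning PDU (Bluetooth Mesh Profile):
 * Transaction Start:        [SegN:6 | GPCF:2][TotalLength:16, big-endian][FCS:8][data, up to 20]
 * Transaction Continuation: [SegmentIndex:6 | GPCF:2][data, up to 23]                            */
#define GPCF_TRANSACTION_START 0x00u
#define START_DATA_MAX 20u
#define CONT_DATA_MAX  23u
#define PROV_PDU_MAX   65u  /* largest provisioning PDU: 1-byte type + 64-byte public key */

struct tx_start { uint8_t seg_n; uint16_t total_len; uint8_t fcs; };

/* Last segment index needed for total_len bytes: 20 in the start PDU, 23 per continuation. */
static uint8_t expected_seg_n(uint16_t total_len)
{
    if (total_len <= START_DATA_MAX)
        return 0;
    return (uint8_t)((total_len - START_DATA_MAX + CONT_DATA_MAX - 1) / CONT_DATA_MAX);
}

/* Parse a Transaction Start PDU and accept it only if SegN agrees with TotalLength,
 * so no later continuation can be written outside a buffer sized from TotalLength. */
bool parse_tx_start(const uint8_t *pdu, size_t len, struct tx_start *out)
{
    if (len < 4 || (pdu[0] & 0x03u) != GPCF_TRANSACTION_START)
        return false;
    out->seg_n     = pdu[0] >> 2;
    out->total_len = (uint16_t)(((uint16_t)pdu[1] << 8) | pdu[2]);
    out->fcs       = pdu[3];
    if (out->total_len == 0 || out->total_len > PROV_PDU_MAX)
        return false;
    if (len - 4 > START_DATA_MAX || len - 4 > out->total_len)
        return false;
    /* The mismatch from the talk: SegN announces more segments than TotalLength can hold. */
    return out->seg_n == expected_seg_n(out->total_len);
}

/* Convenience wrapper: the accepted SegN, or -1 if the header is rejected. */
int tx_start_seg_n(const uint8_t *pdu, size_t len)
{
    struct tx_start s;
    return parse_tx_start(pdu, len, &s) ? (int)s.seg_n : -1;
}

/* Constructed sample PDUs, 20 zero data bytes each (FCS is not verified here):
 * benign:    TotalLength 65 -> SegN must be 2 (20 + 23 + 22 bytes)
 * malicious: TotalLength 65 but SegN 30, i.e. 31 segments announced for a 65-byte buffer */
const uint8_t PDU_BENIGN[24]    = { 2u << 2,  0x00, 0x41, 0x00 };
const uint8_t PDU_MALICIOUS[24] = { 30u << 2, 0x00, 0x41, 0x00 };
```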


Bluetooth Mesh is a mesh networking standard based on Bluetooth Low Energy. It was made public by the Bluetooth Special Interest Group (Bluetooth SIG) in 2017. Bluetooth Mesh enables many-to-many device communication and is optimized for creating large-scale device networks. It is ideally suited for smart home, industrial deployments and other scenarios. At present, the Bluetooth Mesh specifications are widely supported by major chip manufacturers, but in general the security of their implementations has not received enough attention.

In this topic, we dived into the Bluetooth Mesh protocol and divided the mesh process into two key stages: network build and network control. We focused on the security of the implementation in these two stages. Based on the protocol analysis, an automatic fuzzing tool, "BLE Mesh Fuzzer", is proposed. It covers both the network build and network control stages. We evaluated our tool on 8 well-known vendors and open source projects. BLE Mesh Fuzzer has found 17 memory corruption vulnerabilities and obtained 9 CVEs. Some of the vulnerabilities can cause remote code execution without user interaction. They can even destroy the whole mesh network and affect tens of millions of IoT devices. We also studied the security of the protocol wrapper application. We found 10 vulnerabilities in a well-known vendor and obtained 10 CVEs. These vulnerabilities can lead to serious consequences such as privilege escalation.

In this talk, we will first introduce the background of Bluetooth Mesh. Then we analyze the network build and network control protocols and illustrate the attack surfaces in their implementation and wrapper application. Next, we share the design of BLE Mesh Fuzzer. Finally, we explain the causes of the vulnerabilities through several real cases and put forward our security recommendations.