Old Wine for New Bottle - Legacy Bug Exploitation (Bluetooth)
INTRODUCTION
In my previous job, I was involved in developing testing scripts for a framework. Essentially, the framework is a set of automated vehicle tests that verify whether mitigations are implemented to address UNR155 threats. Although similar frameworks exist, most of them are mainly focus on testing car protocols such as CAN. I personally believe that wireless interfaces, such as Bluetooth, Wi-Fi, and cellular, are also crucial attack surfaces. That's where I come in, as a vulnerability researcher, I have always been passionate about wireless and embedded systems security. In the past, I've discovered various bugs, one of the highlights being Rolling-PWN, which affects all models of the Honda key fob system globally. Additionally, my friend rapiddns and I found a backdoor-like account in the firmware of an EV charging station from Schneider, which led to a full compromise of the EV charging network. We received acknowledgement from Schneider and later presented a talk at DEFCON "Remotely Rooting Charging Station for fun and maybe profit"
Although there are multiple attack vectors to consider when pen-testing vehicle-related targets, those bugs I've mentioned have one thing in common: they all relate to the upstream supply chain, whether the application involves a keyfob opening a car door, a charging station, or a T-box connecting a vehicle to a cloud server. They all require firmware and an OS, like QNX, Linux, or Android. If they have Bluetooth functionality, they likely use the BlueZ or Bluedroid stack. The same chipset may be used across all keyfobs to control the vehicles. Due to the nature of the vehicle ecosystem and the complexity of upstream suppliers, a protocol or chipset-level bug can have significant implications for every product relying on the same solution. In this article, I will share the research and script development process for some legacy Bluetooth vulnerabilities, discuss their impact on modern vehicles.
LEGACY BUG – BRAKTOOTH
In year 2021, a team of researchers at SUTD (Asset-Group) discovered and disclosed the family of vulnerabilities in the classic Bluetooth link manager layer. They've released a paper named "Braktooth: Causing Havoc on Bluetooth link manager". The paper is very detailed, highly recommend. The Braktooth is a codename for 16 classic Bluetooth vulnerabilities. It will cause affect BT devices continuously crash or deadlock. These bugs are present in various BT Chipsets across many manufacturers such as Intel, Mediatek, Qualcomm, TI, Infineon, etc. The whole testing setup is quite simple, we only need a ESP-WROVER-KIT flashed with Braktooth firmware and testing POC released on Github.
In the paper they mentioned that Braktooth not only affects laptops and smartphones, but also infotainment units in automobiles. This is great, it sounds like a perfect test case for framework. They released 16 POCs from the Braktooth vulnerabilities, but we found one of the vulnerabilities called Invalid-Timing-Accuracy almost always work across different chipsets. The vulnerable chipsets do not properly handle the reception of a malformed LMP timing accuracy response followed by multiple re-connections to the target link slave.
During the experiment, we found that more than 20 vehicles are vulnerable to Braktooth, regardless of model or brand. The full testing report can be found in the reference. Here are some highlights from the test results. The first one is NIO ET5, which is a brand quite popular in China. After running the Invalid-Timing-Accuracy script, the NIO-ET5 disconnects the Bluetooth connection immediately, causing a poor user experience.
The second example is the Changan Uni-T from China. The Bluetooth connection was disconnected after the attack.
Ironically, this vehicle is so vulnerable that it failed almost every Braktooth test case, making it one of the worst brands in the report. As the picture shows, the Uni-T’s IVI is vulnerable to the KNOB attack, which is another critical Bluetooth vulnerability.
Finally we tested a brand called ARCFOX aS. As shown in the video, the music started behaving oddly and jittering after we launched the attack.
What makes this case interesting is that this vehicle uses Huawei HarmonyOS as its IVI system. The results prove that when it comes to low-level Bluetooth attacks, the high-level OS indeed makes no difference. In conclusion, even though the end behavior varies across different brands, the Braktooth attack is very effective. Therefore, it must be included in framework for regulatory testing.
LEGACY BUG – BLUEBORNE
BlueBorne was discovered and publicly disclosed by security researchers from Armis in September 2017. The vulnerability posed a significant security risk to a wide range of Bluetooth-enabled devices and impacted various operating systems such as Android, iOS, Windows, and Linux. Since many IVI systems of modern vehicles are based on Android or Linux and provide Bluetooth functionality, BlueBorne became a nice candidate for inclusion in framework. Although BlueBorne was discovered about 7 years ago, many vehicles on the road are 10 years old or even older, and thus potentiality still vulnerable. During the script development process, I found at least one IVI system vulnerable to multiple legacy bugs or design flaws, including BlueBorne. We use the framework to check for Blueborne memory leak as demonstrated in the video below.
Of course, attackers would aim to take full control of the target. Armis has already published an exploit to achieve remote code execution for Android 7.1.2 on Pixel and Nexus 5X phones via Bluetooth. However, to exploit other targets, some modifications to the code, including adjusting the offsets of libc and Bluetooth libraries, are necessary. For testing purposes, a Nexus 7 tablet running Android 6.0.1 was used. The modification involves both static and dynamic debugging. For example, we will first need to extract two system libraries (libc.so and bluetooth.default.so) from the target system, in order to use Radare to locate the correct value of system offsets later.
The entire process may take some time, but fortunately, there are plenty of tutorials online already, which make debugging job easier. Once we have gathered all the information we need, the exploitation is straightforward. Here is a video demonstrating how to steal a photo in Pwn2Own style once we achieve a shell.
LEGACY BUG - BLEEDINGTOOTH
Last but not least, BleedingTooth is a Bluetooth stack vulnerability. Successful exploitation in Linux kernel versions between 4.8 and 5.9 can lead to DoS or arbitrary code execution, allowing an attacker to take full control. Since many charging station solutions are based on Linux, but attention is usually paid to hardening network attack vectors, the wireless vectors such as Bluetooth are mostly under-examined. This makes BleedingTooth a great candidate for inclusion in framework.
Google security researcher Andy Nguyen, who discovered the vulnerability, released the testing POC and a full exploit. Additionally, he wrote a very detailed blog, which makes the reproduction process much simpler. As the picture shows, we successfully disabled the BlueZ service on the target device using the Framework.
However, a bit of patience is needed when testing the exploit. After a couple of reboots of the target in our lab, we finally got a shell. Since the shell has root privileges, we can have full control of the target. Imagine what could go wrong if this were a charging station.
CONCLUSION
"Old wine in a new bottle" in the context of legacy bug exploitation refers to the phenomenon where old, known vulnerabilities (the "old wine") are rediscovered and exploited in new systems or, in our case, vehicles (the "new bottle"). The entire vehicle ecosystem and upstream suppliers network are so complex that even exploiting years-old legacy bugs can still have significant implications, such as system failures, or other critical issues. The complexity of the system makes it challenging to address all potential threats, allowing old bugs to continue to pose risks.
REFERENCE
https://rollingpwn.github.io/rolling-pwn/
https://www.armis.com/research/blueborne/
https://rollingpwn.github.io/Braktooth-IVI-Report/
https://asset-group.github.io/disclosures/braktooth/
https://google.github.io/security-research/pocs/linux/bleedingtooth/