Re: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection

Hi experts,

On Sun, Oct 01, 2023 at 03:45:24PM +0800, Lee, Chun-Yi wrote:
> with the device which has same BD_ADDR
>  
> This patch set is used to relieve CVE-2020-26555. The description of the
> CVE:
> 
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
> 
> The detail of this attack is in the IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
> 
> It's a reflection attack. The paper mentioned that an attacker can induce
> the attacked target to generate a null link key (zero key) without a PIN
> code. In BR/EDR, the key generation is actually handled in the controller,
> which is below HCI.
> 
> Thus, we can ignore the null link key in the handler of the "Link Key
> Notification event" to relieve the attack. And, a condition of this attack
> is that the attacker should change the BD_ADDR of his hacking device (Host B)
> to equal the BD_ADDR of the target device being attacked (Host A). So we
> reject the connection with a device which has the same BD_ADDR both on
> HCI_Create_Connection and HCI_Connection_Request to prevent the attack.
> 
> Similar implementations also appear in the btstack project. [3][4][5]
> 
> Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]
> 
> Lee, Chun-Yi (2):
>   Bluetooth: hci_event: Ignore NULL link key
>   Bluetooth: Reject connection with the device which has same BD_ADDR
> 
>  net/bluetooth/hci_conn.c  |  7 +++++++
>  net/bluetooth/hci_event.c | 16 ++++++++++++++++
>  2 files changed, 23 insertions(+)
> 
> -- 
> 2.35.3
> 
> From 2c6cd3f353d21086a3163a9ad461789d203a7ee4 Mon Sep 17 00:00:00 2001
> From: "Lee, Chun-Yi" <jlee@xxxxxxxx>
> Date: Sat, 30 Sep 2023 16:56:56 +0800
> Subject: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection 
> with the device which has same BD_ADDR
>  

Please ignore this patch set because I used the wrong mutt command to send
out the patch. It caused the mail to have duplicate contents. I will send
out a new series.

Sorry for any inconvenience caused!

Joey Lee

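The two mitigations the cover letter describes (drop an all-zero link key in the Link Key Notification handler, and refuse a connection whose peer BD_ADDR equals our own), as an added example in C that is not part of this patch set or of the kernel's hci_event.c; the function shapes, the bdaddr_t type and the sample key and address bytes are assumptions constructed for the demonstration:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define HCI_LINK_KEY_SIZE 16
#define BDADDR_SIZE 6

typedef struct { uint8_t b[BDADDR_SIZE]; } bdaddr_t;

/* A null link key is sixteen zero bytes; the reflection attack can make
 * the controller report one although no PIN was ever entered. */
bool link_key_is_null(const uint8_t key[HCI_LINK_KEY_SIZE])
{
    static const uint8_t zero[HCI_LINK_KEY_SIZE] = {0};
    return memcmp(key, zero, HCI_LINK_KEY_SIZE) == 0;
}

/* Hardened Link Key Notification handler (assumed shape, not the kernel's):
 * 1 = key accepted for storage, 0 = event ignored. */
int handle_link_key_notify(const uint8_t key[HCI_LINK_KEY_SIZE])
{
    if (link_key_is_null(key))
        return 0;
    return 1; /* a real stack would store the key for the peer here */
}

/* Checked on both HCI_Create_Connection and HCI_Connection_Request:
 * 1 = proceed, 0 = reject because the peer claims our own BD_ADDR. */
int connection_allowed(const bdaddr_t *local, const bdaddr_t *peer)
{
    return memcmp(local->b, peer->b, BDADDR_SIZE) == 0 ? 0 : 1;
}

/* Constructed sample inputs for the three cases. */
int demo_null_key(void)
{
    uint8_t key[HCI_LINK_KEY_SIZE] = {0};
    return handle_link_key_notify(key);       /* 0: ignored */
}
int demo_real_key(void)
{
    uint8_t key[HCI_LINK_KEY_SIZE] = {0xA7, [15] = 0x3C};
    return handle_link_key_notify(key);       /* 1: accepted */
}
int demo_same_bdaddr(void)
{
    bdaddr_t local = {{1, 2, 3, 4, 5, 6}}, peer = {{1, 2, 3, 4, 5, 6}};
    return connection_allowed(&local, &peer); /* 0: rejected */
}
```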


