Talk: Intelligent Bluetooth fuzzing – Why bother?
Bluetooth devices and software implementations have been a fruitful playground for security researchers for years. You probably remember the PoC code from the trinifite.group and other bugs dragged out into the open. Riding public transport often led to Bluetooth scanning with tools such as Blooover. But that’s all past and gone. Software has evolved. Developers have learned. Modern quality assurance won’t let this happen again. Sadly this is fiction. Tommi Mäkilä has some stories to share about the state of Bluetooth:
„Bluetooth robustness is wretched, no surprise there. Bluetooth test results from plugfests show 80% failure rate, eight out of ten tests end with a crash. It is not pretty, it is sad and frustrating. For a moment, few years back, there seemed to be light at the end of the tunnel: the failures were moving up the Bluetooth stack, and for example L2CAP robustness showed some improvement. Only for a moment though, as recent tests again show a steady decline in results.“
Given the fact that Bluetooth is quite ubiquitous the results should be interpreted as a clear warning. Tommi will present the results of fuzzing tests with Bluetooth equipment:
„We will share our test results from plugfests and car kit tests, including a few demos of actual test cases. That will basically demonstrate how easily everything crashes: we were unable to complete a single test run successfully. Sooner or later, usually sooner, every equipment failed.“
It may be a good idea to keep your MAC addresses secret and turn Bluetooth off now. So indeed, why bother? Well, we need to bother because Bluetooth gadgets are in use. Every laptop, every cell phone, a lot of headsets and millions of other devices use this technology (including cars and other „IT-untypical“ objects). Buying a Bluetooth-enabled device just to turn it off doesn’t make sense. Hiding your MAC address might work, but it doesn’t solve the problem that you are vulnerable to attacks. It just hides your weakness until the attacker can guess or brute-force the correct address. This is no solution you can base security on.
If you are dealing with devices using Bluetooth, if you develop code for these devices, if you use them or if you have to implement security measure, you should listen to this talk.