Re: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection

From: joeyli
Date: Sun Oct 01 2023 - 04:06:13 EST


Hi experts,

On Sun, Oct 01, 2023 at 03:45:24PM +0800, Lee, Chun-Yi wrote:
> with the device which has same BD_ADDR
>
> This patch set is used to relieve CVE-2020-26555. The description of the
> CVE:
>
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
>
> The detail of this attack is in IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
>
> It's a reflection attack. The paper mentioned that an attacker can induce
> the attacked target to generate a null link key (zero key) without a PIN
> code. In BR/EDR, the key generation is actually handled in the controller,
> which is below HCI.
>
> Thus, we can ignore the null link key in the handler of the "Link Key Notification
> event" to relieve the attack. And, a condition of this attack is that the
> attacker should change the BD_ADDR of his hacking device (Host B) to equal
> the BD_ADDR of the target device being attacked (Host A). So we reject
> the connection with a device which has the same BD_ADDR, both on HCI_Create_Connection
> and HCI_Connection_Request, to prevent the attack.
>
> Similar implementations also appear in the btstack project. [3][4][5]
>
> Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]
>
> Lee, Chun-Yi (2):
> Bluetooth: hci_event: Ignore NULL link key
> Bluetooth: Reject connection with the device which has same BD_ADDR
>
> net/bluetooth/hci_conn.c | 7 +++++++
> net/bluetooth/hci_event.c | 16 ++++++++++++++++
> 2 files changed, 23 insertions(+)
>
> --
> 2.35.3
>
> From 2c6cd3f353d21086a3163a9ad461789d203a7ee4 Mon Sep 17 00:00:00 2001
> From: "Lee, Chun-Yi" <jlee@xxxxxxxx>
> Date: Sat, 30 Sep 2023 16:56:56 +0800
> Subject: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection
> with the device which has same BD_ADDR
>

Please ignore this patch set because I used the wrong mutt command to send out
the patch. It caused the mail to have duplicate contents. I will send out a
new series.

Sorry for any inconvenience caused!

Joey Lee

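For readers who want to see the shape of the two host-side checks the cover letter describes, here is a stand-alone C sketch added to this page; it is not the kernel's code and not the patches in this series. It parses the parameter bytes of an HCI Link Key Notification event (BD_ADDR, 16-byte link key, key type) and drops an all-zero key instead of storing it, and it rejects an HCI Connection Request, or a local attempt to create a connection, whose peer BD_ADDR equals the local controller's own BD_ADDR. The struct layouts, helper names (handle_link_key_notify, handle_conn_request, allow_create_connection), the toy one-slot key store, and the sample addresses and key bytes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal, hypothetical HCI definitions for this example (not the kernel's). */
#define HCI_LINK_KEY_SIZE 16

typedef struct { uint8_t b[6]; } bdaddr_t;

/* Parameter layout of the Link Key Notification event: BD_ADDR, Link_Key, Key_Type. */
struct hci_ev_link_key_notify {
    bdaddr_t bdaddr;
    uint8_t  link_key[HCI_LINK_KEY_SIZE];
    uint8_t  key_type;
} __attribute__((packed));

/* Parameter layout of the Connection Request event: BD_ADDR, Class_of_Device, Link_Type. */
struct hci_ev_conn_request {
    bdaddr_t bdaddr;
    uint8_t  dev_class[3];
    uint8_t  link_type;
} __attribute__((packed));

/* Toy host state: our own address plus a one-slot link key store. */
struct host {
    bdaddr_t own_addr;
    bool     have_key;
    bdaddr_t key_peer;
    uint8_t  key[HCI_LINK_KEY_SIZE];
};

/* Constructed sample addresses for the demo below. */
static const bdaddr_t OWN_ADDR  = { { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 } };
static const bdaddr_t PEER_ADDR = { { 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff } };

bool link_key_is_null(const uint8_t *key)
{
    static const uint8_t zero[HCI_LINK_KEY_SIZE] = { 0 };
    return memcmp(key, zero, HCI_LINK_KEY_SIZE) == 0;
}

bool bdaddr_equal(const bdaddr_t *a, const bdaddr_t *b)
{
    return memcmp(a->b, b->b, sizeof(a->b)) == 0;
}

/* Link Key Notification handler: returns true only if the key was stored. */
bool handle_link_key_notify(struct host *h, const uint8_t *params, size_t len)
{
    struct hci_ev_link_key_notify ev;
    if (len < sizeof(ev))
        return false;                       /* truncated event */
    memcpy(&ev, params, sizeof(ev));
    if (link_key_is_null(ev.link_key))
        return false;                       /* reflection case: never store a zero key */
    h->key_peer = ev.bdaddr;
    memcpy(h->key, ev.link_key, HCI_LINK_KEY_SIZE);
    h->have_key = true;
    return true;
}

/* Connection Request handler: returns true if the incoming request may be accepted. */
bool handle_conn_request(const struct host *h, const uint8_t *params, size_t len)
{
    struct hci_ev_conn_request ev;
    if (len < sizeof(ev))
        return false;
    memcpy(&ev, params, sizeof(ev));
    return !bdaddr_equal(&ev.bdaddr, &h->own_addr);   /* peer cloned our BD_ADDR */
}

/* Outgoing side: refuse to create a connection to our own BD_ADDR. */
bool allow_create_connection(const struct host *h, const bdaddr_t *peer)
{
    return !bdaddr_equal(peer, &h->own_addr);
}

/* Demo: an all-zero key from a legitimate-looking peer address is ignored. */
bool demo_null_key_is_ignored(void)
{
    struct host h = { .own_addr = OWN_ADDR };
    uint8_t params[sizeof(struct hci_ev_link_key_notify)] = { 0 };
    memcpy(params, PEER_ADDR.b, 6);         /* bytes 6..21 stay zero: the null key */
    params[22] = 0x00;                      /* key type: combination key */
    return !handle_link_key_notify(&h, params, sizeof(params)) && !h.have_key;
}

/* Demo: a constructed non-zero key is stored for the reporting peer. */
bool demo_real_key_is_stored(void)
{
    struct host h = { .own_addr = OWN_ADDR };
    uint8_t params[sizeof(struct hci_ev_link_key_notify)] = { 0 };
    memcpy(params, PEER_ADDR.b, 6);
    for (int i = 0; i < HCI_LINK_KEY_SIZE; i++)
        params[6 + i] = (uint8_t)(0xa0 + i); /* constructed sample key */
    params[22] = 0x00;
    return handle_link_key_notify(&h, params, sizeof(params)) && h.have_key &&
           bdaddr_equal(&h.key_peer, &PEER_ADDR) && memcmp(h.key, params + 6, HCI_LINK_KEY_SIZE) == 0;
}

/* Demo: a request carrying our own BD_ADDR is rejected on both directions. */
bool demo_spoofed_request_is_rejected(void)
{
    struct host h = { .own_addr = OWN_ADDR };
    uint8_t params[sizeof(struct hci_ev_conn_request)] = { 0 };
    memcpy(params, OWN_ADDR.b, 6);          /* attacker cloned Host A's address */
    params[9] = 0x01;                       /* link type: ACL */
    return !handle_conn_request(&h, params, sizeof(params)) && !allow_create_connection(&h, &OWN_ADDR);
}

/* Demo: a request from a distinct BD_ADDR is accepted. */
bool demo_legit_request_is_accepted(void)
{
    struct host h = { .own_addr = OWN_ADDR };
    uint8_t params[sizeof(struct hci_ev_conn_request)] = { 0 };
    memcpy(params, PEER_ADDR.b, 6);
    params[9] = 0x01;
    return handle_conn_request(&h, params, sizeof(params)) && allow_create_connection(&h, &PEER_ADDR);
}

int main(void)
{
    printf("null key ignored:          %s\n", demo_null_key_is_ignored() ? "yes" : "no");
    printf("real key stored:           %s\n", demo_real_key_is_stored() ? "yes" : "no");
    printf("spoofed request rejected:  %s\n", demo_spoofed_request_is_rejected() ? "yes" : "no");
    printf("legit request accepted:    %s\n", demo_legit_request_is_accepted() ? "yes" : "no");
    return 0;
}
```

The null-key check is a host-side backstop: the controller below HCI is what actually derives the key, so the host can only refuse to trust what the controller reports. The BD_ADDR comparison uses the local address only, which is why it blocks the same-address precondition of the attack without needing to know anything about the attacker.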