Baptiste Boyer at Hardwear Netherlands 2024

Bluetooth Low Energy GATT Fuzzing: from specification to implementation

Bluetooth Low Energy (BLE) is a widely adopted wireless communication technology used by billions of devices in various applications. These applications range from the IoT domain to more sensitive devices such as medical ones.

BLE has been the subject of a lot of research so far, but only a few of these works have targeted specification corner cases that require high-level manipulation of the GATT layer. This talk proposes to explore this dense and sometimes unclear specification, and to show how we have designed attack scenarios on the ATT and GATT layers. We propose a fuzzing approach to reach our goals, since it provides an easy and efficient way to identify potential vulnerabilities and weaknesses across the various BLE stack implementations.

The adopted methodology will be presented first, outlining the steps followed during this work. Then, a comprehensive description of the ATT and GATT layers will be given. After that, our attack scenarios will be detailed, covering their elaboration from the specification and their implementation. Our test bench setup will then be introduced, including the tools and services used, along with an overview of the various BLE stacks fuzzed. The final section will identify the various non-conformities, bugs, and vulnerabilities found in relation to the specification across the different stacks, which were reported to the appropriate entities.

Speaker Bio:

Baptiste Boyer is a junior R&D engineer at Quarkslab with an interest in IoT and embedded security.