| Message ID | 20231001074524.GA14361@linux-691t (mailing list archive) |
|---|---|
| Headers | show |
| Series | Bluetooth: ignore NULL link key and reject connection | expand |
Hi experts, On Sun, Oct 01, 2023 at 03:45:24PM +0800, Lee, Chun-Yi wrote: > with the device which has same BD_ADDR > > This patch set is used to relieve CVE-2020-26555. The description of the > CVE: > > Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification > 1.0B through 5.2 may permit an unauthenticated nearby device to spoof > the BD_ADDR of the peer device to complete pairing without knowledge > of the PIN. [1] > > The detail of this attack is in IEEE paper: > BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols > [2] > > It's a reflection attack. The paper mentioned that attacker can induce > the attacked target to generate null link key (zero key) without PIN > code. In BR/EDR, the key generation is actually handled in the controller > which is below HCI. > > Thus, we can ignore null link key in the handler of "Link Key Notification > event" to relieve the attack. And, a condition of this attack is that > attacker should change the BR_ADDR of his hacking device (Host B) to equal > to the BR_ADDR with the target device being attacked (Host A). So we reject > the connection with device which has same BD_ADDR both on HCI_Create_Connection > and HCI_Connection_Request to prevent the attack. > > Similar implementations also show in btstack project. [3][4][5] > > Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1] > Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2] > Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3] > Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4] > Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5] > > Lee, Chun-Yi (2): > Bluetooth: hci_event: Ignore NULL link key > Bluetooth: Reject connection with the device which has same BD_ADDR > > net/bluetooth/hci_conn.c | 7 +++++++ > net/bluetooth/hci_event.c | 16 ++++++++++++++++ > 2 files changed, 23 insertions(+) > > -- > 2.35.3 > > >From 2c6cd3f353d21086a3163a9ad461789d203a7ee4 Mon Sep 17 00:00:00 2001 > From: "Lee, Chun-Yi" <jlee@suse.com> > Date: Sat, 30 Sep 2023 16:56:56 +0800 > Subject: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection > with the device which has same BD_ADDR > Please ignore this patch set because I used wrong mutt command to send out patch. It causes that the mail has duplicate contents. I will send out a new series. Sorry for any inconvenience caused! Joey Lee > This patch set is used to relieve CVE-2020-26555. The description of the > CVE: > > Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification > 1.0B through 5.2 may permit an unauthenticated nearby device to spoof > the BD_ADDR of the peer device to complete pairing without knowledge > of the PIN. [1] > > The detail of this attack is in IEEE paper: > BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols > [2] > > It's a reflection attack. The paper mentioned that attacker can induce > the attacked target to generate null link key (zero key) without PIN > code. In BR/EDR, the key generation is actually handled in the controller > which is below HCI. > > Thus, we can ignore null link key in the handler of "Link Key Notification > event" to relieve the attack. And, a condition of this attack is that > attacker should change the BR_ADDR of his hacking device (Host B) to equal > to the BR_ADDR with the target device being attacked (Host A). So we reject > the connection with device which has same BD_ADDR both on HCI_Create_Connection > and HCI_Connection_Request to prevent the attack. > > Similar implementations also show in btstack project. [3][4][5] > > Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1] > Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2] > Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3] > Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4] > Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5] > > Lee, Chun-Yi (2): > Bluetooth: hci_event: Ignore NULL link key > Bluetooth: Reject connection with the device which has same BD_ADDR > > net/bluetooth/hci_conn.c | 7 +++++++ > net/bluetooth/hci_event.c | 16 ++++++++++++++++ > 2 files changed, 23 insertions(+) > > -- > 2.35.3