
BrakRPi: Crashing Bluetooth Communications On Raspberry Pi With Braktooth

BSides London · 2025 · 16:08 · 254 views · Published 2025-02
About this talk
Ilias reproduces Braktooth, a family of Link Manager Protocol flaws in commercial Bluetooth controller firmware disclosed in 2021, on a Raspberry Pi 4, which uses a Cypress system-on-chip. The talk covers the attack mechanism (an LMP packet sent over ACL with the LT_ADDR field set to the reserved broadcast value 0), why firmware patching is constrained by the limited number of Patchram slots, and practical mitigations including external dongles and disabling the Bluetooth service.
Original YouTube description
In August 2021, a group of researchers from Singapore called ASSET disclosed a series of vulnerabilities in commercial Bluetooth stacks, ranging from DDoS to Arbitrary Code Execution, which was called Braktooth. It affected major vendors such as Intel, Cypress, Qualcomm and Espressif. While the researchers' main focus was to test laptops, smartphones and audio devices, one class of devices that went untested was Raspberry Pis. In this talk, I will describe how I was able to add a small contribution to this research by proving that the Raspberry Pi was also vulnerable to Braktooth due to its use of a Cypress System-on-Chip (SoC). This presentation is beginner-friendly and no prior knowledge is required. It will cover a brief explanation of the Braktooth series and a more detailed explanation of the documented process of crashing Bluetooth communications between a Raspberry Pi and a remote speaker, why fixing this won't be enough with a simple code patch, and suggestions to mitigate the risks.
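The talk describes the packet the proof of concept sends: an ACL packet whose LT_ADDR field is set to 0, the value reserved for broadcast, carrying an LMP_max_slot PDU that the target firmware then mishandles. The Python model below is added here as an example; it is not code from the talk, from the Braktooth proof of concept, or from any vendor's firmware. It shows the validation a hardened Link Manager receive path would apply before an LMP PDU reaches protocol logic: it parses the 18-bit packet header, the single-slot payload header and the LMP PDU, then rejects LMP on LT_ADDR 0, LENGTH fields that disagree with the bytes actually received, and max_slot values outside the legal set. Field widths and opcodes follow the Bluetooth Core specification (packet header: LT_ADDR 3 bits, TYPE 4, FLOW, ARQN, SEQN, HEC 8; single-slot payload header: L_CH 2 bits, FLOW, LENGTH 5 bits; LMP PDU: TID bit followed by a 7-bit opcode; LMP_max_slot = 45, LMP_max_slot_req = 46). The integer bit packing used by build_packet_header, the function names, and the decision to carry but not verify the HEC are this example's own assumptions.

```python
"""Model of a hardened LMP receive path (added example; not the talk's or any vendor's code)."""
from dataclasses import dataclass
from typing import Tuple

TYPE_DM1 = 0x3                 # packet TYPE code for DM1, the single-slot ACL packet carrying LMP
LT_ADDR_BROADCAST = 0          # LT_ADDR 0 is reserved for broadcast, never for a unicast ACL link
L_CH_LMP = 0b11                # payload-header L_CH value identifying an LMP message
DM1_MAX_PAYLOAD = 17           # DM1 carries at most 17 bytes of payload body
LMP_MAX_SLOT = 45
LMP_MAX_SLOT_REQ = 46
VALID_MAX_SLOT = {1, 3, 5}     # the only legal values of the max_slot parameter


class LmpReject(ValueError):
    """Raised when a packet must be dropped instead of reaching the Link Manager."""


@dataclass(frozen=True)
class PacketHeader:
    lt_addr: int
    type: int
    flow: int
    arqn: int
    seqn: int
    hec: int


def build_packet_header(lt_addr: int, type_code: int, flow: int = 1,
                        arqn: int = 0, seqn: int = 0, hec: int = 0) -> int:
    """Pack the 18-bit packet header into an int; LT_ADDR in the low 3 bits (assumed packing)."""
    return ((hec & 0xFF) << 10) | ((seqn & 1) << 9) | ((arqn & 1) << 8) | \
           ((flow & 1) << 7) | ((type_code & 0xF) << 3) | (lt_addr & 0x7)


def parse_packet_header(hdr: int) -> PacketHeader:
    return PacketHeader(lt_addr=hdr & 0x7, type=(hdr >> 3) & 0xF, flow=(hdr >> 7) & 1,
                        arqn=(hdr >> 8) & 1, seqn=(hdr >> 9) & 1, hec=(hdr >> 10) & 0xFF)


def build_lmp_max_slot(lt_addr: int, max_slot: int, tid: int = 0,
                       opcode: int = LMP_MAX_SLOT) -> Tuple[int, bytes]:
    """Build (packet header, payload) for an LMP_max_slot PDU. Deliberately unvalidated so it
    can also produce the malformed packet the talk describes (LT_ADDR 0, bad max_slot)."""
    pdu = bytes([(opcode << 1) | (tid & 1), max_slot & 0xFF])
    payload_header = (len(pdu) << 3) | (1 << 2) | L_CH_LMP   # LENGTH, FLOW=1, L_CH
    return build_packet_header(lt_addr, TYPE_DM1), bytes([payload_header]) + pdu


def receive_lmp(hdr: int, payload: bytes) -> dict:
    """Validate an incoming ACL packet and decode its LMP PDU, or raise LmpReject."""
    ph = parse_packet_header(hdr)
    if ph.type != TYPE_DM1:
        raise LmpReject(f"LMP only travels in DM1 packets, got TYPE {ph.type}")
    # The check the talk says the vulnerable firmware lacked: a broadcast LT_ADDR on ACL.
    if ph.lt_addr == LT_ADDR_BROADCAST:
        raise LmpReject("LMP PDU on broadcast LT_ADDR 0 is forbidden by the spec; dropping")
    if not payload:
        raise LmpReject("missing payload header")
    payload_header, body = payload[0], payload[1:]
    l_ch, length = payload_header & 0b11, payload_header >> 3
    if l_ch != L_CH_LMP:
        raise LmpReject(f"payload is not an LMP message (L_CH={l_ch})")
    # Never trust LENGTH: it must match what arrived and fit in a DM1 body.
    if length == 0 or length != len(body) or length > DM1_MAX_PAYLOAD:
        raise LmpReject(f"LENGTH {length} inconsistent with {len(body)} received bytes")
    tid, opcode, params = body[0] & 1, body[0] >> 1, body[1:]
    if opcode in (LMP_MAX_SLOT, LMP_MAX_SLOT_REQ):
        if len(params) != 1 or params[0] not in VALID_MAX_SLOT:
            raise LmpReject(f"invalid max_slot parameter {params!r}")
        return {"opcode": opcode, "tid": tid, "lt_addr": ph.lt_addr, "max_slot": params[0]}
    raise LmpReject(f"opcode {opcode} not handled by this model")


def is_rejected(hdr: int, payload: bytes) -> bool:
    """True if the hardened path drops the packet."""
    try:
        receive_lmp(hdr, payload)
    except LmpReject:
        return True
    return False


if __name__ == "__main__":
    print(receive_lmp(*build_lmp_max_slot(lt_addr=1, max_slot=5)))
    for name, pkt in (("LT_ADDR 0 (broadcast)", build_lmp_max_slot(0, 5)),
                      ("max_slot=2", build_lmp_max_slot(1, 2))):
        print(name, "->", "rejected" if is_rejected(*pkt) else "accepted")
```

The three rejections mirror the three ways such a PDU can go wrong: the logical-transport check (the one the talk attributes the crash to), a length field that no longer describes the buffer, and a parameter outside its enumerated range. A firmware path that only checks the last of these still processes the broadcast packet.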
Transcript [en]

Thank you. Hi everyone, my name is Ilias. I work as an embedded engineer, and in the next 15 minutes I'll tell you a story of how I was able to make a small contribution to public research by reproducing a vulnerability related to Bluetooth on the Raspberry Pi, and why patching it is not trivial. Before we start though, please raise your hand if you use Bluetooth on a regular basis, whether it's for work purposes or not. Well, pretty much a similar percentage of people who didn't [unclear] this year. To be honest, it shouldn't come as a surprise, because Bluetooth is everywhere; it surrounds us. According to the Bluetooth standards organization, in 2023 alone over 5 billion devices were shipped worldwide, from laptops and smartphones to cars and key fobs, and, hell, I haven't seen toasters with Bluetooth. And it's not surprising why Bluetooth is so popular: it's essentially a short-range wireless protocol that works on high radio frequency and allows exchanging data between devices, and in some cases you can even create a network of these devices; for example, that's what Bluetooth Mesh is for. But obviously, over the 20 years that Bluetooth has existed, it's not bulletproof, and hundreds of vulnerabilities have been found, and one of these vulnerabilities was Braktooth.

So essentially, in 2021 a group of researchers from Singapore discovered a series of vulnerabilities in the Link Manager of commercial Bluetooth stack implementations within system-on-chips, specifically targeted at the Link Manager Protocol. In short, the Link Manager Protocol is essentially the protocol responsible for negotiating all the connection stages between two devices. And because the chipsets that were found vulnerable included big names such as Intel or Qualcomm and others, it meant that billions of devices were vulnerable to this. But the researchers hadn't tested Raspberry Pis, and because my main work involves working on Raspberry Pis, and at that time the proof of concept hadn't been publicly released for disclosure reasons, I asked for the proof of concept and happily they provided it to me.

So essentially the attack model was pretty simple. I have a Raspberry Pi 4; it was running Ubuntu 20 LTS with the latest updates (again, it was back in 2021), and it is connected to the Divoom speaker, just simply connected to the Divoom speaker, and meanwhile I, as an impostor, should try to disrupt the Bluetooth connection between these two devices. Essentially this is how it looked in real life. So first things first, obviously I needed to set up the connection between the Raspberry Pi and the speaker. If anyone is surprised why I'm using the command line, it is because, first of all, I was running Ubuntu LTS without a UI on the Raspberry Pi, and secondly it is easier for me to explain what's actually happening behind the scenes. So the pairing has been established; obviously it uses a PIN code, and, as you can see, the command prompt has changed to "Timebox Evo Audio", which was the name of my Divoom speaker, meaning that the Raspberry Pi has paired and connected to it.

Now, Cypress has four vulnerabilities of the 16 attributed to it. I'll focus on the one that I used, which is LMP Invalid Max Slot Type. Essentially Bluetooth has five types of logical transport, and one of them is Asynchronous Connection-Less, ACL for short. Essentially ACL is used for exchanging data where you need to use as much bandwidth as possible; for example, if you connect your phone or desktop to a remote speaker or smart TV and you want to play a song or a video, usually ACL is used for that purpose. The problem is, ACL by its design is not designed for broadcast packets; there is a specific logical transport for this. And essentially the logic of the exploit is that you malform one of the fields in the packet, particularly the LT_ADDR, which is the logical transport address. Usually the LT_ADDR is generated randomly for each connection, but if you set it to zero, and zero is reserved for broadcast packets, and send it as an ACL packet, which is not designed for broadcast packets, essentially it should crash the device. Funnily enough, it is actually strictly forbidden by the Bluetooth specification to do this, but apparently the vendors hadn't expected this, which is why it was supposed to crash the Bluetooth connection between these two devices.

So basically this is the output of me running the exploit, which is pretty standard; nothing much interesting is happening there. Then I decided to look at the Pi and see how it's behaving, and I already had the first sign of hope when I saw the "agent unregistered" line. Now, at the operating-system level, Linux uses BlueZ as the Bluetooth stack, and essentially it's BlueZ that is responsible for creating the Bluetooth service within the Raspberry Pi, and the agent object is a high-level D-Bus object that basically acts like a supervisor for pairing and the connection authentication and authorization between two devices. And basically when, for no other reason, it says that the agent is unregistered, it essentially means: it doesn't know what's happening, I'm giving up, I'm just leaving. And then I saw something that I actually didn't expect. Not only was I able to disrupt the Bluetooth connection, as you can see by the command prompt, which has reverted back to "bluetooth", but I actually managed to crash the Bluetooth service, which is seen by the line "Controller", then the MAC address of my Raspberry Pi and the name "ubuntu", which was the Bluetooth name of my device, and it was essentially forced to restart and register the agent back. And considering this was my second attempt at running this exploit (the first time I tried with another exploit, and not only did it not work, but I managed to find a bug in the proof of concept), I was pleasantly surprised by this.

Now some of you might think, well, that was in 2021, surely that has been fixed by Cypress. And credit where due, Cypress was one of the vendors who quickly fixed this vulnerability in their code. But one thing is fixing the code, another thing is distributing it, distributing the fix I mean, and that's where the problems begin for upgrades. So basically, for Cypress system-on-chips the firmware is flashed at the manufacturing stage to read-only memory, which means that essentially the firmware is immutable; you can't directly flash and update it. However, obviously you need to update the firmware, for example when you need to apply security fixes or non-security fixes, and for that they use something called Patchram. Patchram is essentially based on the flash patch unit, which is a part of the Arm architecture. Imagine you're trying to debug a program and you put a breakpoint in it; essentially Patchram is like that breakpoint. It contains the specific address that needs to be targeted, and then it will override it with new values within the firmware that is stored in read-only memory. These Patchram slots are distributed as .hcd files by operating-system updates; so basically if you run, for example, sudo apt update and upgrade, .hcd files are applied through the apt repositories. But the problem is, there isn't an infinite number of these Patchram slots. The first item in this Patchram slot indicates the index of this Patchram slot, and because it's one byte there cannot be more than 256 slots, but in reality the Raspberry Pi has only 128 of these Patchram slots. And that's where the problems begin, because essentially it is completely up to Cypress to decide which vulnerabilities to fix and which not to fix, for one simple reason. Let me give you an example: the Raspberry Pi 4 was released in 2018, and in just one year all slots except for one were reserved. To make matters worse, it turns out that the compilation date of the firmware that was stored in read-only memory was in 2014, so by the time the Raspberry Pi 4 was released they already had to apply four years' worth of fixes, and by today they have to apply 10 years of fixes. And because 128 slots is not enough, it means that it is essentially their responsibility: they decide which fix to take out and which to slot in.

Now the question is how to mitigate it. If you think that upgrading to the Raspberry Pi 5 would resolve the issue, abandon all hope, because they use the same chip as the Raspberry Pi 4, so on that level the problem still exists. So in terms of mitigating it, it depends on whether you use Bluetooth on the Raspberry Pi or not. If you don't use it, I suggest turning off the adapter and turning off the service entirely, so that you close that loop. If you use Bluetooth on your Pi, for example if you run Home Assistant within it, then there are two options: either you use an external Bluetooth dongle (for example TP-Link sells a dongle for 40 quid, I believe, and it's the one I tested actually), or, if you don't want to use a dongle, you have to keep the OS updated and pray to God that the vendor side has patched this vulnerability.

Now, to go a little off-topic: because Broadcom is owned by Cypress and some chips by Broadcom are used in smartphones and laptops, it means that the problem with Braktooth and with the firmware upgrade process basically means some laptops and smartphones also fall into that category, particularly iPhones and MacBooks. And actually it was proved on iPhones; several researchers were able to reproduce it. And some others are Samsung Galaxy smartphones; in fact Samsung Galaxy reported to the research team confirming that they're vulnerable as well. So if anyone here owns a Samsung Galaxy, you've been warned. Last but not least, if you want to read more about Braktooth, about the Cypress upgrade process, about how iPhones were exploited, you can check out those links. Don't worry, I'll publish the slides on my website; you can download them by tomorrow at the latest.

A few words of thanks are in order. First of all I want to thank my employer for allowing me a few days to research this problem on Raspberry Pis. Special thanks also to Vaibhav Bedi, who was one of the researchers behind Braktooth, with whom I've kept contact and who was able to confirm that Raspberry Pis are vulnerable. Another special thanks to Jiska Classen, who pointed out to me the issue with the Cypress upgrade process; in fact she was one of the researchers behind it, and in general she's an excellent expert on wireless communications, especially when it comes to Apple devices. A very big thanks to my mentor Araman; I appreciate every piece of feedback and advice that you've given. Thank you very much. Lastly, I want to thank each and every one of you for coming, and I hope you enjoyed this talk. If you want to reach out to me you can scan the QR code, which leads to my website with socials and contact details, and if you have any questions I'll do my best to answer. Thank you.

Moderator: Do we have a few questions? Okay, I'll start at the front and work back.

Q: Thank you. Is Bluetooth disabled by default on Raspberry Pis, or is it not?

A: So it's on by default and it is enabled by default. I would suggest actually masking the entire service if you don't want to use Bluetooth in general, so that no one will be able to hijack into it in any way.

Moderator: Right, thank you. Down at the back there.

Q: Thanks. So what's kind of the main effect of this vulnerability? What does this allow a potential attacker to do?

A: Well, for example, and this is something that the researchers did: if you have a noisy neighbour who's turning the music up loud enough and you want to shut off that idiot's speaker, then you can certainly make it turn off. And in fact, when I did the attack and it was able to crash the service, I wasn't able to reconnect to that device for 5 minutes, so I had 5 minutes of silence, basically.

Q: Why did you get it patched?

A: Oh, why didn't I get it patched? It sounds useful.

Moderator: Any other questions? No? In that case, huge thanks to Ilias.
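The talk explains that Cypress firmware fixes reach the Raspberry Pi as Patchram contents packaged in .hcd files that the OS ships through apt. An .hcd file is a sequence of HCI commands: each record is a little-endian 16-bit opcode, a one-byte parameter length and the parameters, and the Broadcom vendor commands Write_RAM (opcode 0xFC4C, a 4-byte little-endian address followed by data) and Launch_RAM (0xFC4E, an address, conventionally 0xFFFFFFFF at the end of the file) do the work; the Linux btbcm driver and brcm_patchram_plus replay these records verbatim to the controller. The Python script below is added here as an example and is not part of the talk or of any vendor tooling. It parses such a file, counts the Write_RAM records and bytes that make up the patch, checks that no record is truncated and that the file ends with Launch_RAM, and flags any non-vendor opcode. The sample blob is constructed inline and is not a real firmware; the helper names are this example's own. On a real Pi the same parser can be pointed at the .hcd files under /lib/firmware/brcm/ to inspect what an apt upgrade actually delivered. It counts records, not Patchram slots: the slot-index byte the talk mentions lives inside the written data and is not decoded here.

```python
"""Parse Broadcom/Cypress .hcd firmware patch files (added example, not the talk's code)."""
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

BCM_WRITE_RAM = 0xFC4C    # vendor HCI command: 4-byte LE address followed by the data to write
BCM_LAUNCH_RAM = 0xFC4E   # vendor HCI command: 4-byte LE address to start from (0xFFFFFFFF = default)
OGF_VENDOR = 0x3F         # opcode group of all vendor-specific HCI commands


@dataclass(frozen=True)
class HcdRecord:
    opcode: int
    params: bytes

    @property
    def ogf(self) -> int:
        return self.opcode >> 10


def parse_hcd(blob: bytes) -> List[HcdRecord]:
    """Walk the file record by record; every record is <u16 opcode><u8 plen><plen bytes>."""
    records, off = [], 0
    while off < len(blob):
        if len(blob) - off < 3:
            raise ValueError(f"truncated record header at offset {off}")
        opcode, plen = struct.unpack_from("<HB", blob, off)
        off += 3
        if len(blob) - off < plen:
            raise ValueError(f"record at offset {off - 3} claims {plen} bytes, "
                             f"only {len(blob) - off} left")
        records.append(HcdRecord(opcode, blob[off:off + plen]))
        off += plen
    return records


def summarize(records: List[HcdRecord]) -> Dict[str, object]:
    """Report what the patch writes and whether the file is structurally sane."""
    writes = [r for r in records if r.opcode == BCM_WRITE_RAM]
    regions = []
    for r in writes:
        if len(r.params) < 4:
            raise ValueError("Write_RAM record without a target address")
        addr = struct.unpack_from("<I", r.params)[0]
        regions.append((addr, len(r.params) - 4))
    return {
        "records": len(records),
        "write_ram_records": len(writes),
        "bytes_written": sum(n for _, n in regions),
        "lowest_address": min((a for a, _ in regions), default=None),
        "highest_address": max((a + n for a, n in regions), default=None),
        # Anything outside the vendor group should not be in a patch file at all.
        "non_vendor_opcodes": [r.opcode for r in records if r.ogf != OGF_VENDOR],
        "ends_with_launch_ram": bool(records) and records[-1].opcode == BCM_LAUNCH_RAM,
    }


def build_hcd(records: List[HcdRecord]) -> bytes:
    """Inverse of parse_hcd; used here only to construct the sample below."""
    return b"".join(struct.pack("<HB", r.opcode, len(r.params)) + r.params for r in records)


# Constructed sample: two Write_RAM records and the Launch_RAM terminator (not a real firmware).
SAMPLE_HCD = build_hcd([
    HcdRecord(BCM_WRITE_RAM, struct.pack("<I", 0x00210000) + bytes(range(16))),
    HcdRecord(BCM_WRITE_RAM, struct.pack("<I", 0x00210010) + bytes(range(16, 24))),
    HcdRecord(BCM_LAUNCH_RAM, struct.pack("<I", 0xFFFFFFFF)),
])


def summarize_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk, e.g. one under /lib/firmware/brcm/."""
    with open(path, "rb") as f:
        return summarize(parse_hcd(f.read()))


if __name__ == "__main__":
    report = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(parse_hcd(SAMPLE_HCD))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with a path argument to summarise a shipped file, or with none to see the constructed sample. Comparing the report for the file before and after an OS upgrade shows whether the update touched the Bluetooth patch at all, which is the only visibility a Pi owner has into the slot juggling the talk describes.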