
BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines

  • Conference paper
Computer Security – ESORICS 2024 (ESORICS 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14984)


Abstract

Bluetooth technologies are widely used across many kinds of devices. Despite their advantages, weaknesses in Bluetooth security can pose critical threats. Existing approaches that rely solely on the Bluetooth specification have failed to bridge the gap between the documentation and the devices that implement it. They therefore struggle to (1) precisely generate state machines for target devices and (2) accurately track states during fuzzing, which results in low fuzzing efficiency. In this paper, we propose BloomFuzz, a stateful fuzzer that discovers vulnerabilities in the Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) layer. Using the concept of a state cluster, a set of one or more states with similar attributes, BloomFuzz generates a target-oriented state machine by pruning states that the target does not implement (missing states) and accounting for states that are implemented but not described in the specification (hidden states). BloomFuzz further improves fuzzing efficiency by generating valid test packets for each cluster through cluster-based state machine tracking. When we applied BloomFuzz to real-world Bluetooth devices, it outperformed existing L2CAP fuzzers by (1) discovering 56 potential vulnerabilities (more than twice as many as existing fuzzers), (2) precisely generating a target-oriented state machine, (3) significantly reducing the probability of test packets being rejected (from 76% to 23%), and (4) producing nine times more valid malformed test packets. Our approach can help prevent threats within L2CAP and thereby contribute to a secure Bluetooth environment.



Notes

  1. Since the vulnerabilities have not been patched yet, detailed explanations are omitted. We plan to introduce the details after the patching process is complete.


Acknowledgment

We thank the anonymous reviewers for their valuable comments, which improved the quality of the paper. We also thank Haram Park and Choongin Lee for their valuable comments. This work was supported by the ICT Creative Consilience Program through the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2022-0-00277, Development of SBOM Technologies for Securing Software Supply Chains; No. 2022-0-01198, Convergence Security Core Talent Training Business (Korea University); and IITP-2024-2020-0-01819, ICT Creative Consilience program).

Author information

Correspondence to Seunghoon Woo or Heejo Lee.


Appendices

A Discovered Crashes

BloomFuzz discovered 56 potential vulnerabilities (see Table 5). Two of them (in D6 and D7; see Table 2) were reported to and confirmed by the respective vendors. A further eight were patched by the vendors while we were still analyzing their root causes. Eighteen crashes occurred only intermittently, and the remaining 28 are still under analysis; we will report them to the vendors as soon as the analysis is complete.

Table 5. Classification results of discovered potential vulnerabilities.

B Efficiency in Addressing Missing and Hidden States

Figure 7 shows the effectiveness of state machine generation and the packet acceptance ratio. \(A_t\) measures the effectiveness of missing state pruning (see Sect. 4.1): the more completely missing states are pruned, the lower the probability that a test packet is rejected. BloomFuzz exhibits the highest \(A_t\). \(A_i\) indicates how well both missing and hidden states are handled. We cannot directly determine whether a given vulnerability was found in a hidden state, but effective handling of missing and hidden states lets us infer it indirectly, and it is the reason BloomFuzz discovers more crashes than the other fuzzers.

Fig. 7. State machine generation effectiveness and packet acceptance ratio.
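The abstract describes building a target-oriented state machine from state clusters, pruning missing states and surfacing hidden ones, and Appendix B measures the payoff as a packet acceptance ratio. The Python block below is a constructed toy model added here to make those ideas concrete; it is not BloomFuzz's code and does not reproduce the paper's algorithm. The L2CAP signalling PDU framing (basic header, command header, fixed signalling CID 0x0001) follows the Core Specification, but the simulated device `SimTarget`, its missing and hidden states, the cluster key (the set of commands a state accepts), the probing strategy and all resulting numbers are assumptions made for illustration.

```python
"""Constructed toy model added as an illustration (not BloomFuzz's code): probe a
simulated L2CAP responder to learn a target-oriented state machine whose states are
clusters of behaviourally identical states, list missing and hidden states, and
compare fuzz-packet rejection from the spec machine versus the learned one."""
import random
import struct
from collections import deque

SIG_CID = 0x0001  # fixed L2CAP signalling channel (Core Spec Vol. 3 Part A)
CMD_REJ, CONN_REQ, CONN_RSP, CONF_REQ, CONF_RSP, DISC_REQ, DISC_RSP = range(1, 8)
CODES = range(CONN_REQ, DISC_RSP + 1)

def build_sig_pdu(code, ident, payload=b""):
    """Basic header (length, CID) + command header (code, identifier, length) + data."""
    cmd = struct.pack("<BBH", code, ident, len(payload)) + payload
    return struct.pack("<HH", len(cmd), SIG_CID) + cmd

def parse_sig_pdu(pdu):
    """Decode one signalling PDU; inconsistent framing raises ValueError."""
    length, cid = struct.unpack_from("<HH", pdu, 0)
    code, ident, clen = struct.unpack_from("<BBH", pdu, 4)
    if cid != SIG_CID or length != 4 + clen or len(pdu) != 4 + length:
        raise ValueError("malformed signalling PDU")
    return code, ident, pdu[8:8 + clen]

# Responder-side spec channel state machine: state -> {incoming code: next state}
SPEC = {
    "CLOSED":          {CONN_REQ: "CONFIG"},
    "WAIT_CONNECT":    {CONN_RSP: "CONFIG"},  # entered only when the device initiates
    "CONFIG":          {CONF_REQ: "CONFIG", CONF_RSP: "OPEN"},
    "OPEN":            {CONF_REQ: "CONFIG", DISC_REQ: "CLOSED"},
    "WAIT_DISCONNECT": {DISC_RSP: "CLOSED"},  # entered only when the device initiates
}

class SimTarget:
    """Invented device: never initiates (so WAIT_CONNECT and WAIT_DISCONNECT are
    missing) and parks in an extra CONF_PENDING state (hidden) after a CONF_REQ."""
    IMPL = {
        "CLOSED":       {CONN_REQ: "CONFIG"},
        "CONFIG":       {CONF_REQ: "CONF_PENDING", CONF_RSP: "OPEN"},
        "CONF_PENDING": {CONF_RSP: "OPEN"},
        "OPEN":         {CONF_REQ: "CONF_PENDING", DISC_REQ: "CLOSED"},
    }
    def __init__(self):
        self.reset()
    def reset(self):
        self.state = "CLOSED"
    def receive(self, pdu):
        code, ident, _ = parse_sig_pdu(pdu)
        nxt = self.IMPL[self.state].get(code)
        if nxt is None:  # Command Reject, reason 0x0000 (command not understood)
            return build_sig_pdu(CMD_REJ, ident, struct.pack("<H", 0))
        self.state = nxt
        return build_sig_pdu(code, ident)  # toy acknowledgement; real replies differ

def accepted(target, pdu):
    return parse_sig_pdu(target.receive(pdu))[0] != CMD_REJ

def accept_set(target, prefix):
    """Codes the device accepts after replaying `prefix` from reset: the cluster key."""
    result = set()
    for code in CODES:
        target.reset()
        for i, c in enumerate(prefix):
            target.receive(build_sig_pdu(c, i + 1))
        if accepted(target, build_sig_pdu(code, len(prefix) + 1)):
            result.add(code)
    return frozenset(result)

def learn_machine(target):
    """BFS over accepted command sequences; states that accept the same commands
    share one cluster, which keeps the exploration finite."""
    start = accept_set(target, ())
    machine, queue, seen = {}, deque([((), start)]), {start}
    while queue:
        prefix, cluster = queue.popleft()
        machine[cluster] = {}
        for code in sorted(cluster):
            nxt = accept_set(target, prefix + (code,))
            machine[cluster][code] = nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append((prefix + (code,), nxt))
    return start, machine

def classify(machine):
    """Spec states matching no cluster are missing; clusters matching no spec state are hidden."""
    spec_by_accepts = {frozenset(t): s for s, t in SPEC.items()}
    missing = sorted(s for f, s in spec_by_accepts.items() if f not in machine)
    hidden = [sorted(c) for c in machine if c not in spec_by_accepts]
    return missing, hidden

def run_campaign(target, machine, start, steps=1000, seed=7):
    """Send packets valid for the fuzzer's believed state; return the fraction rejected."""
    rng, belief, rejected = random.Random(seed), start, 0
    target.reset()
    for i in range(steps):
        code = rng.choice(sorted(machine[belief]))
        if not accepted(target, build_sig_pdu(code, i % 255 + 1)):
            rejected += 1
        belief = machine[belief][code]  # the fuzzer cannot see the device's true state
    return rejected / steps
```

Calling `learn_machine(SimTarget())` yields four clusters; `classify` reports WAIT_CONNECT and WAIT_DISCONNECT as missing and the CONF_PENDING cluster (accepts only CONF_RSP) as hidden. `run_campaign` with `SPEC` loses packets whenever the spec-tracked belief says CONFIG while the device is really in CONF_PENDING, while the learned machine is rejected nowhere because, in this toy, no two device states accept the same commands. On a real stack several states do share an accept set and collapse into one cluster, so tracking is approximate; that gap is what the paper's cluster-based state tracking is meant to manage, and the rejection ratio is the number to watch when judging it.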


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Ahn, P., Jang, Y., Woo, S., Lee, H. (2024). BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines. In: Garcia-Alfaro, J., Kozik, R., Choraś, M., Katsikas, S. (eds) Computer Security – ESORICS 2024. ESORICS 2024. Lecture Notes in Computer Science, vol 14984. Springer, Cham. https://doi.org/10.1007/978-3-031-70896-1_6


  • DOI: https://doi.org/10.1007/978-3-031-70896-1_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-70895-4

  • Online ISBN: 978-3-031-70896-1

