[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231001080551.GB8209@linux-l9pv.suse>
Date: Sun, 1 Oct 2023 16:05:51 +0800
From: joeyli <jlee@...e.com>
To: Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>
Cc: linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org
Subject: Re: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection
Hi experts,
On Sun, Oct 01, 2023 at 03:45:24PM +0800, Lee, Chun-Yi wrote:
> with the device which has same BD_ADDR
>
> This patch set is used to relieve CVE-2020-26555. The description of the
> CVE:
>
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
>
> The detail of this attack is in IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
>
> It's a reflection attack. The paper mentioned that attacker can induce
> the attacked target to generate null link key (zero key) without PIN
> code. In BR/EDR, the key generation is actually handled in the controller
> which is below HCI.
>
> Thus, we can ignore null link key in the handler of "Link Key Notification
> event" to relieve the attack. And, a condition of this attack is that
> attacker should change the BR_ADDR of his hacking device (Host B) to equal
> to the BR_ADDR with the target device being attacked (Host A). So we reject
> the connection with device which has same BD_ADDR both on HCI_Create_Connection
> and HCI_Connection_Request to prevent the attack.
>
> Similar implementations also show in btstack project. [3][4][5]
>
> Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]
>
> Lee, Chun-Yi (2):
> Bluetooth: hci_event: Ignore NULL link key
> Bluetooth: Reject connection with the device which has same BD_ADDR
>
> net/bluetooth/hci_conn.c | 7 +++++++
> net/bluetooth/hci_event.c | 16 ++++++++++++++++
> 2 files changed, 23 insertions(+)
>
> --
> 2.35.3
>
> >From 2c6cd3f353d21086a3163a9ad461789d203a7ee4 Mon Sep 17 00:00:00 2001
> From: "Lee, Chun-Yi" <jlee@...e.com>
> Date: Sat, 30 Sep 2023 16:56:56 +0800
> Subject: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection
> with the device which has same BD_ADDR
>
Please ignore this patch set because I used wrong mutt command to send out
patch. It causes that the mail has duplicate contents. I will send out a
new series.
Sorry for any inconvenience caused!
Joey Lee
> This patch set is used to relieve CVE-2020-26555. The description of the
> CVE:
>
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
>
> The detail of this attack is in IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
>
> It's a reflection attack. The paper mentioned that attacker can induce
> the attacked target to generate null link key (zero key) without PIN
> code. In BR/EDR, the key generation is actually handled in the controller
> which is below HCI.
>
> Thus, we can ignore null link key in the handler of "Link Key Notification
> event" to relieve the attack. And, a condition of this attack is that
> attacker should change the BR_ADDR of his hacking device (Host B) to equal
> to the BR_ADDR with the target device being attacked (Host A). So we reject
> the connection with device which has same BD_ADDR both on HCI_Create_Connection
> and HCI_Connection_Request to prevent the attack.
>
> Similar implementations also show in btstack project. [3][4][5]
>
> Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]
>
> Lee, Chun-Yi (2):
> Bluetooth: hci_event: Ignore NULL link key
> Bluetooth: Reject connection with the device which has same BD_ADDR
>
> net/bluetooth/hci_conn.c | 7 +++++++
> net/bluetooth/hci_event.c | 16 ++++++++++++++++
> 2 files changed, 23 insertions(+)
>
> --
> 2.35.3
Powered by blists - more mailing lists