L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing

Haram Park, Carlos Nkuba Kayembe, Seunghoon Woo, Heejo Lee. 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).
Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is a wireless technology used in billions of devices. Recently, several Bluetooth fuzzing studies have been conducted to detect vulnerabilities in Bluetooth devices, but they fall short of effectively generating malformed packets. In this paper, we propose L2FUZZ, a stateful fuzzer to detect vulnerabilities in the Bluetooth BR/EDR Logical Link Control and Adaptation Protocol (L2CAP) layer. By selecting valid commands for each state and mutating only…

Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

The potential of Frankenstein, a fuzzing framework based on advanced firmware emulation, is demonstrated by finding three zero-click vulnerabilities in the Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many Samsung smartphones, the Raspberry Pis, and many others.

SweynTooth: Unleashing Mayhem over Bluetooth Low Energy

A systematic and comprehensive testing framework which, as an automated and general-purpose approach, can effectively fuzz any BLE protocol implementation; it uncovers a set of vulnerabilities collectively named SWEYNTOOTH, which highlights the efficacy of the framework.

ToothPicker: Apple Picking in the iOS Bluetooth Stack

This paper builds the iOS in-process fuzzer ToothPicker and evaluates the implementation security of Apple’s Bluetooth protocols, finding a zero-click Remote Code Execution (RCE) that was fixed in iOS 13.5 and simple crashes.

BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols

It is shown that reflection attacks are possible against various pairing modes of BLE and Bluetooth Classic and several vulnerabilities in Bluetooth Mesh provisioning are uncovered, ranging from reflection attacks to cryptographic weaknesses.

Analysis of the packet transferring in L2CAP layer of Bluetooth v2.x+EDR

This paper proposes a packet selection strategy in the baseband layer to achieve the maximum throughput for L2CAP basic mode at different channel SNRs, and applies it to transfer L2CAP PDUs using 3-DH5 baseband packets in L2CAP retransmission mode.

Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes

This paper presents VFUZZ, a protocol-aware blackbox fuzzing framework for quickly assessing vulnerabilities in Z-Wave devices, which assesses the target device capabilities and encryption support to guide seed selection and tests the target for new vulnerability discovery.

BIAS: Bluetooth Impersonation AttackS

It is shown that the Bluetooth specification contains vulnerabilities that enable impersonation attacks during secure connection establishment, including the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.

NFDFuzz: A Stateful Structure-Aware Fuzzer for Named Data Networking

In this work, the design of the NFD fuzzer is presented and an overview of its most salient implementation details is provided; the fuzzer is designed to be effective and aware of the packet structure and the rules governing the NDN wire protocol.

BlueMaster: Bypassing and Fixing Bluetooth-based Proximity Authentication

The security pitfalls of Bluetooth-based proximity authentication are presented, a method for analyzing the (in)security of device proximity authentication methods is constructed, and a vulnerability detection tool is released to help developers eliminate potential vulnerabilities.

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices

It is demonstrated that memory corruptions, a common class of security vulnerabilities, often result in different behavior on embedded devices than on desktop systems, reducing significantly the effectiveness of traditional dynamic testing techniques in general, and fuzzing in particular.