sgxgsx/BlueToolkit
GitHub: sgxgsx/BlueToolkit
BlueToolkit is an extensible vulnerability testing framework for Bluetooth Classic and Bluetooth Low Energy that combines reconnaissance, exploitation and report generation, helping security researchers and penetration testers efficiently find known and unknown security flaws in Bluetooth devices.
Stars: 693 | Forks: 70
Extensible Bluetooth vulnerability testing framework for BR/EDR and BLE.
Documentation • Installation • Usage • Exploits • Hardware • TODO • Car evaluation • Bluetooth resources • License
BlueToolkit is a modular, black-box Bluetooth security testing framework for Bluetooth Classic and Bluetooth Low Energy (BLE). It supports semi-automated testing and consists of three main modules:
- **Recon**: collects Bluetooth capabilities and security configuration.
- **Exploit**: runs tests for (currently) 43 public exploits (MitM, RCE, DoS, etc.). The vulnerability templates live in the [exploits folder](https://github.com/sgxgsx/BlueToolkit/tree/development/exploits). Support for further vulnerabilities can be added (see TODO).
- **Report**: generates structured JSON reports that are both machine- and human-readable.
We evaluated BlueToolkit on 22 cars from different vendors (Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, Volkswagen, Tesla) and found [128 vulnerabilities](https://github.com/sgxgsx/BlueToolkit/tree/development/evaluation/README.md).
We also showed how to [hijack online accounts via MAP](https://github.com/sgxgsx/mapAccountHijack) against an established connection or from a MitM position.
This work led to a research paper accepted at WOOT '25: *Completing the Missing Links after Owning the Link*
# Installation
BlueToolkit can be installed on a bare-metal Ubuntu/Debian system (recommended) or in a virtual machine. In both cases the installer prompts to install the specific modules for Braktooth and BluetoothAssistant, which require specific hardware to be connected.
Individual modules can also be installed separately by running the installer again.
### Regular installation
Install:
```
git clone https://github.com/sgxgsx/BlueToolkit
chmod +x ./BlueToolkit/install.sh
sudo ./BlueToolkit/install.sh [-dev]
```
### Virtual machine installation
Prerequisites:
* Virtualbox https://www.virtualbox.org
* vagrant https://developer.hashicorp.com/vagrant/install?product_intent=vagrant
```
git clone https://github.com/sgxgsx/BlueToolkit --recurse-submodules
cd BlueToolkit/vagrant
vagrant up
```
After installation:
* You need to allow the virtual machine to access the Bluetooth module or additional hardware over USB, which requires the following steps:
  * USB support is already enabled, so open VirtualBox
  * Find the running VM and click "Show"
  * Click "Devices" -> "USB"
  * You will see several devices that can be enabled for the VM
  * Tick any device you need (Bluetooth module, hardware, phone), or tick all of them to be safe.
### Usage
Run `bluekit -h` to display BlueToolkit's usage information:
```
usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...
positional arguments:
rest
options:
-h, --help show this help message and exit
-t TARGET, --target TARGET
target MAC address
-l, --listexploits List exploits or not
-c, --checksetup Check whether Braktooth is available and setup
-ct, --checktarget Check connectivity and availability of the target
-ch, --checkpoint Start from a checkpoint
-v VERBOSITY, --verbosity VERBOSITY
Verbosity level
-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]
Exclude exploits, example --exclude exploit1, exploit2
-e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...]
Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account
-r, --recon Run a recon script
-re, --report Create a report for a target device
-rej, --reportjson Create a report for a target device
-hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account
```
Some usage examples:
- List all available exploits (no root required):
`bluekit -l`
- Run recon:
`sudo bluekit -t AA:BB:CC:DD:EE:FF -r`
- Test connectivity:
`sudo bluekit -t AA:BB:CC:DD:EE:FF -ct`
- Test one or more exploits (space-separated):
`sudo bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot au_rand_flooding internalblue_knob`
More documentation is available in [our Wiki](https://github.com/sgxgsx/BlueToolkit/wiki)
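The commands above are typically run in a fixed order during an assessment: connectivity check, recon, the selected exploits, then the report. The runner below is an added example, not part of BlueToolkit; it only uses the flags shown in `bluekit -h`, validates the target address and template names before anything is launched, logs every command, and defaults to dry-run mode (`BLUEKIT_DRY_RUN=1`). The target address and exploit names are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example (not BlueToolkit code): chains the documented bluekit stages
#   connectivity check (-ct) -> recon (-r) -> selected exploits (-e) -> JSON report (-rej)
# BLUEKIT_DRY_RUN=1 (default) only prints the commands; set it to 0 on an
# authorised test bench where bluekit is installed.
set -e

BLUEKIT_DRY_RUN="${BLUEKIT_DRY_RUN:-1}"

# Returns 0 if the argument is a well-formed 48-bit Bluetooth device address
# (six colon-separated hex octets), 1 otherwise.
validate_mac() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Exploit template names (e.g. invalid_max_slot, au_rand_flooding) consist of
# lowercase letters, digits and underscores. Returns 0 when every name matches,
# so nothing unexpected can reach the command line.
validate_exploits() {
    local name
    for name in "$@"; do
        case "$name" in
            ''|*[!a-z0-9_]*) return 1 ;;
        esac
    done
    return 0
}

# Prints the bluekit command for one stage: check, recon, exploit or report.
# For the exploit stage the template names follow the target address.
bluekit_cmd() {
    local stage="$1" target="$2"; shift 2
    case "$stage" in
        check)   printf 'sudo bluekit -t %s -ct\n' "$target" ;;
        recon)   printf 'sudo bluekit -t %s -r\n' "$target" ;;
        exploit) printf 'sudo bluekit -t %s -e %s\n' "$target" "$*" ;;
        report)  printf 'sudo bluekit -t %s -rej\n' "$target" ;;
        *)       return 1 ;;
    esac
}

# Appends the timestamped command to the session log, then prints it (dry run)
# or executes it. A failing stage (e.g. target not reachable) stops the run.
run_stage() {
    local log="$1" stage="$2"; shift 2
    local cmd
    cmd="$(bluekit_cmd "$stage" "$@")"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd" >>"$log"
    if [ "$BLUEKIT_DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$cmd"
    else
        eval "$cmd" || { echo "stage '$stage' failed, aborting" >&2; return 1; }
    fi
}

# Full assessment: refuses to start when the address or exploit names are
# malformed, and never reaches the exploit stage if the connectivity check fails.
assess() {
    local target="$1" log="$2"; shift 2
    validate_mac "$target" || { echo "bad target address: $target" >&2; return 2; }
    validate_exploits "$@" || { echo "bad exploit name in: $*" >&2; return 2; }
    run_stage "$log" check "$target"
    run_stage "$log" recon "$target"
    run_stage "$log" exploit "$target" "$@"
    run_stage "$log" report "$target"
}

# Constructed sample run: address and template names are illustrative only.
assess AA:BB:CC:DD:EE:FF "${TMPDIR:-/tmp}/bluekit-session.log" invalid_max_slot au_rand_flooding
```

The session log gives a reviewable record of what was run against which address, which is what a report reader will ask for first.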
## Hardware
Some attacks require specific hardware:
* ESP-WROVER-KIT-VE for the Braktooth vulnerabilities
* Nexus 5 phone for Internalblue. A CYW20735 can be used instead, but two exploits will not work and a new hardware profile is required.
* CYW920819M2EVB-01 for the BIAS, BLUR and BLUFFS attacks.
# Available Bluetooth vulnerabilities and attacks
BlueToolkit automatically downloads all vulnerability and hardware templates. The [**BlueToolkit templates**](https://github.com/sgxgsx/templates) repository provides the full list of ready-to-use templates.
You can also write your own templates and checks, and add new hardware, by following the BlueToolkit [templating guide](https://github.com/sgxgsx/Bluetoolkit/wiki/Templating).
The YAML reference syntax is available [here](https://github.com/sgxgsx/BlueToolkit/wiki/YAMLreference).
We collected and categorised Bluetooth vulnerabilities in a "geeky Bluetooth security" manner. We used the following sources: ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS and Google Scholar. We searched Google, Baidu, Yandex, Bing and other search engines for the keywords Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework and bluetooth pentesting toolkit. We also parsed all GitHub repositories matching topic:bluetooth topic:exploit and topic:bluetooth topic:security.
### BlueToolkit currently checks for the following vulnerabilities and attacks:
For manual attacks, see the [documentation](https://github.com/sgxgsx/BlueToolkit/wiki/Manual-Exploits).
| Vulnerability | Category | Type | Verification type | Hardware required | Tested |
|----------------------------------------------| :---: | :---: | :---: | :---: | :---: |
| Always pairable | Chain attack | Chain attack | Manual | | ✓ |
| Only the car unit can initiate a connection | Chain attack | Chain attack | Manual | | ✓ |
| Fast restart | Chain attack | Chain attack | Manual | | ✓ |
| No SC support | Chain attack | Info | Automated | | ✓ |
| Possible BLUR check | Chain attack | Info | Automated | | ✓ |
| My name is keyboard | Critical | RCE | Semi-automated | | ✓ |
| CVE-2017-0785 | Critical | Memory leak | Automated | | ✓ |
| CVE-2018-19860 | Critical | Memory execution | Automated | | ✓ |
| V13 Invalid Max Slot Type | DoS | DoS | Automated | ✓ | ✓ |
| V3 Duplicated IOCAP | DoS | DoS | Automated | ✓ | ✓ |
| NiNo check | MitM | MitM | Semi-automated | | ✓ |
| Legacy pairing used | MitM | MitM | Automated | | ✓ |
| KNOB | MitM | MiTM | Semi-automated | ✓ | ✓ |
| CVE-2018-5383 | MitM | MiTM | Automated | ✓ | ✓ |
| Method Confusion attack | MitM | MiTM | Automated | | ✓ |
| SSP supported <= 4.0 weak encryption or SSP fully supported | MitM | Info/MitM | Automated | | ✓ |
| CVE-2020-24490 | Critical | DoS | Automated | | ✓ |
| CVE-2017-1000250 | Critical | Info leak | Automated | | ✓ |
| CVE-2020-12351 | Critical | RCE/DoS | Automated | | ✓ |
| CVE-2017-1000251 | Critical | RCE/DoS | Automated | | ✓ |
| V1 Feature Pages Execution | Critical | RCE/DoS | Automated | ✓ | ✓ |
| Unknown duplicated encapsulated payload | DoS | DoS | Automated | ✓ | ✓ |
| V2 Truncated SCO Link Request | DoS | DoS | Automated | ✓ | ✓ |
| V4 Feature Resp. Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V5 LMP Auto Rate Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V6 LMP 2-DH1 Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V7 LMP DM1 Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V8 Truncated LMP Accepted | DoS | DoS | Automated | ✓ | ✓ |
| V9 Invalid Setup Complete | DoS | DoS | Automated | ✓ | ✓ |
| V10 Host Conn. Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V11 Same Host Connection | DoS | DoS | Automated | ✓ | ✓ |
| V12 AU Rand Flooding | DoS | DoS | Automated | ✓ | ✓ |
| V14 Max Slot Length Overflow | DoS | DoS | Automated | ✓ | ✓ |
| V15 Invalid Timing Accuracy | DoS | DoS | Automated | ✓ | ✓ |
| V16 Paging Scan Deadlock | DoS | DoS | Automated | ✓ | ✓ |
| Unknown bad encapsulated payload | DoS | DoS | Automated | ✓ | ✓ |
| Unknown sdp unknown element type | DoS | DoS | Automated | ✓ | ✓ |
| Unknown sdp oversized element size | DoS | DoS | Automated | ✓ | ✓ |
| Unknown feature req ping pong | DoS | DoS | Automated | ✓ | ✓ |
| Unknown lmp invalid transport | DoS | DoS | Automated | ✓ | ✓ |
| CVE-2020-12352 | Critical | Info leak | Automated | | ✓ |
### Novel attacks
These attacks are novel/newly discovered and are tested by the framework.
| Vulnerability | Category | Type | Verification type | Hardware required | Tested |
|----------------------------------------------| :---: | :---: | :---: | :---: | :---: |
| Insecure NC implementation | MitM | MitM | Manual | | ✓ |
| NiNo in cars | MitM | Info | Manual | | ✓ |
| Contact extractor | Critical | BAC | Manual | | ✓ |
### Vulnerabilities to be added
| Vulnerability | Category | Type | Verification type | Hardware required | Tested | Planned |
|----------------------------------------------| :---: | :---: | :---: | :---: | :---: | :---: |
| BLUR | MitM | ? | - | ✓ | | ✓ |
| BIAS | MitM | ? | - | ✓ | | ✓ |
| BLUFFS | MitM | ? | - | ✓ | | ✓ |
| BlueRepli | Critical | BAC | - | | | |
| CVE-2020-26555 | MitM | MiTM | - | | | |
## TODO list
- [ ] **Add BLE (Bluetooth Low Energy) support**
  - Implement BLE functionality to extend the project's connectivity capabilities.
- [ ] **Continuously (re)develop proofs of concept**
  - Develop new PoCs to explore additional use cases or features.
# Bluetooth vulnerabilities and attacks
In addition, we identified the following Bluetooth Classic and Bluetooth Low Energy (BLE) vulnerabilities. For each attack or vulnerability the table lists: name, type (whether it is implementation-specific, protocol-specific or affects a BT profile), Bluetooth type (BLE, BT, BT + BLE), affected BT versions, number of exploits, year of publication, CVE (if any), CVSS (if any), hardware (if required), proof of concept (if any), and a notes column with additional links or remarks.
| Family | Name | Type | BT type | BT version | Exploits | Year | CVE | CVSS | Hardware | PoC | Link | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | Qualcomm WSA8835 attack | Imp | BLE | | 1 | 2023 | | | | | [https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647](https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647) | Improper GATT packet validation |
| | Auth bypass, spoofing | Imp | BLE | | 1 | 2022 | | | | | [https://fmsh-seclab.github.io/](https://fmsh-seclab.github.io/) | Authentication bypass and spoofing in the Tesla key |
| | unauth MITM | Prot | BLE | 4.0 - 5.3 | 1 | 2022 | | | | | [https://www.cvedetails.com/cve/CVE-2022-25836/](https://www.cvedetails.com/cve/CVE-2022-25836/) | See the CVE for details; relies on method confusion |
| | BLE Proximity Auth relay | Rel | BLE | 4.0 - 5.3 | 1 | 2022 | | | | | [https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/](https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/) | BLE proximity authentication vulnerable to relay attacks |
| | Sniffle | Snif | BLE | 4.0-5.0 | 1 | 2022 | | | TI CC1352/CC26x2 | [https://github.com/nccgroup/Sniffle](https://github.com/nccgroup/Sniffle) | | |
| | InjectaBLE | Prot | BLE | 4.0 - 5.2 | 1 | 2021 | | | nRF52840 | [https://github.com/RCayre/injectable-firmware](https://github.com/RCayre/injectable-firmware) | [https://hal.laas.fr/hal-03193297v2/document](https://hal.laas.fr/hal-03193297v2/document) | MITM, injection of malicious packets, post-exploitation once the session is established/hijacked (implementation- and model-specific) |
| | jacknimble | Imp | BLE | | | 2020 | | | nRF52840 | [https://github.com/darkmentorllc/jackbnimble](https://github.com/darkmentorllc/jackbnimble) | [https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf](https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf) | 3 exploits for specific hardware, CVE-2020-15531 |
| | SweynTooth | Imp | BLE | | 12 | 2020 | | | nRF52840 | https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks | https://asset-group.github.io/disclosures/sweyntooth/ | |
| | BlueDoor | Prot | BLE | 4.0 - 5.2 | 1 | 2020 | | | nRF51822 | | [http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf](http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf) | MITM |
| | Downgrade attack | Prot | BLE | 4.2 - 5.0 | 1 | 2020 | | | TI CC2640 & Adafruit Bluefruit LE Sniffer | | [https://www.usenix.org/system/files/sec20-zhang-yue.pdf](https://www.usenix.org/system/files/sec20-zhang-yue.pdf) | MITM via downgrade (SCO) CVE-2020-35473 |
| | BLESA | Spoof | BLE | | 1 | 2020 | | | | | [https://www.usenix.org/system/files/woot20-paper-wu.pdf](https://www.usenix.org/system/files/woot20-paper-wu.pdf) | Spoofing to establish a MITM and disable encryption |
| SweynTooth | Cypress PSoc 4 BLE | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336](https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336) | DoS |
| SweynTooth | Cypress PSoc 4 BLE | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061](https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061) | Buffer overflow |
| SweynTooth | NXP KW41Z up to 2.2.1 | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060](https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060) | BLE link-layer buffer overflow |
| SweynTooth | STMicroelectronics BLE Stack | Imp | BLE | | 1 | 2019 | | | | | [https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192](https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192) | STM32WB5x devices up to and including 1.3.1 do not properly handle consecutive ATT requests on reception |
| | Co-located app BLE | | BLE | | 1 | 2019 | | | | Theoretical | [https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf](https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf) | A co-located app can obtain BLE data and thereby leak the required information??? Could we use it for relaying? |
| | BleedingBit | Imp | BLE | 4.2 - 5.0 | 1 | 2018 | | | | | https://www.armis.com/research/bleedingbit/ | |
| | GATTacking | Prot | BLE | 4.0 | 1 | 2016 | | | CSR 8510-based USB dongle | [https://github.com/securing/gattacker](https://github.com/securing/gattacker) | [https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf) | MITM BLE |
| | Crackle | Prot | BLE | 4 | 1 | 2013 | | | | [https://github.com/mikeryan/crackle](https://github.com/mikeryan/crackle) | [https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf) | Cracking BLE encryption |
| Bluez | MynameIsKeyboard | Imp | BT | | 1 | 2023 | [CVE-2023-45866](https://www.cvedetails.com/cve/CVE-2023-45866/) | 8.8 | | [https://github.com/marcnewlin/hi_my_name_is_keyboard](https://github.com/marcnewlin/hi_my_name_is_keyboard) | \- | CVE-2023-45866 |
| Antonioli | BLUFFS | Prot | BT | 4.2-5.2 | 6 | 2023 | [CVE-2023-24023](https://www.cvedetails.com/cve/CVE-2023-24023/) | 6.8 | CYW920819EVB-02 | [https://github.com/francozappa/bluffs](https://github.com/francozappa/bluffs) | | |
| | \- | Prot | BT | | 1 | 2022 | | | | | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777) | Cross-stack illegal access attack (formal methods) + CVE-2020-26560 and CVE-2020-15802, which are listed in other entries |
| | BlackTooth | Prot | BT | | 1 | 2022 | | | CYW920819EVB-02 | | [https://dl.acm.org/doi/pdf/10.1145/3548606.3560668](https://dl.acm.org/doi/pdf/10.1145/3548606.3560668) | 1 new attack (connection phase) + reused KNOB and other attacks |
| | BLAP | Prot | BT | | 1 | 2022 | | | | Theoretical | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575) | Extracting the Link Key from an HCI dump requires physical access to the car (applies only to car-sharing scenarios) |
| | Blue's Clues | Prot | BT | <=5.3 | | 2022 | [CVE-2022-24695](https://www.cvedetails.com/cve/CVE-2022-24695/) | 4.3 | Ubertooth & USRP B210 SDR | [https://github.com/TylerTucker/BluesClues](https://github.com/TylerTucker/BluesClues) | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358) | CVE-2022-24695 affects privacy; defeats the non-discoverable mode of BT/EDR |
| | unauth MITM | Prot | BT | 1.0B-5.3 | 1 | 2022 | [CVE-2022-25837](https://www.cvedetails.com/cve/CVE-2022-25837/) | 7.5 | | | [https://www.cvedetails.com/cve/CVE-2022-25837/](https://www.cvedetails.com/cve/CVE-2022-25837/) | See the CVE for details; relies on method confusion, CVE-2022-25837 |
| Braktooth | BrakTooth | Imp | BT | 3.0 - 5.2 | 16 | 2021 | [CVE-2021-28139](https://www.cvedetails.com/cve/CVE-2021-28139/) | 8.8 | ESP-WROVER-KIT | [https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks](https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks) | https://asset-group.github.io/disclosures/braktooth/ | |
| | BleedingTooth BadChoice | Imp | BT | 4.2-5.2 | 1 | 2020 | [CVE-2020-12352](https://www.cvedetails.com/cve/CVE-2020-12352/) | 6.5 | | [https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq) | [https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html) | Information leak |
| | BleedingTooth BadKarma | Imp | BT | 5.0 | 1 | 2020 | [CVE-2020-12351](https://www.cvedetails.com/cve/CVE-2020-12351/) | 8.8 | | [https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq) | [https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html) | Stack-based information leak, BlueZ |
| | BleedingTooth BadVibes | Imp | BT | 5.0+ | 1 | 2020 | [CVE-2020-24490](https://www.cvedetails.com/cve/CVE-2020-24490/) | 6.5 | | [https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649) | [https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html) | Requires BT 5.0 and above |
| | Snapdragon Auto CVEs | Imp | BT | | 4 | 2020 | | | | | [https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703](https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703) | CVE-2020-11156 Snapdragon Auto, no exploit; CVE-2020-11154, CVE-2020-11155, CVE-2020-3703 |
| | BlueRepli | Imp | BT | | 1 | 2020 | | | | No exploit yet | [https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf](https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf) | [https://github.com/DasSecurity-HatLab/BlueRepli-Plus](https://github.com/DasSecurity-HatLab/BlueRepli-Plus) |
| | UberTooth | Snif | BT | ALL | 1 | 2020 | | | Ubertooth | [https://github.com/greatscottgadgets/ubertooth](https://github.com/greatscottgadgets/ubertooth) | [https://ubertooth.readthedocs.io/en/latest/](https://ubertooth.readthedocs.io/en/latest/) | Sniffing |
| Antonioli | BIAS | Prot | BT | <=5.0 | 4 | 2019 | [CVE-2020-10135](https://www.cvedetails.com/cve/CVE-2020-10135/) | 5.4 | CYW920819, probably CYW920819M2EVB-01 | [https://github.com/francozappa/bias](https://github.com/francozappa/bias) | [https://francozappa.github.io/about-bias/](https://francozappa.github.io/about-bias/) | CVE-2020-10135 |
| | MITM SSP BT 5.0 | Prot | BT | 5 | 1 | 2018 | | | | | [https://link.springer.com/article/10.1007/s00779-017-1081-6](https://link.springer.com/article/10.1007/s00779-017-1081-6) | Passkey Entry association model vulnerable to MITM |
| BlueBorne | CVE-2017-0785 | Imp | BT | | 1 | 2017 | [CVE-2017-0785](https://www.cvedetails.com/cve/CVE-2017-0785/) | 6.5 | | | | |
| BlueBorne | CVE-2017-1000251 | Imp | BT | 5 | 4 | 2017 | [CVE-2017-1000251](https://www.cvedetails.com/cve/CVE-2017-1000251/) | 8.0 | | [https://github.com/ArmisSecurity/blueborne](https://github.com/ArmisSecurity/blueborne) | [https://www.armis.com/research/blueborne/](https://www.armis.com/research/blueborne/) | |
| | Lexus BT heap overflow | Imp | BT | | 1 | 2017 | [CVE-2020-5551](https://www.cvedetails.com/cve/CVE-2020-5551/) | 8.8 | | Theoretical | [https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/](https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/) | RCE in Lexus (LC, LS, NX, RC, RC F), Toyota Camry and Toyota Sienna (non-Japanese-made, October 2016 to October 2019) |
| | BlueEar | Snif | BT | ALL | 1 | 2016 | | | Ubertooth (2) | [https://github.com/albazrqa/BluEar](https://github.com/albazrqa/BluEar) | [https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf](https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf) | Sniffing, extends the Ubertooth code |
| | CVE-2018-19860 | Imp | BT | | 1 | 2014 | [CVE-2018-19860](https://www.cvedetails.com/cve/CVE-2018-19860/) | 8.8 | Nexus 5 (internalblue) | internalblue Nexus 5 example | | Implementation-specific attack on Broadcom chips BCM4335C0, BCM43438A1 and some others from 2012-2014 |
| | NINO MITM attack | Prot | BT | | 2 | 2010 | | | Nexus 5 (internalblue) | Theoretical + PoC provided by internalblue + simple exploit similar to method confusion | [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5374082) | NINO - No Input No Output (mitm + out-of-band mitm attack). https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4401672 |
| | Attacks on pairing | Prot | BT | 2.1 | 1 | 2008 | | | | | [https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0](https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ac095564c820f02b2793694018d419ce99279de0) | MITM, attack on 2.1 |
| | Cracking the Bluetooth PIN | Brute | BT | | 1 | 2005 | | | | Theoretical | [https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf](https://www.usenix.org/legacy/event/mobisys05/tech/full_papers/shaked/shaked.pdf) | 6 |
| | Key extraction | | BT | 1.0B | 1 | 2001 | | | | | [https://link.springer.com/chapter/10.1007/3-540-45353-9_14](https://link.springer.com/chapter/10.1007/3-540-45353-9_14) | Obsolete attack on the very old 1.0B version |
| | BadBluetooth | Prot | BT + extra | | 1 | 2019 | | | | Theoretical | [https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf](https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2019-ndss-bluetooth.pdf) | Assumptions too strong (malicious app installed + device already compromised) |
| BlueMirror | BlueMirror BT Mesh profile brute force | Prot | BT profile | 2.1-5.2 | 1 | 2021 | [CVE-2020-26556](https://www.cvedetails.com/cve/CVE-2020-26556/) | 7.5 | | | | Brute-forcing the insufficiently random AuthValue in BT Mesh 1.0 and 1.0.1 to complete authentication |
| BlueMirror | BlueMirror BT Mesh profile brute force 2 | Prot | BT profile | 2.1-5.2 | 1 | 2021 | [CVE-2020-26557](https://www.cvedetails.com/cve/CVE-2020-26557/) | 7.5 | | | | Determining the AuthValue in BT Mesh 1.0 and 1.0.1 via a brute-force attack |
| BlueMirror | BlueMirror BT Mesh profile, no brute force | Prot | BT profile | 2.1-5.2 | 1 | 2021 | [CVE-2020-26559](https://www.cvedetails.com/cve/CVE-2020-26559/) | 8.8 | | | | Authentication bypass in Mesh profile 1.0, 1.0.1; the authvalue and other data can be determined without brute force |
| BlueMirror | BlueMirror BT Mesh profile | Prot | BT Profile | 1.0B-5.2 | 1 | 2020 | [CVE-2020-26560](https://www.cvedetails.com/cve/CVE-2020-26560/) | 8.1 | | | [https://kb.cert.org/vuls/id/799380](https://kb.cert.org/vuls/id/799380) | CVE-2020-26560 - authentication bypass in Mesh profile 1.0, 1.0.1 https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325 |
| BlueMirror | BlueMirror legacy pairing | Prot | BT/BLE | 2.1-5.2 | 1 | 2021 | [CVE-2020-26555](https://www.cvedetails.com/cve/CVE-2020-26555/) | 5.4 | | | [https://kb.cert.org/vuls/id/799380](https://kb.cert.org/vuls/id/799380) | Completing pairing without knowing the PIN https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9474325 https://www.ieee-security.org/TC/SP2021/SPW2021/WOOT21/files/woot21-claverie-slides.pdf |
| BlueMirror | BlueMirror key leak | Prot | BT/BLE | 2.1-5.2 | 1 | 2021 | [CVE-2020-26558](https://www.cvedetails.com/cve/CVE-2020-26558/) | 4.2 | | | | A MitM attacker can determine the key value by reflecting the public key (1 bit of the key value leaks per attempt) |
| Antonioli | BLURTooth | Prot | BT/BLE | 4.2, 5.0, 5.1, 5.2 | 4 | 2020 | [CVE-2020-15802](https://www.cvedetails.com/cve/CVE-2020-15802/) | 5.9 | | [https://github.com/francozappa/blur](https://github.com/francozappa/blur) | [https://hexhive.epfl.ch/BLURtooth/](https://hexhive.epfl.ch/BLURtooth/) | CVE-2020-15802 |
| | Fixed Coord. Inv. Attack | Imp | BT/BLE | 2.1-5.2 | 1 | 2019 | [CVE-2018-5383](https://www.cvedetails.com/cve/CVE-2018-5383/) | | Nexus 5 (internalblue) or CY5677 | internalblue Nexus 5 example | [https://biham.cs.technion.ac.il/BT/](https://biham.cs.technion.ac.il/BT/) | MITM exploiting the encryption (implementation/protocol attack) CVE-2018-5383 |
| Antonioli | KNOB | Prot | BT/BLE | <=5.0 | 1 | 2019 | [CVE-2019-9506](https://www.cvedetails.com/cve/CVE-2019-9506/) | 8.1 | Nexus 5 (internalblue) | [https://github.com/francozappa/knob](https://github.com/francozappa/knob) | [https://knobattack.com/](https://knobattack.com/) | [CVE-2019-9506](https://vuldb.com/?source_cve.140090) |
| | Ghost attack | Prot | BT/BLE? | | 2 | 2023 | | | | | [https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s119_paper.pdf) | Ghost attack and group guessing attack |
| | Qualcomm 9206 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-40503](https://www.cvedetails.com/cve/CVE-2022-40503/) | 8.2 | | | [https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503](https://www.cvedetails.com/cve/CVE-2022-40503/?q=CVE-2022-40503) | Out-of-bounds buffer read in the A2DP profile |
| | Qualcomm APQ8009 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-40537](https://www.cvedetails.com/cve/CVE-2022-40537/) | 7.3 | | | [https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537](https://www.cvedetails.com/cve/CVE-2022-40537/?q=CVE-2022-40537) | Memory corruption when processing the AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response |
| | Qualcomm WSA8815 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-33280](https://www.cvedetails.com/cve/CVE-2022-33280/) | 7.3 | | | [https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280](https://www.cvedetails.com/cve/CVE-2022-33280/?q=CVE-2022-33280) | Memory corruption when processing AVRCP packets |
| | Qualcomm WSA8835 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-33255](https://www.cvedetails.com/cve/CVE-2022-33255/) | 8.2 | | | [https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255](https://www.cvedetails.com/cve/CVE-2022-33255/?q=CVE-2022-33255) | Bluetooth HOST out-of-bounds buffer read when processing GetFolderItems, GetItemAttributes |
| | Qualcomm WSA8835 | Imp | BT/BLE? | | 1 | 2022 | [CVE-2022-22088](https://www.cvedetails.com/cve/CVE-2022-22088/) | 9.8 | | | [https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088](https://www.cvedetails.com/cve/CVE-2022-22088/?q=CVE-2022-22088) | Bluetooth host buffer overflow when processing a response from the remote end |
| | SnapDragon Auto | Imp | BT/BLE? | | 1 | 2021 | [CVE-2021-35068](https://www.cvedetails.com/cve/CVE-2021-35068/) | 9.8 | | | [https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068](https://www.cvedetails.com/cve/CVE-2021-35068/?q=CVE-2021-35068) | Null pointer dereference when releasing the HFP profile |
| | Method Confusion | Prot | BT/BLE? | 2.1-5.2 | 1 | 2020 | [CVE-2020-10134](https://www.cvedetails.com/cve/CVE-2020-10134/) | 6.3 | Many options with different capabilities. | [https://github.com/maxdos64/BThack](https://github.com/maxdos64/BThack) | [https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf](https://www.sec.in.tum.de/i20/publications/method-confusion-attack-on-bluetooth-pairing/@@download/file/conference-proceeding.pdf) | MITM between 2 BLE or BR/EDR devices. Requires special hardware, CVE-2020-10134 |
| | BlueSnarf revisited | Imp | OBEX | | 1 | 2011 | | | | | [https://inria.hal.science/hal-01587858/document](https://inria.hal.science/hal-01587858/document) | OBEX path traversal (FTP) |
The YAML DSL reference syntax is available [here](SYNTAX-REFERENCE.md).
### License
BlueToolkit is licensed under a [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License][cc-by-nc-sa].
For enquiries, get in touch via [https://linktr.ee/schwytz](https://linktr.ee/schwytz).
Tags: BLE, BlueToolkit, BR/EDR, man-in-the-middle, semi-automated testing, security report generation, reconnaissance, denial of service, automotive security, vulnerability testing framework, vulnerability research, IoT security, programming tools, cybersecurity, Bluetooth Low Energy, Bluetooth security, Bluetooth attack framework, Bluetooth vulnerabilities, Bluetooth hacking, remote code execution, reverse engineering tools, privacy, black-box testing