ToothPicker: Apple Picking in the iOS Bluetooth Stack (PowerPoint PPT Presentation)



SLIDE 1

ToothPicker

Apple Picking in the iOS Bluetooth Stack

Dennis Heinze, Technische Universität Darmstadt, Secure Mobile Networking Lab - SEEMOO, ERNW Enno Rey Netzwerke GmbH
Jiska Classen, Matthias Hollick, Technische Universität Darmstadt, Secure Mobile Networking Lab - SEEMOO

SLIDE 2

Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack

Bluetooth in the Apple Ecosystem

SLIDE 3

Bluetooth in the Apple Ecosystem

The Apple ecosystem encourages turning on Bluetooth: Handoff, Continuity, AirPods (BT headphones in general), Apple Watch, Apple TV Remote, …

SLIDE 7

Bluetooth in the Apple Ecosystem

Three different Bluetooth stack implementations: macOS, iOS, RTKit (AirPods, Siri Remote, …)

Recent work: blogs.360.cn/post/macOS_Bluetoothd_0-click.html

Difficult to inspect (no debugging, no logs)

Implements most of Apple's proprietary Bluetooth protocols + is carried around by people

SLIDE 8

Bluetooth on iOS

While it’s not a “remote” zero-click attack surface for targeted attacks, Bluetooth RCEs are easily wormable

SLIDE 9

Proprietary Bluetooth Protocols

Category               Protocol               iOS  macOS  RTKit
Fixed L2CAP Channels   MagicPairing           ✓    ✓      ✓
                       Magnet                 ✓    ✓
                       LEA{P,S}
                       FastConnect Discovery  ✓    ✓      ✓
                       DoAP                   ✓    ✓      ✓
L2CAP Channels         ExternalAccessory      ✓    ✓      ✓
                       AAP                    ✓    ✓      ✓
                       Magnet Channels        ✓    ✓
                       FastConnect            ✓    ✓      ✓
GATT                   Apple Pencil
Other                  BRO/UTP
                       USB OOB Pairing

SLIDE 10

Fuzzing iOS bluetoothd

SLIDE 11

Bluetooth on iOS

[Diagram: bluetoothd exchanging data with bluetoothaudiod, sharingd, ... and with the Bluetooth Chip]

  • Lots of interaction with different system daemons
  • Constant interaction with the Bluetooth Chip
  • Multiple threads
    • StackLoop (for HCI1)
    • RxLoop
    • TxLoop
  • Huge binary file
  • (Almost) no symbols

1: Host Controller Interface, interface to interact with BT Chip

SLIDE 13

Over-the-Air Fuzzing

[Diagram: attacker iPhone with InternalBlue1 sends fuzzing data to the target iPhone; macOS with PacketLogger captures the traffic]

1: https://github.com/seemoo-lab/internalblue

+ few false positives
+ platform independence

- connection termination
- speed
- coverage / feedback

SLIDE 14

Fuzzing bluetoothd

  • Coverage → FЯIDA Stalker
  • Feedback on crashes → FЯIDA Exception Handler
  • No physical connection, no connection termination → Virtual connections by code injection

SLIDE 15

ToothPicker

SLIDE 16

In-Process Fuzzing

SLIDE 23

In-Process Fuzzing

[Diagram: general fuzzing harness and specialized fuzzing harness feeding the fuzzing harness, with Coverage, Corpus and Crashes stores]

1. Generate fuzzing input
2. Send fuzzing input
3. Execute reception handler
4. Report BB coverage or crash
5. Store coverage information for input
6a. If new coverage: add input to corpus
6b. If crash: store input and crash type (optional: put corpus in blocklist)
7. Send to OTA fuzzer to verify
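The loop on this slide (steps 1 through 7) as an added example, not code from ToothPicker itself: a coverage-guided fuzzing loop in Python, with a constructed toy handler standing in for bluetoothd's acl_reception_handler and hand-labelled basic blocks standing in for Frida Stalker coverage. The names (Fuzzer, mutate, run_one, step), the frame layout and the toy handler's bug are assumptions of this example.

```python
import random
from dataclasses import dataclass, field

# Constructed stand-in for bluetoothd's ACL reception handler: parses a minimal
# L2CAP-style frame (2-byte length, 2-byte CID, payload) and labels its own basic
# blocks, the feedback ToothPicker takes from the Frida Stalker. payload[7] is a made-up bug.
def acl_reception_handler(data: bytes, cov: set) -> None:
    cov.add("entry")
    if len(data) < 4:
        cov.add("short"); return
    length, cid, payload = data[0] | data[1] << 8, data[2] | data[3] << 8, data[4:]
    if length != len(payload):
        cov.add("len_mismatch"); return
    if cid == 0x0001:                          # L2CAP signaling channel
        cov.add("signal")
        if payload and payload[0] == 0x02:     # connection request opcode
            cov.add("sig_conn_req"); _ = payload[7]   # IndexError if truncated

@dataclass
class Fuzzer:
    corpus: list                                      # seeds; step 1 mutates one
    rng: random.Random
    coverage: set = field(default_factory=set)        # step 5: accumulated BBs
    crashes: list = field(default_factory=list)       # step 6b: (input, crash type)
    blocklist: set = field(default_factory=set)       # step 6b, optional: seeds to skip
    verify_queue: list = field(default_factory=list)  # step 7: hand to the OTA fuzzer
    def mutate(self, seed: bytes) -> bytes:
        # stand-in for radamsa: flip one bit, insert a byte, or truncate
        buf, op = bytearray(seed), self.rng.randrange(3)
        if op == 0 and buf:
            buf[self.rng.randrange(len(buf))] ^= 1 << self.rng.randrange(8)
        elif op == 1:
            buf.insert(self.rng.randrange(len(buf) + 1), self.rng.randrange(256))
        elif buf:
            del buf[self.rng.randrange(len(buf)):]
        return bytes(buf)
    def run_one(self, data: bytes):
        # steps 2-4: deliver the input, get back the BBs hit or the crash type
        cov = set()
        try:
            acl_reception_handler(data, cov); return cov, None
        except Exception as exc:                      # the Frida exception handler's job
            return cov, type(exc).__name__
    def step(self) -> None:
        seed = self.rng.choice([s for s in self.corpus if s not in self.blocklist] or self.corpus)
        data = self.mutate(seed)
        cov, crash = self.run_one(data)
        if crash:                                     # step 6b: keep input, skip seed, verify OTA
            self.crashes.append((data, crash)); self.blocklist.add(seed); self.verify_queue.append(data)
        elif not cov <= self.coverage:                # step 6a: new coverage, keep the input
            self.corpus.append(data)
        self.coverage |= cov
```

Each crash is recorded together with the input and crash type and queued for over-the-air verification, which is the reason step 7 exists: an in-process crash may depend on the forged connection state rather than on real packets.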

SLIDE 24

In-Process Fuzzing

SLIDE 27

In-Process Fuzzing

void acl_reception_handler(short handle, size_t len, char *data)

handle: connection handle value of the Bluetooth connection (we need to create this!)
len, data: data and length of received ACL data

The functions and structures are named by us, Apple stripped all these symbols

SLIDE 30

In-Process Fuzzing

bt_connection_t *allocate_connection(char *bd_addr, int state)

Create a Bluetooth connection structure

Set the handle value of the connection:

*(short*)connection = 0x11;

Now we can call the reception handler with our fuzzing data:

acl_reception_handler(0x11, len, data);

The functions and structures are named by us, Apple stripped all these symbols

SLIDE 31

In-Process Fuzzing

  • Forge connection
    • Call allocate_connection to create connection object
    • Set handle value of the connection
  • Filter BT chip interaction
    • Overwrite other HCI-related functions that confuse bluetoothd (the connection is not real and the BT chip does not know the handle value)
  • Stabilize connection
    • Overwrite functions that force-disconnect the handle

➡ Similar process for BLE connections (more complex connection creation)

SLIDE 32

Results

SLIDE 33

Bluetooth Protocol Targets

Category               Protocol               iOS  macOS  RTKit  Accessibility / Proprietary Knowledge / Target
Fixed L2CAP Channels   MagicPairing           ✓    ✓      ✓      ↑ ✓ ↑ ✓
                       GATT                   ✓    ✓      (✓)    ↑ ↑ ✓
                       Signal Channel         ✓    ✓      ✓      ↑ ↑ ✓
                       Magnet                 ✓    ✓      ?
                       LEA{P,S}               ✓    ✓
                       FastConnect Discovery  ✓    ✓      ✓      ↑ ✓ ↑ ✓
L2CAP Channels         SDP                    ✓    ✓      ✓      ↑ ↑ ✓
Other                  ACL                    ✓    ✓      ✓      ↑ ↑ ✓

SLIDE 34

Performance

  • 25-30 messages per second
  • bottlenecks:
    • FЯIDA instrumentation
    • radamsa input mutation1
    • on newer devices: Pointer Authentication
  • Accumulated coverage: ~6,000 BBs of 153,620 BBs
    • coverage is only a small part of bluetoothd
    • however, ACL-based Bluetooth protocols prior to pairing are also only a small part of bluetoothd
    • hard to determine the exact number of BBs for these

1: https://gitlab.com/akihe/radamsa/-/issues/66

SLIDE 35

Results

ID      Description      Effect                  Detection Method  OS   Disclosure   Status
MP1     Ratchet AES SIV  Crash                   ToothPicker       iOS  Oct 30 2019  Not fixed
MP2     Hint             Crash                   ToothPicker       iOS  Dec 4 2019   Not fixed
MP7     Ratchet AES SIV  Crash                   ToothPicker       iOS  Mar 13 2020  Not fixed
MP8     Ratchet AES SIV  Crash                   ToothPicker       iOS  Mar 13 2020  Not fixed
L2CAP2  Group Message    Crash                   ToothPicker       iOS  Mar 13 2020  Not fixed
LEAP1   Version Leak     Information Disclosure  Manual            iOS  Mar 31 2020  Not fixed
SMP1    SMP OOB          Partial PC Control      ToothPicker       iOS  Mar 31 2020  Fixed in iOS 13.5: CVE-2020-9838
SIG1    Missing Checks   DoS                     ToothPicker       iOS  Mar 31 2020  Fixed in iOS 13.6: CVE-2020-9931

SLIDE 37

ToothPicker

github.com/seemoo-lab/toothpicker
dennis@bluetooth.lol
jiska@bluetooth.lol
mhollick@seemoo.de
Twitter: @ttdennis @naehrdine @seemoolab