
Comments (10)

Matheus-Garbelini avatar Matheus-Garbelini commented on July 16, 2024

Hi @cxjcxggg unfortunately not.
ESP32 (and Microchip) uses intellectual property from the Riviera Waves RF subsystem for Bluetooth and Wi-Fi, so even if Espressif wanted to, they cannot share their source code for legal reasons (NDA).

from sweyntooth_bluetooth_low_energy_attacks.

RayCxggg avatar RayCxggg commented on July 16, 2024

Hi @Matheus-Garbelini , sad to know that. I am also interested in zephyr vulnerabilities you found. The zephyr project is open-source, does that mean I can have the source code which triggers the CVEs?

from sweyntooth_bluetooth_low_energy_attacks.

Matheus-Garbelini avatar Matheus-Garbelini commented on July 16, 2024

@cxjcxggg yes, for zephyr you can find the specific merges here:
https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10069

from sweyntooth_bluetooth_low_energy_attacks.

RayCxggg avatar RayCxggg commented on July 16, 2024

@Matheus-Garbelini , I got it, thanks a lot!

from sweyntooth_bluetooth_low_energy_attacks.

RayCxggg avatar RayCxggg commented on July 16, 2024

Hi @Matheus-Garbelini , it's me again. I won't open a new issue so that I won't bother you. I am trying to reproduce the invalid channel map vulnerability (CVE-2020-10069) on the Zephyr project. It is fixed in Zephyr v2.3.0, so I need to use v2.2.0 or v2.2.1. I successfully connected the nrf52840 dongle with the nrf52840 DK via Bluetooth using the bluetooth peripheral sample in the latest Zephyr project. But when I try to build the sample in Zephyr v2.2.0, some problems arise because of the different Zephyr project version.

(screenshot)

Therefore, I think I may also need to change the Zephyr SDK's version so that it could work with zephyr v2.2.0. But which one should I use? How can I reproduce the attack? Thank you so much.

from sweyntooth_bluetooth_low_energy_attacks.

Matheus-Garbelini avatar Matheus-Garbelini commented on July 16, 2024

from sweyntooth_bluetooth_low_energy_attacks.

RayCxggg avatar RayCxggg commented on July 16, 2024

Hi @Matheus-Garbelini , thanks for your help. I have addressed the issues about the zephyr project.

Then I set the nrf52840 dongle in DFU mode and used the command nrfutil dfu usb-serial -p COM_PORT -pkg nRF52_driver_firmware.zip to flash the firmware; "Device programmed" is printed (the blue LED goes off). So I replug the dongle (the green LED begins to blink) and open the Bluetooth Low Energy app in nRF Connect for Desktop, but encounter the problem shown below.

(screenshots)

So I try to manually flash the firmware with the Programmer app in nRF Connect for Desktop, but it still fails.

(screenshots)

I close the Programmer and open the BLE app, but the device can't be opened.

(screenshots)

I don't know which step goes wrong. Do I have to use the firmware you provide? I can establish a BLE connection with my nrf52840 DK with the sniffer hex on the nrf52840 dongle. Can I run invalid_channel_map.py with the sniffer firmware?

from sweyntooth_bluetooth_low_energy_attacks.

Matheus-Garbelini avatar Matheus-Garbelini commented on July 16, 2024

Hi @cxjcxggg I'm not sure what you are trying to do. The sniffer and our attacker firmware are different things.

If you see your LED blinking green after flashing our firmware, then you can run the exploits. Do not try to use it as a sniffer instead.
Let me know how it goes.

Regards.

from sweyntooth_bluetooth_low_energy_attacks.

RayCxggg avatar RayCxggg commented on July 16, 2024

Hi @Matheus-Garbelini , sorry for the confusion. I have finally successfully reproduced the vulnerability! Lol!

(screenshots)

I always thought that I needed to connect the nrf52840 dongle to the peripheral before running the script. What I was trying to say yesterday is that I couldn't establish the Bluetooth connection with the peripheral after flashing the firmware. So I actually got stuck because of a misunderstanding about the way to use the script you provide.

Anyway, I am so excited. Appreciate your kindness a lot!

Regards.

from sweyntooth_bluetooth_low_energy_attacks.

Matheus-Garbelini avatar Matheus-Garbelini commented on July 16, 2024

@cxjcxggg good to know. Use it with responsibility 😃 👍

Division by zero is always funny.

from sweyntooth_bluetooth_low_energy_attacks.
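The "division by zero" remark above refers to what an invalid channel map does to the controller's channel selection. The following is an added example, not code from this thread or from the SweynTooth repository: it models BLE channel selection algorithm #1 over the 37 data channels, shows where an all-zero map from an LL_CHANNEL_MAP_IND reaches a division by zero, and the controller-side validation (at least two used channels, as the Core specification requires) that rejects such a map before it is used. The function names and the constructed sample maps are the example's own.

```python
# Added example (not the thread's or the project's code): channel selection
# algorithm #1 with and without channel-map validation. Sample maps below are constructed.
NUM_DATA_CHANNELS = 37


def used_channels(chm: bytes) -> list:
    """Decode a 5-byte little-endian channel map into the list of used channel indices."""
    if len(chm) != 5:
        raise ValueError("channel map must be 5 bytes")
    bits = int.from_bytes(chm, "little")
    return [ch for ch in range(NUM_DATA_CHANNELS) if (bits >> ch) & 1]


def select_channel_unchecked(last_unmapped: int, hop: int, used: list) -> int:
    """Algorithm #1 as written without validation: an unused channel is remapped with
    `% len(used)`, which raises ZeroDivisionError when no channel is marked used."""
    unmapped = (last_unmapped + hop) % NUM_DATA_CHANNELS
    if unmapped in used:
        return unmapped
    return used[unmapped % len(used)]  # division by zero for an all-zero map


def validate_channel_map(chm: bytes) -> bool:
    """Defender-side check: the Core spec requires a minimum of two used data channels."""
    return len(used_channels(chm)) >= 2


def select_channel(last_unmapped: int, hop: int, chm: bytes) -> int:
    """Hardened path: reject a non-conforming map instead of feeding it to the hop logic."""
    if not validate_channel_map(chm):
        raise ValueError("rejecting LL_CHANNEL_MAP_IND: fewer than two used channels")
    return select_channel_unchecked(last_unmapped, hop, used_channels(chm))


def unchecked_divides_by_zero(chm: bytes) -> bool:
    """Report whether the unvalidated selector crashes on this map (for demonstration)."""
    try:
        select_channel_unchecked(0, 5, used_channels(chm))
        return False
    except ZeroDivisionError:
        return True


if __name__ == "__main__":
    ALL_USED = b"\xff\xff\xff\xff\x1f"   # constructed: all 37 channels used
    ALL_ZERO = b"\x00\x00\x00\x00\x00"   # constructed: invalid, no channel used
    print("unchecked crashes on all-zero map:", unchecked_divides_by_zero(ALL_ZERO))
    print("validated map accepted:", validate_channel_map(ALL_USED))
```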
