
ToothPicker: Apple Picking in the iOS Bluetooth Stack (slide deck)

  1. ToothPicker: Apple Picking in the iOS Bluetooth Stack. Dennis Heinze, Jiska Classen, Matthias Hollick. Technische Universität Darmstadt, Secure Mobile Networking Lab (SEEMOO); ERNW Enno Rey Netzwerke GmbH

  2. Bluetooth in the Apple Ecosystem Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 2

  3. Bluetooth in the Apple Ecosystem. The Apple ecosystem encourages turning on Bluetooth: Handoff, Apple Watch, Continuity, AirPods (and Bluetooth headphones in general), Apple TV Remote, …

  4-7. Bluetooth in the Apple Ecosystem. Three different Bluetooth stack implementations:
       - iOS: implements most of Apple's proprietary Bluetooth protocols, and is carried around by people
       - macOS: recent work: blogs.360.cn/post/macOS_Bluetoothd_0-click.html
       - RTKit (AirPods, Siri Remote, …): difficult to inspect (no debugging, no logs)

  8. Bluetooth on iOS. While it is not a "remote" zero-click attack surface for targeted attacks, Bluetooth RCEs are easily wormable.

  9. Proprietary Bluetooth Protocols

     Category              | Protocol              | iOS | macOS | RTKit
     Fixed L2CAP Channels  | MagicPairing          | ✓   | ✓     | ✓
                           | Magnet                | ✓   | ✓     | -
                           | LEA{P,S}              | ✓   | -     | ✓
                           | FastConnect Discovery | ✓   | ✓     | ✓
                           | DoAP                  | ✓   | ✓     | ✓
     L2CAP Channels        | ExternalAccessory     | ✓   | ✓     | ✓
                           | AAP                   | ✓   | ✓     | ✓
                           | Magnet Channels       | ✓   | ✓     | -
                           | FastConnect           | ✓   | ✓     | ✓
                           | Apple Pencil GATT     | -   | ✓     | ✓
     Other                 | BRO/UTP               | -   | -     | ✓
                           | USB OOB Pairing       | -   | -     | ✓

  10. Fuzzing iOS bluetoothd

  11. Bluetooth on iOS: bluetoothd
      - Lots of interaction with different system daemons (bluetoothaudiod, sharingd, …)
      - Constant interaction with the Bluetooth chip
      - Multiple threads: StackLoop (for HCI (1)), RxLoop, TxLoop, …
      - Huge binary file
      - (Almost) no symbols
      1: Host Controller Interface, the interface used to interact with the BT chip

  12. Over-the-Air Fuzzing. Fuzzing data is sent from an attacker iPhone running InternalBlue (1) to the target iPhone; a macOS machine with PacketLogger observes the traffic.
      1: https://github.com/seemoo-lab/internalblue

  13. Over-the-Air Fuzzing: trade-offs
      + few false positives
      + platform independence
      - connection termination
      - speed
      - coverage / feedback

  14. Fuzzing bluetoothd
      - Coverage: Frida Stalker
      - Feedback on crashes: Frida Exception Handler
      - No physical connection: virtual connections by code injection, hence no connection termination

  15. ToothPicker

  16-17. In-Process Fuzzing

  18-23. In-Process Fuzzing. The fuzzing harness is split into a general fuzzing harness and a specialized fuzzing harness, connected in a loop:
         1. Generate fuzzing input (general fuzzing harness)
         2. Send fuzzing input to the specialized fuzzing harness
         3. Execute the reception handler on it
         4. Report basic-block (BB) coverage or crash back to the general harness
         5. Store the coverage information for the input
         6a. If new coverage: add the input to the corpus
         6b. If crash: store the input and crash type (optional: put the corpus in a blocklist)
         7. Send crashes to the OTA fuzzer to verify

  24-25. In-Process Fuzzing

  26-27. In-Process Fuzzing. The reception handler we want to call:

           void acl_reception_handler(short handle, size_t len, char *data)

         handle: connection handle value of the Bluetooth connection (we need to create this!)
         len, data: length and data of the received ACL data
         The functions and structures are named by us; Apple stripped all these symbols.

  28-30. In-Process Fuzzing. Creating the connection:

           bt_connection_t *allocate_connection(char *bd_addr, int state)

         creates a Bluetooth connection structure. Set the handle value of the connection:

           *(short *)connection = 0x11;

         Now we can call the reception handler with our fuzzing data:

           acl_reception_handler(0x11, len, data);

         The functions and structures are named by us; Apple stripped all these symbols.

  31. In-Process Fuzzing
      - Forge connection: call allocate_connection to create the connection object; set the handle value of the connection
      - Filter BT chip interaction: overwrite other HCI-related functions that confuse bluetoothd (the connection is not real and the BT chip does not know the handle value)
      - Stabilize connection: overwrite functions that force-disconnect the handle
      ➡ Similar process for BLE connections (more complex connection creation)
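The loop of slides 18-23 and the forged-connection recipe of slides 26-31, as one added example in Python. This is not code from the ToothPicker project or the slides: only the names acl_reception_handler and allocate_connection come from the deck; hci_send, force_disconnect, bb, forge_connection, mutate, fuzz, the CIDs 0x0001 and 0x003F, the opcode 0x0405, the 23-byte receive buffer and the planted length bug are all constructed here to stand in for the stripped bluetoothd. Frida Stalker is replaced by a trace list the target appends to, and Interceptor.replace by reassigning module globals; in a real harness both happen inside bluetoothd via Frida.

```python
"""Added example, not ToothPicker's code: in-process coverage-guided fuzzing
(slides 18-23) through a forged connection (slides 26-31) against a toy stand-in
for bluetoothd's ACL reception handler. Bodies, CIDs, opcode and bug are constructed."""
import random

TRACE = []          # basic-block ids in execution order for the current run
CONNECTIONS = {}    # handle -> connection object (bluetoothd's connection table)


def bb(block_id):                        # Stalker stand-in: record an executed basic block
    TRACE.append(block_id)


def hci_send(opcode, handle):            # would queue an HCI command for the chip,
    raise RuntimeError("HCI 0x%04x for handle 0x%x the chip never saw" % (opcode, handle))


def force_disconnect(handle):            # bluetoothd tears the connection down on errors
    CONNECTIONS.pop(handle, None)


def allocate_connection(bd_addr, state):  # the caller fills in the handle (slide 29)
    return {"bd_addr": bd_addr, "state": state, "handle": None, "mtu": 23}


def acl_reception_handler(handle, data):
    """Parse one ACL frame as an L2CAP basic header: length, CID, payload."""
    bb(0)
    conn = CONNECTIONS.get(handle)
    if conn is None:                     # data for an unknown handle is dropped
        bb(1)
        return "unknown-handle"
    if len(data) < 4:
        bb(2)
        force_disconnect(handle)
        return "short-frame"
    length = int.from_bytes(data[0:2], "little")
    cid = int.from_bytes(data[2:4], "little")
    payload = data[4:]
    if cid == 0x0001:                    # L2CAP signalling channel
        bb(3)
        if payload[:1] == b"\x02":       # connection request: answered via HCI
            bb(4)
            hci_send(0x0405, handle)
            return "conn-req"
        bb(5)
        return "signalling"
    if cid == 0x003F:                    # constructed "proprietary" fixed channel
        bb(6)
        buf = bytearray(conn["mtu"])
        for i in range(length):          # BUG: trusts the wire length field;
            buf[i] = payload[i]          # IndexError stands in for the C OOB access
        bb(7)
        return "proprietary"
    bb(8)
    force_disconnect(handle)
    return "unknown-cid"


def forge_connection(handle=0x11, hook_chip=True):
    """Slide 31: allocate the connection, set its handle and, if asked, replace the
    chip-facing functions so the fake handle is neither sent to the chip nor
    force-disconnected (Interceptor.replace stand-in: reassign the globals)."""
    global hci_send, force_disconnect
    conn = allocate_connection("aa:bb:cc:dd:ee:ff", state=1)
    conn["handle"] = handle              # *(short *)connection = 0x11;
    CONNECTIONS[handle] = conn
    if hook_chip:
        hci_send = lambda opcode, h: None
        force_disconnect = lambda h: None
    return conn


def mutate(rng, data):                   # byte-level mutator: flip, insert, delete, append
    d = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and d:
        d[rng.randrange(len(d))] = rng.randrange(256)
    elif op == 1:
        d.insert(rng.randrange(len(d) + 1), rng.randrange(256))
    elif op == 2 and len(d) > 1:
        del d[rng.randrange(len(d))]
    else:
        d += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(d)


def fuzz(seeds, iterations, handle=0x11, seed=1):
    """Steps 1-7 of the slide loop; returns (corpus, crashes, verify_queue)."""
    rng = random.Random(seed)
    corpus, seen, crashes, blocklist, verify_queue = list(seeds), set(), {}, set(), []

    def run(data):                       # steps 2-4: send, execute handler, report
        del TRACE[:]
        try:
            acl_reception_handler(handle, data)
        except Exception as exc:         # Frida exception handler stand-in
            return frozenset(TRACE), exc
        return frozenset(TRACE), None

    for data in seeds:                   # step 5 for the seeds: baseline coverage
        seen |= run(data)[0]
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))           # step 1
        if data in blocklist:
            continue
        cov, exc = run(data)
        if exc is not None:                              # step 6b: crash type + last block
            crashes.setdefault((type(exc).__name__, TRACE[-1]), data)
            blocklist.add(data)
            verify_queue.append(data)                    # step 7: replay over the air
        elif not cov <= seen:                            # step 6a: new basic blocks
            seen |= cov
            corpus.append(data)
    return corpus, crashes, verify_queue
```

Call forge_connection() once, then fuzz() with a couple of well-formed frames as seeds; without the chip hooks a single malformed frame force-disconnects the forged handle and every later input is dropped as "unknown-handle", which is exactly the stabilization problem slide 31 describes.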

  32. Results

  33. Bluetooth Protocol Targets (↑: high accessibility or high knowledge; ?: unknown)

      Category             | Protocol              | iOS | macOS | RTKit | Accessibility | Proprietary | Knowledge | Target
      Fixed L2CAP Channels | MagicPairing          | ✓   | ✓     | ✓     | ↑             | ✓           | ↑         | ✓
                           | GATT                  | ✓   | ✓     | (✓)   | ↑             |             | ↑         | ✓
                           | Signal Channel        | ✓   | ✓     | ✓     | ↑             |             | ↑         | ✓
                           | Magnet                | ✓   | ✓     | -     | ?             | ✓           | -         | ✓
                           | LEA{P,S}              | ✓   | -     | ✓     | -             | ✓           | ✓         | ✓
                           | FastConnect Discovery | ✓   | ✓     | ✓     | ↑             | ✓           | ↑         | ✓
      L2CAP Channels       | SDP                   | ✓   | ✓     | ✓     | ↑             |             | ↑         | ✓
      Other                | ACL                   | ✓   | ✓     | ✓     | ↑             |             | ↑         | ✓
