
BlueToolkit

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. It can be used for vulnerability research, penetration testing and Bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way.

Install / Use

/learn @sgxgsx/BlueToolkit

README

Extensible Bluetooth vulnerability testing framework for BR/EDR and BLE.

Docs (https://github.com/sgxgsx/BlueToolkit/wiki) • Installation • Usage • Exploits • Hardware • TODOs • Automotive Evaluation (https://github.com/sgxgsx/BlueToolkit/tree/development/evaluation/README.md) • Bluetooth Resources • License

BlueToolkit is a modular, black-box Bluetooth security testing framework for Bluetooth Classic (BR/EDR) and Bluetooth Low Energy (BLE). It supports semi-automated testing and has three main modules:

  • Recon: gathers Bluetooth capabilities and security configuration.
  • Exploit: executes tests for (currently) 43 public exploits (MitM, RCE, DoS, etc.). The vulnerability templates are in the exploits folder. Support for more can be added by TODO.
  • Report: generates structured, machine- and human-readable JSON reports.

We evaluated BlueToolkit on 22 cars from different vendors (Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla) and uncovered 128 vulnerabilities.

In addition, we show how to hijack online accounts via MAP, either for already established connections or from a MitM position.

This work led to a research paper accepted at WOOT '25: add missing link when we have it

Installation

BlueToolkit can be installed on bare-metal Ubuntu/Debian systems (recommended) or in a virtual machine. In both cases the installer will prompt to install the specific modules for Braktooth and BluetoothAssistant, which require specific hardware devices to be available and plugged in. Individual modules can also be installed separately by running the installer again.

Normal installation:

    git clone https://github.com/sgxgsx/BlueToolkit
    chmod +x ./BlueToolkit/install.sh
    sudo ./BlueToolkit/install.sh [-dev]

VM installation

Prerequisites:

  • Virtualbox https://www.virtualbox.org
  • vagrant https://developer.hashicorp.com/vagrant/install?product_intent=vagrant

    git clone https://github.com/sgxgsx/BlueToolkit --recurse-submodules
    cd BlueToolkit/vagrant
    vagrant up

After Installation:

You need to allow the virtual machine to access the Bluetooth module or any additional hardware over USB:

  • USB support is already enabled in the VM configuration, so open VirtualBox
  • Find the running virtual machine and click on "Show"
  • Click on "Devices" -> "USB"
  • You will be presented with multiple devices that you can pass through to the virtual machine
  • Tick any device that you need (Bluetooth module, hardware, phone), or tick all devices to be sure.

Usage

Run bluekit -h to display BlueToolkit usage information:

usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...

positional arguments:
  rest

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target MAC address
  -l, --listexploits    List exploits or not
  -c, --checksetup      Check whether Braktooth is available and setup
  -ct, --checktarget    Check connectivity and availability of the target
  -ch, --checkpoint     Start from a checkpoint
  -v VERBOSITY, --verbosity VERBOSITY
                        Verbosity level
  -ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]
                        Exclude exploits, example --exclude exploit1, exploit2
  -e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...]
                        Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account
  -r, --recon           Run a recon script
  -re, --report         Create a report for a target device
  -rej, --reportjson    Create a report for a target device
  -hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
                        Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account

Some usage examples are:

  • List all available exploits (no root required):

    bluekit -l

  • Run recon:

    sudo bluekit -t AA:BB:CC:DD:EE:FF -r

  • Test connectivity:

    sudo bluekit -t AA:BB:CC:DD:EE:FF -ct

  • Test one or more exploits (space separated):

    sudo bluekit -t AA:BB:CC:DD:EE:FF -e invalid_max_slot au_rand_flooding internalblue_knob

More documentation is available in our wiki.

Hardware

Some attacks require specific hardware:

  • ESP-WROVER-KIT-VE for Braktooth vulnerabilities
  • Nexus5 phone for Internalblue. It could be replaced with a CYW20735, but two exploits won't work and it would need a new hardware profile.
  • CYW920819M2EVB-01 for BIAS, BLUR and BLUFFS attacks.

Available Bluetooth Vulnerabilities and Attacks

BlueToolkit automatically downloads all vulnerability and hardware templates. The BlueToolkit templates repository provides a full list of ready-to-use templates. Additionally, you can write your own templates and checks, as well as add new hardware, by following BlueToolkit's templating guide. The YAML reference syntax is available here.

We collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way. We used the following sources: ACM, IEEE S&P, Black Hat, DEF CON, Car Hacking Village, NDSS, and Google Scholar. We looked for the following keywords in search engines such as Google, Baidu, Yandex and Bing: Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework, bluetooth pentesting toolkit. We also parsed all GitHub repositories matching the following parameters: topic:bluetooth topic:exploit, topic:bluetooth topic:security.

Currently BlueToolkit checks the following vulnerabilities and attacks:

For manual attacks refer to the documentation.

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
|----------------------------------------------| :---: | :---: | :---: | :---: | :---: |
| Always pairable | Chaining | Chaining | Manual | | ✓ |
| Only vehicle can initiate a connection | Chaining | Chaining | Manual | | ✓ |
| Fast reboot | Chaining | Chaining | Manual | | ✓ |
| SC not supported | Chaining | Info | Automated | | ✓ |
| possible check for BLUR | Chaining | Info | Automated | | ✓ |
| My name is keyboard | Critical | RCE | Semi-automated | | ✓ |
| CVE-2017-0785 | Critical | Memory leak | Automated | | ✓ |
| CVE-2018-19860 | Critical | Memory execution | Automated | | ✓ |
| V13 Invalid Max Slot Type | DoS | DoS | Automated | ✓ | ✓ |
| V3 Duplicated IOCAP | DoS | DoS | Automated | ✓ | ✓ |
| NiNo check | MitM | MitM | Semi-automated | | ✓ |
| Legacy pairing used | MitM | MitM | Automated | | ✓ |
| KNOB | MitM | MitM | Semi-automated | ✓ | ✓ |
| CVE-2018-5383 | MitM | MitM | Automated | ✓ | ✓ |
| Method Confusion attack | MitM | MitM | Automated | | ✓ |
| SSP supported <= 4.0 weak crypto or SSP at all | MitM | Info/MitM | Automated | | ✓ |
| CVE-2020-24490 | Critical | DoS | Automated | | ✓ |
| CVE-2017-1000250 | Critical | Info leak | Automated | | ✓ |
| CVE-2020-12351 | Critical | RCE/DoS | Automated | | ✓ |
| CVE-2017-1000251 | Critical | RCE/DoS | Automated | | ✓ |
| V1 Featur
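As an added example (not BlueToolkit's own code), the script below parses the catalogue table above and turns its "Verification type" and "Hardware req." columns into a test plan, separating checks that run unattended on a stock adapter from those that need extra hardware or an operator. CATALOGUE is a constructed subset of the table's rows, including the truncated final row as it appears on the page, so the parser has to skip it rather than guess.

```python
# Added example (not BlueToolkit code): turn the README catalogue above into
# a test plan. CATALOGUE is a constructed subset of that table, including the
# truncated final row the page shows, so the parser must cope with it.
from collections import Counter

CATALOGUE = """\
| Vulnerability | Category | Type | Verification type | Hardware req. | Tested |
| :--- | :---: | :---: | :---: | :---: | :---: |
| Always pairable | Chaining | Chaining | Manual | | ✓ |
| My name is keyboard | Critical | RCE | Semi-automated | | ✓ |
| CVE-2017-0785 | Critical | Memory leak | Automated | | ✓ |
| V13 Invalid Max Slot Type | DoS | DoS | Automated | ✓ | ✓ |
| KNOB | MitM | MitM | Semi-automated | ✓ | ✓ |
| CVE-2018-5383 | MitM | MitM | Automated | ✓ | ✓ |
| Legacy pairing used | MitM | MitM | Automated | | ✓ |
| V1 Featur
"""

def parse_catalogue(text):
    # One dict per data row, keyed by the header cells.
    rows, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif all(set(c) <= set(":- ") for c in cells):
            continue  # markdown alignment row
        elif len(cells) != len(header):
            continue  # truncated or malformed row: skip, never guess
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def plan(rows):
    # Buckets may overlap: KNOB needs both extra hardware and an operator.
    out = {"unattended_stock": [], "needs_hardware": [], "needs_operator": []}
    for r in rows:
        name = r["Vulnerability"]
        needs_hw = r["Hardware req."] == "✓"
        automated = r["Verification type"] == "Automated"
        if needs_hw:
            out["needs_hardware"].append(name)
        if not automated:
            out["needs_operator"].append(name)
        if automated and not needs_hw:
            out["unattended_stock"].append(name)
    out["by_category"] = dict(Counter(r["Category"] for r in rows))
    return out
```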

View on GitHub. GitHub stars: 678. Forks: 69. Category: Development. Updated: 2d ago.

Languages: Jupyter Notebook

Security score: 85/100 (audited on Apr 3, 2026, no findings)