Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 2:30 p.m. (40 minutes).

Every Android phone ships with Bluetooth, a short-range wireless communication technology, and Bluetooth devices are everywhere in public spaces. Many of their security issues have been exposed before, such as BlueBorne, KNOB, and BadBluetooth. Today, because of security weaknesses in AOSP (Android Open Source Project) and the negligence of some well-known phone manufacturers, we have another 0-day vulnerability to exploit. We named it BlueRepli (Bluetooth Replicant).

At the application layer, Bluetooth behaves like an overbearing parent: it defines an implementation standard for each of a wide range of application scenarios. These standards are called profiles. Some of them give access to extremely sensitive user data, such as PBAP (Phone Book Access Profile) for synchronizing the phonebook, MAP (Message Access Profile) for accessing SMS data, and SAP (SIM Access Profile) for letting a remote device use the local SIM card. Naturally, a remote device's use of these profiles requires both authorization from the local user and strict authentication by the local Android phone.

However, this research found two new ways to bypass these authentication checks and gain profile access. The first is a new attack idea: it obtains profile access after only a single interaction with the target, and the attacker can make that interaction highly deceptive. The second uses the undisclosed 0-day vulnerability BlueRepli, which obtains profile access without the user noticing anything at all. We also prepared video demos of the exploits we implemented, including stealing contacts and call history from the phone, stealing SMS verification codes, and sending fake text messages from the vulnerable phone.


Presenters:

  • Sourcell Xu - Security Researcher, DBAPPSecurity
    Sourcell Xu is a Security Researcher at DBAPPSecurity Co., Ltd., where he works on IoT security research and protocol analysis, focusing on new IoT attack ideas and cracking various smart devices. He owns and maintains the bluescan open source project and is a contributor to pybluez and pygatt.
  • Xin Xin - Security Researcher, DBAPPSecurity
    Xin Xin is a Security Researcher at DBAPPSecurity Co., Ltd. His work focuses on IoT security research with an emphasis on low-level hardware security. He is also interested in custom hardware R&D and production.
