Bluetooth Mesh is a mesh networking standard built on Bluetooth Low Energy. The Bluetooth Special Interest Group (Bluetooth SIG) published it in 2017. Bluetooth Mesh enables many-to-many device communication and is optimized for building large-scale device networks, which makes it well suited to smart home, industrial and similar deployments. Major chip manufacturers now widely support the Bluetooth Mesh specifications, but the security of their implementations has received little attention.
In this work, we dig into the Bluetooth Mesh protocol and divide the mesh process into two key stages: network build and network control. We focus on the security of the implementations of these two stages. Based on the protocol analysis, we propose an automatic fuzzing tool, BLE Mesh Fuzzer, that covers both the network build and the network control stage. We evaluated it on 8 well-known vendors and open-source projects. BLE Mesh Fuzzer found 17 memory corruption vulnerabilities, for which 9 CVEs were obtained. Some of them can be exploited for remote code execution without user interaction; some can bring down the whole mesh network and affect tens of millions of IoT devices. We also studied the security of the protocol wrapper application and found 10 vulnerabilities in one well-known vendor's product, for which 10 CVEs were obtained. These can lead to serious consequences such as privilege escalation.
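As an added example (not code from the talk or from BLE Mesh Fuzzer, whose design the abstract does not describe), the block below sketches one building block of a network control stage fuzzer in Python: a reference parser for the Bluetooth Mesh Network PDU, the packet every mesh node has to handle, together with a structure-aware mutator that targets the length and address assumptions in that format. The field layout follows the Mesh Profile specification; the obfuscation and encryption applied on the air are left out, so the code models the cleartext a stack works on after decryption. The seed PDU, its addresses and the zero NetMIC are constructed values.

```python
"""Constructed example: reference parser plus structure-aware mutator for
Bluetooth Mesh Network PDUs, the unit of traffic in the network control stage.

Cleartext layout (what a stack sees after deobfuscation/decryption):
  byte 0      IVI (1 bit) | NID (7 bits)
  byte 1      CTL (1 bit) | TTL (7 bits)
  bytes 2-4   SEQ, 24-bit big-endian
  bytes 5-6   SRC, must be a unicast address (0x0001-0x7FFF)
  bytes 7-8   DST
  bytes 9..   TransportPDU: 1-16 bytes when CTL=0, 1-12 bytes when CTL=1
  trailing    NetMIC: 4 bytes when CTL=0, 8 bytes when CTL=1
"""
import random
import struct

HEADER_LEN = 9
MAX_NET_PDU = 29               # 9 + 16 + 4 == 9 + 12 + 8
MIC_LEN = {0: 4, 1: 8}
MAX_TRANSPORT = {0: 16, 1: 12}


def encode_network_pdu(ivi, nid, ctl, ttl, seq, src, dst, transport, net_mic):
    """Serialize a cleartext Network PDU; the caller supplies the NetMIC bytes."""
    if ivi not in (0, 1) or ctl not in (0, 1) or not 0 <= nid < 128 or not 0 <= ttl < 128:
        raise ValueError("header field out of range")
    if not 0 <= seq < (1 << 24):
        raise ValueError("SEQ must fit in 24 bits")
    head = bytes([(ivi << 7) | nid, (ctl << 7) | ttl]) + seq.to_bytes(3, "big")
    return head + struct.pack(">HH", src, dst) + bytes(transport) + bytes(net_mic)


def parse_network_pdu(data):
    """Reference parser with the bounds checks a receiving stack must perform.
    Returns the decoded fields or raises ValueError for a malformed PDU."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the fixed header")
    if len(data) > MAX_NET_PDU:
        raise ValueError("longer than the maximum Network PDU")
    ivi, nid = data[0] >> 7, data[0] & 0x7F
    ctl, ttl = data[1] >> 7, data[1] & 0x7F
    seq = int.from_bytes(data[2:5], "big")
    src, dst = struct.unpack(">HH", data[5:9])
    # The NetMIC size follows CTL, so the transport length is derived rather
    # than carried in the PDU: compute it and range-check it before slicing.
    transport_len = len(data) - HEADER_LEN - MIC_LEN[ctl]
    if not 1 <= transport_len <= MAX_TRANSPORT[ctl]:
        raise ValueError(f"transport PDU length {transport_len} invalid for CTL={ctl}")
    if not 0x0001 <= src <= 0x7FFF:
        raise ValueError("SRC is not a unicast address")
    return {
        "ivi": ivi, "nid": nid, "ctl": ctl, "ttl": ttl, "seq": seq,
        "src": src, "dst": dst,
        "transport": bytes(data[HEADER_LEN:HEADER_LEN + transport_len]),
        "net_mic": bytes(data[HEADER_LEN + transport_len:]),
    }


def is_well_formed(data):
    """Oracle used by the harness: True if the reference parser accepts the PDU."""
    try:
        parse_network_pdu(data)
        return True
    except ValueError:
        return False


def mutate(pdu, rng):
    """Apply one structure-aware mutation aimed at length and address assumptions."""
    b = bytearray(pdu)
    choice = rng.randrange(6)
    if choice == 0:                      # truncate somewhere inside the PDU
        return bytes(b[:rng.randrange(len(b))])
    if choice == 1:                      # overrun the maximum on-air size
        return bytes(b) + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 40)))
    if choice == 2:                      # flip CTL: the MIC/transport split moves
        b[1] ^= 0x80
    elif choice == 3:                    # non-unicast SRC (unassigned/virtual/group)
        struct.pack_into(">H", b, 5, rng.choice([0x0000, 0x8000, 0xC000, 0xFFFF]))
    elif choice == 4:                    # single bit flip anywhere in the PDU
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    else:                                # transport PDU one byte over its limit
        ctl = b[1] >> 7
        body = bytes(rng.randrange(256) for _ in range(MAX_TRANSPORT[ctl] + 1))
        return bytes(b[:HEADER_LEN]) + body + bytes(MIC_LEN[ctl])
    return bytes(b)


def generate_corpus(seed_pdu, count, seed=0):
    """Return (mutant, expected_well_formed) pairs. A harness sends each mutant to
    the target stack; the flag says whether rejection is the expected outcome."""
    rng = random.Random(seed)
    return [(m, is_well_formed(m)) for m in (mutate(seed_pdu, rng) for _ in range(count))]


# Constructed seed: access message from unicast 0x1201 to the all-nodes
# group address 0xFFFF, with a placeholder transport PDU and a zero NetMIC.
SEED_PDU = encode_network_pdu(0, 0x68, 0, 4, 0x000001, 0x1201, 0xFFFF,
                              b"\x00\x01\x02\x03", bytes(4))

if __name__ == "__main__":
    corpus = generate_corpus(SEED_PDU, 200, seed=1)
    bad = sum(1 for _, ok in corpus if not ok)
    print(f"{len(corpus)} mutants, {bad} structurally malformed")
```

In a real harness each mutant would still have to be encrypted and obfuscated with the target network key and injected over the advertising bearer; the `expected_well_formed` flag is what lets the harness tell an expected rejection apart from a crash on input the stack should have handled, and the CTL flip and transport-length mutations are the cases where a derived length becomes zero or negative in a stack that computes it without checking.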
In this talk, we first introduce the background of Bluetooth Mesh. Then we analyze the network build and network control protocols and illustrate the attack surfaces in their implementations and in the wrapper application. Next, we share the design of BLE Mesh Fuzzer. Finally, we explain the root causes of the vulnerabilities through several real cases and put forward our security recommendations.