L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing

Haram Park; Carlos Kayembe Nkuba; Seunghoon Woo; Heejo Lee

doi:10.1109/DSN53405.2022.00043

L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing

Haram Park, Carlos Kayembe Nkuba, Seunghoon Woo, Heejo Lee

Department of Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is a wireless technology used in billions of devices. Recently, several Bluetooth fuzzing studies have been conducted to detect vulnerabilities in Bluetooth devices, but they fall short of effectively generating malformed packets. In this paper, we propose L2FUZZ, a stateful fuzzer to detect vulnerabilities in Bluetooth BR/EDR Logical Link Control and Adaptation Protocol (L2CAP) layer. By selecting valid commands for each state and mutating only the core fields of packets, L2FUZZ can generate valid malformed packets that are less likely to be rejected by the target device. Our experimental results confirmed that: (1) L2FUZZ generates up to 46 times more malformed packets with a much less packet rejection ratio compared to the existing techniques, and (2) L2FUZZ detected five zero-day vulnerabilities from eight real-world Bluetooth devices.

Original language	English
Title of host publication	Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	343-354
Number of pages	12
ISBN (Electronic)	9781665416931
DOIs	https://doi.org/10.1109/DSN53405.2022.00043
Publication status	Published - 2022
Event	52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 - Baltimore, United States Duration: 2022 Jun 27 → 2022 Jun 30

Publication series

Name	Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

Conference

Conference	52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Country/Territory	United States
City	Baltimore
Period	22/6/27 → 22/6/30

Keywords

Bluetooth
Fuzz Testing
Wireless Security

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture
Information Systems
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/DSN53405.2022.00043

Cite this

Park, H., Nkuba, C. K., Woo, S., & Lee, H. (2022). L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing. In Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 (pp. 343-354). (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN53405.2022.00043

L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing. / Park, Haram; Nkuba, Carlos Kayembe; Woo, Seunghoon et al.
Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc., 2022. p. 343-354 (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Park, H, Nkuba, CK, Woo, S & Lee, H 2022, L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing. in Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022, Institute of Electrical and Electronics Engineers Inc., pp. 343-354, 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022, Baltimore, United States, 22/6/27. https://doi.org/10.1109/DSN53405.2022.00043

Park H, Nkuba CK, Woo S, Lee H. L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing. In Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 343-354. (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022). doi: 10.1109/DSN53405.2022.00043

Park, Haram ; Nkuba, Carlos Kayembe ; Woo, Seunghoon et al. / L2Fuzz : Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing. Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 343-354 (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022).

@inproceedings{bcca6dad19464287a10650d30423924e,

title = "L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing",

abstract = "Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is a wireless technology used in billions of devices. Recently, several Bluetooth fuzzing studies have been conducted to detect vulnerabilities in Bluetooth devices, but they fall short of effectively generating malformed packets. In this paper, we propose L2FUZZ, a stateful fuzzer to detect vulnerabilities in Bluetooth BR/EDR Logical Link Control and Adaptation Protocol (L2CAP) layer. By selecting valid commands for each state and mutating only the core fields of packets, L2FUZZ can generate valid malformed packets that are less likely to be rejected by the target device. Our experimental results confirmed that: (1) L2FUZZ generates up to 46 times more malformed packets with a much less packet rejection ratio compared to the existing techniques, and (2) L2FUZZ detected five zero-day vulnerabilities from eight real-world Bluetooth devices.",

keywords = "Bluetooth, Fuzz Testing, Wireless Security",

author = "Haram Park and Nkuba, {Carlos Kayembe} and Seunghoon Woo and Heejo Lee",

note = "Funding Information: We appreciate the anonymous reviewers and our shepherd for their helpful comments. This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2019-0-01697 Development of Automated Vulnerability Discovery Technologies for Blockchain Platform Security, No.2019-0-01343 Regional Strategic Industry Convergence Security Core Talent Training Business, and No.IITP-2022-2020-0-01819 ICT Creative Consilience program). Publisher Copyright: {\textcopyright} 2022 IEEE.; 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 ; Conference date: 27-06-2022 Through 30-06-2022",

year = "2022",

doi = "10.1109/DSN53405.2022.00043",

language = "English",

series = "Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "343--354",

booktitle = "Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022",

}

TY - GEN

T1 - L2Fuzz

T2 - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

AU - Park, Haram

AU - Nkuba, Carlos Kayembe

AU - Woo, Seunghoon

AU - Lee, Heejo

N1 - Funding Information: We appreciate the anonymous reviewers and our shepherd for their helpful comments. This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2019-0-01697 Development of Automated Vulnerability Discovery Technologies for Blockchain Platform Security, No.2019-0-01343 Regional Strategic Industry Convergence Security Core Talent Training Business, and No.IITP-2022-2020-0-01819 ICT Creative Consilience program). Publisher Copyright: © 2022 IEEE.

PY - 2022

Y1 - 2022

N2 - Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is a wireless technology used in billions of devices. Recently, several Bluetooth fuzzing studies have been conducted to detect vulnerabilities in Bluetooth devices, but they fall short of effectively generating malformed packets. In this paper, we propose L2FUZZ, a stateful fuzzer to detect vulnerabilities in Bluetooth BR/EDR Logical Link Control and Adaptation Protocol (L2CAP) layer. By selecting valid commands for each state and mutating only the core fields of packets, L2FUZZ can generate valid malformed packets that are less likely to be rejected by the target device. Our experimental results confirmed that: (1) L2FUZZ generates up to 46 times more malformed packets with a much less packet rejection ratio compared to the existing techniques, and (2) L2FUZZ detected five zero-day vulnerabilities from eight real-world Bluetooth devices.

AB - Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is a wireless technology used in billions of devices. Recently, several Bluetooth fuzzing studies have been conducted to detect vulnerabilities in Bluetooth devices, but they fall short of effectively generating malformed packets. In this paper, we propose L2FUZZ, a stateful fuzzer to detect vulnerabilities in Bluetooth BR/EDR Logical Link Control and Adaptation Protocol (L2CAP) layer. By selecting valid commands for each state and mutating only the core fields of packets, L2FUZZ can generate valid malformed packets that are less likely to be rejected by the target device. Our experimental results confirmed that: (1) L2FUZZ generates up to 46 times more malformed packets with a much less packet rejection ratio compared to the existing techniques, and (2) L2FUZZ detected five zero-day vulnerabilities from eight real-world Bluetooth devices.

KW - Bluetooth

KW - Fuzz Testing

KW - Wireless Security

UR - http://www.scopus.com/inward/record.url?scp=85136335950&partnerID=8YFLogxK

U2 - 10.1109/DSN53405.2022.00043

DO - 10.1109/DSN53405.2022.00043

M3 - Conference contribution

AN - SCOPUS:85136335950

T3 - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

SP - 343

EP - 354

BT - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 27 June 2022 through 30 June 2022

ER -

L2Fuzz: Discovering Bluetooth L2CAP Vulnerabilities Using Stateful Fuzz Testing

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this