Pushing the state-of-the-art for Over-the-air Fuzzing


16 April 2020

Wireless technology is the stepping-stone for the success of the internet of things (IoT). Bluetooth- and Wi-Fi-enabled devices are among the most common in the IoT world. Bluetooth technology, for instance, allows a highly diverse set of devices to connect and communicate with each other.

As IoT devices become increasingly important in several application domains, the security of the IoT has also become critical. For example, in recent years the Bluetooth design has been under scrutiny due to several security flaws such as KNOB and BlueBorne. In contrast, little to no research has been carried out on the security of the diverse Bluetooth implementations out in the wild. The current practice is to leave implementation testing to the Bluetooth certification process, with the mindset that once the design is sound, hardly anything can break in the implementation of the Bluetooth stack.

In a research project led by Assistant Professor Sudipta Chattopadhyay from the ISTD Pillar of SUTD, the team shows that there exists a significant gap in ensuring the security of wireless protocol implementation.

A better and secure IoT by design

The original idea of the research team led by Prof. Sudipta dates back to the beginning of 2019. While reading about the Wi-Fi vulnerability KRACK (discovered in 2017), the team realized that discovering KRACK required an extensive amount of effort, such as carefully reading the Wi-Fi standard and manually scrutinizing what could go wrong. This sparked the following research question: instead of a manual inspection, why not design a tool that automatically finds these vulnerabilities? By the end of May 2019, the team had designed and implemented a technology that could detect existing vulnerabilities in Wi-Fi implementations. The next step was to take the design to the next level, i.e., to detect new, zero-day security vulnerabilities. This design was complete by August 2019, and the team named the technology Greyhound. The greyhound is a dog breed famous for hunting fast, and the team’s design was meant to catch security issues in the IoT as quickly as possible.

While designing such a framework, the research team’s idea was to keep the approach as modular as possible, so that it can easily be adapted to new wireless protocols. The framework consists of a protocol model and a testing and validation engine; the protocol model is specific to each protocol, while the testing and validation engine can be reused across a variety of wireless protocols. Such a design was crucial, as IoT devices employ a diverse set of protocols, and each of them can be tested with the same engine.

The next step was to show the power of Greyhound for wireless protocols beyond Wi-Fi. The research team then applied the framework to security testing of Bluetooth Low Energy (BLE) implementations, due to the prevalence of BLE in the IoT market. This led to the discovery of SweynTooth, a critical set of vulnerabilities affecting a substantial number of IoT products, including medical devices, smart home devices, logistics products and wearables.

Impact through Industry Collaboration

The team worked in close collaboration with Keysight Technologies on this research. Keysight Technologies also generously funded the devices and manpower required for the project. Such industry collaboration allowed the research team to understand the concrete need for security testing of IoT devices and the lack of comprehensive security testing during the certification process.

The collaboration resulted in all the developed tools being transferred to Keysight. Both the Wi-Fi and the BLE testing tools are being commercialized by Keysight Technologies. The research team foresees that such tools can push the state of the practice in IoT security.

Academic Impact

Systematic security testing of wireless protocols is almost unheard of in the academic community. The team believes this is the case for two reasons. Firstly, wireless technologies such as Bluetooth are large and complex. The isolation imposed between the Link Layer and the other protocol layers makes testing extremely challenging, in terms of controlling Link Layer packets directly from user space. Secondly, such testing is mostly left to the certification process, and the results of certification are taken for granted.

The team’s design opens the door to new avenues in security testing of IoT devices. As more complex protocols come into place, such as 4G/LTE, 5G and NB-IoT, all of these protocol implementations require rigorous and systematic security testing. The research team’s Greyhound framework, already launched for Wi-Fi and BLE, is just a starting point towards this goal. The Greyhound framework for BLE will also be presented at the USENIX Annual Technical Conference (ATC), 2020.

Broader Impact

Zero-day vulnerabilities discovered by Greyhound have been widely covered by several international media outlets and have also attracted attention from government agencies in Singapore and beyond. Specifically, some notable features are as follows:

  1. SweynTooth, a family of 12 new BLE vulnerabilities (with more under non-disclosure), automatically discovered by Greyhound, was featured in Wired and 20+ other news articles and podcasts all over the world.
  2. The team’s discovered vulnerabilities were independently evaluated by several industry players to validate the criticality and credibility of the involved threat. After a successful validation, these companies are independently proposing security solutions over and above the patches produced by BLE chip vendors. One such example is here: https://www.protiviti.com/US-en/insights/022820-flash-report-iot-devices-security
  3. The Health Sciences Authority (HSA) in Singapore collaborated with the research team to gain a better understanding of these vulnerabilities, as the discovered vulnerabilities affect medical devices and potentially threaten patient lives. The public alert raised by HSA, Singapore can be found here: https://www.hsa.gov.sg/announcements/news/hsa-safety-communication-sweyntooth-cybersecurity-vulnerabilities-affecting-certain-bluetooth-enabled-medical-devices
  4. The Cyber Security Agency (CSA), Singapore also collaborated with the team to raise a public alert on the SweynTooth vulnerabilities: https://www.csa.gov.sg/singcert/alerts/multiple-vulnerabilities-in-bluetooth-low-energy-devices
  5. The US Department of Homeland Security is working closely with the team to generate an alert regarding the discovered security vulnerabilities. To this end, the team is also working with the US Food and Drug Administration, which regulates the use of medical devices. The public alert raised by Homeland Security can be found here: https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
  6. The US Food and Drug Administration (FDA) alerts all medical device manufacturers about the SweynTooth vulnerabilities: https://www.fda.gov/medical-devices/safety-communications/sweyntooth-cybersecurity-vulnerabilities-may-affect-certain-medical-devices-fda-safety-communication
  7. Several medical device manufacturers have already independently evaluated SweynTooth and raised security advisories:
    1. Medtronic: https://global.medtronic.com/xg-en/product-security/security-bulletins/medtronic-security-alert-sweyntooth.html
    2. Abbott Medical: https://www.abbott.com/policies/cybersecurity/sweyntooth-ble.html
  8. The Bluetooth Special Interest Group (SIG) is in contact with the research team to understand the vulnerabilities and amend the certification if possible.
  9. ASSET group researchers have been working with CSA and HSA to coordinate the non-disclosed vulnerabilities confidentially. CSA publicly acknowledges the research effort conducted by the ASSET group on its official Facebook page: https://www.facebook.com/CSAsingapore/.
    Additionally, in a safety communication, HSA has announced that 32 medical devices are affected by the first batch of SweynTooth vulnerabilities: https://www.hsa.gov.sg/announcements/news/hsa-safety-communication-update-on-sweyntooth-cybersecurity-vulnerabilities-affecting-certain-bluetooth-enabled-medical-devices
  10. The research team’s publicly disclosed exploits are available for further research and development, and they have indeed been used independently by many companies to discover previously undetected security issues in their devices. Notable examples include Texas Instruments, NXP Semiconductors and Microchip, among others. The exploits are available here: https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks

For more details about this research work, contact Assistant Professor Sudipta Chattopadhyay at sudipta_chattopadhyay@sutd.edu.sg.