linux/net/bluetooth
Howard Chung cee5f20fec Bluetooth: secure bluetooth stack from bluedump attack
Attack scenario:
1. A Chromebook (let's call this device A) is paired to a legitimate
   Bluetooth classic device (e.g. a speaker) (let's call this device
   B).
2. A malicious device (let's call this device C) pretends to be the
   Bluetooth speaker by using the same BT address.
3. If device A is not currently connected to device B, device A will
   be ready to accept connection from device B in the background
   (technically, doing Page Scan).
4. Therefore, device C can initiate connection to device A
   (because device A is doing Page Scan) and device A will accept the
   connection because device A trusts device C's address which is the
   same as device B's address.
5. Device C won't be able to communicate at any high level Bluetooth
   profile with device A because device A enforces that device C is
   encrypted with their common Link Key, which device C doesn't have.
   But device C can initiate pairing with device A with just-works
   model without requiring user interaction (there is only pairing
   notification). After pairing, device A now trusts device C with a
   new different link key, common between device A and C.
6. From now on, device A trusts device C, so device C can at any time
   connect to device A to do any kind of high-level hijacking, e.g.
   speaker hijack or mouse/keyboard hijack.

Since we don't know whether the re-pairing is legitimate or not,
leave the decision to user space if all the conditions below are met.
- the pairing is initialized by peer
- the authorization method is just-work
- host already had the link key to the peer

Signed-off-by: Howard Chung <howardchung@google.com>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2020-02-14 16:01:00 +01:00
bnep netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
cmtp treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
hidp Bluetooth: optimize barrier usage for Rmw atomics 2020-01-29 19:50:44 +01:00
rfcomm Bluetooth: remove __get_channel/dir and __dir 2020-02-05 09:07:30 +01:00
6lowpan.c net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
a2mp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
a2mp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
af_bluetooth.c net: use helpers to change sk_ack_backlog 2019-11-06 16:14:48 -08:00
amp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
amp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
ecdh_helper.c Bluetooth: let the crypto subsystem generate the ecc privkey 2017-10-06 20:35:47 +02:00
ecdh_helper.h Bluetooth: let the crypto subsystem generate the ecc privkey 2017-10-06 20:35:47 +02:00
hci_conn.c Bluetooth: Fix memory leak in hci_connect_le_scan 2019-11-22 10:42:53 +01:00
hci_core.c Bluetooth: Add missing checks for HCI_ISODATA_PKT packet type 2020-01-25 16:33:46 +02:00
hci_debugfs.c Bluetooth: Move {min,max}_key_size debugfs into hci_debugfs_create_le 2020-01-25 16:33:52 +02:00
hci_debugfs.h
hci_event.c Bluetooth: secure bluetooth stack from bluedump attack 2020-02-14 16:01:00 +01:00
hci_request.c Bluetooth: Fix advertising duplicated flags 2019-11-04 10:12:05 +02:00
hci_request.h Bluetooth: Use controller sets when available 2019-07-06 15:38:18 +02:00
hci_sock.c Bluetooth: Fix race condition in hci_release_sock() 2020-01-26 10:34:17 +02:00
hci_sysfs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
Kconfig crypto: skcipher - rename the crypto_blkcipher module and kconfig option 2019-11-01 13:42:47 +08:00
l2cap_core.c Bluetooth: Fix refcount use-after-free issue 2020-01-29 04:53:12 +01:00
l2cap_sock.c Bluetooth: prefetch channel before killing sock 2020-02-05 09:05:04 +01:00
leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
leds.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
lib.c Bluetooth: Adding a bt_dev_warn_ratelimited macro. 2020-01-04 10:41:03 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mgmt_util.c
mgmt_util.h
mgmt.c Bluetooth: fix appearance typo in mgmt.c 2020-01-22 21:23:16 +01:00
sco.c net: rework SIOCGSTAMP ioctl handling 2019-04-19 14:07:40 -07:00
selftest.c Bluetooth: Fix compiler warning with selftest duration calculation 2017-10-06 21:49:13 +03:00
selftest.h
smp.c Bluetooth: secure bluetooth stack from bluedump attack 2020-02-14 16:01:00 +01:00
smp.h Bluetooth: SMP: fix crash in unpairing 2018-09-26 12:39:32 +03:00