Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Jan Ruge, Jiska Classen, Francesco Gringoli, Matthias Hollick

TL;DR
This paper introduces Frankenstein, a firmware emulation-based fuzzing framework that effectively uncovers Bluetooth vulnerabilities, including zero-click RCE exploits, in widely used chips and devices, enhancing security testing capabilities.
Contribution
Frankenstein advances wireless fuzzing by enabling high-speed, realistic firmware emulation, overcoming previous limitations in speed, repeatability, and debugging for discovering Bluetooth vulnerabilities.
Findings
Discovered three zero-click Bluetooth vulnerabilities in popular chips
Uncovered a Bluetooth specification flaw enabling link key extraction
Identified a Wi-Fi/Bluetooth coexistence issue causing OS kernel crashes
Abstract
Wireless communication standards and implementations have a troubled history regarding security. Since most implementations and firmwares are closed-source, fuzzing remains one of the main methods to uncover Remote Code Execution (RCE) vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from several shortcomings, such as constrained speed, limited repeatability, and restricted ability to debug. In this paper, we present Frankenstein, a fuzzing framework based on advanced firmware emulation, which addresses these shortcomings. Frankenstein brings firmware dumps "back to life", and provides fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing method is sufficient to maintain interoperability with the attached operating system, hence triggering realistic full-stack behavior. We demonstrate the potential of Frankenstein by finding three zero-click…
Taxonomy
Topics: Bluetooth and Wireless Communication Technologies · Advanced Malware Detection Techniques · Cryptographic Implementations and Security
