Fuzz Testing with Bluetooth Low Energy (BLE) Protocols

Overview

This topic covers testing for the following Bluetooth Low Energy (BLE) protocols and modules in beSTORM:

  • GAP

  • GATT

  • HID over GATT

  • Running Speed and Cadence

  • iBeacon

Decide which protocol you want to test. beSTORM can only fuzz central devices (the side that scans, initiates the connection, and consumes the data the peripheral serves), so a DUT that acts as a peripheral will not work with this setup. Once you have selected a central BLE device under test (DUT), determine whether the module you want to test requires a connection, since the setup differs slightly.

beSTORM behaves as a BLE peripheral and advertises itself. For connection-based modules, use the DUT to scan for available BLE devices and connect to the beSTORM computer.

beSTORM fuzzes your DUT by sending malformed data frames (the fuzz cases) over the air for it to receive.

The GAP and iBeacon (connectionless) protocols do not need the DUT to connect to the beSTORM computer. Every BLE device within radio range of the beSTORM computer will receive the malformed frames, because advertising is a broadcast and cannot be restricted to a single device; run these tests in an isolated or shielded environment so that devices other than the DUT are not exposed to them. The GATT, HID over GATT, and Running Speed and Cadence protocols require you to connect the DUT before you start fuzzing.

Testing environment requirements

  • beSTORM 13.2.0 or later (licensed)

  • Microsoft Windows 7 or later

  • PuTTY (open-source terminal emulator)

  • Adafruit Bluefruit LE Friend USB dongle (Two dongles are required to perform monitoring)

  • Central BLE device under test (DUT)

Setting up the Adafruit USB dongle

NOTE: If you have two Adafruit USB dongles (one for fuzzing and the other for monitoring), repeat these steps for each device.

To configure beSTORM to act as a BLE peripheral, do the following:

  1. On the Adafruit USB dongle board, set the Mode Selection Switch to CMD.

  2. Connect the Adafruit USB dongle to the beSTORM computer.

  3. In Windows, open Device Manager and make note of the COM<#> number assigned to the dongle. For this example, the dongle is assigned to COM3.

    NOTE: If the Adafruit USB dongle does not appear in Device Manager (as “Silicon Labs CP210x USB to …”), download and install the Silicon Labs CP210x USB to UART Bridge VCP driver for Windows.

  4. Download the Bluefruit LE Connect app to an iOS or Android device.

  5. Open the Bluefruit LE Connect app.

  6. Connect to Adafruit Bluefruit LE.

  7. Select Updates.

  8. Select Firmware Releases > Version 0.8.1 and update the firmware. Repeat these steps if you have an additional Adafruit USB dongle for monitoring purposes.

    NOTE: If you experience issues with 0.8.1, use Version 0.7.0 instead; both versions were tested extensively with beSTORM.

Verifying and resetting the Adafruit USB dongle

After installing the Adafruit firmware update, do the following to verify the firmware update was correctly installed and then reset and rename the Adafruit USB dongle (repeat these steps if you have an additional Adafruit USB dongle for monitoring purposes):

  1. Download and install PuTTY.

  2. Open PuTTY.

  3. In the Category pane, select Session.

  4. Under Connection type, select Serial.

  5. In the Serial line box, enter the COM<#> number assigned to your dongle (see step 3 of the Setting up the Adafruit USB dongle section). Leave the Speed parameter set to 9600.

  6. In the Category pane, select Connection > Serial.

  7. Confirm the following parameters have these values:

    1. Serial line to connect to - This value should be identical to step 5.

    2. Speed (baud) - 9600

    3. Data bits - 8

    4. Stop bits - 1

    5. Parity - None

    6. Flow control - RTS/CTS

  8. Select Open to start the terminal dialog in PuTTY.

  9. Enter ATI in the terminal dialog to display the Adafruit USB dongle's firmware information. The fourth and fifth lines of the response should display 0.8.1. If they show a different version, repeat the steps outlined in the Setting up the Adafruit USB dongle section.

  10. To verify the Adafruit USB dongle is functioning correctly and to rename it, enter the following commands in the terminal dialog one at a time. The dongle responds with OK after each command; an ERROR response means the command was rejected, so check the firmware version and the command syntax before continuing:

    1. Reset the Adafruit USB dongle to its initial state: AT+FACTORYRESET

    2. Change the name of the Adafruit USB dongle (do not put a space after the equals sign, or it ends up in the advertised name): AT+GAPDEVNAME=beSTORM Adafruit

    3. If you are setting up an additional Adafruit USB dongle for monitoring, give it a different name so you can easily tell the two dongles apart: AT+GAPDEVNAME=beSTORM Monitoring

  11. Close PuTTY.
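The verification and rename steps above can be scripted instead of typed into PuTTY. The following is an added example and is not part of beSTORM or the Adafruit firmware: it sends the same AT commands over the serial port with the same line settings as the PuTTY session, checks that ATI reports the expected version before touching the dongle, and confirms each OK response, then reads the name back. Real use assumes pyserial and a COM port (COM3 is a placeholder); the FakeBluefruit class and the ATI lines it returns are constructed so the script runs offline.

```python
"""Drive the Bluefruit LE Friend AT command set over its serial port:
check the firmware version reported by ATI, factory-reset the dongle and
set its GAP device name, verifying each OK response (steps 9 and 10 above).
Added example, not beSTORM or Adafruit code. Real use assumes pyserial
(https://pypi.org/project/pyserial/); FakeBluefruit is a constructed
stand-in so the script runs offline."""
import time

EXPECTED_FW = "0.8.1"   # version the page recommends; 0.7.0 is the fallback


class AtError(Exception):
    """Raised on an ERROR status, a timeout, or an unexpected reply."""


def send_at(port, command, timeout=2.0):
    """Send one CR-LF terminated AT command and collect reply lines until the
    dongle returns its OK or ERROR status line. Returns the payload lines."""
    port.write((command + "\r\n").encode("ascii"))
    lines = []
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        raw = port.readline()
        if not raw:
            continue
        line = raw.decode("ascii", errors="replace").strip()
        if line == "" or line == command:      # blank line or command echo
            continue
        if line == "OK":
            return lines
        if line == "ERROR":
            raise AtError(f"{command!r} rejected with ERROR")
        lines.append(line)
    raise AtError(f"no status line within {timeout}s after {command!r}")


def firmware_version(port):
    """In the ATI reply the fourth and fifth lines carry the version numbers
    the page tells you to check; return them as a pair."""
    info = send_at(port, "ATI")
    if len(info) < 5:
        raise AtError(f"unexpected ATI reply: {info}")
    return info[3], info[4]


def provision(port, name, expected_fw=EXPECTED_FW, settle=1.0):
    """Verify firmware, factory-reset, rename, then read the name back.
    Returns (version_lines, advertised_name). settle is the pause after the
    reset (assumed value; the fake needs none)."""
    versions = firmware_version(port)
    if any(v != expected_fw for v in versions):
        raise AtError(f"firmware {versions} is not {expected_fw}; re-flash first")
    send_at(port, "AT+FACTORYRESET")
    time.sleep(settle)
    send_at(port, f"AT+GAPDEVNAME={name}")       # no space after '='
    current = send_at(port, "AT+GAPDEVNAME")      # query form returns the name
    if current != [name]:
        raise AtError(f"name readback {current} != {name!r}")
    return versions, current[0]


def open_real_port(com="COM3"):
    """Same settings as the PuTTY session: 9600 8N1 with RTS/CTS flow control."""
    import serial  # pyserial, imported here so the offline path needs no install
    return serial.Serial(com, baudrate=9600, bytesize=8, parity="N",
                         stopbits=1, rtscts=True, timeout=1)


class FakeBluefruit:
    """Constructed stand-in for serial.Serial that echoes commands and answers
    like a Bluefruit in CMD mode. The ATI lines below are made up."""

    def __init__(self, fw=EXPECTED_FW):
        self.fw, self.name = fw, "Adafruit Bluefruit LE"
        self._out, self.sent = [], []

    def write(self, data):
        cmd = data.decode("ascii").strip()
        self.sent.append(cmd)
        self._out.append(cmd)                         # command echo (ATE1)
        if cmd == "ATI":
            self._out += ["BLEFRIEND32", "nRF51822 QFACA10", "0000000000000000",
                          self.fw, self.fw, "Jan 01 2000", "S110 0.0.0"]
        elif cmd == "AT+FACTORYRESET":
            self.name = "Adafruit Bluefruit LE"
        elif cmd.startswith("AT+GAPDEVNAME="):
            self.name = cmd.split("=", 1)[1]
        elif cmd == "AT+GAPDEVNAME":
            self._out.append(self.name)
        else:
            self._out.append("ERROR")
            return
        self._out.append("OK")

    def readline(self):
        return (self._out.pop(0) + "\r\n").encode("ascii") if self._out else b""


if __name__ == "__main__":
    port = FakeBluefruit()                 # swap for open_real_port("COM3")
    versions, name = provision(port, "beSTORM Adafruit", settle=0)
    print("firmware", versions, "advertising as", repr(name))
```

Because provision() checks the ATI version before issuing the reset, a dongle still on an older build is left untouched and reported, which mirrors the page's instruction to repeat the firmware update rather than continue. Run it once per dongle, passing "beSTORM Monitoring" as the name for the second one.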

Monitoring with beSTORM

NOTE: Monitoring is optional. If you have an additional Adafruit USB dongle and want to set up monitoring your BLE central device, perform these steps before the Fuzzing with beSTORM section.

To monitor your BLE central device, you will need the following:

  1. beSTORM BLE Monitor

  2. A central DUT that can connect to multiple peripherals at once (one connection to the fuzzing dongle and one to the monitoring dongle)

  3. An additional Adafruit Bluefruit LE Friend USB dongle (renamed to beSTORM Monitoring, see step 10 in the Verifying and resetting the Adafruit USB dongle section)

To begin monitoring, do the following:

  1. Connect the beSTORM Monitoring Adafruit USB dongle to the computer running beSTORM BLE Monitor, and connect the DUT to it over BLE (it advertises as beSTORM Monitoring).

  2. In Windows, open Device Manager and make note of the COM<#> number assigned to the dongle.

  3. Open beSTORM BLE Monitor.

  4. In the COM Port box, enter the COM<#> value assigned to the beSTORM Monitoring Adafruit USB dongle in Device Manager.

  5. Confirm the Hostname value is for the computer running beSTORM. If you have installed the beSTORM BLE Monitor on the beSTORM computer, this value is identical for both (127.0.0.1).

  6. Select Start.

  7. Once the beSTORM BLE Monitor displays "Device connected. Monitoring started!", open beSTORM Client. Leave the beSTORM BLE Monitor application open and proceed to the Fuzzing with beSTORM section.

Fuzzing with beSTORM

Before you begin fuzzing, confirm the Adafruit USB dongle is accessible by way of Bluetooth from the DUT. From the DUT, you should see a device named beSTORM Adafruit (this name reflects the update you made in step 10 of the Verifying and resetting the Adafruit USB dongle section).

If you are testing a connection-based protocol (GATT, HID over GATT, or Running Speed and Cadence), connect the DUT to the Adafruit USB dongle using a persistent connection. Your DUT should have a way to reconnect to the Adafruit USB dongle automatically if the connection drops. If you are using a connectionless protocol (GAP or iBeacon), leave the DUT disconnected.

To create a new project and begin fuzzing with beSTORM, do the following:

  1. Open beSTORM Client.

  2. Select New Project. The beSTORM New Project Wizard opens.

  3. On the Welcome page, do the following:

    1. In the Project Name box, enter a name.

    2. Optionally, select a different file location for your project in the Location Name box.

    3. Leave Please select the wizard set to Simple.

    4. Leave Perform a port scan, and service detection and assist me in choosing the relevant module unchecked.

  4. Select Next.

  5. On the Basic Configuration page, select one of the supported protocols (GAP, GATT, HID over GATT, Running Speed and Cadence, or iBeacon) from beSTORM's predefined modules list.

  6. Select Next.

  7. On the Module Environment page, change the Serial COM value to match the COM<#> value you identified in step 3 of the Setting up the Adafruit USB dongle section.

  8. Select Next.

  9. If you completed the steps in the Monitoring with beSTORM section, on the Extra Configuration page, select External Monitor and then confirm the Incoming Command Port, Incoming Exception Port, and Outgoing Command Port values match the corresponding values configured in beSTORM BLE Monitor (see the Monitoring with beSTORM section).

  10. Select Next.

  11. On the Complete beSTORM wizard page, select Finish. beSTORM will begin loading the module.

  12. Select Start to begin fuzzing your BLE device.

  13. Select Apply, and then select OK.

  14. On the beSTORM Monitor window, select Start to start monitoring.