Name |
BlueSmacking |
|
Likelyhood of attack |
Typical severity |
Medium |
Medium |
|
Summary |
An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device. |
Prerequisites |
The system/application has Bluetooth enabled. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
[Scan for Bluetooth Enabled Devices] Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on. |
- Note the MAC address of the device you want to attack.
|
2 |
Experiment |
[Change L2CAP Packet Length] The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device. |
- An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux.
|
3 |
Exploit |
[Flood] An adversary sends the packets to the target device, and floods it until performance is degraded. |
|
|
Solutions | Disable Bluetooth when not being used. When using Bluetooth, set it to hidden or non-discoverable mode. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-404 |
Improper Resource Shutdown or Release |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-125 |
An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target. |
|
Taxonomy: ATTACK |
Entry ID
|
Entry Name
|
1498.001 |
Network Denial of Service: Direct Network Flood |
1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
|