Bluetooth MITRE EMB3D and ADF Mapping

EM3ED-only: Application-level software is present and running on the device (MITRE EM3ED PID-31)

• Attack Vectors and Threats:

  • Applications Binaries Modified (MITRE EM3ED TID-301)

Device includes OS/kernel (MITRE EM3ED PID-23)

Kernel or Operating System

• Keys: Kernel or Operating System | OS | Linux | Kernel
• Description: Device includes OS/kernel

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

    • Information disclosure due to out-of-bounds heap read

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

    • Stack-Based information leak

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based buffer overflow

    • Heap-Based type confusion

    • Heap-Based type confusion

  • Exploitable System Network Stack Component (MITRE EM3ED TID-202)

  • Operating System Susceptible to Rootkit (MITRE EM3ED TID-218)

EM3ED-only: Device includes an operating system that uses drivers/modules that can be loaded (MITRE EM3ED PID-231)

• Attack Vectors and Threats:

  • Malicious OS Kernel Driver/Module Installable (MITRE EM3ED TID-203)

Device includes a microprocessor (MITRE EM3ED PID-11)

Controller Implementation

• Keys: Controller Implementation | BC
• Description: Controller/CPU Implementation missbehaviour can disclose sensitive data

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Secure Connection Attack

    • Bluetooth Cross-Transport Key Derivation (BLUR)

  • Key brute force (MITRE EM3ED TID-317)

    • Profile switch

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

    • Passkey entry impersonation attack

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

    • Remote code execution

    • Heap overflow

    • Feature Pages Execution

    • SMP reception handler out-of-bounds read

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

    • Stack-Based information leak

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

    • Heap overflow in ACL mode

    • Heap-Based buffer overflow

    • Heap-Based type confusion

  • Power Consumption Analysis Side Channel (MITRE EM3ED TID-101)

  • Electromagnetic Analysis Side Channel (MITRE EM3ED TID-102)

  • Microarchitectural Side Channels (MITRE EM3ED TID-103)

  • Hardware Fault Injection – Control Flow Modification (MITRE EM3ED TID-105)

Device exposes remote network services (MITRE EM3ED PID-41)

Session

• Keys: Session | Session
• Description: Session

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Secure Connection Attack

    • BLE reconnection spoofing

  • Key brute force (MITRE EM3ED TID-317)

    • Profile switch

  • DoS (MITRE EM3ED TID-404)

    • Link Layer LLID Deadlock

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Link Layer Length Overflow

  • Critical System Service May Be Disabled (MITRE EM3ED TID-222)

  • Remotely Accessible Unauthenticated Services (MITRE EM3ED TID-310)

  • Undocumented Protocol Features (MITRE EM3ED TID-401)

  • Remotely Triggerable Deadlock/DoS (MITRE EM3ED TID-404)

  • Network Stack Resource Exhaustion (MITRE EM3ED TID-405)

  • Missing Message Replay Protection (MITRE EM3ED TID-407)

Device includes cryptographic functions for sensitive data, such as encryption or authentication (MITRE EM3ED PID-4113)

Entropy Negotiation

• Keys: Entropy Negotiation | Entropy neg | Entropy negotiation
• Description: Entropy negotiation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

Security Manager Protocol

• Keys: Security Manager Protocol | SMP
• Description: Security Manager Protocol

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Bond Management

• Keys: Bond Management | BM
• Description: Bond Management

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

  • Authentication Bypass By Message Replay (MITRE EM3ED TID-221)

  • Incorrect Certificate Verification Allows Authentication Bypass (MITRE EM3ED TID-316)

  • Predictable Cryptographic Key (MITRE EM3ED TID-317)

  • Insecure Cryptographic Implementation (MITRE EM3ED TID-318)

  • Cryptographic Protocol Side Channel (MITRE EM3ED TID-410)

  • Weak/Insecure Cryptographic Protocol (MITRE EM3ED TID-411)

Device lacks protocol support for message authentication (MITRE EM3ED PID-4111)

BLE

• Keys: BLE | BLE | BLE-Stack
• Description: BLE

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • BLE reconnection spoofing

    • Zero LTK Installation

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

  • DoS (MITRE EM3ED TID-404)

    • Link Layer LLID Deadlock

    • Key Size Overflow

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Malformed packet buffer overflow in BLE beacons parsing

    • Malformed packet buffer overflow in BLE beacons parsing

    • Heap overflow in BLE PDUs parsing

    • Link Layer Length Overflow

    • BLE Crafted packet buffer overflow

  • Eavesdropping

    • GATT Fingerprinting and Tracking

  • Unauthorized Messages or Connections (MITRE EM3ED TID-406)

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking

ADF-Only Surfaces (No MITRE EM3ED PID)

Pairing

• Keys: Pairing | Pairing
• Description: Pairing

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Bluetooth Cross-Transport Key Derivation (BLUR)

    • Downgrade attacks on BLE SCO

    • Zero LTK Installation

  • Authentication skip (MITRE EM3ED TID-411)

    • Method confusion attack

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

    • MitM on BLE SSP

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

  • DoS (MITRE EM3ED TID-404)

    • Key Size Overflow

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

    • PHY packet injection

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • BLE Crafted packet buffer overflow

Authentication

• Keys: Authentication | Authentication
• Description: Authentication

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Secure Connection Attack

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

Feature Exchange

• Keys: Feature Exchange | Feature exchange
• Description: Feature exchange

• Attack Vectors and Threats:

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Feature Pages Execution

LMP

• Keys: LMP | LMP
• Description: LMP

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

CTKD

• Keys: CTKD | CTKD
• Description: Cross-Transport Key Derivation

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Bluetooth Cross-Transport Key Derivation (BLUR)

Legacy pairing

• Keys: Legacy pairing | Legacy pairing
• Description: Legacy pairing

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • BLE Key Derivation (CRACKLE)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

Key agreement

• Keys: Key agreement | Key agreement
• Description: Key agreement

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

Association

• Keys: Association | Association
• Description: Association

• Attack Vectors and Threats:

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • Passkey entry impersonation attack

    • Reflection attack on passkey entry

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on BLE SSP

Provisioning

• Keys: Provisioning | Provisioning
• Description: Provisioning

• Attack Vectors and Threats:

  • Key brute force (MITRE EM3ED TID-317)

    • Predictable or brute forceable AuthValue in BM Provisioning (M-A2)

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • MitM and auth reflection on BMP (M-A1)

BlueZ

• Keys: BlueZ | BlueZ
• Description: BlueZ

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

Android

• Keys: Android | Android
• Description: Android

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

Flouride

• Keys: Flouride | Flouride
• Description: Flouride

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

iOS

• Keys: iOS | iOS
• Description: iOS

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

    • SMP reception handler out-of-bounds read

LEAP

• Keys: LEAP | LEAP
• Description: LEAP

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Heap overflow

Scanning

• Keys: Scanning | Scanning
• Description: Scanning

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

MagicPairing

• Keys: MagicPairing | MagicPairing
• Description: MagicPairing

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • SMP reception handler out-of-bounds read

HCI

• Keys: HCI | HCI
• Description: HCI

• Attack Vectors and Threats:

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Heap-Based buffer overflow

    • Heap-Based type confusion

A2MP

• Keys: A2MP | A2MP
• Description: A2MP

• Attack Vectors and Threats:

  • Information Leak (MITRE EM3ED TID-310)

    • Stack-Based information leak

GATT

• Keys: GATT | GATT
• Description: GATT

• Attack Vectors and Threats:

  • Eavesdropping

    • GATT Fingerprinting and Tracking