Bluetooth Threat Model

Device includes a microprocessor (MITRE EM3ED PID-11)

Controller Implementation

• Keys: Controller Implementation | BC
• Description: Controller/CPU Implementation missbehaviour can disclose sensitive data

• Attack Vectors and Threats:

  • Entropy downgrade (MITRE EM3ED TID-411)

    • Key Negotiation of Bluetooth (KNOB) on BC

    • Secure Connection Attack

    • Bluetooth Cross-Transport Key Derivation (BLUR)

  • Key brute force (MITRE EM3ED TID-317)

    • Profile switch

  • Authentication challenge reflection (MITRE EM3ED TID-221)

    • PIN pairing impersonation attack

    • Passkey entry impersonation attack

  • No IO downgrade (MITRE EM3ED TID-411)

    • MitM on Secure Simple Pairing

  • RCE (MITRE EM3ED TID-310)

    • Remote code execution

    • Heap overflow

    • Feature Pages Execution

    • SMP reception handler out-of-bounds read

  • DoS (MITRE EM3ED TID-404)

    • Out of bounds write in L2CAP reassembly

    • Messages Flooding

    • Truncated SCO Link Request

    • Duplicated IOCAP

    • LMP Overflow

    • Accept Truncated LMP

    • Invalid Setup Complete

    • Same Host Connection

    • Invalid Max Slot Type or Length

    • Invalid Timing Accuracy

    • Paging Scan Deadlock

  • Invalid ECC point (MITRE EM3ED TID-318)

    • Invalid Curve Attack

  • RID (MITRE EM3ED TID-327)

    • Information disclosure due to out-of-bounds heap read

  • Information Leak (MITRE EM3ED TID-310)

    • Information disclosure

    • Stack-Based information leak

  • Buffer overflowOut of Bounds (MITRE EM3ED TID-327)

    • Inquiry Response Heap Overflow

    • Heap overflow in ACL mode

    • Heap-Based buffer overflow

    • Heap-Based type confusion

  • Power Consumption Analysis Side Channel (MITRE EM3ED TID-101)

  • Electromagnetic Analysis Side Channel (MITRE EM3ED TID-102)

  • Microarchitectural Side Channels (MITRE EM3ED TID-103)

  • Hardware Fault Injection – Control Flow Modification (MITRE EM3ED TID-105)

EM3ED-only: Device includes Memory/Storage (external to CPU) (MITRE EM3ED PID-12)

• Attack Vectors and Threats:

EM3ED-only: Device includes buses for external memory/storage (MITRE EM3ED PID-121)

• Attack Vectors and Threats:

  • Data Bus Interception (MITRE EM3ED TID-106)

EM3ED-only: Device includes discrete chips/devices that have access to the same physical memory (MITRE EM3ED PID-122)

• Attack Vectors and Threats:

  • Unauthorized Direct Memory Access (DMA) (MITRE EM3ED TID-107)

EM3ED-only: Device includes ROM, VRAM, or removable Storage (MITRE EM3ED PID-123)

• Attack Vectors and Threats:

  • ROM/NVRAM Data Extraction or Modification (MITRE EM3ED TID-108)

EM3ED-only: Device includes Random Access Memory (RAM) chips (MITRE EM3ED PID-124)

• Attack Vectors and Threats:

  • RAM Chip Contents Readout (MITRE EM3ED TID-109)

EM3ED-only: Device includes DDR DRAM (MITRE EM3ED PID-1241)

• Attack Vectors and Threats:

  • Hardware Fault Injection – Data Manipulation (MITRE EM3ED TID-110)

EM3ED-only: Device includes peripheral chips and integrated data buses (MITRE EM3ED PID-13)

• Attack Vectors and Threats:

  • Unverified Peripheral Firmware Loaded (MITRE EM3ED TID-113)

  • Peripheral Data Bus Interception (MITRE EM3ED TID-114)

EM3ED-only: Device includes external peripheral interconnects (e.g., USB, Serial) (MITRE EM3ED PID-14)

• Attack Vectors and Threats:

  • Untrusted External Storage (MITRE EM3ED TID-111)

  • Weak Peripheral Port Electrical Damage Protection (MITRE EM3ED TID-118)

EM3ED-only: Device includes a hardware access port (e.g., UART, JTAG) (MITRE EM3ED PID-15)

• Attack Vectors and Threats:

  • Firmware/Data Extraction via Hardware Interface (MITRE EM3ED TID-115)

  • Latent Privileged Access Port (MITRE EM3ED TID-116)

  • Latent Hardware Debug Port Allows Memory/Code Manipulation (MITRE EM3ED TID-119)

EM3ED-only: Device includes a bootloader (MITRE EM3ED PID-21)

• Attack Vectors and Threats:

  • Inadequate Bootloader Protection and Verification (MITRE EM3ED TID-201)

EM3ED-only: Device includes a debugging capabilities (MITRE EM3ED PID-22)

• Attack Vectors and Threats:

  • Excessive Access via Software Diagnostic Features (MITRE EM3ED TID-224)

Device includes OS/kernel (MITRE EM3ED PID-23)

Kernel or Operating System

• Keys: Kernel or Operating System | OS | Linux | Kernel
• Description: Device includes OS/kernel

• Attack Vectors and Threats:

  • RCE (MITRE EM3ED TID-310)

    • Stack overflow in L2CAP

  • Exploitable System Network Stack Component (MITRE EM3ED TID-202)

  • Operating System Susceptible to Rootkit (MITRE EM3ED TID-218)

EM3ED-only: Device lacks firmware/software update support (MITRE EM3ED PID-26)

• Attack Vectors and Threats:

  • Device Vulnerabilities Unpatchable (MITRE EM3ED TID-210)

EM3ED-only: Device includes support for firmware/software updates (MITRE EM3ED PID-27)

• Attack Vectors and Threats:

EM3ED-only: Device has firmware or software that is not cryptographically checked for integrity validation (MITRE EM3ED PID-271)

• Attack Vectors and Threats:

  • Device Allows Unauthenticated Firmware Installation (MITRE EM3ED TID-211)

EM3ED-only: Device includes cryptographic firmware/software integrity protection mechanisms (MITRE EM3ED PID-272)

• Attack Vectors and Threats:

  • Secrets Extracted from Device Root of Trust (MITRE EM3ED TID-214)

  • Cryptographic Timing Side-Channel (MITRE EM3ED TID-330)

EM3ED-only: Device includes a shared key for firmware integrity validation (MITRE EM3ED PID-2721)

• Attack Vectors and Threats:

  • FW/SW Update Integrity Shared Secrets Extraction (MITRE EM3ED TID-212)

EM3ED-only: Device includes digitally signed firmware (with private key) (MITRE EM3ED PID-2722)

• Attack Vectors and Threats:

  • Faulty FW/SW Update Integrity Verification (MITRE EM3ED TID-213)

EM3ED-only: Device has unencrypted firmware updates (MITRE EM3ED PID-273)

• Attack Vectors and Threats:

  • Unencrypted SW/FW Updates (MITRE EM3ED TID-215)

EM3ED-only: Device includes user firmware/software version selection during updates (MITRE EM3ED PID-274)

• Attack Vectors and Threats:

  • Firmware Update Rollbacks Allowed (MITRE EM3ED TID-216)

EM3ED-only: Device includes remotely-initiated firmware/software updates (MITRE EM3ED PID-275)

• Attack Vectors and Threats:

  • Remotely Initiated Updates Can Cause DoS (MITRE EM3ED TID-217)

EM3ED-only: Device stores logs of system events and information (MITRE EM3ED PID-28)

• Attack Vectors and Threats:

  • Logs can be manipulated on the device (MITRE EM3ED TID-225)

  • Device leaks security information in logs (MITRE EM3ED TID-226)

EM3ED-only: Application-level software is present and running on the device (MITRE EM3ED PID-31)

• Attack Vectors and Threats:

  • Applications Binaries Modified (MITRE EM3ED TID-301)