
Hidden Command Discovered in Bluetooth Chips Used Across a Billion Devices

Hacking Bluetooth via Backdoor
Security researchers from Tarlogic Security have unveiled new techniques that significantly simplify Bluetooth attacks using widely available hardware. Presented at RootedCON 2025, researchers Antonio Vázquez Blanco and Miguel Tarascó Acuña demonstrated how the common ESP32 microcontroller can be used as a platform for advanced Bluetooth attacks.

Researchers focused on developing platform-independent tools that address longstanding challenges in Bluetooth security testing. According to the researchers, while numerous Bluetooth attack tools exist, most are poorly maintained, outdated, or incompatible with current systems.

The team created a cross-platform driver called "USB Bluetooth" that works on Windows, Linux, and macOS. It talks to the Bluetooth controller directly over the Host Controller Interface (HCI), the command/event protocol between a host and its Bluetooth chip, rather than going through the operating system's own Bluetooth stack, so it is not limited to the commands and packet types that stack chooses to expose.

"We need a driver that is hardware-independent, platform-independent, and works regardless of programming language," the researchers explained in their presentation.

Through extensive reverse engineering of ESP32 firmware, the team discovered 29 undocumented vendor-specific HCI commands in ESP32 chips. The Bluetooth specification reserves an opcode group (OGF 0x3F) for such vendor commands and leaves their contents to the manufacturer, which is why they do not appear in public documentation. These hidden commands provide powerful capabilities, including:

  • Changing the device's MAC address to impersonate other devices
  • Reading and writing directly to the chip's memory
  • Sending and intercepting low-level Link Manager Protocol (LMP) and Link Layer Control Protocol (LLCP) packets
  • Bypassing firmware verification mechanisms
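The following is an added example, not code from the article or from Tarlogic's tooling, showing the HCI framing that underlies the commands above: how an opcode is split into OGF and OCF, why vendor commands all land in OGF 0x3F, and how the controller's Command Complete / Command Status replies are parsed. The sample packets are constructed by hand, and the vendor OCF used (0x001) is a hypothetical placeholder, since the article does not list the actual ESP32 opcodes.

```python
"""Minimal HCI (H4/UART transport) framing helpers.

Added example for this article; not code from the researchers' driver.
Standard opcodes and event layouts follow the Bluetooth Core Specification
(Vol 4, Part E). OCF_VENDOR_EXAMPLE is a hypothetical placeholder value.
"""
import struct

# H4 packet type indicators
HCI_COMMAND_PKT = 0x01
HCI_EVENT_PKT = 0x04

# Event codes a command can be answered with
EVT_COMMAND_COMPLETE = 0x0E
EVT_COMMAND_STATUS = 0x0F

# Opcode groups: OGF 0x3F is reserved by the spec for vendor-specific commands
OGF_INFO_PARAMS = 0x04
OGF_VENDOR_SPECIFIC = 0x3F
OCF_READ_BD_ADDR = 0x0009      # standard Read_BD_ADDR command
OCF_VENDOR_EXAMPLE = 0x001     # hypothetical vendor OCF, for illustration only

HCI_STATUS_SUCCESS = 0x00
HCI_STATUS_UNKNOWN_COMMAND = 0x01


def make_opcode(ogf: int, ocf: int) -> int:
    """Opcode = OGF in the top 6 bits, OCF in the low 10 bits."""
    if not 0 <= ogf <= 0x3F or not 0 <= ocf <= 0x3FF:
        raise ValueError("OGF/OCF out of range")
    return (ogf << 10) | ocf


def split_opcode(opcode: int) -> tuple:
    return opcode >> 10, opcode & 0x3FF


def is_vendor_specific(opcode: int) -> bool:
    return split_opcode(opcode)[0] == OGF_VENDOR_SPECIFIC


def build_hci_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """H4 command packet: 0x01 | opcode (LE16) | parameter length | parameters."""
    if len(params) > 255:
        raise ValueError("HCI command parameters are limited to 255 bytes")
    return struct.pack("<BHB", HCI_COMMAND_PKT, make_opcode(ogf, ocf), len(params)) + params


def parse_hci_event(pkt: bytes) -> dict:
    """Parse an H4 event packet; decodes the two replies a command can receive."""
    if len(pkt) < 3 or pkt[0] != HCI_EVENT_PKT:
        raise ValueError("not an HCI event packet")
    code, plen = pkt[1], pkt[2]
    body = pkt[3:3 + plen]
    if len(body) != plen:
        raise ValueError("truncated event")
    if code == EVT_COMMAND_COMPLETE:
        # Num_HCI_Command_Packets, Command_Opcode, Status, then return parameters
        _num, opcode, status = struct.unpack_from("<BHB", body)
        return {"event": "command_complete", "opcode": opcode,
                "status": status, "return_params": body[4:]}
    if code == EVT_COMMAND_STATUS:
        # Status, Num_HCI_Command_Packets, Command_Opcode (no return parameters)
        status, _num, opcode = struct.unpack_from("<BBH", body)
        return {"event": "command_status", "opcode": opcode,
                "status": status, "return_params": b""}
    return {"event": f"0x{code:02x}", "opcode": None, "status": None, "return_params": body}


def format_bdaddr(raw: bytes) -> str:
    """BD_ADDR travels little-endian on the wire; print it MSB-first as usual."""
    if len(raw) != 6:
        raise ValueError("BD_ADDR must be 6 bytes")
    return ":".join(f"{b:02X}" for b in reversed(raw))


def classify_host_command(pkt: bytes) -> str:
    """One log line per outgoing command, flagging anything in the vendor group."""
    if len(pkt) < 4 or pkt[0] != HCI_COMMAND_PKT:
        raise ValueError("not an HCI command packet")
    opcode = struct.unpack_from("<H", pkt, 1)[0]
    ogf, ocf = split_opcode(opcode)
    kind = "VENDOR-SPECIFIC" if is_vendor_specific(opcode) else "standard"
    return f"{kind} opcode=0x{opcode:04X} (OGF=0x{ogf:02X}, OCF=0x{ocf:03X}, {pkt[3]} param bytes)"


# Constructed sample traffic (hand-written, not captured from an ESP32)
READ_BD_ADDR_CMD = build_hci_command(OGF_INFO_PARAMS, OCF_READ_BD_ADDR)
READ_BD_ADDR_RSP = bytes.fromhex("040e0a01091000aabbccddeeff")   # Command Complete, status 0, address
VENDOR_CMD = build_hci_command(OGF_VENDOR_SPECIFIC, OCF_VENDOR_EXAMPLE, b"\x10\x20")
VENDOR_REJECTED = bytes.fromhex("040f04010101fc")                # Command Status: Unknown HCI Command

if __name__ == "__main__":
    print(classify_host_command(READ_BD_ADDR_CMD))
    print("controller BD_ADDR:", format_bdaddr(parse_hci_event(READ_BD_ADDR_RSP)["return_params"]))
    print(classify_host_command(VENDOR_CMD))
    print("vendor command reply:", parse_hci_event(VENDOR_REJECTED))
```

The `classify_host_command` helper is the defensive half of the picture: a controller that implements undocumented commands cannot be changed from the host, but any use of OGF 0x3F on the host side of the HCI link is visible and can be logged or blocked by the host firmware.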

The researchers emphasized the significant security implications of these findings, noting that more than one billion ESP32 chips had shipped in IoT devices as of 2023. The chips are particularly common in smart home products, including lights, plugs, speakers, and thermostats.

"For any IoT device with an ESP32 where we can send HCI commands, we can implement Bluetooth attacks, pivot to other devices, execute code on the ESP32 through RAM writing commands, and potentially create rootkits or persistent implants," the researchers warned.

The team has published their cross-platform driver and related tools on GitHub, including Python and C# implementations with Scapy integration. They've also released Ghidra plugins to assist other researchers in analyzing ESP32 firmware.

This research represents a significant advancement in Bluetooth security assessment capabilities, making sophisticated attack techniques accessible with low-cost, widely available hardware. The precondition the researchers state is worth keeping in view: the hidden commands are reachable only by whoever can already issue HCI commands to the chip, whether over a physical interface such as USB or UART or from code running on the host side of the device.
