Bluetooth Security Testing with BlueToolkit: a Large-Scale Automotive Case Study

Bluetooth is a wireless data-transfer protocol used by billions of heterogeneous devices, including vehicles, smartphones, and laptops. Bluetooth devices are affected by security issues whose automated large-scale testing is challenging. In this work, we focus on Bluetooth Classic (BC) as there is no comprehensive open-source security testing framework. We fill this gap by designing and implementing BlueToolkit, a new BC security testing framework for automating recon, exploit testing, and report generation. Our tool tests the target over the air using a black-box approach, thus without prior hardware or software configuration knowledge. BlueToolkit tests 44 design and implementation exploits from six databases, including critical Machine-in-the-Middle (MITM), Remote Code Execution (RCE), and Denial of Service (DoS) ones. Moreover, it is extensible via a configuration system based on YAML files, allowing, among others, the integration of future exploits.

Despite the rise of Bluetooth usage in vehicles, its security in the automotive domain has been widely overlooked. We address this challenge using BlueToolkit to perform a comprehensive security assessment of real-world automotive In-Vehicle Infotainment (IVI) units. We evaluate 22 vehicles produced between 2016 and 2023 from 14 leading manufacturers. Each car underwent up to 44 tests, including design and implementation attacks, resulting in a total of 891 tests and 128 vulnerabilities. We also present four attacks we discovered during the experiments with the help of BlueToolkit. Our evaluation demonstrates that automotive Bluetooth security posture is inadequate and that BlueToolkit is effective in real-world use cases. We responsibly disclosed our findings to all affected vendors and open-sourced BlueToolkit.