Packet forging/injection attacks

BR/EDR

BLE

A packet injection attack is the deliberate sending of altered or crafted data packets for the purpose of manipulating or disrupting the normal operations of your connected devices. This is possible when there is no verification that the packet is correctly formatted or sent by a legitimate device.

If an application requires custom security methods and decides to use cryptography for a particular service, application layer security methods must be adecuate to prevent packet forging and injection attacks.

Not complying with this control may mean that, despite of the efforts of using application level security measures, theese can be bypassed.

Description

The procedure consists on studying and analyzing if the selected encryption methods are secure against packet forging and packet injection attacks.

This control is considered satisfactory when it is verified that the mechanism for generating a valid packet is not so trivial that it allows the creation of new packets without knowledge of the encryption key for the packet.

To check this control, the following resources may be useful:

IDDescription
BSAM-RES-04Bluetooth connections sniffing
BSAM-RES-05Capture of a Bluetooth connection

Example case

During an audit, a device with custom application layer encryption is found. Particularly, an user is able to set a secret password in the device that cyphers the traffic at application layer.

Data packets exchanged with the device include a PDU that contains a sequence number to avoid replay attacks, as in BSAM-AP-05 (Replay attacks). This number gets incremented each time a packet is sent and it is checked that the new number is greater than the latest record in the device. The PDU also contains a CRC32 field to verify the integrity of the packet.

Packets are encrypted using an stream cypher. This means that a pseudo-random stream is generated and xored to the original packet.

In this scenario, an attacker can captura an encrypted message c for a an unknown plaintext m. The attacker can compute an encrypted message c’ = c ⊕ (Δ, CRC(Δ)) that will correctly decrypt to a message m’ = m ⊕ Δ . If the attacker uses the Δ changes to modify the sequence number part of the message, it is able to reinject packets back to the device without knowing its contents.