Bluetooth Low Energy Security Testing with Combinatorial Methods

Dominik Philip Schreiber; Manuel Leithner; Jovan Zivanovic; Dimitris E. Simos

Bluetooth Low Energy Security Testing with Combinatorial Methods

Dominik Philip Schreiber
, Manuel Leithner
, Jovan Zivanovic
, Dimitris E. Simos

Networking & Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Wireless protocols such as Bluetooth Low Energy (BLE) play a vital role in ubiquitous computing and Internet of Things (IoT) devices. Numerous vulnerabilities in a variety of devices and components of the BLE stack have been uncovered in recent years, potentially affecting millions of customers. Being notoriously difficult to test due to the level of abstraction commonly enforced by the Host Controller Interface (HCI), a recent work successfully implements a fuzzing framework utilizing a custom firmware for a BLE device. However, fuzzing is inherently probabilistic, which may lead to faults remaining undiscovered. In this work, we enhance the aforementioned method with a Combinatorial Security Testing (CST) approach that provides a guaranteed degree of input space coverage. Through an evaluation targeting 10 BLE devices and a variety of firmware versions, we identify a total of 19 distinct issues, replicating findings of the previous work and uncovering additional faults. We additionally provide a performance overview of our tool and the original fuzzer, comparing their execution time and fault detection capabilities.

Original language	English
Title of host publication	USENIX ATC '25: Proceedings of the 2025 USENIX Conference on Usenix Annual Technical Conference
Publisher	USENIX Association
Pages	1625-1638
Number of pages	14
ISBN (Electronic)	978-1-939133-48-9
Publication status	Published - Sept 2025
Event	USENIX ATC '25: 2025 USENIX Conference on Usenix Annual Technical Conference - Boston, United States Duration: 7 Jul 2025 → 9 Jul 2025

Conference

Conference	USENIX ATC '25: 2025 USENIX Conference on Usenix Annual Technical Conference
Abbreviated title	USENIX ATC '25
Country/Territory	United States
City	Boston
Period	7/07/25 → 9/07/25

Classification according to Österreichische Systematik der Wissenschaftszweige (ÖFOS 2012)

Not applicable

Applied Research Level (ARL)

Not applicable

Research focus/foci

Not applicable

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

Cite this

@inproceedings{6b551851d5b94adcabcc5b2d90bd2455,

title = "Bluetooth Low Energy Security Testing with Combinatorial Methods",

abstract = "Wireless protocols such as Bluetooth Low Energy (BLE) play a vital role in ubiquitous computing and Internet of Things (IoT) devices. Numerous vulnerabilities in a variety of devices and components of the BLE stack have been uncovered in recent years, potentially affecting millions of customers. Being notoriously difficult to test due to the level of abstraction commonly enforced by the Host Controller Interface (HCI), a recent work successfully implements a fuzzing framework utilizing a custom firmware for a BLE device. However, fuzzing is inherently probabilistic, which may lead to faults remaining undiscovered. In this work, we enhance the aforementioned method with a Combinatorial Security Testing (CST) approach that provides a guaranteed degree of input space coverage. Through an evaluation targeting 10 BLE devices and a variety of firmware versions, we identify a total of 19 distinct issues, replicating findings of the previous work and uncovering additional faults. We additionally provide a performance overview of our tool and the original fuzzer, comparing their execution time and fault detection capabilities.",

author = "Schreiber, \{Dominik Philip\} and Manuel Leithner and Jovan Zivanovic and Simos, \{Dimitris E.\}",

note = "Publisher Copyright: {\textcopyright} 2025 by The USENIX Association. All rights reserved.; USENIX ATC '25: 2025 USENIX Conference on Usenix Annual Technical Conference, USENIX ATC '25 ; Conference date: 07-07-2025 Through 09-07-2025",

year = "2025",

month = sep,

language = "English",

pages = "1625--1638",

booktitle = "USENIX ATC '25: Proceedings of the 2025 USENIX Conference on Usenix Annual Technical Conference",

publisher = "USENIX Association",

}

Schreiber, DP, Leithner, M, Zivanovic, J & Simos, DE 2025, Bluetooth Low Energy Security Testing with Combinatorial Methods. in USENIX ATC '25: Proceedings of the 2025 USENIX Conference on Usenix Annual Technical Conference. USENIX Association, pp. 1625-1638, USENIX ATC '25: 2025 USENIX Conference on Usenix Annual Technical Conference, Boston, Massachusetts, United States, 7/07/25. <https://dl.acm.org/doi/10.5555/3768039.3768135>

Bluetooth Low Energy Security Testing with Combinatorial Methods. / Schreiber, Dominik Philip; Leithner, Manuel; Zivanovic, Jovan et al.
USENIX ATC '25: Proceedings of the 2025 USENIX Conference on Usenix Annual Technical Conference. USENIX Association, 2025. p. 1625-1638.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Bluetooth Low Energy Security Testing with Combinatorial Methods

AU - Schreiber, Dominik Philip

AU - Leithner, Manuel

AU - Zivanovic, Jovan

AU - Simos, Dimitris E.

PY - 2025/9

Y1 - 2025/9

N2 - Wireless protocols such as Bluetooth Low Energy (BLE) play a vital role in ubiquitous computing and Internet of Things (IoT) devices. Numerous vulnerabilities in a variety of devices and components of the BLE stack have been uncovered in recent years, potentially affecting millions of customers. Being notoriously difficult to test due to the level of abstraction commonly enforced by the Host Controller Interface (HCI), a recent work successfully implements a fuzzing framework utilizing a custom firmware for a BLE device. However, fuzzing is inherently probabilistic, which may lead to faults remaining undiscovered. In this work, we enhance the aforementioned method with a Combinatorial Security Testing (CST) approach that provides a guaranteed degree of input space coverage. Through an evaluation targeting 10 BLE devices and a variety of firmware versions, we identify a total of 19 distinct issues, replicating findings of the previous work and uncovering additional faults. We additionally provide a performance overview of our tool and the original fuzzer, comparing their execution time and fault detection capabilities.

AB - Wireless protocols such as Bluetooth Low Energy (BLE) play a vital role in ubiquitous computing and Internet of Things (IoT) devices. Numerous vulnerabilities in a variety of devices and components of the BLE stack have been uncovered in recent years, potentially affecting millions of customers. Being notoriously difficult to test due to the level of abstraction commonly enforced by the Host Controller Interface (HCI), a recent work successfully implements a fuzzing framework utilizing a custom firmware for a BLE device. However, fuzzing is inherently probabilistic, which may lead to faults remaining undiscovered. In this work, we enhance the aforementioned method with a Combinatorial Security Testing (CST) approach that provides a guaranteed degree of input space coverage. Through an evaluation targeting 10 BLE devices and a variety of firmware versions, we identify a total of 19 distinct issues, replicating findings of the previous work and uncovering additional faults. We additionally provide a performance overview of our tool and the original fuzzer, comparing their execution time and fault detection capabilities.

M3 - Conference contribution

SP - 1625

EP - 1638

BT - USENIX ATC '25: Proceedings of the 2025 USENIX Conference on Usenix Annual Technical Conference

PB - USENIX Association

T2 - USENIX ATC '25: 2025 USENIX Conference on Usenix Annual Technical Conference

Y2 - 7 July 2025 through 9 July 2025

ER -

Bluetooth Low Energy Security Testing with Combinatorial Methods

Abstract

Conference

Classification according to Österreichische Systematik der Wissenschaftszweige (ÖFOS 2012)

Applied Research Level (ARL)

Research focus/foci

UN SDGs

Access to Document

Fingerprint

Cite this