CN112640513B - Method and device for detecting Bluetooth vulnerability attack - Google Patents

Method and device for detecting Bluetooth vulnerability attack


Publication number
CN112640513B
Authority
CN
China
Prior art keywords
communication data
bluetooth
determining
encryption key
equipment
Legal status
Active
Application number
CN202080004433.8A
Other languages
Chinese (zh)
Other versions
CN112640513A (en)
Inventor
那键
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN112640513A
Application granted
Publication of CN112640513B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices

Abstract

The application discloses a method and a device for detecting a Bluetooth vulnerability attack, which can perform man-in-the-middle attack detection for the different communication stages involved in the Bluetooth protocol and address the problem that effective precautionary measures against Bluetooth man-in-the-middle attacks are rare in the prior art. The method comprises the following steps: identifying the Bluetooth devices to be detected within a preset range, and determining the Bluetooth device pairs to be detected according to the pairing result of the Bluetooth devices to be detected; acquiring and analyzing first communication data from the communication data transmitting device in a first Bluetooth device pair, and acquiring and analyzing second communication data from the communication data receiving device in the first Bluetooth device pair; and judging whether the first communication data is the same as the second communication data, and if not, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack.

Description

Method and device for detecting Bluetooth vulnerability attack
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for detecting a bluetooth vulnerability attack.
Background
Bluetooth is a technology for low-cost, short-range wireless communication between mobile phones and other accessories. With the continuous development of smart phones, smart homes and smart medical treatment, the application scenarios of Bluetooth communication keep expanding, and Bluetooth-capable devices have reached every aspect of daily work and life. The number of accompanying Bluetooth attack events is also increasing, Bluetooth vulnerabilities have become an important component of public vulnerability databases, and preventing the harm caused by attacks on Bluetooth vulnerabilities has become one of the important tasks of the relevant device manufacturers.
Currently, with the development of Bluetooth technology, attack techniques against Bluetooth are also evolving, mainly including replay attacks, denial of service attacks, man-in-the-middle attacks and the like. Among these, the man-in-the-middle attack is a common technique: the man-in-the-middle can monitor, collect and even tamper with the communication contents of the two communicating parties, so that normal communication is disrupted, while the two parties often find this difficult to notice and believe they are still communicating normally.
Disclosure of Invention
The application provides a method and a device for detecting Bluetooth vulnerability attack, which aim to solve the problem that effective precautionary measures for Bluetooth man-in-the-middle attack are rare in the prior art.
In a first aspect, an embodiment of the present application provides a method for detecting a Bluetooth vulnerability attack, including: identifying Bluetooth devices to be detected within a preset range, and determining Bluetooth device pairs to be detected according to the result of pairwise pairing of the Bluetooth devices to be detected; acquiring and analyzing first communication data from a communication data sending device in a first Bluetooth device pair, and acquiring and analyzing second communication data from a communication data receiving device in the first Bluetooth device pair; the first Bluetooth device pair is any Bluetooth device pair to be detected, the first communication data is communication data sent by the communication data sending device to the communication data receiving device through the Bluetooth connection, and the second communication data is communication data which is received by the communication data receiving device through the Bluetooth connection and carries identification information of the communication data sending device; and judging whether the first communication data is the same as the second communication data, and if not, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack.
Based on the above technical solution, for the different communication stages involved in the Bluetooth protocol, the communication data of the same communication stage, i.e. the first communication data and the second communication data, is collected and analyzed while the communication data transmitting device and the communication data receiving device in the first Bluetooth device pair perform Bluetooth communication. If no man-in-the-middle attack exists between the communication data transmitting device and the communication data receiving device, their communication data in the same communication stage should be the same. If a man-in-the-middle attack does exist between them, the man-in-the-middle tampers with the communication data of that stage, so that the communication data of the transmitting device and the communication data of the receiving device in the same communication stage differ. Whether the first Bluetooth device pair is subject to a man-in-the-middle attack is therefore determined by judging whether the first communication data is the same as the second communication data. The method provided by the embodiment of the application expands the application range of man-in-the-middle attack detection from the viewpoint of the layered structure of the Bluetooth protocol: the detection method is suitable not only for man-in-the-middle attack detection in the encryption key negotiation stage, but also for man-in-the-middle attack detection after the encrypted session is established.
Moreover, the detection device only needs the functions of acquisition, analysis and data comparison; it does not need the complex functions of cipher algorithm negotiation, data encryption and decryption, device pairing and the like, and therefore has a lower cost.
In one possible design, the collecting and parsing out first communication data from a communication data sending device in a first bluetooth device pair and collecting and parsing out second communication data from a communication data receiving device in the first bluetooth device pair includes: when the first Bluetooth device pair carries out encryption key negotiation, acquiring all encryption key length negotiation requests sent by the communication data sending device through Bluetooth connection from the communication data sending device, and acquiring all encryption key length negotiation requests received by the communication data receiving device through Bluetooth connection from the communication data receiving device; according to the identification information of the communication data sending equipment and the communication data receiving equipment, determining a first encryption key length negotiation request sent to the communication data receiving equipment from all encryption key length negotiation requests sent by the communication data sending equipment through Bluetooth connection, and determining a second encryption key length negotiation request carrying the identification information of the communication data sending equipment from all encryption key length negotiation requests received by the communication data receiving equipment through Bluetooth connection; determining a first encryption key length in the first encryption key length negotiation request as the first communication data, and determining a second encryption key length in the second encryption key length negotiation request as the second communication data.
In one possible design, the determining whether the first communication data is the same as the second communication data, and if not, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack, includes: judging whether the first encryption key length is the same as the second encryption key length; and if the first encryption key length is different from the second encryption key length, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack.
In one possible design, the collecting and parsing out first communication data from a communication data sending device in a first bluetooth device pair and collecting and parsing out second communication data from a communication data receiving device in the first bluetooth device pair includes: collecting all communication data sent by a communication data sending device through a Bluetooth connection from a communication data sending device in a first Bluetooth device pair, and collecting all communication data received by a communication data receiving device through the Bluetooth connection from a communication data receiving device in the first Bluetooth device pair; according to the identification information of the communication data sending device and the communication data receiving device, the first communication data is determined from all communication data sent by the communication data sending device through Bluetooth connection, and the second communication data is determined from all communication data received by the communication data receiving device through Bluetooth connection.
In one possible design, the identifying bluetooth devices to be detected within a preset range includes: acquiring a Bluetooth broadcast message of the Bluetooth equipment within the preset range; the Bluetooth broadcast message carries identification information of the Bluetooth equipment; and determining the Bluetooth equipment to be detected in the preset range according to the Bluetooth broadcast message.
In one possible design, after the determining that the first Bluetooth device pair is subject to a man-in-the-middle attack, the method further comprises: judging whether encrypted session data exists for the first Bluetooth device pair; if the encrypted session data exists, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack and that the attack has succeeded; and if the encrypted session data does not exist, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack but that the attack has not succeeded.
In one possible design, the determining whether encrypted session data is present includes: if an encryption transmission starting request sent by the communication data sending device to the communication data receiving device through a Bluetooth connection is acquired from the communication data sending device, or an encryption transmission starting request carrying identification information of the communication data sending device and received by the communication data receiving device through the Bluetooth connection is acquired from the communication data receiving device, determining that encrypted session data exists; or acquiring and analyzing communication data between the communication data sending equipment and the communication data receiving equipment, and determining whether encrypted session data exists according to the statistical characteristics of the communication data.
Based on the technical scheme, aiming at the encryption key negotiation stage related to the Bluetooth protocol, the communication data in the encryption key negotiation of the communication data sending device and the communication data receiving device in the first Bluetooth device pair during Bluetooth communication is acquired and analyzed, namely the length of the first encryption key and the length of the second encryption key, and whether man-in-the-middle attack exists in the first Bluetooth device pair is determined by judging whether the length of the first encryption key is the same as that of the second encryption key, so that man-in-the-middle attack detection in the encryption key negotiation stage is realized.
In one possible design, the collecting and parsing out first communication data from a communication data sending device in a first bluetooth device pair and collecting and parsing out second communication data from a communication data receiving device in the first bluetooth device pair includes: when the first Bluetooth device pair carries out encryption transmission, acquiring first bidirectional communication data between the communication data sending device and the communication data receiving device from the communication data sending device, and acquiring second bidirectional communication data between the communication data receiving device and the communication data sending device from the communication data receiving device; determining, from the first bidirectional communication data and the second bidirectional communication data, first encrypted session data and second encrypted session data as the first communication data and the second communication data, respectively.
In a possible design, the determining whether the first communication data is the same as the second communication data, and if not, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack, includes: judging whether the first encrypted session data is the same as the second encrypted session data; if the first encrypted session data is the same as the second encrypted session data, determining that the first Bluetooth device pair is not subject to a man-in-the-middle attack; and if the first encrypted session data is different from the second encrypted session data, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack.
Based on the technical scheme, aiming at the encryption transmission stage related in the Bluetooth protocol, the communication data in encryption transmission of the communication data sending device and the communication data receiving device in the first Bluetooth device pair during Bluetooth communication, namely the first encryption session data and the second encryption session data, is acquired and analyzed, and whether man-in-the-middle attack exists in the first Bluetooth device pair is determined by judging whether the first encryption session data and the second encryption session data are the same, so that man-in-the-middle attack detection after the encryption session is established is realized.
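The two stage checks described above (key length compared across both vantages during negotiation, then encrypted session data compared after the session is established) together with the success grading from the encrypted-session check, as an added example that is not the patent's own implementation. The message layout, field names, stage labels and the captured messages are all constructed for this example and do not follow any real Bluetooth stack's log format.

```python
"""Two-vantage Bluetooth MITM detection, modelled on the method described above.
Message layout, field names and all captures below are constructed for this example; they are
not the patent's implementation and do not follow any real Bluetooth stack's log format."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Msg:
    """One message as reported by a device's own Bluetooth stack (constructed format)."""
    stage: str                     # "key_len_req", "enc_start_req" or "enc_data"
    src: str                       # identification info of the sender (constructed addresses)
    dst: str                       # identification info of the intended receiver
    key_len: Optional[int] = None  # requested encryption key length, key_len_req only
    payload: bytes = b""           # ciphertext, enc_data only


@dataclass
class Verdict:
    stage: str
    mitm: bool
    successful: Optional[bool] = None  # meaningful only when mitm is True
    detail: str = ""


def _between(msgs: Iterable[Msg], stage: str, a: str, b: str) -> List[Msg]:
    """Messages of one stage exchanged between the pair (a, b), in either direction."""
    return [m for m in msgs if m.stage == stage and {m.src, m.dst} == {a, b}]


def key_negotiation_check(sent_by_a: Iterable[Msg], received_by_b: Iterable[Msg],
                          a: str, b: str) -> Verdict:
    """Encryption key negotiation stage. First communication data: the key length A reports
    having sent to B. Second: the key length B reports having received from A. They can only
    differ if something between A and B altered the request in transit."""
    first = [m.key_len for m in sent_by_a
             if m.stage == "key_len_req" and m.src == a and m.dst == b]
    second = [m.key_len for m in received_by_b
              if m.stage == "key_len_req" and m.src == a and m.dst == b]
    if not first or not second:
        return Verdict("key_negotiation", False, detail="negotiation not seen at both sides")
    if first[-1] != second[-1]:
        return Verdict("key_negotiation", True,
                       detail=f"sent key length {first[-1]} != received key length {second[-1]}")
    return Verdict("key_negotiation", False, detail=f"key length {first[-1]} consistent")


def encrypted_session_present(a_view: Iterable[Msg], b_view: Iterable[Msg],
                              a: str, b: str) -> bool:
    """Encrypted session data exists if either side saw an encryption-start request for the
    pair. The page's alternative, a statistical test on the traffic, is not modelled."""
    return bool(_between(a_view, "enc_start_req", a, b)
                or _between(b_view, "enc_start_req", a, b))


def encrypted_transmission_check(a_view: Iterable[Msg], b_view: Iterable[Msg],
                                 a: str, b: str) -> Verdict:
    """Encrypted transmission stage: the bidirectional session data captured at A must equal
    that captured at B; an interposed party that re-encrypts traffic makes them differ."""
    first = [m.payload for m in _between(a_view, "enc_data", a, b)]
    second = [m.payload for m in _between(b_view, "enc_data", a, b)]
    if not first and not second:
        return Verdict("encrypted_transmission", False, detail="no encrypted session data")
    if first != second:
        return Verdict("encrypted_transmission", True, successful=True,
                       detail=f"{len(first)} vs {len(second)} messages; content differs")
    return Verdict("encrypted_transmission", False, detail="session data identical at both sides")


def detect(a_view: List[Msg], b_view: List[Msg], a: str, b: str) -> List[Verdict]:
    """Run both stage checks for one device pair. A negotiation-stage MITM is graded as
    successful only if an encrypted session was established afterwards."""
    verdicts = [key_negotiation_check(a_view, b_view, a, b)]
    if verdicts[0].mitm:
        verdicts[0].successful = encrypted_session_present(a_view, b_view, a, b)
    verdicts.append(encrypted_transmission_check(a_view, b_view, a, b))
    return verdicts


# Constructed captures for one pair. A_VIEW is what A's stack reports, B_VIEW what B's reports.
# A sent a key length of 16, B received 1, and an encrypted session then started: a
# negotiation-stage man-in-the-middle that succeeded. The ciphertext itself was only relayed,
# so the encrypted-transmission check alone would not have caught it.
A, B = "00:11:22:33:44:55", "66:77:88:99:AA:BB"
A_VIEW = [Msg("key_len_req", A, B, key_len=16), Msg("enc_start_req", A, B),
          Msg("enc_data", A, B, payload=b"\x9f\x02\x44"), Msg("enc_data", B, A, payload=b"\x71\xc3")]
B_VIEW = [Msg("key_len_req", A, B, key_len=1), Msg("enc_start_req", A, B),
          Msg("enc_data", A, B, payload=b"\x9f\x02\x44"), Msg("enc_data", B, A, payload=b"\x71\xc3")]

if __name__ == "__main__":
    for v in detect(A_VIEW, B_VIEW, A, B):
        print(f"{v.stage}: mitm={v.mitm} successful={v.successful} ({v.detail})")
```

The detector only needs each device's own report of what it sent and received; it never has to negotiate, pair or decrypt, which is the cost argument the text makes.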
In a second aspect, the present application further provides a device for detecting a bluetooth vulnerability attack, where the device for detecting a bluetooth vulnerability attack has a function of implementing the first aspect or any one of the possible design methods of the first aspect, and the function may be implemented by hardware or by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the functions, such as a first determination module, an acquisition and analysis module and a second determination module.
The first determining module is used for identifying the to-be-detected Bluetooth equipment in a preset range and determining the to-be-detected Bluetooth equipment pair according to the pairing result of the to-be-detected Bluetooth equipment;
the acquisition and analysis module is used for acquiring and analyzing first communication data from a communication data sending device in a first Bluetooth device pair and acquiring and analyzing second communication data from a communication data receiving device in the first Bluetooth device pair; the first Bluetooth device pair is any Bluetooth device pair to be detected, the first communication data is communication data sent by the communication data sending device to the communication data receiving device through Bluetooth connection, and the second communication data is communication data which is received by the communication data receiving device through Bluetooth connection and carries identification information of the communication data sending device;
the second determining module is configured to determine whether the first communication data is the same as the second communication data, and if not, determine that the first Bluetooth device pair is subject to a man-in-the-middle attack.
In one possible design, the collection analysis module is specifically configured to: when the first Bluetooth device pair carries out encryption key negotiation, acquiring all encryption key length negotiation requests sent by the communication data sending device through Bluetooth connection from the communication data sending device, and acquiring all encryption key length negotiation requests received by the communication data receiving device through Bluetooth connection from the communication data receiving device; according to the identification information of the communication data sending equipment and the communication data receiving equipment, determining a first encryption key length negotiation request sent to the communication data receiving equipment from all encryption key length negotiation requests sent by the communication data sending equipment through Bluetooth connection, and determining a second encryption key length negotiation request carrying the identification information of the communication data sending equipment from all encryption key length negotiation requests received by the communication data receiving equipment through Bluetooth connection; determining a first encryption key length in the first encryption key length negotiation request as the first communication data, and determining a second encryption key length in the second encryption key length negotiation request as the second communication data.
In one possible design, the second determining module is specifically configured to: judge whether the first encryption key length is the same as the second encryption key length; and if the first encryption key length is different from the second encryption key length, determine that the first Bluetooth device pair is subject to a man-in-the-middle attack.
In one possible design, the collection analysis module is specifically configured to: collecting all communication data sent by a communication data sending device through a Bluetooth connection from a communication data sending device in a first Bluetooth device pair, and collecting all communication data received by a communication data receiving device through the Bluetooth connection from a communication data receiving device in the first Bluetooth device pair; according to the identification information of the communication data sending device and the communication data receiving device, the first communication data is determined from all communication data sent by the communication data sending device through Bluetooth connection, and the second communication data is determined from all communication data received by the communication data receiving device through Bluetooth connection.
In one possible design, the first determining module is specifically configured to: acquiring a Bluetooth broadcast message of a to-be-detected Bluetooth device within a preset range; the Bluetooth broadcast message carries identification information of the Bluetooth equipment; and determining the Bluetooth equipment to be detected within a preset range according to the Bluetooth broadcast message.
In one possible design, after the second determining module determines that the first Bluetooth device pair is subject to a man-in-the-middle attack, the second determining module is further configured to: judge whether encrypted session data exists for the first Bluetooth device pair; if the encrypted session data exists, determine that the first Bluetooth device pair is subject to a man-in-the-middle attack and that the attack has succeeded; and if the encrypted session data does not exist, determine that the first Bluetooth device pair is subject to a man-in-the-middle attack but that the attack has not succeeded.
In one possible design, after the second determining module determines that the first Bluetooth device pair is subject to a man-in-the-middle attack, the second determining module is specifically configured to: if an encryption transmission starting request sent by the communication data sending device to the communication data receiving device through the Bluetooth connection is acquired from the communication data sending device, or an encryption transmission starting request carrying identification information of the communication data sending device and received by the communication data receiving device through the Bluetooth connection is acquired from the communication data receiving device, determine that encrypted session data exists; or acquire and analyze the communication data between the communication data sending device and the communication data receiving device, and determine whether encrypted session data exists according to the statistical characteristics of the communication data.
In one possible design, the collection analysis module is specifically configured to: when the first Bluetooth device pair carries out encryption transmission, acquiring first bidirectional communication data between the communication data sending device and the communication data receiving device from the communication data sending device, and acquiring second bidirectional communication data between the communication data receiving device and the communication data sending device from the communication data receiving device; determining, from the first bidirectional communication data and the second bidirectional communication data, first encrypted session data and second encrypted session data as the first communication data and the second communication data, respectively.
In one possible design, the second determining module is specifically configured to: judge whether the first encrypted session data is the same as the second encrypted session data; if the first encrypted session data is the same as the second encrypted session data, determine that the first Bluetooth device pair is not subject to a man-in-the-middle attack; and if the first encrypted session data is different from the second encrypted session data, determine that the first Bluetooth device pair is subject to a man-in-the-middle attack.
In a third aspect, the present application further provides an apparatus for detecting a bluetooth vulnerability attack, where the apparatus for detecting a bluetooth vulnerability attack may include: at least one processor; and a memory communicatively coupled to the at least one processor, a communication interface; wherein the memory stores instructions executable by the at least one processor to perform the functions of the method as described in the first aspect above or in any one of the possible designs of the first aspect by executing the instructions stored by the memory.
In a fourth aspect, the present application also provides a computer-readable storage medium comprising a computer program which, when run on a computer, causes the computer to perform the method of the first aspect or any one of the possible designs of the first aspect.
In a fifth aspect, the present application further provides a program product for causing a computer to perform the method of the first aspect or any one of the possible designs of the first aspect when the program product is run on the computer.
In a sixth aspect, the present application further provides a chip, which may be coupled to a memory of an apparatus for detecting a Bluetooth vulnerability attack, and is configured to call a computer program stored in the memory and execute the method of the first aspect or any one of the possible designs of the first aspect.
Drawings
FIG. 1 is a schematic diagram illustrating the principle of an existing SSL man-in-the-middle attack;
FIG. 2 is a system architecture diagram according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a user interface provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of another user interface provided by an embodiment of the present application;
FIG. 5 is a schematic flowchart of a method for detecting a Bluetooth vulnerability attack according to an embodiment of the present application;
FIG. 6a is a schematic diagram of Bluetooth communication according to an embodiment of the present application;
FIG. 6b is a schematic diagram of a Bluetooth vulnerability attack in the encryption key negotiation stage according to an embodiment of the present application;
FIG. 6c is a schematic diagram of a Bluetooth vulnerability attack in the encryption transmission stage according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an apparatus for detecting a Bluetooth vulnerability attack according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of another apparatus for detecting a Bluetooth vulnerability attack according to an embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
In order to facilitate understanding of the embodiments of the present application, the following description will be made of terms used in the embodiments of the present application.
With the development of Bluetooth (BT) technology, attack technologies for bluetooth have evolved, mainly including attack technologies such as replay attack, denial of service attack, and man-in-the-middle attack.
First, replay attack
A replay attack (also called a playback attack) refers to an attacker sending to a system a data packet that the target host has already received, in order to deceive the system; it is mainly used to undermine the correctness of authentication in the identity authentication process. Replay attacks may be performed by the originator, or by an attacker who intercepts and retransmits the packet. The attacker steals the authentication credential by network monitoring or other means, and then retransmits the credential to the authentication server. Replay attacks can occur in any network communication process and are one of the attack methods commonly used by hackers in the computer world.
Second, denial of service attacks
Denial of service attacks refer to an attacker who wants to make a target machine stop providing services, and are one of attack means commonly used by hackers.
Third, man-in-the-middle attack (MITM attack)
The MITM attack is an "indirect" intrusion attack in which a computer under the control of the intruder is virtually placed, by various techniques, between two communicating computers in a network connection; this computer is known as the "man-in-the-middle". In short, an MITM attack intercepts normal network communication data and tampers with and sniffs it, without either party being aware of it. The MITM attack is a long-standing network attack technique that still continues to develop, and attacks such as Server Message Block (SMB) session hijacking and Domain Name System (DNS) spoofing are typical MITM attacks.
With the sophistication of network technology, MITM attacks are becoming more and more diverse. Initially, protocols such as the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP) and Telnet all transmitted in plaintext; an attacker could set the computer's network card to promiscuous mode and pose as a proxy server to monitor traffic, which was enough to complete the attack. Later, with the widespread use of switches, man-in-the-middle attacks based on sniffing alone stopped working, and an Address Resolution Protocol (ARP) spoofing operation had to be performed first. At present, most network service providers (such as internet banking, mailboxes, social software, browsers, etc.) adopt encrypted communication based on the Secure Socket Layer (SSL) protocol, such as HTTP Secure (HTTPS) and FTP Secure (FTPS), which are encryption protocols built on SSL. A man-in-the-middle attack on the communication between a client and a server therefore requires a more complex operation, shown schematically for the existing SSL man-in-the-middle attack in FIG. 1. If a man-in-the-middle attack occurs while a client and a server are establishing communication, the actual communication process is as follows: the client establishes communication with the man-in-the-middle, and the server establishes communication with the man-in-the-middle; the man-in-the-middle pretends to be the client and establishes SSL communication with the server, and presents a forged certificate to establish SSL communication with the client.
The client believes it is communicating with the server, and the server believes it is communicating with the client; the man-in-the-middle then exchanges keys with each of the two parties separately, an encrypted transmission channel is established, and the attack is complete.
Therefore, current man-in-the-middle detection technology mainly targets the SSL protocol in the TCP stack and has to combine the multiple steps involved in the SSL encryption protocol. Detection techniques for this kind of man-in-the-middle attack include man-in-the-middle detection based on certificate verification, DNS man-in-the-middle detection based on a trusted address list, and man-in-the-middle detection based on identifying HTTP proxy servers; these can be combined to strengthen detection, for example SSL man-in-the-middle attack detection based on a certificate combined with a trusted address list. Compared with SSL, an encrypted communication protocol over IP, man-in-the-middle detection for the Bluetooth protocol, a short-range wireless communication protocol, has received far less research.
In view of this, the embodiments of the present application counter Bluetooth man-in-the-middle attacks effectively by performing man-in-the-middle detection on the encryption key negotiation and the encrypted transmission involved in the Bluetooth protocol.
It should be understood that the embodiments of the present application may be applied to a system for detecting bluetooth vulnerability attack, where the system includes an electronic device and at least two bluetooth devices, and the electronic device is configured to perform bluetooth vulnerability attack detection on bluetooth communication between the bluetooth devices (i.e., to implement the method of the embodiments of the present application).
The electronic device may be a portable electronic device that also includes functions such as a personal digital assistant and/or a music player, for example a mobile phone, a tablet computer, or a wearable device with wireless communication capability (e.g. a smart watch). Exemplary embodiments of the portable electronic device include, but are not limited to, devices running the operating systems named in an image in the source (Figure BDA0002934895350000071) or other operating systems. The portable electronic device may also be another portable electronic device such as a laptop computer with a touch-sensitive surface (e.g. a touch panel). It should also be understood that in other embodiments the electronic device may not be portable at all, but may be a desktop computer with a touch-sensitive surface (e.g. a touch panel). It should also be understood that the electronic device may or may not support the Bluetooth function; when it does, it turns the Bluetooth function off during detection so that the electronic device itself cannot be targeted by a man-in-the-middle. For convenience of description, the embodiments take an electronic device that supports Bluetooth as the example.
The Bluetooth device may be a mobile phone, Bluetooth headset, Bluetooth mouse, tablet computer, notebook computer, desktop computer, display screen, Bluetooth keyboard, Bluetooth printer, Bluetooth fax machine, car networking (Internet of Vehicles) device and so on. For convenience of description, the embodiments take car networking devices as the example Bluetooth devices.
Exemplarily, fig. 2 is an architecture diagram of a system provided in the embodiment of the present application. The system includes an electronic device 100 and may further include a plurality of car networking devices; fig. 2 depicts three of them, car networking device 200, car networking device 300 and car networking device 400. The embodiment does not limit the specific form of the car networking device: any device that performs Bluetooth communication in a car networking scenario can serve as one. Once a Bluetooth connection is established, vehicles can exchange vehicle information (such as a vehicle identifier), road condition information, vehicle owner information and the like.
The car networking device may also be a road facility. The road facility may be a speed-measuring or monitoring device installed beside a road that monitors the speed of passing vehicles. It may be a base station that broadcasts information to passing vehicles and collects vehicle or owner information. It may be a smart traffic light at an intersection that adjusts its timing according to the real-time traffic flow at the intersection or road section. It may be an automatic toll station or automatic fuel station at the roadside: the toll station obtains the information of passing vehicles and charges them, and the fuel station obtains the information of vehicles that need refuelling, refuels them once their information has been authenticated, and sends them a charging request. Road facilities can also interact with vehicles and with each other. For example, once the smart traffic lights at two adjacent intersections have established a Bluetooth connection, one can send the real-time traffic flow of its intersection or road section to the other, which adjusts its own timing accordingly.
In the system architecture shown in fig. 2, the car networking devices 200 and 300 are vehicles and the car networking device 400 is a road facility; this is only an example, and the embodiments do not limit the number or specific form of the car networking devices in the system.
The electronic device 100 performs Bluetooth vulnerability attack detection (i.e. implements the method of the embodiment) on the Bluetooth communication between devices in the vehicle networking system (such as devices 200, 300 and 400). It should be understood that the electronic device 100 may be connected to these devices. For example, the electronic device 100 may be connected by wire to a collection device placed on car networking device 300; when device 300 communicates with device 200 over Bluetooth, the electronic device 100 obtains over that wire the communication data of device 300 captured from the air interface by the collection device on device 300, and obtains by wireless transmission (for example WiFi) the communication data of device 200 captured from the air interface by the collection device on device 200. The electronic device 100 may also be unconnected to the car networking devices; the embodiment does not restrict this, and for convenience of description it is assumed below that the electronic device 100 is not connected to the car networking devices.
It should be understood that, because the collection device captures on the air interface, it is only necessary to ensure that the car networking device is within the effective range of the collection device; the car networking device itself need not be modified. If the car networking device is road equipment, the collection device need not be placed on it; if the car networking device is a vehicle, which is in motion most of the time, the collection device should be placed on the vehicle.
It should be understood that the electronic device 100 generally provides its functions to the user through application programs. An application may be a system application (also called a native application) or a third-party application, for example a drawing, presentation, word processing, gaming, telephony, video player, music player, e-mail, instant messaging, photo management, camera, browser, calendar, clock, payment, application marketplace, desktop or health management application. The electronic device 100 may run several applications simultaneously.
Illustratively, a in fig. 3 is a schematic view of a graphical user interface according to an embodiment of the present application; the graphical user interface is referred to below simply as the user interface. The electronic device 100 displays a user interface on its display screen; the user interface may be the home interface, the leftmost screen (the "negative one" screen), or the user interface of an application. For example, the home interface may be the user interface 300 shown in a in fig. 3, which may include a status bar 301, a time and weather widget 302, a hideable navigation bar 303, and icons of multiple applications such as a settings icon 304. The status bar 301 may show the operator name (China Mobile), the mobile network (e.g. 4G), the time and the remaining battery; in other embodiments it may show the operator name, the mobile network signal strength, the time and the remaining battery, and it may further include one or more of a Bluetooth icon, a WiFi icon, a screen lock icon, an add-on icon and the like. Taking the Bluetooth icon as an example, the electronic device 100 may show it in the status bar 301 after the Bluetooth function is turned on and hide it after the Bluetooth function is turned off. The navigation bar 303 may include a back button, a home button and a recent tasks (menu) button. In other embodiments the user interface 300 may also include a Dock bar containing icons of frequently used applications, such as the telephone, messaging, mail and weather icons.
It should be understood that the user can set icons of common applications in the Dock bar according to the requirement of the user.
In other embodiments, as shown in a of fig. 3, the electronic device 100 may also include a home screen key 305, which may be a physical or a virtual key. The home screen key 305 returns the display from an application's user interface, or from the negative one screen, to the home interface in response to a user operation (for example pressing the key), so that the user can view the home interface and operate its controls (such as icons) at any time. In some other embodiments the home screen key 305 may also integrate a fingerprint sensor, so that when the user presses it the electronic device 100 can collect a fingerprint to confirm the user's identity. In other embodiments the electronic device 100 may not include the home screen key 305.
For example, when the display screen of the electronic apparatus 100 displays the user interface 300, a system setting interface may be displayed on the display screen in response to a touch operation of the user on the setting icon 304. The system setting interface includes various function buttons for performing corresponding settings on the electronic device 100. For example, the system setup interface may be a user interface 310 as shown in b in fig. 3, including a bluetooth button 311. In addition, the user interface 310 may further include function buttons for account login, cloud backup opening, screen locking, and the like. The electronic device 100 may display a bluetooth settings interface on the display screen in response to user operation of the bluetooth button 311. Wherein, the bluetooth setting interface is used for opening or closing the bluetooth function.
For example, when the bluetooth function of the electronic device 100 is not turned on, the bluetooth setup interface may be the user interface 320 as shown in c of fig. 3. As shown in c of fig. 3, the user interface 320 includes a bluetooth button 321, and the bluetooth button 321 is in an OFF (OFF) state. When the bluetooth button 321 is in the off state, the bluetooth function of the electronic device 100 is not turned on. The electronic device 100 may turn ON the bluetooth function by placing the bluetooth button 321 ON (ON) in response to the user operating the bluetooth button 321, the bluetooth setting interface may be the user interface 320 as shown in d in fig. 3, and the available device list 322 includes Sql, 200, and Watch.
Furthermore, in other embodiments, when the display screen of the electronic device 100 shows a user interface (e.g. the user interface 300) after being locked or unlocked, a quick settings user interface may be displayed in response to a pull-down or pull-up operation by the user. The quick settings interface includes shortcut buttons for various functions, such as a button for turning the Bluetooth function on or off; for example, it may be the user interface 400 shown in fig. 4, which includes a Bluetooth button 401. The electronic device 100 turns the Bluetooth function on or off in response to the user's operation of the Bluetooth button 401: on when it was off, off when it was on. In some embodiments the user interface 400 may further include buttons for WiFi, personal hotspot, flight mode, do not disturb, ring, mobile data, brightness adjustment and the like, so that the user can set those functions quickly. It should be noted that the electronic device 100 may also turn the Bluetooth function on or off in other ways, for example by voice command or shortcut gesture; this is not limited.
The electronic device and the vehicle networking device provided by the embodiment of the application are introduced above, and the method for detecting the bluetooth vulnerability attack provided by the embodiment of the application is introduced below with reference to the accompanying drawings.
It should be understood that the terms "first" and "second" in the embodiments of the present application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated; a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. "At least one" means one or more; "a plurality" means two or more. "And/or" describes an association between objects and covers three cases: "A and/or B" may mean A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of the following" and similar expressions refer to any combination of the listed items, singular or plural; for example, at least one of a, b or c may be a, b, c, a and b, a and c, b and c, or a and b and c.
As shown in fig. 5, a schematic flowchart of a method for detecting a bluetooth vulnerability attack according to an embodiment of the present application is provided, and the method for detecting a bluetooth vulnerability attack may be applied to the systems shown in fig. 2 to 4 or similar to the functional structures shown in fig. 2 to 4. The specific flow of the method for detecting the bluetooth vulnerability attack is described as follows.
S501, the electronic device 100 identifies the Bluetooth device to be detected within a preset range.
In some embodiments, when its Bluetooth function is turned on, the electronic device 100 may broadcast a message, and may receive the broadcast messages of Bluetooth-enabled car networking devices within a preset range (e.g. car networking devices 200, 300 and 400). These devices broadcast periodically, which helps the electronic device 100 discover them.
It should be noted that in the embodiment of the present application the broadcast message may be a specific Bluetooth broadcast (advertisement). The advertisement may be of the connectable undirected event type (ADV_IND in Bluetooth Low Energy), which may carry both advertising data and scan response data. Alternatively it may be of the scannable undirected event type (ADV_SCAN_IND), also called a discoverable broadcast: other devices can scan the advertiser and obtain its scan response, but a Bluetooth connection cannot be initiated from this broadcast. Of course, the broadcast message may also have other content; it is not limited here.
Taking the broadcast message of car networking device 200 as an example, it includes a device identifier of device 200, i.e. information that uniquely identifies the car networking device: if device 200 is a vehicle, the identifier may be its license plate or Vehicle Identification Number (VIN); if device 200 is a road facility, the identifier may be the device identifier of that facility. The type of identifier is not limited in the embodiment; any information that can identify car networking device 200 is applicable. It should be understood that once the electronic device 100 has received the broadcast message of device 200, it determines that device 200 is a Bluetooth device to be detected within the preset range.
It should be noted that in this embodiment the electronic device 100 may also broadcast an identification request, so that a Bluetooth-enabled car networking device within the preset range (e.g. car networking device 200, 300 or 400) sends an identification response to the electronic device 100 after receiving the request, and the electronic device 100 thereby discovers the Bluetooth-enabled car networking devices within the preset range.
It should be noted that, since the electronic device 100 is the device that detects Bluetooth vulnerability attacks, it may turn off its own Bluetooth function so that it cannot itself be targeted by a man-in-the-middle. For example, in response to a user operation on a first Bluetooth button, the electronic device 100 displays a Bluetooth settings interface that includes a function key (e.g. a second Bluetooth button) for turning the Bluetooth function on or off; when the second Bluetooth button is in the OFF state the Bluetooth function is not turned on, and in response to the user's operation the electronic device 100 can set the second Bluetooth button to OFF and thereby turn the Bluetooth function off.
S502, determining the Bluetooth device pair to be detected according to the result of pairing the Bluetooth devices to be detected.
In some embodiments, after identifying the car networking devices (e.g., the car networking device 200, the car networking device 300, and the car networking device 400) with bluetooth functions enabled within the preset range, the electronic device 100 may determine the pair of bluetooth devices to be detected according to a result of pairing of every two car networking devices, so as to perform bluetooth vulnerability attack detection on any pair of bluetooth devices to be detected, and determine whether a man-in-the-middle attack exists between the pair of bluetooth devices. Specifically, the electronic device 100 determines that the car networking device with the bluetooth function in the preset range is the car networking device 200, the car networking device 300 and the car networking device 400, and then determines that the bluetooth device pair to be detected is the car networking device 200 and the car networking device 300, the car networking device 200 and the car networking device 400, and the car networking device 300 and the car networking device 400 according to the result of pairwise pairing of the car networking device 200, the car networking device 300 and the car networking device 400, and the electronic device 100 can detect any bluetooth device pair in the bluetooth device pair to be detected.
Taking car networking device 200 as an example, after it turns on its Bluetooth function it may, as a slave, be scanned and discovered by nearby Bluetooth-enabled car networking devices, and it may, as a master, scan and discover nearby Bluetooth-enabled devices. For example, if devices 200 and 300 both have Bluetooth enabled, device 300 is near device 200, device 200 is the master and device 300 the slave, then device 200 may run a device scanning process after turning on Bluetooth, discover device 300, and establish a Bluetooth connection with it. If devices 200 and 300 are both Bluetooth devices to be detected within the preset range determined by the electronic device 100, then after device 200 establishes a Bluetooth connection with device 300 the electronic device 100 may detect the Bluetooth communication between them.
It should be noted that after car networking device 200 turns on its Bluetooth function, the user interface shown on its display may include a prompt that device 200 can currently be discovered by nearby car networking devices, a list of available devices, and so on. The list of available devices includes at least one device identifier, each identifying a nearby Bluetooth-enabled car networking device that device 200 has discovered by scanning; the identifier may include one or more of a device name, a device type or a MAC address, and may be presented in the list as graphics, text or the like. The device name may be the device model or may be set by the user; this is not limited. For example, if device 200 discovers devices 300 and 400, whose identifiers are 300 and 400, the list of available devices in the user interface of device 200 includes 300 and 400, and the list is updated as device 200 continues to scan. Device 200 may then establish a Bluetooth connection with device 300 or device 400 in response to the user's operation on the list.
It should be noted that, in the embodiment of the present application, the car networking device 200 may perform the device scanning process in the following manner:
in the first mode, after the bluetooth function is turned on, the car networking device 200 as a master device broadcasts a scanning request, and a car networking device (for example, the car networking device 300) with a nearby bluetooth function turned on as a slave device can send a scanning response to the car networking device 200 after receiving the scanning request, so that the car networking device 200 discovers a nearby electronic device with a bluetooth function turned on;
in the second mode, car networking device 200 as the master receives, after turning on Bluetooth, the broadcast messages of nearby Bluetooth-enabled car networking devices (slaves) without sending a scan request. Bluetooth-enabled car networking devices broadcast periodically so that other nearby Bluetooth-enabled devices can scan and discover them. For example, after turning on Bluetooth, car networking device 200 receives a broadcast message from car networking device 300 and thereby discovers device 300.
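The discovery and pairing steps S501 and S502 above, as an added example written for this page (not code from the patent): a constructed capture of Bluetooth Low Energy advertisements is parsed into the set of devices to be detected, using the connectable undirected (ADV_IND) and scannable undirected (ADV_SCAN_IND) event types named above, and every unordered pair of those devices becomes a Bluetooth device pair to be detected. The advertisement records, the addresses, and the encoding of the device identifier as a manufacturer-specific AD structure carrying an ASCII plate number or VIN under a placeholder company id are all assumptions made for the example; the patent does not specify how the identifier is carried.

```python
"""Added example, not the patent's code: steps S501 (identify the Bluetooth
devices to be detected) and S502 (form the device pairs to be detected) over a
constructed capture of BLE advertisements."""
from itertools import combinations

# Advertising PDU types (Bluetooth Core Specification, Vol 6 Part B, 2.3.1)
ADV_IND = 0x0          # connectable undirected: a connection may be initiated
ADV_SCAN_IND = 0x6     # scannable undirected: discoverable, not connectable
ADV_NONCONN_IND = 0x2  # non-connectable, non-scannable

# AD types from the Bluetooth Assigned Numbers used in this example
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_SPECIFIC = 0xFF

# Assumption: the car networking identifier sits in a manufacturer-specific AD
# structure behind a placeholder little-endian company id.
ASSUMED_COMPANY_ID = b"\xff\xff"


def ad_structure(ad_type: int, data: bytes) -> bytes:
    """Encode one AD structure: [length][type][data], length counting type + data."""
    return bytes([len(data) + 1, ad_type]) + data


def parse_ad_structures(payload: bytes) -> dict:
    """Decode an advertising payload into {ad_type: data}; stops at zero padding."""
    result = {}
    i = 0
    while i + 1 < len(payload):
        length = payload[i]
        if length == 0:
            break
        ad_type = payload[i + 1]
        result[ad_type] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return result


def identify_devices(advertisements: list) -> dict:
    """S501: every advertiser that broadcasts a device identifier is a device to
    be detected. Periodic re-broadcasts collapse onto the advertiser's address."""
    devices = {}
    for adv in advertisements:
        if adv["pdu_type"] not in (ADV_IND, ADV_SCAN_IND):
            continue  # only connectable or scannable undirected events are used
        ads = parse_ad_structures(adv["payload"])
        ident = ads.get(AD_MANUFACTURER_SPECIFIC)
        if not ident or len(ident) <= len(ASSUMED_COMPANY_ID):
            continue  # no identifier: cannot be matched to a car networking device
        devices[adv["addr"]] = {
            "identifier": ident[len(ASSUMED_COMPANY_ID):].decode("ascii", "replace"),
            "name": ads.get(AD_COMPLETE_LOCAL_NAME, b"").decode("ascii", "replace"),
            "connectable": adv["pdu_type"] == ADV_IND,
        }
    return devices


def pairs_to_detect(devices: dict) -> list:
    """S502: each unordered pair of identified devices is a Bluetooth device pair
    to be detected, keyed by identifier (three devices give three pairs)."""
    identifiers = sorted(info["identifier"] for info in devices.values())
    return list(combinations(identifiers, 2))


def _adv(addr: str, pdu_type: int, name: str, identifier: str) -> dict:
    """Build one constructed advertisement record for the sample capture."""
    payload = (ad_structure(AD_FLAGS, b"\x06")
               + ad_structure(AD_COMPLETE_LOCAL_NAME, name.encode("ascii"))
               + ad_structure(AD_MANUFACTURER_SPECIFIC,
                              ASSUMED_COMPANY_ID + identifier.encode("ascii")))
    return {"addr": addr, "pdu_type": pdu_type, "payload": payload}


# Constructed capture: device 200 advertises twice (periodic broadcast), device 300
# is connectable, the road facility 400 is scannable only, and a non-connectable
# beacon without an identifier is present and must be ignored.
CAPTURED_ADVERTISEMENTS = [
    _adv("c0:ff:ee:00:02:00", ADV_IND, "car-200", "VIN200"),
    _adv("c0:ff:ee:00:03:00", ADV_IND, "car-300", "VIN300"),
    _adv("c0:ff:ee:00:02:00", ADV_IND, "car-200", "VIN200"),
    _adv("c0:ff:ee:00:04:00", ADV_SCAN_IND, "rsu-400", "RSU400"),
    {"addr": "c0:ff:ee:00:99:00", "pdu_type": ADV_NONCONN_IND,
     "payload": ad_structure(AD_FLAGS, b"\x04")},
]

if __name__ == "__main__":
    found = identify_devices(CAPTURED_ADVERTISEMENTS)
    for addr, info in found.items():
        print(addr, info)
    print(pairs_to_detect(found))
```

Repeated periodic broadcasts from the same address collapse onto one entry, the beacon without an identifier is dropped, and the three identified devices yield exactly the three pairs enumerated in S502.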
S503, collecting and analyzing first communication data from a communication data sending device in the first Bluetooth device pair, collecting and analyzing second communication data from a communication data receiving device in the first Bluetooth device pair, judging whether the first communication data is the same as the second communication data, and if not, determining that the first Bluetooth device pair has man-in-the-middle attack.
In some embodiments, after determining the Bluetooth device pairs to be detected from the pairing result of the car networking devices, the electronic device 100 collects and parses communication data from the communication data sending device and the communication data receiving device of any pair. If no communication data is collected, the two devices of the pair have not established a Bluetooth connection. If communication data is collected, the electronic device 100 judges whether the two copies are the same and decides from the result whether a man-in-the-middle attack exists on that pair. For example, it collects and parses first communication data from the communication data sending device of the first Bluetooth device pair and second communication data from the communication data receiving device of the same pair, where the first communication data is the data sent by the sending device to the receiving device and the second communication data is the data received by the receiving device that carries the identification information of the sending device; it then judges whether the first and second communication data are the same and determines from the result whether the first Bluetooth device pair is under man-in-the-middle attack.
It should be noted that when any pair of Bluetooth devices to be detected is checked, the identification information of the two devices may be determined first, and the data to be compared selected from the two devices using that information. For example, all communication data sent by the sending device of the first pair is collected, all communication data received by the receiving device of the first pair is collected, the first communication data (that sent to the receiving device) is picked out of the sender's traffic using the identification information of the sender and receiver, and the second communication data (that carrying the sender's identification information) is picked out of the receiver's traffic. If the first Bluetooth device pair is checked during encryption key negotiation, the communication data may be the encryption key length carried in the encryption key length negotiation request; if it is checked during encrypted transmission, the communication data may be the encrypted session data.
Taking car networking devices 200 and 300 as the first Bluetooth device pair: all communication data sent and received by device 200 is collected from device 200, all communication data sent and received by device 300 is collected from device 300, the data that device 200 sent to or received from device 300 is filtered out of device 200's traffic using the identification information of devices 200 and 300, and the data that device 300 sent to or received from device 200 is filtered out of device 300's traffic in the same way.
It should be noted that the first communication data and the second communication data are the communication data of the same communication phase of the Bluetooth communication between the sending device and the receiving device of the first pair, for example the encryption key negotiation phase or the encrypted transmission phase. If there is no man-in-the-middle between the sending device and the receiving device, the first and second communication data should be identical; if there is one, it tampers with the communication data of that phase, so the first and second communication data differ.
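The comparison of S503, covering both the selection of traffic by identification information described above and the same-phase rule in this paragraph, as an added example written for this page (not the patent's code): one capture taken at the sending device and one taken at the receiving device are reduced to the frames exchanged by the pair in one phase and compared frame by frame. Both captures are constructed; the frame fields, the phase names, the sequence numbers and the one-byte key-length payload are assumptions. In the attacked capture the requested key length arrives as 1 byte instead of 16, which is the kind of key-size downgrade the negotiation-phase check is meant to catch, and one encrypted frame has been rewritten.

```python
"""Added example, not the patent's code: step S503, comparing the first
communication data (captured at the sender) with the second communication data
(captured at the receiver) for one communication phase of one device pair."""
from dataclasses import dataclass

# Assumed phase labels for the two phases the patent checks
KEY_NEGOTIATION = "encryption_key_negotiation"
ENCRYPTED_TRANSPORT = "encrypted_transmission"


@dataclass(frozen=True)
class Frame:
    src: str     # identification information of the sending device
    dst: str     # identification information of the intended receiver
    phase: str   # communication phase the frame belongs to
    seq: int     # order of the frame within that phase (assumed to be recoverable)
    data: bytes  # requested key length during negotiation, ciphertext afterwards


def select_pair_traffic(capture: list, sender: str, receiver: str, phase: str) -> dict:
    """Keep only frames from `sender` to `receiver` in `phase`, keyed by sequence
    number, so that traffic of other pairs present in the same capture is excluded."""
    return {f.seq: f.data for f in capture
            if f.src == sender and f.dst == receiver and f.phase == phase}


def detect_mitm(sender_capture: list, receiver_capture: list,
                sender: str, receiver: str, phase: str) -> dict:
    """Compare first (sender-side) and second (receiver-side) communication data.
    Returns a verdict and the list of (seq, sent, received) mismatches."""
    first = select_pair_traffic(sender_capture, sender, receiver, phase)
    second = select_pair_traffic(receiver_capture, sender, receiver, phase)
    if not first and not second:
        # Nothing on either side: the pair has not established a connection
        return {"verdict": "no_connection", "mismatches": []}
    common = sorted(first.keys() & second.keys())
    mismatches = [(s, first[s], second[s]) for s in common if first[s] != second[s]]
    if mismatches:
        # The same frame was seen on both sides with different content
        return {"verdict": "mitm", "mismatches": mismatches}
    if first.keys() != second.keys():
        # Frames seen on only one side are a capture gap, not evidence of tampering
        return {"verdict": "incomplete_capture", "mismatches": []}
    return {"verdict": "clean", "mismatches": []}


# Constructed capture at car networking device 200 (the sender): it asks device
# 300 for a 16-byte encryption key, then sends two encrypted frames; a frame to
# device 400 is also present and must be filtered out when checking the 200/300 pair.
CAPTURE_AT_200 = [
    Frame("VIN200", "VIN300", KEY_NEGOTIATION, 0, b"\x10"),
    Frame("VIN200", "VIN300", ENCRYPTED_TRANSPORT, 0, bytes.fromhex("9a3c1e77")),
    Frame("VIN200", "VIN300", ENCRYPTED_TRANSPORT, 1, bytes.fromhex("02b8f4d1")),
    Frame("VIN200", "VIN400", KEY_NEGOTIATION, 0, b"\x10"),
]

# Constructed capture at device 300 (the receiver) with no attacker present
CAPTURE_AT_300_CLEAN = [
    Frame("VIN200", "VIN300", KEY_NEGOTIATION, 0, b"\x10"),
    Frame("VIN200", "VIN300", ENCRYPTED_TRANSPORT, 0, bytes.fromhex("9a3c1e77")),
    Frame("VIN200", "VIN300", ENCRYPTED_TRANSPORT, 1, bytes.fromhex("02b8f4d1")),
]

# Constructed capture at device 300 with a man-in-the-middle: the key length
# request arrives as 1 byte, and the second encrypted frame has been rewritten
CAPTURE_AT_300_ATTACKED = [
    Frame("VIN200", "VIN300", KEY_NEGOTIATION, 0, b"\x01"),
    Frame("VIN200", "VIN300", ENCRYPTED_TRANSPORT, 0, bytes.fromhex("9a3c1e77")),
    Frame("VIN200", "VIN300", ENCRYPTED_TRANSPORT, 1, bytes.fromhex("deadbeef")),
]

# Constructed empty capture at the road facility 400: nothing reached it
CAPTURE_AT_400 = []

if __name__ == "__main__":
    for phase in (KEY_NEGOTIATION, ENCRYPTED_TRANSPORT):
        print(phase, detect_mitm(CAPTURE_AT_200, CAPTURE_AT_300_ATTACKED,
                                 "VIN200", "VIN300", phase))
    print(detect_mitm(CAPTURE_AT_300_CLEAN, CAPTURE_AT_400, "VIN300", "VIN400", KEY_NEGOTIATION))
```

Frames present on only one side are reported as a capture gap rather than as an attack, because a frame lost at either air-interface capture point would otherwise produce a false positive; a man-in-the-middle is reported only when the same frame was seen on both sides with different content. A pair for which neither side shows traffic is reported as not connected, matching the case described in S503.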
Taking the car networking device 200 and the car networking device 300 as a first bluetooth device pair as an example, the car networking device 200 is the communication data transmitting device in the first bluetooth device pair and the car networking device 300 is the communication data receiving device. The air interface of a collecting device placed on the car networking device 200 collects and analyzes the first communication data transmitted by the car networking device 200 to the car networking device 300 and transmits the first communication data to the electronic device 100 by wireless transmission (for example, WiFi); the air interface of a collecting device placed on the car networking device 300 collects and analyzes the second communication data received by the car networking device 300 from the car networking device 200 and transmits the second communication data to the electronic device 100 by wireless transmission (for example, WiFi). The first communication data and the second communication data are the communication data of the car networking device 200 and the car networking device 300, respectively, in the same communication stage of the bluetooth communication. If no man-in-the-middle exists between the car networking device 200 and the car networking device 300, the first communication data and the second communication data are the same; if a man-in-the-middle exists, it will tamper with the communication data of that stage in transit, so that the first communication data and the second communication data differ. The electronic device 100 can therefore judge whether the first communication data and the second communication data are the same: if they are the same, it is determined that no man-in-the-middle attack exists between the car networking device 200 and the car networking device 300, and if they are different, it is determined that a man-in-the-middle attack exists between the car networking device 200 and the car networking device 300.
It should be noted that, in the embodiment of the present application, the communication data of only one communication stage of the bluetooth communication between the communication data transmitting device and the communication data receiving device in the first bluetooth device pair may be collected and analyzed, or the communication data of multiple communication stages may be collected and analyzed; that is, different first communication data are collected and analyzed from the communication data transmitting device in different communication stages, and different second communication data are collected and analyzed from the communication data receiving device in the same stages. The first communication data and the second communication data of each stage are then matched in the order in which they were collected and analyzed, and the results of the multiple comparisons are combined, so as to improve the reliability of determining whether there is a man-in-the-middle attack on the first bluetooth device pair. This is not particularly limited in the embodiments of the present application.
It should be noted that, in this embodiment of the application, if the electronic device 100 determines multiple pairs of bluetooth devices to be detected, the electronic device 100 may perform bluetooth vulnerability attack detection on the pairs in series or in parallel. For example, if the electronic device 100 determines two pairs of bluetooth devices to be detected, it may perform bluetooth vulnerability attack detection on the first pair of bluetooth devices and then on the second pair of bluetooth devices, or it may perform bluetooth vulnerability attack detection on the first pair of bluetooth devices and the second pair of bluetooth devices at the same time.
It should be noted that, in the embodiment of the present application, a man-in-the-middle often attacks the encryption key negotiation stage and the encrypted transmission stage of the bluetooth communication process, and tampers with the communication data of these two stages. For example, fig. 6a is a schematic diagram of bluetooth communication provided in the embodiment of the present application. After the bluetooth connection is established between the car networking device 200 and the car networking device 300, the bluetooth communication between the car networking device 200 and the car networking device 300 is divided into 4 stages: (1) the car networking device 200, serving as the communication data sending device (namely the bluetooth connection initiator), sends an encryption mode request to the car networking device 300, serving as the communication data receiving device (namely the bluetooth connection acceptor), and the car networking device 300 sends an encryption mode accept to the car networking device 200; (2) the car networking device 200 sends an encryption key length negotiation request to the car networking device 300, and the car networking device 300 sends an encryption key length negotiation accept to the car networking device 200; (3) the car networking device 200 sends a start encrypted transmission request to the car networking device 300, and the car networking device 300 sends a start encrypted transmission accept to the car networking device 200; (4) the car networking device 200 and the car networking device 300 begin encrypted transmission. If a man-in-the-middle exists between the car networking device 200 and the car networking device 300, the man-in-the-middle may tamper with the encryption key length negotiation request sent by the car networking device 200 to the car networking device 300 and the encryption key length negotiation accept sent by the car networking device 300 to the car networking device 200, or the man-in-the-middle may tamper with the encrypted session data while the car networking device 200 and the car networking device 300 perform encrypted transmission.
For example, fig. 6b is a schematic diagram of a bluetooth vulnerability attack in the encryption key negotiation stage provided in this embodiment of the present application. If there is a man-in-the-middle between the car networking device 200 and the car networking device 300, then when the car networking device 200 sends an encryption key length negotiation request requesting a 16-byte encryption key to the car networking device 300, the request is intercepted by the man-in-the-middle, who tampers with the request so that it requests a 1-byte encryption key instead and forwards it to the car networking device 300. The car networking device 300 then sends an encryption key length negotiation accept for a 1-byte encryption key to the car networking device 200; this accept is also intercepted by the man-in-the-middle, but the man-in-the-middle does not tamper with it and forwards it directly to the car networking device 200. The result of a successful man-in-the-middle attack on the key length negotiation is that when encrypted transmission begins between the car networking device 200 and the car networking device 300, the encryption key protecting the session data is only 1 byte long, whereas in normal bluetooth communication the encryption key length can reach 16 bytes; at that point the man-in-the-middle only needs to sniff the encrypted traffic and can recover the key by brute force, decrypt the encrypted data and obtain the plaintext.
For example, fig. 6c is a schematic diagram of a bluetooth vulnerability attack in the encrypted transmission stage provided in the embodiment of the present application. If there is a man-in-the-middle between the car networking device 200 and the car networking device 300, the encrypted session data sent by the car networking device 200 to the car networking device 300 and the encrypted session data sent by the car networking device 300 to the car networking device 200 are intercepted by the man-in-the-middle, who tampers with the encrypted session data between the car networking device 200 and the car networking device 300 and thereby disrupts their normal bluetooth communication.
Therefore, depending on which stage of the bluetooth communication process the man-in-the-middle attacks (the encryption key negotiation stage or the encrypted transmission stage), the communication data that the electronic device 100 needs to collect and analyze from the communication data sending device and the communication data receiving device of the bluetooth device pair to be detected is different. The specific implementation for each of the two stages is described in detail below with reference to specific examples:
(1) detecting bluetooth vulnerability attacks in an encryption key negotiation stage
In some embodiments, when the first bluetooth device pair performs encryption key negotiation, the electronic device 100 acquires from the communication data sending device a first encryption key length negotiation request, collected by the air interface of the acquisition device arranged on the communication data sending device, that was sent to the communication data receiving device, and acquires from the communication data receiving device a second encryption key length negotiation request, collected by the air interface of the acquisition device arranged on the communication data receiving device, that was received and carries the identification information of the communication data sending device. After determining that an encryption key length negotiation request has been acquired from both the communication data sending device and the communication data receiving device, the electronic device 100 determines a first encryption key length and a second encryption key length from the first encryption key length negotiation request and the second encryption key length negotiation request, respectively, and uses them as the first communication data and the second communication data. It then judges whether the first encryption key length is the same as the second encryption key length: if so, it determines that the first bluetooth device pair is not subject to a man-in-the-middle attack, and if not, it determines that the first bluetooth device pair is subject to a man-in-the-middle attack.
Taking the car networking device 200 and the car networking device 300 as a first bluetooth device pair as an example, when the car networking device 200 and the car networking device 300 perform encryption key negotiation, the electronic device 100 may obtain, through wireless transmission (for example, WiFi), the first encryption key length negotiation request sent by the car networking device 200 to the car networking device 300, as collected by the air interface of the collection device placed on the car networking device 200, and the second encryption key length negotiation request received by the car networking device 300 from the car networking device 200, as collected by the air interface of the collection device placed on the car networking device 300. If a man-in-the-middle exists between the car networking device 200 and the car networking device 300, it will intercept and tamper with the first encryption key length negotiation request in transit, so that the encryption key length in the first encryption key length negotiation request differs from the encryption key length in the second encryption key length negotiation request. After determining that an encryption key length negotiation request has been obtained from both the car networking device 200 and the car networking device 300, the electronic device 100 determines the first encryption key length and the second encryption key length from the two requests and determines whether a man-in-the-middle exists between the car networking device 200 and the car networking device 300 by judging whether the two lengths are the same: if the first encryption key length and the second encryption key length are the same, it determines that no man-in-the-middle attack exists between the car networking device 200 and the car networking device 300, and if they are different, it determines that a man-in-the-middle attack exists between the car networking device 200 and the car networking device 300.
It should be noted that, in this embodiment of the application, after determining that the first bluetooth device pair is subject to a man-in-the-middle attack, the electronic device 100 may further determine whether the attack was successful by judging whether the first bluetooth device pair has encrypted session data: if so, it determines that the first bluetooth device pair is subject to a man-in-the-middle attack and the attack was successful, and if not, it determines that the first bluetooth device pair is subject to a man-in-the-middle attack but the attack was not successful. Specifically, if the electronic device 100 acquires from the communication data sending device a start encrypted transmission request sent to the communication data receiving device, or acquires from the communication data receiving device a received start encrypted transmission request carrying the identification information of the communication data sending device, it determines that encrypted session data exists; alternatively, after acquiring the communication data between the communication data sending device and the communication data receiving device, it may determine whether that communication data is encrypted session data based on the statistical characteristics of the communication data.
(2) detecting bluetooth vulnerability attacks in the encrypted transmission stage
In some embodiments, when the first bluetooth device pair performs encrypted transmission, the electronic apparatus 100 acquires from the communication data transmitting apparatus the first bidirectional communication data between the communication data transmitting apparatus and the communication data receiving apparatus, as collected by the air interface of the acquisition apparatus provided on the communication data transmitting apparatus, and acquires from the communication data receiving apparatus the second bidirectional communication data between the communication data receiving apparatus and the communication data transmitting apparatus, as collected by the air interface of the acquisition apparatus provided on the communication data receiving apparatus. After determining that bidirectional communication data has been acquired from both the communication data transmitting apparatus and the communication data receiving apparatus, it determines first encrypted session data and second encrypted session data from the first bidirectional communication data and the second bidirectional communication data, respectively, and uses them as the first communication data and the second communication data. It then judges whether the first encrypted session data is the same as the second encrypted session data: if so, it determines that the first bluetooth device pair is not subject to a man-in-the-middle attack, and if not, it determines that the first bluetooth device pair is subject to a man-in-the-middle attack.
Taking the car networking device 200 and the car networking device 300 as the first bluetooth device pair as an example, when the car networking device 200 and the car networking device 300 perform encrypted transmission, the electronic device 100 may acquire, by wireless transmission (for example, WiFi), the first bidirectional communication data between the car networking device 200 and the car networking device 300, as collected by the air interface of the collection device placed on the car networking device 200, and the second bidirectional communication data between the car networking device 300 and the car networking device 200, as collected by the air interface of the collection device placed on the car networking device 300. If a man-in-the-middle exists between the car networking device 200 and the car networking device 300, it will intercept the bidirectional communication data, so that the encrypted session data observed at the car networking device 200 differs from the encrypted session data observed at the car networking device 300. After determining that bidirectional communication data has been collected at both the car networking device 200 and the car networking device 300, the electronic device 100 determines the first encrypted session data and the second encrypted session data from the first bidirectional communication data and the second bidirectional communication data, and determines whether a man-in-the-middle exists between the car networking device 200 and the car networking device 300 by judging whether the first encrypted session data and the second encrypted session data are the same: if they are the same, it determines that no man-in-the-middle attack exists between the car networking device 200 and the car networking device 300, and if they are different, it determines that a man-in-the-middle attack exists between the car networking device 200 and the car networking device 300.
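The two-sided comparison described for stage (1) and stage (2) above, written out as an added example in Python; it is not part of the patent. The record format, stage names, device identifiers and sample captures are constructed for this example, and the encrypted-session check implements only the start-encrypted-transmission-request criterion, not the statistical one:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    """One frame as reported by an air-interface collector (constructed record format)."""
    src: str        # identification information of the sending device (Bluetooth address)
    dst: str        # identification information of the receiving device
    stage: str      # "key_len_req", "key_len_accept", "start_enc_req" or "enc_data"
    payload: bytes  # requested key length (one byte) for key_len_*; ciphertext for enc_data


def screen_pair(records: List[Record], dev_a: str, dev_b: str) -> List[Record]:
    """Keep only frames exchanged between dev_a and dev_b, in either direction,
    selected by the identification information carried in each frame."""
    return [r for r in records if {r.src, r.dst} == {dev_a, dev_b}]


def key_length(records: List[Record], sender: str, receiver: str) -> Optional[int]:
    """Key length carried by the first key-length negotiation request sender -> receiver."""
    for r in records:
        if r.stage == "key_len_req" and r.src == sender and r.dst == receiver:
            return r.payload[0]
    return None


def detect_key_negotiation(sender_cap: List[Record], receiver_cap: List[Record],
                           sender: str, receiver: str) -> str:
    """Stage (1): the first key length (seen at the sender) must equal the second
    key length (seen at the receiver); a mismatch means the request was tampered with."""
    first = key_length(screen_pair(sender_cap, sender, receiver), sender, receiver)
    second = key_length(screen_pair(receiver_cap, sender, receiver), sender, receiver)
    if first is None or second is None:
        return "undetermined"  # compare only once both requests have been acquired
    return "no_mitm" if first == second else "mitm"


def has_encrypted_session(sender_cap: List[Record], receiver_cap: List[Record],
                          sender: str, receiver: str) -> bool:
    """Encrypted session data exists if a start-encrypted-transmission request
    sender -> receiver was acquired at either end."""
    def seen(cap: List[Record]) -> bool:
        return any(r.stage == "start_enc_req" and r.src == sender and r.dst == receiver
                   for r in cap)
    return seen(sender_cap) or seen(receiver_cap)


def detect_encrypted_transmission(sender_cap: List[Record], receiver_cap: List[Record],
                                  sender: str, receiver: str) -> str:
    """Stage (2): the encrypted session data collected at both ends must match
    frame for frame and byte for byte; any difference means tampering in transit."""
    first = [(r.src, r.payload) for r in screen_pair(sender_cap, sender, receiver)
             if r.stage == "enc_data"]
    second = [(r.src, r.payload) for r in screen_pair(receiver_cap, sender, receiver)
              if r.stage == "enc_data"]
    if not first or not second:
        return "undetermined"
    return "no_mitm" if first == second else "mitm"


def classify_pair(sender_cap: List[Record], receiver_cap: List[Record],
                  sender: str, receiver: str) -> str:
    """Combine both stages. A key-negotiation MITM counts as successful only if the
    pair went on to start encrypted transmission with the downgraded key."""
    negotiation = detect_key_negotiation(sender_cap, receiver_cap, sender, receiver)
    if negotiation == "mitm":
        successful = has_encrypted_session(sender_cap, receiver_cap, sender, receiver)
        return "mitm_successful" if successful else "mitm_unsuccessful"
    transmission = detect_encrypted_transmission(sender_cap, receiver_cap, sender, receiver)
    return transmission if transmission != "undetermined" else negotiation


# Constructed sample captures: identifiers and frames are made up for this example.
DEV_200 = "aa:bb:cc:00:02:00"  # stands in for car networking device 200 (sender)
DEV_300 = "aa:bb:cc:00:03:00"  # stands in for car networking device 300 (receiver)
OTHER = "aa:bb:cc:00:09:99"    # an unrelated device whose frames must be screened out

# Collector at device 200: it requested a 16-byte key and later started encryption.
CAPTURE_200 = [
    Record(DEV_200, OTHER, "key_len_req", b"\x10"),       # different pair, ignored
    Record(DEV_200, DEV_300, "key_len_req", b"\x10"),     # 16-byte key requested
    Record(DEV_300, DEV_200, "key_len_accept", b"\x01"),  # accept forwarded untampered
    Record(DEV_200, DEV_300, "start_enc_req", b""),
    Record(DEV_200, DEV_300, "enc_data", b"\x8f\x2a\x11"),
]
# Collector at device 300: the same request arrived asking for a 1-byte key (fig. 6b).
CAPTURE_300 = [
    Record(DEV_200, DEV_300, "key_len_req", b"\x01"),     # tampered in transit
    Record(DEV_300, DEV_200, "key_len_accept", b"\x01"),
    Record(DEV_200, DEV_300, "start_enc_req", b""),
    Record(DEV_200, DEV_300, "enc_data", b"\x8f\x2a\x11"),
]
# Clean run for comparison: both ends saw the 16-byte request and identical ciphertext.
CLEAN_200 = [Record(DEV_200, DEV_300, "key_len_req", b"\x10"),
             Record(DEV_300, DEV_200, "key_len_accept", b"\x10"),
             Record(DEV_200, DEV_300, "enc_data", b"\x5c\x5c")]
CLEAN_300 = list(CLEAN_200)
```

`classify_pair(CAPTURE_200, CAPTURE_300, DEV_200, DEV_300)` yields `mitm_successful` for the fig. 6b scenario, while the clean captures yield `no_mitm`.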
The above embodiments can be used alone or in combination with each other to achieve different technical effects.
In the embodiments provided in the present application, the method provided in the embodiments of the present application is described from the perspective of an electronic device as an execution subject. In order to implement the functions in the method provided by the embodiments of the present application, the electronic device may include a hardware structure and/or a software module, and the functions are implemented in the form of a hardware structure, a software module, or a hardware structure and a software module. Whether any of the above-described functions is implemented as a hardware structure, a software module, or a hardware structure plus a software module depends upon the particular application and design constraints imposed on the technical solution.
Based on the same technical concept, the embodiment of the present application further provides an apparatus 700 for detecting a bluetooth vulnerability attack, where the apparatus 700 may be an electronic device or an apparatus 700 in an electronic device, and the apparatus 700 includes modules for executing the methods shown in fig. 5 to 6c. For example, referring to fig. 7, the apparatus 700 may include:
the first determining module 701 is configured to identify a to-be-detected bluetooth device within a preset range, and determine a to-be-detected bluetooth device pair according to a result of pairing the to-be-detected bluetooth device;
an acquisition and analysis module 702, configured to acquire and analyze first communication data from a communication data sending device in a first bluetooth device pair, and acquire and analyze second communication data from a communication data receiving device in the first bluetooth device pair; the first Bluetooth device pair is any Bluetooth device pair to be detected, the first communication data is communication data sent by the communication data sending device to the communication data receiving device through Bluetooth connection, and the second communication data is communication data which is received by the communication data receiving device through Bluetooth connection and carries identification information of the communication data sending device;
a second determining module 703, configured to determine whether the first communication data is the same as the second communication data, and if not, determine that the first bluetooth device pair is subject to a man-in-the-middle attack.
In one possible design, the collection analysis module 702 is specifically configured to:
when the first Bluetooth device pair carries out encryption key negotiation, acquiring all encryption key length negotiation requests sent by the communication data sending device through Bluetooth connection from the communication data sending device, and acquiring all encryption key length negotiation requests received by the communication data receiving device through Bluetooth connection from the communication data receiving device;
according to the identification information of the communication data sending equipment and the communication data receiving equipment, determining a first encryption key length negotiation request sent to the communication data receiving equipment from all encryption key length negotiation requests sent by the communication data sending equipment through Bluetooth connection, and determining a second encryption key length negotiation request carrying the identification information of the communication data sending equipment from all encryption key length negotiation requests received by the communication data receiving equipment through Bluetooth connection;
determining a first encryption key length in the first encryption key length negotiation request as the first communication data, and determining a second encryption key length in the second encryption key length negotiation request as the second communication data.
In a possible design, the second determining module 703 is specifically configured to:
judging whether the length of the first encryption key is the same as that of the second encryption key;
and if the length of the first encryption key is different from that of the second encryption key, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack.
In one possible design, the collection analysis module 702 is specifically configured to:
collecting all communication data sent by a communication data sending device through a Bluetooth connection from a communication data sending device in a first Bluetooth device pair, and collecting all communication data received by a communication data receiving device through the Bluetooth connection from a communication data receiving device in the first Bluetooth device pair;
according to the identification information of the communication data sending device and the communication data receiving device, the first communication data is determined from all communication data sent by the communication data sending device through Bluetooth connection, and the second communication data is determined from all communication data received by the communication data receiving device through Bluetooth connection.
In one possible design, the first determining module 701 is specifically configured to:
acquiring a Bluetooth broadcast message of a to-be-detected Bluetooth device within a preset range; the Bluetooth broadcast message carries identification information of the Bluetooth equipment;
and determining the Bluetooth equipment to be detected within a preset range according to the Bluetooth broadcast message.
In one possible design, after the second determining module 703 determines that the first bluetooth device pair is subject to a man-in-the-middle attack, it is further configured to:
judging whether the first Bluetooth device pair has encrypted session data or not;
if the encrypted session data exists, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack and the attack was successful;
and if the encrypted session data does not exist, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack but the attack was not successful.
In one possible design, after the second determining module 703 determines that the first bluetooth device pair is subject to a man-in-the-middle attack, it is specifically configured to:
if a start encrypted transmission request sent by the communication data sending device to the communication data receiving device through the Bluetooth connection is acquired from the communication data sending device, or a start encrypted transmission request carrying the identification information of the communication data sending device and received by the communication data receiving device through the Bluetooth connection is acquired from the communication data receiving device, determine that encrypted session data exists; or,
and acquiring and analyzing communication data between the communication data sending equipment and the communication data receiving equipment, and determining whether encrypted session data exists according to the statistical characteristics of the communication data.
In one possible design, the collection analysis module 702 is specifically configured to:
when the first Bluetooth device pair carries out encryption transmission, acquiring first bidirectional communication data between the communication data sending device and the communication data receiving device from the communication data sending device, and acquiring second bidirectional communication data between the communication data receiving device and the communication data sending device from the communication data receiving device;
determining, from the first bidirectional communication data and the second bidirectional communication data, first encrypted session data and second encrypted session data as the first communication data and the second communication data, respectively.
In a possible design, the second determining module 703 is specifically configured to:
judging whether the first encrypted session data is the same as the second encrypted session data;
if the first encrypted session data is the same as the second encrypted session data, determining that the first Bluetooth device pair is not subject to a man-in-the-middle attack;
and if the first encrypted session data is different from the second encrypted session data, determining that the first Bluetooth device pair is subject to a man-in-the-middle attack.
Based on the same technical concept, referring to fig. 8, an embodiment of the present application further provides an apparatus 800 for detecting a bluetooth vulnerability attack, including:
at least one processor 801; and a communication interface 803 communicatively coupled to the at least one processor 801;
wherein the at least one processor 801 causes the apparatus 800 to perform the methods illustrated in fig. 5 to 6c by executing instructions stored in the memory 802.
Optionally, the memory 802 is located external to the apparatus 800.
Optionally, the apparatus 800 includes the memory 802, the memory 802 is connected to the at least one processor 801, and the memory 802 stores instructions executable by the at least one processor 801. Fig. 8 shows in dashed lines that the memory 802 is optional for the device 800.
The processor 801 and the memory 802 may be coupled by an interface circuit, or may be integrated together, which is not limited herein.
The specific connection medium between the processor 801, the memory 802 and the communication interface 803 is not limited in the embodiment of the present application. In the embodiment of the present application, the processor 801, the memory 802, and the communication interface 803 are connected by a bus 804 in fig. 8; the bus is represented by a thick line in fig. 8, and the connection manner between other components is merely illustrative and not limited. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 8, but this is not intended to represent only one bus or type of bus.
It should be understood that the processors mentioned in the embodiments of the present application may be implemented by hardware or may be implemented by software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory.
The processor may be, for example, a Central Processing Unit (CPU), other general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will be appreciated that the memory referred to in the embodiments of the application may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate SDRAM, enhanced SDRAM, Synchronous Link DRAM (SLDRAM), and direct rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (memory module) may be integrated into the processor.
It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
Based on the same technical concept, the embodiments of the present application also provide a computer-readable storage medium, which includes a program or instructions; when the program or instructions are run on a computer, the methods shown in fig. 5 to 6c are executed.
Based on the same technical concept, embodiments of the present application further provide a chip, which is coupled to the memory and configured to read and execute the program instructions stored in the memory, so that the methods shown in fig. 5 to 6c are performed.
Based on the same technical concept, the embodiments of the present application also provide a computer program product, which includes instructions that, when run on a computer, cause the methods shown in fig. 5 to 6c to be performed.
It should be understood that all relevant contents of the steps related to the above method embodiments may be referred to the functional description of the corresponding functional module, and are not described herein again.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (20)

1. A method for detecting Bluetooth vulnerability attacks, comprising:
identifying the Bluetooth equipment to be detected within a preset range;
determining a first Bluetooth device pair according to the pairing result of the to-be-detected Bluetooth device, wherein the first Bluetooth device pair comprises a communication data sending device and a communication data receiving device which belong to the to-be-detected Bluetooth device;
acquiring first communication data by analyzing data acquired from the communication data transmitting equipment, and acquiring second communication data by analyzing data acquired from the communication data receiving equipment, wherein the first communication data is communication data transmitted to the communication data receiving equipment by the communication data transmitting equipment through a Bluetooth connection, and the second communication data is communication data which is received by the communication data receiving equipment through the Bluetooth connection and carries identification information of the communication data transmitting equipment;
and determining that man-in-the-middle attack on the first Bluetooth device pair exists based on the first communication data being different from the second communication data.
2. The method of claim 1, wherein obtaining first communication data by parsing data collected from the communication data sending device and obtaining second communication data by parsing data collected from the communication data receiving device comprises:
when the first Bluetooth device pair carries out encryption key negotiation, acquiring all encryption key length negotiation requests sent by the communication data sending device through Bluetooth connection from the communication data sending device, and acquiring all encryption key length negotiation requests received by the communication data receiving device through Bluetooth connection from the communication data receiving device;
according to the identification information of the communication data sending equipment and the communication data receiving equipment, determining a first encryption key length negotiation request sent to the communication data receiving equipment from all encryption key length negotiation requests sent by the communication data sending equipment through Bluetooth connection, and determining a second encryption key length negotiation request carrying the identification information of the communication data sending equipment from all encryption key length negotiation requests received by the communication data receiving equipment through Bluetooth connection;
determining a first encryption key length in the first encryption key length negotiation request as the first communication data, and determining a second encryption key length in the second encryption key length negotiation request as the second communication data.
3. The method of claim 2, wherein said determining that a man-in-the-middle attack on the first bluetooth device pair exists based on the first communication data not being the same as the second communication data comprises:
determining that the first encryption key length is not the same as the second encryption key length;
determining that the man-in-the-middle attack exists.
4. The method of claim 1, wherein obtaining first communication data by parsing data collected from the communication data sending device and obtaining second communication data by parsing data collected from the communication data receiving device comprises:
when the first Bluetooth device pair carries out encryption transmission, acquiring first bidirectional communication data between the communication data sending device and the communication data receiving device from the communication data sending device, and acquiring second bidirectional communication data between the communication data receiving device and the communication data sending device from the communication data receiving device;
determining first encrypted session data as the first communication data from the first bidirectional communication data, and determining second encrypted session data as the second communication data from the second bidirectional communication data.
5. The method of claim 4, wherein said determining that a man-in-the-middle attack on the first Bluetooth device pair exists based on the first communication data not being the same as the second communication data comprises:
determining that the man-in-the-middle attack exists based on the first encrypted session data being different from the second encrypted session data.
6. The method of claim 1, wherein obtaining first communication data by parsing data collected from the communication data sending device and obtaining second communication data by parsing data collected from the communication data receiving device comprises:
collecting all communication data sent by the communication data sending device through a Bluetooth connection from the communication data sending device, and collecting all communication data received by the communication data receiving device through the Bluetooth connection from the communication data receiving device;
according to the identification information of the communication data sending device and the communication data receiving device, the first communication data is determined from all communication data sent by the communication data sending device through Bluetooth connection, and the second communication data is determined from all communication data received by the communication data receiving device through Bluetooth connection.
7. The method according to any one of claims 1 to 6, wherein the identifying the Bluetooth devices to be detected within a preset range comprises:
acquiring a Bluetooth broadcast message of the Bluetooth equipment within the preset range; the Bluetooth broadcast message carries identification information of the Bluetooth equipment;
and determining the Bluetooth equipment to be detected in the preset range according to the Bluetooth broadcast message.
8. The method of any of claims 1 to 6, wherein after determining that there is a man-in-the-middle attack on the first Bluetooth device pair, the method further comprises:
judging whether the first Bluetooth device pair has encrypted session data or not;
if the encrypted session data exists, determining that the man-in-the-middle attack exists and the attack is successful;
and if the encrypted session data does not exist, determining that the man-in-the-middle attack exists but the attack is not successful.
9. The method of claim 8, wherein the determining whether encrypted session data is present comprises:
if an encryption transmission starting request sent by the communication data sending device to the communication data receiving device through a Bluetooth connection is acquired from the communication data sending device, or an encryption transmission starting request carrying identification information of the communication data sending device and received by the communication data receiving device through the Bluetooth connection is acquired from the communication data receiving device, determining that encrypted session data exists; or,
and collecting and analyzing communication data between the communication data sending equipment and the communication data receiving equipment, and determining whether encrypted session data exist or not according to the statistical characteristics of the communication data.
10. An apparatus for detecting Bluetooth vulnerability attacks, comprising:
the first determining module is used for identifying the Bluetooth device to be detected in a preset range and determining a first Bluetooth device pair according to the pairing result of the Bluetooth device to be detected, wherein the first Bluetooth device pair comprises a communication data transmitting device and a communication data receiving device which belong to the Bluetooth device to be detected;
a collection and analysis module for obtaining first communication data by analyzing data collected from the communication data transmission device and for obtaining second communication data by analyzing data collected from the communication data reception device; the first communication data is communication data sent by the communication data sending equipment to the communication data receiving equipment through Bluetooth connection, and the second communication data is communication data which is received by the communication data receiving equipment through Bluetooth connection and carries identification information of the communication data sending equipment;
and the second determining module is used for determining that man-in-the-middle attack on the first Bluetooth device pair exists based on the fact that the first communication data is different from the second communication data.
11. The apparatus of claim 10, wherein the acquisition analysis module is specifically configured to:
when the first Bluetooth device pair carries out encryption key negotiation, acquiring all encryption key length negotiation requests sent by the communication data sending device through Bluetooth connection from the communication data sending device, and acquiring all encryption key length negotiation requests received by the communication data receiving device through Bluetooth connection from the communication data receiving device;
according to the identification information of the communication data sending equipment and the communication data receiving equipment, determining a first encryption key length negotiation request sent to the communication data receiving equipment from all encryption key length negotiation requests sent by the communication data sending equipment through Bluetooth connection, and determining a second encryption key length negotiation request carrying the identification information of the communication data sending equipment from all encryption key length negotiation requests received by the communication data receiving equipment through Bluetooth connection;
determining a first encryption key length in the first encryption key length negotiation request as the first communication data, and determining a second encryption key length in the second encryption key length negotiation request as the second communication data.
12. The apparatus of claim 11, wherein the second determining module is specifically configured to:
determining that the first encryption key length is not the same as the second encryption key length;
determining that the man-in-the-middle attack exists.
13. The apparatus of claim 10, wherein the acquisition analysis module is specifically configured to:
when the first Bluetooth device pair carries out encryption transmission, acquiring first bidirectional communication data between the communication data sending device and the communication data receiving device from the communication data sending device, and acquiring second bidirectional communication data between the communication data receiving device and the communication data sending device from the communication data receiving device;
determining first encrypted session data as the first communication data from the first bidirectional communication data, and determining second encrypted session data as the second communication data from the second bidirectional communication data.
14. The apparatus of claim 13, wherein the second determining module is specifically configured to:
determining that the man-in-the-middle attack exists based on the first encrypted session data being different from the second encrypted session data.
15. The apparatus of claim 10, wherein the acquisition analysis module is specifically configured to:
collecting all communication data sent by the communication data sending device through a Bluetooth connection from the communication data sending device, and collecting all communication data received by the communication data receiving device through the Bluetooth connection from the communication data receiving device;
according to the identification information of the communication data sending device and the communication data receiving device, the first communication data is determined from all communication data sent by the communication data sending device through Bluetooth connection, and the second communication data is determined from all communication data received by the communication data receiving device through Bluetooth connection.
16. The apparatus of any one of claims 10 to 15, wherein the first determining module is specifically configured to:
acquiring a Bluetooth broadcast message of the Bluetooth equipment within the preset range; the Bluetooth broadcast message carries identification information of the Bluetooth equipment;
and determining the Bluetooth equipment to be detected in the preset range according to the Bluetooth broadcast message.
17. The apparatus of any of claims 10 to 15, wherein the second determining module, after determining that there is a man-in-the-middle attack on the first Bluetooth device pair, is further configured to:
judging whether the first Bluetooth device pair has encrypted session data or not;
if the encrypted session data exists, determining that the man-in-the-middle attack exists and the attack is successful;
and if the encrypted session data does not exist, determining that the man-in-the-middle attack exists but the attack is not successful.
18. The apparatus of claim 17, wherein the second determining module, after determining that there is a man-in-the-middle attack on the first Bluetooth device pair, is specifically configured to:
if an encryption transmission starting request sent by the communication data sending device to the communication data receiving device through a Bluetooth connection is acquired from the communication data sending device, or an encryption transmission starting request carrying identification information of the communication data sending device and received by the communication data receiving device through the Bluetooth connection is acquired from the communication data receiving device, determining that encrypted session data exists; or,
and collecting and analyzing communication data between the communication data sending equipment and the communication data receiving equipment, and determining whether encrypted session data exist or not according to the statistical characteristics of the communication data.
19. An apparatus for detecting a Bluetooth vulnerability attack, the apparatus comprising a memory and a processor, wherein the memory is configured to store computer instructions and the processor is configured to invoke the computer instructions stored in the memory to perform the method of detecting a Bluetooth vulnerability attack as recited in any one of claims 1 to 9.
20. A computer storage medium comprising computer instructions that, when executed on an electronic device, cause the electronic device to perform the method of detecting a bluetooth vulnerability attack according to any of claims 1-9.
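The method of claims 1 to 9 rests on one comparison: the same communication data is captured on the sending device and on the receiving device, matched by device identifiers, and any difference between the two views indicates an intermediary. The following Python sketch is an added example, not the patent's own code, that implements that dual-sided check for the key length negotiation branch (claims 2 and 3), the encrypted session branch (claims 4 and 5) and the success classification (claims 8 and 9); the device identifiers, record layout and captures are constructed for illustration.

```python
# Added example (not the patent's code). Identifiers, record layout and the
# captures below are constructed; real ones would come from each device's stack.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class KeyLenRequest:
    """One encryption key length negotiation request as seen by one device."""
    src: str       # identification information of the sending device
    dst: str       # identification information of the receiving device
    key_len: int   # requested encryption key length in bytes

def select_pair_requests(sender_side, receiver_side, sender_id, receiver_id):
    """Claim 2: keep the request the sender sent to the receiver (first) and
    the request the receiver saw as coming from that sender (second). Either
    capture may hold other peers' traffic, so filter on both identifiers."""
    first = next((r for r in sender_side
                  if r.src == sender_id and r.dst == receiver_id), None)
    second = next((r for r in receiver_side
                   if r.src == sender_id and r.dst == receiver_id), None)
    return first, second

def key_length_mitm(sender_side, receiver_side, sender_id, receiver_id) -> bool:
    """Claim 3: MITM if the length the sender requested differs from the
    length the receiver believes that sender requested."""
    first, second = select_pair_requests(sender_side, receiver_side,
                                         sender_id, receiver_id)
    if first is None or second is None:
        return False  # one side has no matching request: nothing to compare
    return first.key_len != second.key_len

def session_data_mitm(first_session: bytes, second_session: bytes) -> bool:
    """Claims 4 and 5: encrypted session bytes leaving the sender must equal
    the bytes arriving at the receiver; any difference implies a relay."""
    return first_session != second_session

def encryption_started(events, sender_id, receiver_id) -> bool:
    """Claim 9, first branch: an encryption transmission start request from
    sender to receiver seen in either capture. Events are (kind, src, dst)."""
    return any(kind == "enc_start" and src == sender_id and dst == receiver_id
               for kind, src, dst in events)

def classify_attack(mitm: bool, has_encrypted_session: bool) -> Optional[str]:
    """Claim 8: MITM plus encrypted session data is a successful attack;
    MITM without it was caught before any session was established."""
    if not mitm:
        return None
    return "successful" if has_encrypted_session else "unsuccessful"

# Constructed captures for the pair AA:01 -> BB:02. AA:01 also talks to CC:03,
# which the identifier filter must ignore.
SENDER_CAPTURE = [KeyLenRequest("AA:01", "CC:03", 16),
                  KeyLenRequest("AA:01", "BB:02", 16)]
RECEIVER_CAPTURE_CLEAN = [KeyLenRequest("AA:01", "BB:02", 16)]
# Attacked run: BB:02 records a 1-byte request "from" AA:01 that AA:01 never sent,
# and an encryption start request follows, so the session was established.
RECEIVER_CAPTURE_MITM = [KeyLenRequest("AA:01", "BB:02", 1)]
EVENTS_MITM = [("enc_start", "AA:01", "BB:02")]

def run_demo() -> dict:
    """Verdict per constructed run: None, 'successful' or 'unsuccessful'."""
    pair = ("AA:01", "BB:02")
    clean = key_length_mitm(SENDER_CAPTURE, RECEIVER_CAPTURE_CLEAN, *pair)
    attacked = key_length_mitm(SENDER_CAPTURE, RECEIVER_CAPTURE_MITM, *pair)
    return {"clean": classify_attack(clean, encryption_started([], *pair)),
            "attacked": classify_attack(attacked,
                                        encryption_started(EVENTS_MITM, *pair))}

if __name__ == "__main__":
    print(run_demo())  # {'clean': None, 'attacked': 'successful'}
```

Note that a missing request on either side yields no verdict rather than a false positive; the method only concludes from two views that actually disagree.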
CN202080004433.8A 2020-12-04 2020-12-04 Method and device for detecting Bluetooth vulnerability attack Active CN112640513B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/133884 WO2022116147A1 (en) 2020-12-04 2020-12-04 Method and apparatus for detecting bluetooth vulnerability attack

Publications (2)

Publication Number Publication Date
CN112640513A CN112640513A (en) 2021-04-09
CN112640513B true CN112640513B (en) 2022-05-13

Family

ID=75291150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080004433.8A Active CN112640513B (en) 2020-12-04 2020-12-04 Method and device for detecting Bluetooth vulnerability attack

Country Status (2)

Country Link
CN (1) CN112640513B (en)
WO (1) WO2022116147A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001863B (en) * 2022-07-26 2022-11-22 浙江涂鸦智能电子有限公司 Network security vulnerability detection method, device, medium and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107154940A (en) * 2017-05-11 2017-09-12 济南大学 A kind of Internet of Things vulnerability scanning system and scan method
CN107967427A (en) * 2017-12-11 2018-04-27 北京奇虎科技有限公司 Monitor the method, apparatus and terminal device of loophole attack
US10427643B1 (en) * 2018-07-13 2019-10-01 Nxp B.V. Defense against relay attack in passive keyless entry systems

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102957704B (en) * 2012-11-09 2016-02-24 北京神州绿盟信息安全科技股份有限公司 A kind ofly determine method, Apparatus and system that MITM attacks
US9602531B1 (en) * 2016-02-16 2017-03-21 Cylance, Inc. Endpoint-based man in the middle attack detection
CN110557355B (en) * 2018-05-31 2021-07-27 上海连尚网络科技有限公司 Method and equipment for detecting man-in-the-middle attack through user equipment
CN109040137B (en) * 2018-10-10 2021-04-09 杭州安恒信息技术股份有限公司 Method and device for detecting man-in-the-middle attack and electronic equipment
CN110138734A (en) * 2019-04-10 2019-08-16 天津大学 The safety enhancing system and method for confrontation man-in-the-middle attack based on tls protocol

Also Published As

Publication number Publication date
CN112640513A (en) 2021-04-09
WO2022116147A1 (en) 2022-06-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant