No PoC? No Fix! - A sad Story about Bluetooth Security

It is just a broken memcpy in the Bluetooth stack. Do we really need to fix that?
Feinler
Jan Ruge
It is just a broken memcpy in the Bluetooth stack. Do we really need to fix that? Bluetooth is one of the core technologies these days used by billions of devices. Due to the nature of wireless technologies, it is an interesting target for attackers. Recently there was put a lot of effort in reverse engineering Broadcom and Cypress Bluetooth Controllers. Most famous, the InternalBlue tool developed by Dennis Mantz for firmware debugging. In this talk, I want to take you on a journey that started over a year ago. During my time at SEEMOO, we started emulating the firmware to further understand the internals and interaction with the host system. The emulated firmware can even be attached to a Linux based operating system and fed with random packets. During development, we found two memory corruptions within the Firmware, whereas one was exploited for Remote Code Execution on the Controller (CVE-2019-11516). This bug was in the wild for over 9 years. During the disclosure process, we found that it was fixed internally by the vendor over a year ago. But no patches reached the customers. Only after contacting Google and Apple directly, patches were distributed. By further fuzzing the firmware, we stumbled across a crash in Android by accident (CVE-2020-0022). After building a full Zero-Click-Exploit we prepared our writeup for responsible disclosure. After some digging, guess what we found hiding in the master branch…

Additional information

Type Talk
Language English

More sessions

4/11/20
piko
Feinler
Die offizielle Eröffnung des Chaos.
4/11/20
Julia
Feinler
Offene Daten können helfen, das Klima zu schützen.
4/11/20
qbit
Feinler
Auf unserer Onlineplattform können Studierende Lehrveranstaltungen evaluieren. Dabei sollen Sie anonym Textkommentare abgeben können, doch - welch Überraschung - es ist gar nicht so einfach, dabei alles richtig zu machen.
4/11/20
piko
Feinler
Einige Gedanken über Stimme und wie wir sagen können, was wir sagen wollen.
4/11/20
Florian Hars
Feinler
Ich gebe einen Überblick über die Ideen hinter git und die grundlegenden Datenstrukturen, die es benutzt.
4/11/20
jiska
Feinler
Does your Bluetooth chip's RNG produce random numbers? Maybe. Sometimes. It's random.
4/11/20
semitone
Feinler
Dieser Talk gibt einen Überblick über die Möglichkeiten von SuperCollider, einem freien Werkzeug für Audiosynthese und algorithmische Komposition.