Explore the intricacies of Broadcom Bluetooth firmware in this 43-minute conference talk from the 35th Chaos Communication Congress (35C3). Dive into the InternalBlue framework, which enables experimentation with Broadcom-based Bluetooth chips, focusing on popular devices like Nexus 5, Nexus 6P, Raspberry Pi 3, and Raspberry Pi 3+. Learn about local firmware modification techniques and discover how to monitor and inject data into lower layers of the Bluetooth protocol stack. Examine security implications, including altered pairing behavior and an implementation of the ECDH key exchange attack. Uncover a new vulnerability (CVE-2018-19860) affecting various popular devices, which allows for Bluetooth stack crashes and limited function execution using only the target's Bluetooth MAC address. Gain insights into the silent patching of this vulnerability in newer firmware versions and its impact on a wide range of devices, from smartphones to laptops.
Overview
Syllabus
35C3 - Dissecting Broadcom Bluetooth
Taught by
media.ccc.de
Related Courses
-
Reversing and Exploiting Broadcom Bluetooth
-
Bluetooth - Does It Spark Joy?
-
BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses
-
BlueMirror - Reflections on Bluetooth Pairing and Provisioning Protocols
-
Attacking IOBluetoothFamily HCI and Vendor-Specific Commands
-
Finding New Bluetooth Low Energy Exploits via Reverse Engineering Multiple Vendors' Firmwares
