Overview
Syllabus
Intro
Agenda
Why Bluetooth Low Energy?
Why do APs support BLE?
BLE Attack surface
OTA solutions over BLE
BLE in Aruba Access Points
OAD in General
OAD in Aruba Access Points
Extracting BLE firmware
Analyzing custom OAD
OTA OAD OMG
What would a BLEEDINGBIT attack look like? black hat
BLE Discovery
BLE link layer
TI CC2640 Architecture
CC2640 Memory Corruption
Lets try and crash it
Packet Length: Main Core vs Radio Core black hat
Case Study
What is being overwritten?
Where will the overflow data come from? black hat
Inter-core communication
Overflow mechanics
Spray
Exploit strategy
Size limitation
Tasks at hand
Making our first success last forever black hat
Restoring execution - Take 1
Restoring execution - Take 2
Installing a backdoor
Shellcode
Taught by
Black Hat