back

No PoC? No Fix! - A sad Story about Bluetooth Security

It is just a broken memcpy in the Bluetooth stack. Do we really need to fix that?

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:43:18
Language
English
Abstract
-

It is just a broken memcpy in the Bluetooth stack. Do we really need to fix that?

Bluetooth is one of the core technologies these days used by billions of devices. Due to the nature of wireless technologies, it is an interesting target for attackers. Recently there was put a lot of effort in reverse engineering Broadcom and Cypress Bluetooth Controllers. Most famous, the InternalBlue tool developed by Dennis Mantz for firmware debugging.

In this talk, I want to take you on a journey that started over a year ago. During my time at SEEMOO, we started emulating the firmware to further understand the internals and interaction with the host system. The emulated firmware can even be attached to a Linux based operating system and fed with random packets. During development, we found two memory corruptions within the Firmware, whereas one was exploited for Remote Code Execution on the Controller (CVE-2019-11516). This bug was in the wild for over 9 years. During the disclosure process, we found that it was fixed internally by the vendor over a year ago. But no patches reached the customers. Only after contacting Google and Apple directly, patches were distributed.

By further fuzzing the firmware, we stumbled across a crash in Android by accident (CVE-2020-0022). After building a full Zero-Click-Exploit we prepared our writeup for responsible disclosure. After some digging, guess what we found hiding in the master branch…

Talk ID
divoc20-7
Event:
Hidden_Service
Day
1
Room
Feinler
Start
10 p.m.
Duration
00:45:00
Track
None
Type of
Talk
Speaker
Jan Ruge
Talk Slug & media link
DiVOC-7-no_poc_no_fix_a_sad_story_about_bluetooth_security
English
0.0% Checking done0.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
100.0% Nothing done yet100.0%
  

Work on this video on Amara!

English: Transcribed until

Last revision: 4 weeks, 1 day ago