From fault injection to RCE: Analyzing a Bluetooth tracker

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
Not yet available
Language
English
Abstract
The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas)
DA14580 chip. This talk will present the research made on this device, from
extracting the firmware from the locked down chip using fault injection up to
getting remote code execution over Bluetooth.
The talk will also present the disclosure process and how the vendor reacted to
an unpatchable vulnerability on their product.

This talk will present the journey through the analysis of the Chipolo ONE
Bluetooth tracker. As for lots of IoT devices, this analysis mixes both hardware
and software attacks so this talk will be packed with lots of techniques that
can be applied to other devices as well:

- Using fault injection to bypass the debug locking mechanism on a chip that has
apparently never been broken before.
- Reverse engineering an unknown firmware with Ghidra, a PDF and parts of a SDK
- Analyzing weak cryptographic algorithms to be able to authenticate to any
device
- Finding a buffer overflow and achieve code execution over Bluetooth
- Disclosing an unpatchable vulnerability to the vendor

Talk ID
38c3-178
Event:
38c3
Day
1
Room
Saal ZIGZAG
Start
5:15 p.m.
Duration
00:40:00
Track
Security
Type of
Talk
Speaker
Nicolas Oberli
Nicolas Oberli
Talk Slug & media link
38c3-178-from-fault-injection-to-rce-analyzing-a-bluetooth-tracker

The video is not yet available