back

All wireless communication stacks are equally broken

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:38:07
Language
English
Abstract
Wireless connectivity is an integral part of almost any modern device. These technologies include LTE, Wi-Fi, Bluetooth, and NFC. Attackers in wireless range can send arbitrary signals, which are then processed by the chips and operating systems of these devices. Wireless specifications and standards for those technologies are thousands of pages long, and thus pose a large attack surface.

Wireless exploitation is enabled by the technologies any smartphone user uses everyday. Without wireless connectivity our devices are bricked. While we can be more careful to which devices and networks we establish connections to protect ourselves, we cannot disable all wireless chips all the time. Thus, security issues in wireless implementations affect all of us.

Wireless chips run a firmware that decodes wireless signals and interprets frames. Any parsing error can lead to code execution within the chip. This is already sufficient to read data passing the chip in plaintext, even if it would be encrypted while transmitted over the air. We will provide a preview into a new tool that enables full-stack Bluetooth fuzzing by real-time firmware emulation, which helps to efficiently identify parsing errors in wireless firmware.

Since this kind of bug is within the wireless chips' proprietary firmware, patching requires assistance of the manufacturer. Often, fixing this type of security issue takes multiple months, if done at all. We will tell about our own responsible disclosure experiences, which are both sad and funny.

Another risk are drivers in the operating system, which perform a lot of operations on the data they receive from the wireless chip. Most drivers trust the input they get from a wireless chip too much, meaning that wireless exploitation within the chip can easily escalate into the driver.

While escalating directly into the operating system is the commonly known option, it is also possible to escalate into other chips. This is a new attack type, which cannot be filtered by the operating system.

For everyone who is also concerned during our talk, there will be fancy tin foil hats.

Talk ID
10531
Event:
36c3
Day
2
Room
Ada
Start
5:10 p.m.
Duration
00:40:00
Track
Security
Type of
lecture
Speaker
jiska
Talk Slug & media link
36c3-10531-all_wireless_communication_stacks_are_equally_broken

Talk & Speaker speed statistics

Very rough underestimation:
165.1 wpm
886.0 spm
170.1 wpm
909.8 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
165.1 wpm
886.0 spm
bluetoothstuffchipthingjiskabroadcomstacktalkwirelessmicrophone.questioncodewi-firunningfixedsmartphoneexploitexploitationdeviceandroidltelinuxbitfindopenfuzzingsecuritystudentshostdevicestimeexamplesamsung1superlongthreeexecutioncarcoolphoneappleevaluationchipsnicetonscommunicationsignalsystem
jiska:
170.1 wpm
909.8 spm
bluetoothstuffchipthingbroadcomwirelesswi-fiexploitationstacksmartphonecodeexploitrunningbittalkltestudentsandroidsuperlinuxsecurityfuzzingthreecoolhostdevicenfcpeopleprojectappleexecutionlongresettonscommunicationspecificationsystemencryptionfindqualcommtimeissueconnectionnicesecurechipsjanrealairevaluation