
From fault injection to RCE: Analyzing a Bluetooth tracker


Video duration: 00:31:38
Language: English

Abstract
The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas) DA14580 chip. This talk will present the research done on this device, from extracting the firmware from the locked-down chip using fault injection up to getting remote code execution over Bluetooth.

The talk will also present the disclosure process and how the vendor reacted to an unpatchable vulnerability on their product.

This talk will present the journey through the analysis of the Chipolo ONE Bluetooth tracker. As with many IoT devices, this analysis mixes hardware and software attacks, so the talk will be packed with techniques that can be applied to other devices as well:

- Using fault injection to bypass the debug locking mechanism on a chip that has apparently never been broken before.
- Reverse engineering an unknown firmware with Ghidra, a PDF and parts of an SDK
- Analyzing weak cryptographic algorithms to be able to authenticate to any device
- Finding a buffer overflow and achieving code execution over Bluetooth
- Disclosing an unpatchable vulnerability to the vendor

Talk ID: 38c3-178
Event: 38c3
Day: 1
Room: Saal ZIGZAG
Start: 5:15 p.m.
Duration: 00:40:00
Track: Security
Type of: other
Speaker: Nicolas Oberli
Talk Slug & media link: 38c3-from-fault-injection-to-rce-analyzing-a-bluetooth-tracker