Dissecting Broadcom Bluetooth

Video duration: 00:43:02
Language: English

Abstract
Broadcom's Bluetooth firmware on popular devices – such as Nexus 5, Nexus 6P, Raspberry Pi 3, and Raspberry Pi 3+ – shares the same firmware update mechanisms, which allows local firmware modifications. With InternalBlue we published a framework for changing the lower Bluetooth layers. In this talk we go even further and demonstrate a remote exploit in the Broadcom firmware.

In the first part of this talk we present the InternalBlue framework, which allows experimenting with Broadcom-based Bluetooth chips. On Nexus 5 and 6P, it already supports monitoring and injection tools for the lower layers of the Bluetooth protocol stack.

The second part of this talk focuses on security. We show how behavior during pairing can be modified, e.g. by setting different device features or IO capabilities. We also demonstrate an implementation of the recently published ECDH key exchange attack.

Last, we demonstrate a new attack (CVE-2018-19860) that can crash the Bluetooth stack and execute a limited set of functions, requiring only knowledge of the Bluetooth MAC address of the device under attack. This vulnerability has been silently patched in newer firmware versions, but it applies to Broadcom chips in popular devices such as the Nexus 5, Raspberry Pi 3, iPhone 6, Xperia Z5, Samsung Galaxy Note 3, MacBook Pro 2016 and more.

Talk ID: 9498
Event: 35c3
Day: 4
Room: Adams
Start: 2:30 p.m.
Duration: 00:40:00
Track: Security
Type: lecture
Speakers: jiska, mantz
Talk Slug & media link: 35c3-9498-dissecting_broadcom_bluetooth
