Dissecting Broadcom Bluetooth

Explore the intricacies of Broadcom Bluetooth firmware in this 43-minute conference talk from the 35th Chaos Communication Congress (35C3). Dive into the InternalBlue framework, which enables experimentation with Broadcom-based Bluetooth chips, focusing on popular devices like Nexus 5, Nexus 6P, Raspberry Pi 3, and Raspberry Pi 3+. Learn about local firmware modification techniques and discover how to monitor and inject data into lower layers of the Bluetooth protocol stack. Examine security implications, including altered pairing behavior and an implementation of the ECDH key exchange attack. Uncover a new vulnerability (CVE-2018-19860) affecting various popular devices, which allows for Bluetooth stack crashes and limited function execution using only the target's Bluetooth MAC address. Gain insights into the silent patching of this vulnerability in newer firmware versions and its impact on a wide range of devices, from smartphones to laptops.

35C3 - Dissecting Broadcom Bluetooth