BLEEDINGBIT - Your APs Belong to Us

Offered By: Black Hat via YouTube

Course Description

Overview

Explore BLEEDINGBIT, two zero-day vulnerabilities in Texas Instruments' BLE chips used in popular wireless access points, allowing unauthenticated over-the-air enterprise network penetration. Delve into Bluetooth Low Energy attack surfaces, OTA solutions, and BLE in Aruba Access Points. Examine OAD implementation, firmware extraction, and custom OAD analysis. Discover BLE link layer intricacies, TI CC2640 architecture, and memory corruption techniques. Investigate inter-core communication, overflow mechanics, and exploit strategies. Learn to overcome size limitations, restore execution, and install backdoors. Gain insights into shellcode development for successful network infiltration in this comprehensive Black Hat conference presentation.

Syllabus

Intro
Agenda
Why Bluetooth Low Energy?
Why do APs support BLE?
BLE Attack surface
OTA solutions over BLE
BLE in Aruba Access Points
OAD in General
OAD in Aruba Access Points
Extracting BLE firmware
Analyzing custom OAD
OTA OAD OMG
What would a BLEEDINGBIT attack look like?
BLE Discovery
BLE link layer
TI CC2640 Architecture
CC2640 Memory Corruption
Let's try and crash it
Packet Length: Main Core vs Radio Core
Case Study
What is being overwritten?
Where will the overflow data come from?
Inter-core communication
Overflow mechanics
Spray
Exploit strategy
Size limitation
Tasks at hand
Making our first success last forever
Restoring execution - Take 1
Restoring execution - Take 2
Installing a backdoor
Shellcode


Taught by

Black Hat
