Finding New Bluetooth Low Energy Exploits via Reverse Engineering Multiple Vendors' Firmwares

Offered By: Black Hat via YouTube

Course Description

Overview

Explore the process of discovering new Bluetooth Low Energy exploits through reverse engineering firmware from multiple vendors in this Black Hat conference talk. Delve into the journey from Bluetooth novice to uncovering remote code execution vulnerabilities at the lowest levels of the BLE protocol stack. Learn about exploits that require only proximity, bypassing the need for pairing or authentication. Gain insights into dual-chip and single-chip BLE stack configurations, and into the lab setup used for hardware debugging, fuzzing, and packet sending. Examine case studies on the Texas Instruments WL1835 MOD and a second target, covering static and dynamic analysis techniques, stack and heap buffer overflow vulnerabilities, and their corresponding CVEs. Understand the impact of these discoveries and the potential for "Quiet Place" attacks on Bluetooth Low Energy devices.

Syllabus

Intro
Learning mode
BLE stack in dual chip configuration Host
BLE stack in single chip configuration Controller
New BLE low layer vulnerabilities!
Lab setup: targets
Lab setup: for basic HW debug 1
Lab setup: for fuzzer and convenience
Lab setup: sniffers
Lab setup: packet sending HW
Lab setup: JackBNimBLE, packet sending SW
Target #1: Texas Instruments WL1835 MOD
Static analysis
Dynamic analysis
Remote code execution bugs
Stack buffer overflow 1 CVE-2019-15948
Attack packet example 1
"Quiet Place" attack
Stack buffer overflow 2 CVE-2019-15948
Attack packet example 2
Target #2
Fuzzing extended advertisements
Difference from the target #1's RCE bug
RCE: heap buffer overflow CVE-2020-15531
Impact assessment


Taught by

Black Hat
