Finding New Bluetooth Low Energy Exploits via Reverse Engineering Multiple Vendors' Firmwares

Abstract

Bluetooth Low Energy (BLE) has seen widespread product adoption and a renewed interest from a security community whose interest in Classic Bluetooth (BT) had waned. Protocols that run “above” the Host Controller Interface (HCI) on the BLE stack are typically handled in full OSes or applications. Vulnerabilities at these layers are plentiful (~70 in Android in 2019) and comparatively well understood. But for performance and abstraction reasons, protocols below the HCI layer are handled in firmware running on the BLE controller's own microcontroller. Until now, there has been only a single publicly disclosed remote code execution vulnerability in BLE below the HCI layer: CVE-2018-16986, Armis’ BleedingBit. This talk describes my process of going from knowing nothing about Bluetooth to reverse engineering multiple vendors’ firmwares and finding remote code execution exploits for multiple new vulnerabilities at the lowest levels of the BLE protocol stack, which I will demonstrate. Exploits at this layer are of particular interest because they require neither pairing nor authentication, merely radio proximity, to exploit.

Veronica Kovah
Founder & CEO

Hacking Bluetooth like it’s no big deal.