[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:19.91,Default,,0000,0000,0000,,{\i1}36C3 preroll music{\i0} Dialogue: 0,0:00:19.91,0:00:26.72,Default,,0000,0000,0000,,Herald Angel: Our next speaker is jiska.\Njiska has been attending this conference for Dialogue: 0,0:00:26.72,0:00:32.21,Default,,0000,0000,0000,,ages, like a decade? Even more?\Njiska: 20, 22 C3 Dialogue: 0,0:00:32.21,0:00:36.94,Default,,0000,0000,0000,,Herald Angel: Long, long time. Sometimes\Nshe is also doing some talks here. The Dialogue: 0,0:00:36.94,0:00:42.01,Default,,0000,0000,0000,,last one last year was about Bluetooth.\NThere she was in depth. This time it will Dialogue: 0,0:00:42.01,0:00:49.51,Default,,0000,0000,0000,,be a more general talk about wireless\Nprotocols: NFC, LTE, Wi-Fi, and, of course, Dialogue: 0,0:00:49.51,0:00:56.46,Default,,0000,0000,0000,,Bluetooth. So she will tell us what is\Nbroken in all those protocols. So have fun Dialogue: 0,0:00:56.46,0:01:00.59,Default,,0000,0000,0000,,and enjoy the talk "All wireless\Ncommunications stacks are equally broken" Dialogue: 0,0:01:00.59,0:01:02.82,Default,,0000,0000,0000,,by jiska. Dialogue: 0,0:01:02.82,0:01:09.23,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:01:09.23,0:01:14.25,Default,,0000,0000,0000,,jiska: So welcome to my talk. I first thought\Nit would be a foundation talk, but it will Dialogue: 0,0:01:14.25,0:01:18.57,Default,,0000,0000,0000,,also have new topics about everything that\Nis kind of fundamentally broken in Dialogue: 0,0:01:18.57,0:01:23.100,Default,,0000,0000,0000,,wireless communication and it will cover\Nanything in your smartphone, so, like NFC, Dialogue: 0,0:01:23.100,0:01:30.45,Default,,0000,0000,0000,,Bluetooth, Wi-Fi, LTE. You could order\Nthem like by communication range or by Dialogue: 0,0:01:30.45,0:01:36.88,Default,,0000,0000,0000,,specification length or lines of code. 
But\Nthe thing is, so the specification length Dialogue: 0,0:01:36.88,0:01:41.20,Default,,0000,0000,0000,,and lines of code also mean increased\Ncomplexity. And if there is increased Dialogue: 0,0:01:41.20,0:01:47.55,Default,,0000,0000,0000,,complexity, you might have issues with\Nsecurity in it, in the very end. And then Dialogue: 0,0:01:47.55,0:01:52.57,Default,,0000,0000,0000,,there is something that is even worse than\NLTE, which is vendor-specific additions. Dialogue: 0,0:01:52.57,0:01:56.84,Default,,0000,0000,0000,,That would be when you open like five\Ninstances of IDA and like try to Dialogue: 0,0:01:56.84,0:02:04.21,Default,,0000,0000,0000,,analyze where the wireless message is\Ngoing and what it is doing. So most of Dialogue: 0,0:02:04.21,0:02:08.81,Default,,0000,0000,0000,,this in this talk will be about wireless\Nexploitation and the new stuff will be Dialogue: 0,0:02:08.81,0:02:14.70,Default,,0000,0000,0000,,fuzzing techniques and a new escalation\Ntarget. But everything else is more like a Dialogue: 0,0:02:14.70,0:02:21.32,Default,,0000,0000,0000,,general view on wireless exploitation. So\Nfirst, to understand what the wireless Dialogue: 0,0:02:21.32,0:02:27.38,Default,,0000,0000,0000,,exploit does is to separate it into\Ndifferent layers. So there is the lowest Dialogue: 0,0:02:27.38,0:02:31.46,Default,,0000,0000,0000,,layer, which is some hybrid chip which\Nruns a firmware, let's say Bluetooth Dialogue: 0,0:02:31.46,0:02:35.89,Default,,0000,0000,0000,,firmware, which is then attached to a\Ndriver. Then there's some privileged Dialogue: 0,0:02:35.89,0:02:40.43,Default,,0000,0000,0000,,stuff, it depends a bit on what kind of\Nsystem you're on. And in the end, there Dialogue: 0,0:02:40.43,0:02:45.04,Default,,0000,0000,0000,,will be applications and no matter where\Nyour exploit is, on the layer that you're Dialogue: 0,0:02:45.04,0:02:50.06,Default,,0000,0000,0000,,exploiting, some security measures become\Nineffective. 
So, for example, if there is Dialogue: 0,0:02:50.06,0:02:56.59,Default,,0000,0000,0000,,encryption and you have an exploit for\Nthat layer, it would become ineffective. Dialogue: 0,0:02:56.59,0:03:02.84,Default,,0000,0000,0000,,And it depends, so the higher you are, the\Nhigher also the exploit prices get. So for Dialogue: 0,0:03:02.84,0:03:08.16,Default,,0000,0000,0000,,the Wi-Fi RCE, you would be at 100K, for\Nbaseband RCE with local privilege Dialogue: 0,0:03:08.16,0:03:12.86,Default,,0000,0000,0000,,escalation, it's already 200K, and if\Nit's just a messenger or something, then Dialogue: 0,0:03:12.86,0:03:17.74,Default,,0000,0000,0000,,it's like really, really high in the\Nprice. So the question is like, why is Dialogue: 0,0:03:17.74,0:03:27.50,Default,,0000,0000,0000,,this wireless stuff a bit cheaper? So\Nwell, you need a certain distance. And so Dialogue: 0,0:03:27.50,0:03:31.98,Default,,0000,0000,0000,,that's probably a thing. And then also,\Nmaybe they are just too easy to find. I Dialogue: 0,0:03:31.98,0:03:37.71,Default,,0000,0000,0000,,don't know. Like at least, maybe for me, I\Ndon't know for normal people. Or maybe the Dialogue: 0,0:03:37.71,0:03:42.63,Default,,0000,0000,0000,,market demand is not that high for them.\NOr they are not privileged enough. I don't Dialogue: 0,0:03:42.63,0:03:49.55,Default,,0000,0000,0000,,know. But actually they'd need like only\Nlike no or less interaction. So. Yeah. Dialogue: 0,0:03:49.55,0:03:55.96,Default,,0000,0000,0000,,Still a thing I would say. So within the\Ngroup I am working in, we had a lot of Dialogue: 0,0:03:55.96,0:04:00.95,Default,,0000,0000,0000,,wireless research and also tools that we\Nreleased. And the first one I think that Dialogue: 0,0:04:00.95,0:04:07.01,Default,,0000,0000,0000,,was running on a mobile phone is NFCGate,\Nwhich is currently managed by Max. 
Then Dialogue: 0,0:04:07.01,0:04:11.87,Default,,0000,0000,0000,,there is nexmon, which is our largest\Nproject, which is patching Broadcom Dialogue: 0,0:04:11.87,0:04:17.03,Default,,0000,0000,0000,,Wi-Fi. And Matthias, who did that, reached\Nhis goal by just saying, like, I now have Dialogue: 0,0:04:17.03,0:04:24.90,Default,,0000,0000,0000,,kind of a software-defined radio in a\Ncommodity like Broadcom Wi-Fi chip. And so Dialogue: 0,0:04:24.90,0:04:29.14,Default,,0000,0000,0000,,he was a bit bored and kicked off two new\Nprojects before he left, which he then Dialogue: 0,0:04:29.14,0:04:33.89,Default,,0000,0000,0000,,handed over. The first one is Qualcomm LTE\Nand the second one was Broadcom Bluetooth, Dialogue: 0,0:04:33.89,0:04:39.54,Default,,0000,0000,0000,,which I ended up with. And then we have\Nsomeone else who is Milan and he is doing Dialogue: 0,0:04:39.54,0:04:44.60,Default,,0000,0000,0000,,stuff that comes more like from the\Napplication layer. So he implemented an Dialogue: 0,0:04:44.60,0:04:51.88,Default,,0000,0000,0000,,open source solution for Apple AirDrop\Nthat you can run on your Raspberry Pi. And Dialogue: 0,0:04:51.88,0:04:57.68,Default,,0000,0000,0000,,well, hackers gonna hack, so this stuff has\Nbeen used a lot for exploitation, not by Dialogue: 0,0:04:57.68,0:05:01.76,Default,,0000,0000,0000,,us, but by others. So there were three\Ngroups using nexmon for Wi-Fi Dialogue: 0,0:05:01.76,0:05:06.42,Default,,0000,0000,0000,,exploitation, at least like what is\Npublicly known and like the bigger ones, Dialogue: 0,0:05:06.42,0:05:10.98,Default,,0000,0000,0000,,maybe I forgot someone, but so there is a\Nlot of exploitation going on there. Then Dialogue: 0,0:05:10.98,0:05:15.51,Default,,0000,0000,0000,,InternalBlue has been used to demonstrate\Nan attack against the key negotiation of Dialogue: 0,0:05:15.51,0:05:22.47,Default,,0000,0000,0000,,Bluetooth just this August. 
And the open\NAirDrop implementation was used for some Dialogue: 0,0:05:22.47,0:05:28.15,Default,,0000,0000,0000,,honeypots at Black Hat and AirDoS. And\Nlike a lot of stuff is going on there. And Dialogue: 0,0:05:28.15,0:05:31.94,Default,,0000,0000,0000,,then you might ask yourself, like, yeah,\Nso, if everybody is using it for Dialogue: 0,0:05:31.94,0:05:39.06,Default,,0000,0000,0000,,exploitation, why don't we just do it\Nourselves? And we actually did that and we Dialogue: 0,0:05:39.06,0:05:44.80,Default,,0000,0000,0000,,even did that for this very first project,\Nthis NFC project. And the most important Dialogue: 0,0:05:44.80,0:05:49.93,Default,,0000,0000,0000,,thing you need to know about NFC is that\Nthe near field is not really a near field. Dialogue: 0,0:05:49.93,0:05:54.30,Default,,0000,0000,0000,,So there's -- it's just communication, but\Nit's not near field communication, which Dialogue: 0,0:05:54.30,0:06:00.11,Default,,0000,0000,0000,,means so if you are able to forward the\Ncommunication, so for example, you have Dialogue: 0,0:06:00.11,0:06:03.80,Default,,0000,0000,0000,,like your credit card and then a\Nsmartphone with NFC, you could forward it Dialogue: 0,0:06:03.80,0:06:10.09,Default,,0000,0000,0000,,over the cloud or some server and then to\Nanother smartphone and then to the payment Dialogue: 0,0:06:10.09,0:06:15.30,Default,,0000,0000,0000,,terminal. And usually there's no time\Nconstraint or distance bounding that would Dialogue: 0,0:06:15.30,0:06:19.40,Default,,0000,0000,0000,,prevent this. So you can at least forward\Nand relay messages and you might even be Dialogue: 0,0:06:19.40,0:06:26.06,Default,,0000,0000,0000,,able to modify them on the way. And some\Nstudents of ours did like some testing in Dialogue: 0,0:06:26.06,0:06:32.92,Default,,0000,0000,0000,,some systems of some third parties who\Nthen politely asked them to please stop Dialogue: 0,0:06:32.92,0:06:40.70,Default,,0000,0000,0000,,the testing. 
So it was not really a cool\Nthing overall. Like, not good to Dialogue: 0,0:06:40.70,0:06:45.51,Default,,0000,0000,0000,,publish and so on. And I'm all the happier\Nthat there are other researchers who Dialogue: 0,0:06:45.51,0:06:52.83,Default,,0000,0000,0000,,actually used some other tooling to look\Ninto NFC. So just this month there has Dialogue: 0,0:06:52.83,0:06:57.53,Default,,0000,0000,0000,,been a talk at Black Hat, so not by us,\Nbut by others, about the Visa credit cards. Dialogue: 0,0:06:57.53,0:07:05.78,Default,,0000,0000,0000,,And it's just all broken and it's cool\Nthat some people like just did it anyway. Dialogue: 0,0:07:05.78,0:07:10.18,Default,,0000,0000,0000,,Yeah. So this is more about -- the NFC\Nstuff is more about forwarding and the Dialogue: 0,0:07:10.18,0:07:16.16,Default,,0000,0000,0000,,actual specification, but something that\Nis also cool is -- if you get code Dialogue: 0,0:07:16.16,0:07:21.83,Default,,0000,0000,0000,,execution within a chip, and this is a very\Ndifferent attack scenario. And for Dialogue: 0,0:07:21.83,0:07:27.18,Default,,0000,0000,0000,,Bluetooth, I think it's especially bad\Nbecause of how everything is designed. And Dialogue: 0,0:07:27.18,0:07:34.25,Default,,0000,0000,0000,,the first design issue in Bluetooth is\Nthat the encryption key is stored in a way Dialogue: 0,0:07:34.25,0:07:38.17,Default,,0000,0000,0000,,that the chip can always ask for\Nencryption keys here at the host, or it's Dialogue: 0,0:07:38.17,0:07:43.86,Default,,0000,0000,0000,,even already on the chip. And there is no\Nkind of security there. So whenever you Dialogue: 0,0:07:43.86,0:07:47.80,Default,,0000,0000,0000,,have code execution on the chip, it means\Nyou can get all the encryption keys, not Dialogue: 0,0:07:47.80,0:07:52.28,Default,,0000,0000,0000,,just of the active connection, and then\Nbreak everything that is kind of a trusted Dialogue: 0,0:07:52.28,0:07:56.63,Default,,0000,0000,0000,,connection by this key. 
And that even\Nbreaks features like the Android Smart Dialogue: 0,0:07:56.63,0:08:02.23,Default,,0000,0000,0000,,Lock. And Android Smart Lock is a thing where\Nyou can unlock your Android smartphone if Dialogue: 0,0:08:02.23,0:08:06.30,Default,,0000,0000,0000,,you have a trusted device, and if you'd\Nlike, add this. You might do this for your Dialogue: 0,0:08:06.30,0:08:12.79,Default,,0000,0000,0000,,car because it's nice in your car when you\Nhave like your audio and your navigation Dialogue: 0,0:08:12.79,0:08:16.94,Default,,0000,0000,0000,,and everything without a locked\Nsmartphone. But the question is like, how Dialogue: 0,0:08:16.94,0:08:21.48,Default,,0000,0000,0000,,secure is the Bluetooth of your car? Would\Nyou trust that one to unlock your Dialogue: 0,0:08:21.48,0:08:28.62,Default,,0000,0000,0000,,smartphone? I don't know. And the next\Nthing is, so if you have code execution on Dialogue: 0,0:08:28.62,0:08:33.90,Default,,0000,0000,0000,,a Bluetooth chip, it also means that you\Nmight be able to escalate into some other Dialogue: 0,0:08:33.90,0:08:42.05,Default,,0000,0000,0000,,components so that you go up all the\Nlayers. The next question is, is the exploit Dialogue: 0,0:08:42.05,0:08:46.59,Default,,0000,0000,0000,,persistent? So let's say I have something\Nthat is running on the chip and I don't Dialogue: 0,0:08:46.59,0:08:52.70,Default,,0000,0000,0000,,know, extracting encryption keys or doing\Nwhatever. You might ask yourself, so how Dialogue: 0,0:08:52.70,0:08:56.32,Default,,0000,0000,0000,,long will it be on the chip? I mean, it's\Njust a Bluetooth chip, you switch Bluetooth Dialogue: 0,0:08:56.32,0:09:02.38,Default,,0000,0000,0000,,off sometimes. And then the specification.\NSo it's just like almost 1000 pages. So Dialogue: 0,0:09:02.38,0:09:06.82,Default,,0000,0000,0000,,just like in the first third of the\Nspecification it says the HCI_Reset Dialogue: 0,0:09:06.82,0:09:12.50,Default,,0000,0000,0000,,command will not necessarily perform a\Nhardware reset. 
This is implementation Dialogue: 0,0:09:12.50,0:09:17.34,Default,,0000,0000,0000,,defined. Then I looked into the Cypress\Nand Broadcom chips and saw, yeah, so if Dialogue: 0,0:09:17.34,0:09:21.88,Default,,0000,0000,0000,,you do an HCI reset, it's obviously not\Na full hardware reset, it's just flushing Dialogue: 0,0:09:21.88,0:09:26.60,Default,,0000,0000,0000,,some queues, connection stuff here and\Nthere. So there is definitely a memory Dialogue: 0,0:09:26.60,0:09:33.69,Default,,0000,0000,0000,,area where you could put your exploit and\Nit would be persistent. So then you might Dialogue: 0,0:09:33.69,0:09:39.33,Default,,0000,0000,0000,,say, yeah, OK, so what do I do? I don't\Nknow. I put my smartphone into flight mode Dialogue: 0,0:09:39.33,0:09:46.01,Default,,0000,0000,0000,,for a hard reset. That usually doesn't\Nwork. You might also like reboot your Dialogue: 0,0:09:46.01,0:09:50.11,Default,,0000,0000,0000,,phone. In most cases, this works. For some\Nother coexistence stuff, I had the Dialogue: 0,0:09:50.11,0:09:54.41,Default,,0000,0000,0000,,impression that sometimes, so it's a bit\Nstrange, it might not necessarily like, Dialogue: 0,0:09:54.41,0:10:02.89,Default,,0000,0000,0000,,reset. Turning off for a while might hard-\Nreset the chip I think. Or you just put Dialogue: 0,0:10:02.89,0:10:08.24,Default,,0000,0000,0000,,your smartphone in a blender and then.\NYeah. So that might turn off the Bluetooth Dialogue: 0,0:10:08.24,0:10:16.02,Default,,0000,0000,0000,,chip finally. Yeah. So the next issue is,\Nso let's say we have an exploit running Dialogue: 0,0:10:16.02,0:10:20.89,Default,,0000,0000,0000,,there, but we first need an exploit. So\Nthe very first step is still missing as a Dialogue: 0,0:10:20.89,0:10:26.48,Default,,0000,0000,0000,,building block. And after the talk last\Nyear, I did some stuff with Unicorn Dialogue: 0,0:10:26.48,0:10:31.52,Default,,0000,0000,0000,,and fuzzing on the chip and it was super\Nslow. 
And then suddenly Jan showed up and Dialogue: 0,0:10:31.52,0:10:38.81,Default,,0000,0000,0000,,Jan said, Hey, I want to build a fully\Nemulated chip for superfast fuzzing and Dialogue: 0,0:10:38.81,0:10:42.89,Default,,0000,0000,0000,,attach it to Linux and everything should\Nlike run on the real -- like as on a real Dialogue: 0,0:10:42.89,0:10:47.43,Default,,0000,0000,0000,,system, just the over-the-air input will\Nbe fast. And I was like, you cannot do Dialogue: 0,0:10:47.43,0:10:51.48,Default,,0000,0000,0000,,this for a master's thesis. And then he was\Nbuilding that thing within three months Dialogue: 0,0:10:51.48,0:10:57.35,Default,,0000,0000,0000,,and the remaining three months he was\Nwriting a thesis and e-mails to vendors. Dialogue: 0,0:10:57.35,0:11:02.82,Default,,0000,0000,0000,,So here we go. What does Frankenstein do?\NSo it's running on an evaluation board of Dialogue: 0,0:11:02.82,0:11:07.66,Default,,0000,0000,0000,,that, yeah, it's just a normal Bluetooth\Nboard that's connected to a Linux host over Dialogue: 0,0:11:07.66,0:11:14.100,Default,,0000,0000,0000,,UART and a modem over the air, and then you\Nwould snapshot that thing and emulate it Dialogue: 0,0:11:14.100,0:11:20.54,Default,,0000,0000,0000,,and give it fast input attached to the\Nreal host. And that means that if you find Dialogue: 0,0:11:20.54,0:11:24.84,Default,,0000,0000,0000,,some vulnerability, it might be within all\Nthe components or it might also be in the Dialogue: 0,0:11:24.84,0:11:30.21,Default,,0000,0000,0000,,Linux host or it might be something that\Nis full stack. So you have something that Dialogue: 0,0:11:30.21,0:11:34.63,Default,,0000,0000,0000,,starts on the chip, gets to the host, the\Nhost requests further things and then it Dialogue: 0,0:11:34.63,0:11:38.69,Default,,0000,0000,0000,,goes back to the chip. So you could build\Nlike quite complex stuff. And for this I Dialogue: 0,0:11:38.69,0:11:45.42,Default,,0000,0000,0000,,have a short demo video. 
So the reason why\NI do this as a video is that it might Dialogue: 0,0:11:45.42,0:11:49.64,Default,,0000,0000,0000,,happen that it finds heap overflows\Notherwise. And then also it's not super Dialogue: 0,0:11:49.64,0:11:54.55,Default,,0000,0000,0000,,stable at the moment. So you can see it's\Nscanning for LE devices and then Wireshark Dialogue: 0,0:11:54.55,0:11:58.37,Default,,0000,0000,0000,,most of the time would get malformed\Npackets, but sometimes it could also get Dialogue: 0,0:11:58.37,0:12:08.69,Default,,0000,0000,0000,,normal packets and like some mesh stuff,\Nwhatever. So this is Frankenstein running. Dialogue: 0,0:12:08.69,0:12:16.14,Default,,0000,0000,0000,,Yeah, so what Jan focused on is early\Nconnection states. That means stuff Dialogue: 0,0:12:16.14,0:12:21.98,Default,,0000,0000,0000,,where you don't need a pairing. And then\Nhe found like heap overflows there in very Dialogue: 0,0:12:21.98,0:12:28.74,Default,,0000,0000,0000,,basic packet types. So quite interesting.\NAnd then the stuff was fixed, I think, or Dialogue: 0,0:12:28.74,0:12:33.22,Default,,0000,0000,0000,,hope, whatever. So at least like in very\Nrecent devices. And then the iPhone 11 came Dialogue: 0,0:12:33.22,0:12:37.87,Default,,0000,0000,0000,,out and in contrast to the specification,\Nover the air, the iPhone 11 says, hey, I'm Dialogue: 0,0:12:37.87,0:12:42.90,Default,,0000,0000,0000,,Bluetooth 5.1. I was like, wow, first\Nconsumer device, Bluetooth 5.1. And I was Dialogue: 0,0:12:42.90,0:12:48.02,Default,,0000,0000,0000,,like, I don't really mind my way of the\Nexploitation as long as I can get code Dialogue: 0,0:12:48.02,0:12:53.14,Default,,0000,0000,0000,,execution on the chip. So if it is with user\Ninteraction and a pairing and whatever, I Dialogue: 0,0:12:53.14,0:12:57.99,Default,,0000,0000,0000,,don't care as long as I get code execution\Non it. 
And then I was like, okay, let's Dialogue: 0,0:12:57.99,0:13:02.87,Default,,0000,0000,0000,,add some fuzz cases to Frankenstein,\Ncontinue fuzzing. And then I found that Dialogue: 0,0:13:02.87,0:13:08.26,Default,,0000,0000,0000,,specific evaluation board that Jan was\Nbuilding this for has a problem with the Dialogue: 0,0:13:08.26,0:13:14.85,Default,,0000,0000,0000,,heap configuration for certain packet\Ntypes. And so if you change that, you Dialogue: 0,0:13:14.85,0:13:19.49,Default,,0000,0000,0000,,would hard-brick the device. I mean, I\Nbricked two evaluation boards trying to Dialogue: 0,0:13:19.49,0:13:25.14,Default,,0000,0000,0000,,fix stuff. So, yeah, it's just\Nbricked. And so that means for me to Dialogue: 0,0:13:25.14,0:13:30.42,Default,,0000,0000,0000,,continue fuzzing to write like to port\Nsomething like 200 handwritten hooks to Dialogue: 0,0:13:30.42,0:13:35.77,Default,,0000,0000,0000,,another evaluation board. It's almost\Nrunning. So there's just some stuff with Dialogue: 0,0:13:35.77,0:13:40.31,Default,,0000,0000,0000,,thread switching that's not super smooth\Nyet, but like it's almost on the next Dialogue: 0,0:13:40.31,0:13:46.07,Default,,0000,0000,0000,,board. And further plans are to add more\Nhardware. So we're also working on the Dialogue: 0,0:13:46.07,0:13:52.84,Default,,0000,0000,0000,,Samsung Galaxy S 10 and probably a MacBook\Nto get it in there. So then it would not Dialogue: 0,0:13:52.84,0:13:57.46,Default,,0000,0000,0000,,just be Linux, but at least macOS, maybe\NAndroid. I don't know yet. 
And another Dialogue: 0,0:13:57.46,0:14:01.07,Default,,0000,0000,0000,,thing that would be cool and that we also\Ndidn't build yet, but it might be feasible Dialogue: 0,0:14:01.07,0:14:07.100,Default,,0000,0000,0000,,with some USRP X310 over PCI Express and\Nwith FPGA and all the fancy stuff to get Dialogue: 0,0:14:07.100,0:14:12.79,Default,,0000,0000,0000,,real over-the-air input, which then would\Nmean that you would have a full queue like Dialogue: 0,0:14:12.79,0:14:19.88,Default,,0000,0000,0000,,from over-the-air real Bluetooth packets\Ngoing all the way up and then to a host Dialogue: 0,0:14:19.88,0:14:23.84,Default,,0000,0000,0000,,and the way back. And you could also use\Nthat just to test your new emulation Dialogue: 0,0:14:23.84,0:14:31.20,Default,,0000,0000,0000,,scheme or whatever you want to change. So\Nnot just security. Yeah, so the next thing Dialogue: 0,0:14:31.20,0:14:36.68,Default,,0000,0000,0000,,is, so if you have code execution, what do\Nyou do with it? And the normal approach is Dialogue: 0,0:14:36.68,0:14:43.36,Default,,0000,0000,0000,,to try to go all the layers up. But there\Nmight also be some chip-level escalation Dialogue: 0,0:14:43.36,0:14:50.27,Default,,0000,0000,0000,,and you might immediately see it on the\Nnext picture. So this is from a Broadcom Dialogue: 0,0:14:50.27,0:14:55.52,Default,,0000,0000,0000,,chip, but that's something that you would\Nalso see in many other chips, which is Dialogue: 0,0:14:55.52,0:14:59.96,Default,,0000,0000,0000,,that you have a shared antenna. And you\Ncould also have two antennas, but they are Dialogue: 0,0:14:59.96,0:15:04.18,Default,,0000,0000,0000,,both on 2.5 GHz and it's in the very same\Nsmartphone, super close next to each other, Dialogue: 0,0:15:04.18,0:15:07.97,Default,,0000,0000,0000,,and you would get interference. 
So usually\Nyou just have the same antenna and do some Dialogue: 0,0:15:07.97,0:15:12.90,Default,,0000,0000,0000,,coordination like when it's Bluetooth\Nsending, when it's Wi-Fi sending so that Dialogue: 0,0:15:12.90,0:15:19.23,Default,,0000,0000,0000,,they don't interfere. And this feature is\Ncalled coexistence and there is tons of Dialogue: 0,0:15:19.23,0:15:24.02,Default,,0000,0000,0000,,coexistence interfaces. So this is just\Nthe one from Broadcom. And when I saw it, Dialogue: 0,0:15:24.02,0:15:29.29,Default,,0000,0000,0000,,I was like, oh, Francesco, let's look into\Nthis. You know, all the Wi-Fi stuff, I Dialogue: 0,0:15:29.29,0:15:32.92,Default,,0000,0000,0000,,know all the Bluetooth stuff let's do\Nsomething. And he was like, no, it's just Dialogue: 0,0:15:32.92,0:15:37.50,Default,,0000,0000,0000,,it's just a marketing feature so that it\Ncan like sell one chip for the price of Dialogue: 0,0:15:37.50,0:15:41.62,Default,,0000,0000,0000,,two chips or something. And I was like,\Nno, no, no, it must be an exploitation Dialogue: 0,0:15:41.62,0:15:47.100,Default,,0000,0000,0000,,feature. So, and then to end this\Ndiscussion, I went to Italy for eating Dialogue: 0,0:15:47.100,0:15:53.26,Default,,0000,0000,0000,,some ice cream and saw reality somewhere\Nin between. It's more like it's hardcoded Dialogue: 0,0:15:53.26,0:15:58.43,Default,,0000,0000,0000,,blacklisting for wireless channels and\Nstuff. It's traffic classes for different Dialogue: 0,0:15:58.43,0:16:02.89,Default,,0000,0000,0000,,types of traffic for Bluetooth and Wi-Fi.\NAnd you can look it up in tons of patents Dialogue: 0,0:16:02.89,0:16:08.95,Default,,0000,0000,0000,,and it's like super, super proprietary.\NAnd so we let's say we played a game which Dialogue: 0,0:16:08.95,0:16:14.31,Default,,0000,0000,0000,,was like I tried to steal his antenna and\Nhe tried to steal my antenna. 
And so it Dialogue: 0,0:16:14.31,0:16:18.78,Default,,0000,0000,0000,,turned out, if you do that, yeah, you can\Nturn off Wi-Fi via Bluetooth, Bluetooth Dialogue: 0,0:16:18.78,0:16:24.71,Default,,0000,0000,0000,,via Wi-Fi. And then also like on most\Nphones, you need to reboot them and some Dialogue: 0,0:16:24.71,0:16:28.01,Default,,0000,0000,0000,,of them even reboot themselves. So\Nthis is just like a speed-accelerated Dialogue: 0,0:16:28.01,0:16:33.88,Default,,0000,0000,0000,,thing with a Samsung Galaxy S8 that is\Nnot up to date. For iPhones, you would Dialogue: 0,0:16:33.88,0:16:38.100,Default,,0000,0000,0000,,just immediately see a reboot without any\Ninteraction of things going off and on. So Dialogue: 0,0:16:38.100,0:16:42.69,Default,,0000,0000,0000,,Broadcom is still in the process of fixing\Nit. I don't know if they can fix it, but Dialogue: 0,0:16:42.69,0:16:46.90,Default,,0000,0000,0000,,they said they could fix it. But something\Nyou should definitely fix is like the Dialogue: 0,0:16:46.90,0:16:50.34,Default,,0000,0000,0000,,driver itself so that the smartphone\Nreboots and so on. So I don't know. I Dialogue: 0,0:16:50.34,0:16:55.56,Default,,0000,0000,0000,,thought it would be fixed, actually, in\NiOS 13 because it mentions Francesco and Dialogue: 0,0:16:55.56,0:17:00.69,Default,,0000,0000,0000,,me, but still on 13.3, I don't know, it,\Nit's still - um - you can Dialogue: 0,0:17:00.69,0:17:04.06,Default,,0000,0000,0000,,still crash the iPhone that way. But Dialogue: 0,0:17:04.06,0:17:08.43,Default,,0000,0000,0000,,it's just some resource blocking, so it's\Nlike not a super dangerous thing, I would Dialogue: 0,0:17:08.43,0:17:13.85,Default,,0000,0000,0000,,say. And you still need a Bluetooth RCE\Nbefore you could do it and so on. But Dialogue: 0,0:17:13.85,0:17:21.37,Default,,0000,0000,0000,,still not cool that it's still not fixed.\NYeah, so what about the other stacks and Dialogue: 0,0:17:21.37,0:17:26.82,Default,,0000,0000,0000,,the escalations? 
So there are tons of\Ndifferent Bluetooth stacks, so it's really Dialogue: 0,0:17:26.82,0:17:32.91,Default,,0000,0000,0000,,a mess. And obviously because of\NFrankenstein, we had this first Linux Dialogue: 0,0:17:32.91,0:17:39.48,Default,,0000,0000,0000,,Bluetooth stack attached and so on. But,\Nyeah. So what has been there for Dialogue: 0,0:17:39.48,0:17:43.78,Default,,0000,0000,0000,,wireless: 2017, these BlueBorne attacks,\Nyou might have heard of them. And they Dialogue: 0,0:17:43.78,0:17:47.49,Default,,0000,0000,0000,,found escalations like on Android,\NWindows, Linux, iOS, whatever. And then Dialogue: 0,0:17:47.49,0:17:52.53,Default,,0000,0000,0000,,you might say, like in security, you often\Nsay, so someone looked into it. It must be Dialogue: 0,0:17:52.53,0:17:57.76,Default,,0000,0000,0000,,secure now. And then there are so many\Nfeatures coming. So there are all these IoT Dialogue: 0,0:17:57.76,0:18:01.75,Default,,0000,0000,0000,,devices. So everybody nowadays has\Nwireless headphones and fitness trackers Dialogue: 0,0:18:01.75,0:18:06.65,Default,,0000,0000,0000,,and Bluetooth always on. And in the Apple\Necosystem, it's really a mess. So if you Dialogue: 0,0:18:06.65,0:18:11.08,Default,,0000,0000,0000,,have more than one Apple device, you would\Nhave Bluetooth enabled all the time. Dialogue: 0,0:18:11.08,0:18:14.15,Default,,0000,0000,0000,,Otherwise you couldn't use a lot of\Nfeatures. And then there is like stuff Dialogue: 0,0:18:14.15,0:18:18.45,Default,,0000,0000,0000,,like Web Bluetooth, so Bluetooth LE\Nsupport from within the browser. So it's Dialogue: 0,0:18:18.45,0:18:23.45,Default,,0000,0000,0000,,like a lot of new attack surfaces that\Narose since then. I think -- So that's Dialogue: 0,0:18:23.45,0:18:31.57,Default,,0000,0000,0000,,more my personal estimation is, 2020 might\Nbe more BlueBorne-like attacks. The Dialogue: 0,0:18:31.57,0:18:34.98,Default,,0000,0000,0000,,saddest Bluetooth stack somehow is the\NLinux Bluetooth stack. 
So I don't want to Dialogue: 0,0:18:34.98,0:18:39.00,Default,,0000,0000,0000,,blame the developers there. I mean, it's\Nnot their fault, but there are not enough Dialogue: 0,0:18:39.00,0:18:43.72,Default,,0000,0000,0000,,people contributing to that project. And\Nif you would try to analyze something Dialogue: 0,0:18:43.72,0:18:48.05,Default,,0000,0000,0000,,that is going on in the stack and you\Ndon't really know what is going on, you Dialogue: 0,0:18:48.05,0:18:52.09,Default,,0000,0000,0000,,would do git blame or whatever and you\Nwould always see the same guy as the Dialogue: 0,0:18:52.09,0:18:56.71,Default,,0000,0000,0000,,committer. So at least if you're on a\Nspecific problem, then there's only one Dialogue: 0,0:18:56.71,0:19:01.62,Default,,0000,0000,0000,,person committing there. And so the\Npicture down there actually has the same Dialogue: 0,0:19:01.62,0:19:06.82,Default,,0000,0000,0000,,guy thrice. So this is also a bit of a pun\Nhere intended. We did some fuzzing in Dialogue: 0,0:19:06.82,0:19:12.03,Default,,0000,0000,0000,,there. We still need to evaluate some of\Nthe results. So yeah, but I also feel like Dialogue: 0,0:19:12.03,0:19:16.88,Default,,0000,0000,0000,,nobody's really using it and it's kind of\Nsad. I mean, there's some Linux users, I Dialogue: 0,0:19:16.88,0:19:23.11,Default,,0000,0000,0000,,guess, but ... Yeah. Then there is the\Nweirdest stack I would say. So there's the Dialogue: 0,0:19:23.11,0:19:27.85,Default,,0000,0000,0000,,Apple Bluetooth stack and this one is\Nactually three. So there is the Dialogue: 0,0:19:27.85,0:19:31.38,Default,,0000,0000,0000,,macOS Bluetooth stack. There's an iOS\NBluetooth stack. They are definitely Dialogue: 0,0:19:31.38,0:19:34.75,Default,,0000,0000,0000,,different. And then there is a third\Nembedded one, for example, for the Dialogue: 0,0:19:34.75,0:19:43.30,Default,,0000,0000,0000,,AirPods. They are all running different\Nthings. So, yeah, whatever. 
And Dialogue: 0,0:19:43.30,0:19:47.85,Default,,0000,0000,0000,,then they also have tons of proprietary\Nprotocols on top of their Bluetooth stuff Dialogue: 0,0:19:47.85,0:19:52.17,Default,,0000,0000,0000,,that are also very special. And I had\Nlike at least two students, just one Dialogue: 0,0:19:52.17,0:19:58.24,Default,,0000,0000,0000,,porting it to iOS, one to macOS. And then\Nwe also have students working on the other Dialogue: 0,0:19:58.24,0:20:02.71,Default,,0000,0000,0000,,protocols that are on top of Bluetooth.\NAnd if you look into this, it's like, what Dialogue: 0,0:20:02.71,0:20:06.56,Default,,0000,0000,0000,,the hell? It's really hard to reverse\Nengineer because you have like three Dialogue: 0,0:20:06.56,0:20:10.65,Default,,0000,0000,0000,,different implementations and then\Nsometimes you're like: "yeah, okay. Maybe Dialogue: 0,0:20:10.65,0:20:15.61,Default,,0000,0000,0000,,it's also just bad code." And in the end,\Nso from what I saw so far, I would say Dialogue: 0,0:20:15.61,0:20:23.64,Default,,0000,0000,0000,,that it's kind of both. And then there is\Nthe stack that I also played around with a Dialogue: 0,0:20:23.64,0:20:29.06,Default,,0000,0000,0000,,lot, which is the Android Bluetooth\Nstack. And they did a lot for the security Dialogue: 0,0:20:29.06,0:20:32.78,Default,,0000,0000,0000,,in the recent releases. And it annoys me\Nso much that when I want to get InternalBlue Dialogue: 0,0:20:32.78,0:20:36.77,Default,,0000,0000,0000,,running on it, I just echo to the\Nserial port instead, so I bypass everything Dialogue: 0,0:20:36.77,0:20:42.86,Default,,0000,0000,0000,,that the operating system does. And so\Nsomething that Android cannot do, which Dialogue: 0,0:20:42.86,0:20:46.03,Default,,0000,0000,0000,,Apple does, is so Apple has all the\Nproprietary protocols. And if something Dialogue: 0,0:20:46.03,0:20:50.32,Default,,0000,0000,0000,,goes wrong, they immediately cut the\Nconnection. 
But Android doesn't because of Dialogue: 0,0:20:50.32,0:20:54.58,Default,,0000,0000,0000,,compatibility and stuff. So you could just\Nsend garbage for like two minutes and try Dialogue: 0,0:20:54.58,0:20:57.84,Default,,0000,0000,0000,,and see what happens. And it would\Ncontinue listening and asking and Dialogue: 0,0:20:57.84,0:21:04.98,Default,,0000,0000,0000,,confirming. But that's kind of an\Noverall design issue, I think. And yet Dialogue: 0,0:21:04.98,0:21:10.63,Default,,0000,0000,0000,,there's Windows and I couldn't find any\Nstudents to work on Windows. {\i1}laughter{\i0} Dialogue: 0,0:21:10.63,0:21:19.14,Default,,0000,0000,0000,,If someone wants to do this, that would be\Ngreat. And so another stack that's kind of Dialogue: 0,0:21:19.14,0:21:26.44,Default,,0000,0000,0000,,missing here is LTE. And I would call this\Nlike the long term exploitation plan. So Dialogue: 0,0:21:26.44,0:21:30.62,Default,,0000,0000,0000,,it's not. I think if the long term\Nevaluation, evolution, whatever, but Dialogue: 0,0:21:30.62,0:21:37.32,Default,,0000,0000,0000,,exploitation I think is the best thing for\Nthe E. So we have like tons of wireless Dialogue: 0,0:21:37.32,0:21:42.54,Default,,0000,0000,0000,,stuff where we are working on and I mean\Nlike even PowerPC. And then there is Dialogue: 0,0:21:42.54,0:21:48.38,Default,,0000,0000,0000,,Qualcomm and they have they have this\NQualcomm hexagon DSP. I hate it so much. Dialogue: 0,0:21:48.38,0:21:53.42,Default,,0000,0000,0000,,So there's even source code leaks for\Ntheir LTE stuff. But it's just such a pain Dialogue: 0,0:21:53.42,0:21:58.90,Default,,0000,0000,0000,,to work on it. So you might have noticed\Nis that ARM has this LTE project with Dialogue: 0,0:21:58.90,0:22:05.43,Default,,0000,0000,0000,,Qualcomm, but it's just not fun. But other\Npeople were doing a lot in this area and Dialogue: 0,0:22:05.43,0:22:12.41,Default,,0000,0000,0000,,they've already presented here today and\Nyesterday. 
So the first thing is the SIM Dialogue: 0,0:22:12.41,0:22:18.31,Default,,0000,0000,0000,,card in the phone. So the SIM cards should\Nbe a thing like. From from my perspective, Dialogue: 0,0:22:18.31,0:22:23.54,Default,,0000,0000,0000,,that should be secure because it protects\Nyour key material. And then it runs tons Dialogue: 0,0:22:23.54,0:22:27.04,Default,,0000,0000,0000,,of applications. I don't know. And then\Nyou can exploit them and get the victim's Dialogue: 0,0:22:27.04,0:22:31.40,Default,,0000,0000,0000,,location, dial premium numbers and launch\Na browser. And then I didn't really Dialogue: 0,0:22:31.40,0:22:38.89,Default,,0000,0000,0000,,understand, like there's just this WIB set\Nbrowser whatever, and then there's launch Dialogue: 0,0:22:38.89,0:22:42.15,Default,,0000,0000,0000,,browser what, is it? And I think it even\Nlaunches a browser then on the smartphone, Dialogue: 0,0:22:42.15,0:22:48.34,Default,,0000,0000,0000,,whatever. It's just crazy. And then I was\Ntrying to call Deutsche Telekom and I'm a Dialogue: 0,0:22:48.34,0:22:52.12,Default,,0000,0000,0000,,business customer. So it's just like\Nthree minutes for a call for me. So giving Dialogue: 0,0:22:52.12,0:22:57.70,Default,,0000,0000,0000,,a call there is nice. And then the first thing\Nthey told me is: "You are secure. We know Dialogue: 0,0:22:57.70,0:23:03.08,Default,,0000,0000,0000,,you have three SIM cards and they are all\Nup to date." So I have to say, one of them Dialogue: 0,0:23:03.08,0:23:08.13,Default,,0000,0000,0000,,is more than 10 years old, but maybe it's\Nup to date. And my answer is like, what Dialogue: 0,0:23:08.13,0:23:12.52,Default,,0000,0000,0000,,exactly is running on my SIM card? They of\Ncourse not answered. So yeah, something is Dialogue: 0,0:23:12.52,0:23:16.75,Default,,0000,0000,0000,,running there. 
If you want to know more\Nabout SIM cards, there has been talk Dialogue: 0,0:23:16.75,0:23:22.57,Default,,0000,0000,0000,,already yesterday evening and it's already\Nonline. And then there's also a lot of Dialogue: 0,0:23:22.57,0:23:27.17,Default,,0000,0000,0000,,people looking into LTE. And I think the\Nmost popular one is to work by Yongdae Dialogue: 0,0:23:27.17,0:23:33.22,Default,,0000,0000,0000,,Kim. He did even some LTE fuzzing\Nframework that he didn't release publicly Dialogue: 0,0:23:33.22,0:23:39.22,Default,,0000,0000,0000,,so far, because of the findings. So it's\Nlike, should you publish? Should you not Dialogue: 0,0:23:39.22,0:23:44.20,Default,,0000,0000,0000,,publish? But so the findings are super\Ninteresting. And he also has students here Dialogue: 0,0:23:44.20,0:23:51.75,Default,,0000,0000,0000,,who just did a talk this morning.\NResponsible disclosure. So that's the Dialogue: 0,0:23:51.75,0:23:57.56,Default,,0000,0000,0000,,thing. When you find stuff you need to do\Nis responsible disclosure. And so I said Dialogue: 0,0:23:57.56,0:24:02.36,Default,,0000,0000,0000,,Jan was writing a lot of e-mails. And one\Nof the first that he wrote was to ThreadX, Dialogue: 0,0:24:02.36,0:24:08.06,Default,,0000,0000,0000,,because ThreadX is the operating system\Nthat runs on the Broadcom Bluetooth Dialogue: 0,0:24:08.06,0:24:14.47,Default,,0000,0000,0000,,chip. And so he said, like, your\Nheap is a bit broken and does not have any Dialogue: 0,0:24:14.47,0:24:18.64,Default,,0000,0000,0000,,checks. You could implement the following\Nchecks, which are pretty cheap and it Dialogue: 0,0:24:18.64,0:24:22.44,Default,,0000,0000,0000,,should be cool. And then I could not\Nattack it anymore. 
And then ThreadX was Dialogue: 0,0:24:22.44,0:24:28.04,Default,,0000,0000,0000,,answering, which was a bit unexpected,\Nthat they already knew about this Dialogue: 0,0:24:28.04,0:24:33.38,Default,,0000,0000,0000,,exploitation technique and that it is up\Nto the application to not be vulnerable to Dialogue: 0,0:24:33.38,0:24:37.83,Default,,0000,0000,0000,,memory corruption, so not to cause any\Nmemory corruption. So it's the programmers Dialogue: 0,0:24:37.83,0:24:42.02,Default,,0000,0000,0000,,fault if they do something and it's not\Nthe operating system that has to take care Dialogue: 0,0:24:42.02,0:24:51.64,Default,,0000,0000,0000,,of the heap. Okay. Yeah. Next issue. So\Nthe bin diffing and the testing if a Dialogue: 0,0:24:51.64,0:24:56.59,Default,,0000,0000,0000,,vulnerability is still there. So you might\Nnot always get feedback from all the Dialogue: 0,0:24:56.59,0:25:01.46,Default,,0000,0000,0000,,vendors. If they fix it, they may just fix\Nit at a certain point in time and then you Dialogue: 0,0:25:01.46,0:25:04.62,Default,,0000,0000,0000,,tell them all we tested the next release\Nand it's still vulnerable. And then they Dialogue: 0,0:25:04.62,0:25:08.38,Default,,0000,0000,0000,,would say, like for Samsung said, Yeah, we\Ncannot send your patches in advance Dialogue: 0,0:25:08.38,0:25:12.09,Default,,0000,0000,0000,,without an NDA because Broadcom, blah,\Nblah, blah and so on and so forth. And Dialogue: 0,0:25:12.09,0:25:17.25,Default,,0000,0000,0000,,then Broadcom offered to send us patches\Nin advance. And I said, Yeah. Nice. And I Dialogue: 0,0:25:17.25,0:25:21.50,Default,,0000,0000,0000,,also sent them a device list because they\Nalready knew it from the previous process. Dialogue: 0,0:25:21.50,0:25:24.61,Default,,0000,0000,0000,,So if you tell them the following 10\Ndevices have an issue, then you would Dialogue: 0,0:25:24.61,0:25:28.77,Default,,0000,0000,0000,,already know that we can test those\Ndevices anyway. 
And so and after I sent Dialogue: 0,0:25:28.77,0:25:33.52,Default,,0000,0000,0000,,them the list, they said: "Oh, wait, but\Nyou need an NDA." So no, I mean, we are Dialogue: 0,0:25:33.52,0:25:40.56,Default,,0000,0000,0000,,doing this for free anyway. And signing an\NNDA, I wouldn't do that. Yeah. So overall, Dialogue: 0,0:25:40.56,0:25:44.55,Default,,0000,0000,0000,,it also did Broadcom Product Security\NIncident Response Team is a bit strange so Dialogue: 0,0:25:44.55,0:25:49.55,Default,,0000,0000,0000,,they wouldn't hand out any CVEs. And what\NI mean what I do is like I first get a CVE Dialogue: 0,0:25:49.55,0:25:53.06,Default,,0000,0000,0000,,and then informed them and the other\Ncustomers because I also don't get any Dialogue: 0,0:25:53.06,0:25:56.50,Default,,0000,0000,0000,,incident number or something. So if I\Nwouldn't do this, I wouldn't have any Dialogue: 0,0:25:56.50,0:26:03.14,Default,,0000,0000,0000,,number to refer a vulnerability to. And\Nwell, at least they are also not doing Dialogue: 0,0:26:03.14,0:26:07.48,Default,,0000,0000,0000,,that much legal trouble. But it's just.\NYeah, not really something happening Dialogue: 0,0:26:07.48,0:26:13.86,Default,,0000,0000,0000,,there. But some of their customers were\Nnice at least to my students, so they paid. Dialogue: 0,0:26:13.86,0:26:17.95,Default,,0000,0000,0000,,So one customer, they don't want to be\Nnamed here, but they payed to fly to DefCon Dialogue: 0,0:26:17.95,0:26:22.16,Default,,0000,0000,0000,,for one of my students and Samsung gave a\Nbounty off one thousand dollar. I mean, Dialogue: 0,0:26:22.16,0:26:26.63,Default,,0000,0000,0000,,still I mean we are in the range of of\Nvery very more expensive exploits if it Dialogue: 0,0:26:26.63,0:26:31.04,Default,,0000,0000,0000,,would be on the black market, but for\Nstudents it's definitely nice. Yeah. Dialogue: 0,0:26:31.04,0:26:34.86,Default,,0000,0000,0000,,Responsible disclosure timelines. 
So this\Nis something that I thought like maybe Dialogue: 0,0:26:34.86,0:26:38.50,Default,,0000,0000,0000,,some of this responsible disclosure\Ntimeline is just because of how I Dialogue: 0,0:26:38.50,0:26:42.35,Default,,0000,0000,0000,,communicate with the vendor. And sometimes\NI'm writing e-mails like a five year old Dialogue: 0,0:26:42.35,0:26:49.40,Default,,0000,0000,0000,,or something - I don't know. But actually.\NSo this is a timeline of Quarkslab, who Dialogue: 0,0:26:49.40,0:26:54.49,Default,,0000,0000,0000,,also found just this year vulnerabilities\Nin Broadcom Wi-Fi chips. And so they've Dialogue: 0,0:26:54.49,0:27:00.84,Default,,0000,0000,0000,,also asked about NDA and then also their\Nexploit timeline. It's a bit fun because Dialogue: 0,0:27:00.84,0:27:04.65,Default,,0000,0000,0000,,they had similar exploitation strategies\Nas the very first exploit that you could Dialogue: 0,0:27:04.65,0:27:10.71,Default,,0000,0000,0000,,see by Google Project Zero and then, yeah,\Nmore distorted timeline, whatever. And in Dialogue: 0,0:27:10.71,0:27:18.81,Default,,0000,0000,0000,,the end, well. So it's just taking time.\NAnd again, no CVE id issued and so on and Dialogue: 0,0:27:18.81,0:27:26.11,Default,,0000,0000,0000,,so forth. So it's the very same stuff for\Nothers, which is pretty sad. And then so Dialogue: 0,0:27:26.11,0:27:31.23,Default,,0000,0000,0000,,for Cyprus, which is partially having\Nsource code of Broadcom, it also Dialogue: 0,0:27:31.23,0:27:36.59,Default,,0000,0000,0000,,manufactures chips. It's also very slow\Nfor the response of disclosure. And then I Dialogue: 0,0:27:36.59,0:27:40.22,Default,,0000,0000,0000,,got told by other people, like, yeah, if\Nyou would disclose something to Qualcomm, Dialogue: 0,0:27:40.22,0:27:46.10,Default,,0000,0000,0000,,it also takes very long. And luckily we\Ndidn't find something in an Intel CPU. But Dialogue: 0,0:27:46.10,0:27:49.71,Default,,0000,0000,0000,,yeah, there is ... 
so on the wireless\Nmarket, there still so many other vendors Dialogue: 0,0:27:49.71,0:27:56.31,Default,,0000,0000,0000,,to become friends with. So yeah. So\Npractical solutions to end my talk. What Dialogue: 0,0:27:56.31,0:28:01.11,Default,,0000,0000,0000,,could you do to defend yourself if you\Ndon't have a tinfoil hat? Other things I Dialogue: 0,0:28:01.11,0:28:06.62,Default,,0000,0000,0000,,can recommend is the secure Wi-Fi set up.\NSo don't use antennas, just use antenna Dialogue: 0,0:28:06.62,0:28:13.39,Default,,0000,0000,0000,,cables. If you do that in our lap a lot.\NSo this is a setup by Felix. And so when I Dialogue: 0,0:28:13.39,0:28:17.71,Default,,0000,0000,0000,,was sending my slides to Francesca in\Nadvance she just said "cool, I have the Dialogue: 0,0:28:17.71,0:28:23.96,Default,,0000,0000,0000,,same one right now at my desktop". So it's\Na very common setup. Maybe not at your Dialogue: 0,0:28:23.96,0:28:30.45,Default,,0000,0000,0000,,home, but for us it is. Or you'd just go\Nto the air-gapped device. So this is my Dialogue: 0,0:28:30.45,0:28:37.40,Default,,0000,0000,0000,,Powerbook 170, that's a really great\Ndevice. Almost impossible to get it online Dialogue: 0,0:28:37.40,0:28:45.31,Default,,0000,0000,0000,,and it has Word and Excel.\NSo ask all the questions. Dialogue: 0,0:28:45.31,0:28:54.15,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:28:54.15,0:28:58.25,Default,,0000,0000,0000,,Herald Angel: Thank you very much to\Njiska. We still have several minutes left. Dialogue: 0,0:28:58.25,0:29:03.00,Default,,0000,0000,0000,,You will find eight microphones in the\Nroom. Please line up in behind the Dialogue: 0,0:29:03.00,0:29:08.19,Default,,0000,0000,0000,,microphones to ask a question. And the\Nfirst question goes to the Internet. 
Dialogue: 0,0:29:08.19,0:29:12.52,Default,,0000,0000,0000,,Signal Angel: So at jiska, the question\Nis, are the Bluetooth issues you are Dialogue: 0,0:29:12.52,0:29:17.74,Default,,0000,0000,0000,,talking about also present in Bluetooth\NLow Energy IoT devices. Dialogue: 0,0:29:17.74,0:29:22.83,Default,,0000,0000,0000,,jiska: Yes. So, I mean, there is IoT\Ndevices, I cannot tell the vendor, but Dialogue: 0,0:29:22.83,0:29:28.62,Default,,0000,0000,0000,,there is also some popular devices that\Nhave like Cypress Broadcom chips and then Dialogue: 0,0:29:28.62,0:29:33.38,Default,,0000,0000,0000,,it's even worse because they don't have a\Nseparate stack, but often they have an Dialogue: 0,0:29:33.38,0:29:37.11,Default,,0000,0000,0000,,application running on the same arm core\Nand then you don't even need any Dialogue: 0,0:29:37.11,0:29:40.07,Default,,0000,0000,0000,,escalation.\NHerald: All right. We have another Dialogue: 0,0:29:40.07,0:29:42.72,Default,,0000,0000,0000,,question at the microphone number one,\Nplease. Dialogue: 0,0:29:42.72,0:29:47.39,Default,,0000,0000,0000,,Microphone 1: Thank you for the talk. My\Nquestion is, could you like did you Dialogue: 0,0:29:47.39,0:29:53.85,Default,,0000,0000,0000,,actually when you fuzzed the Bluetooth low\Nenergy chip, did you when you managed to Dialogue: 0,0:29:53.85,0:29:57.71,Default,,0000,0000,0000,,get code execution, did you actually\Nclimb up the protocol? Dialogue: 0,0:29:57.71,0:30:01.07,Default,,0000,0000,0000,,Did you like access Bluetooth profiles or\Nsomething like this? Dialogue: 0,0:30:01.07,0:30:06.81,Default,,0000,0000,0000,,jiska: Ah, so we, for example with the\Nlink key extraction, we were building some Dialogue: 0,0:30:06.81,0:30:14.80,Default,,0000,0000,0000,,proof of concepts. But so it depends. We\Ndon't currently have like a fully exploit Dialogue: 0,0:30:14.80,0:30:18.93,Default,,0000,0000,0000,,chain in terms of first on the chip and\Nthen on the host. 
We have something that Dialogue: 0,0:30:18.93,0:30:25.97,Default,,0000,0000,0000,,goes directly on some hosts, but yeah,\Nthere's tons of things there to do. Sorry? Dialogue: 0,0:30:25.97,0:30:30.17,Default,,0000,0000,0000,,Microphone 1: Yeah. And when you fuzz the\N... how did you actually fuzz the chip Dialogue: 0,0:30:30.17,0:30:33.61,Default,,0000,0000,0000,,itself? How did you extract the\Nfirmware from the chip? Dialogue: 0,0:30:33.61,0:30:37.20,Default,,0000,0000,0000,,jiska: So there is ... so Broadcom and\NCyprus are very nice because they have a Dialogue: 0,0:30:37.20,0:30:41.89,Default,,0000,0000,0000,,read RAM command so you don't need any\Nsecure bypass or something. And for the Dialogue: 0,0:30:41.89,0:30:50.71,Default,,0000,0000,0000,,evaluation kits, there is even symbols\Nthat we found in it. So symbols only means Dialogue: 0,0:30:50.71,0:30:55.70,Default,,0000,0000,0000,,like function names and global variable\Nnames, that's it. But that's something to Dialogue: 0,0:30:55.70,0:30:59.32,Default,,0000,0000,0000,,work with.\NHerald: Thank you. Another question from Dialogue: 0,0:30:59.32,0:31:02.74,Default,,0000,0000,0000,,the Internet, please.\NSignal: Would you like the return of Dialogue: 0,0:31:02.74,0:31:06.48,Default,,0000,0000,0000,,physical switches for\Nthe network controller? Dialogue: 0,0:31:06.48,0:31:11.38,Default,,0000,0000,0000,,jiska: Yeah, so that would be nice to like\Nphysically switch it off. Actually, I Dialogue: 0,0:31:11.38,0:31:14.73,Default,,0000,0000,0000,,don't know where Paul is, but he is\Nbuilding ... There is Paul. He is building Dialogue: 0,0:31:14.73,0:31:22.44,Default,,0000,0000,0000,,such a device. When is your talk at 10\No'clock. Paul is giving a talk about a Dialogue: 0,0:31:22.44,0:31:25.88,Default,,0000,0000,0000,,device where you have a physical\Ncontroller to switch off your wireless Dialogue: 0,0:31:25.88,0:31:28.89,Default,,0000,0000,0000,,stuff.\NHerald: OK. 
The next question is again Dialogue: 0,0:31:28.89,0:31:33.56,Default,,0000,0000,0000,,microphone number one, please.\NMicrophone 1: Yes. Thank you. We just Dialogue: 0,0:31:33.56,0:31:38.98,Default,,0000,0000,0000,,bought a new car and by because\Nconnecting the Bluetooth of my phone to Dialogue: 0,0:31:38.98,0:31:45.62,Default,,0000,0000,0000,,the car's system was very, very hard. And\NI had to reboot the radio several times. Dialogue: 0,0:31:45.62,0:31:51.55,Default,,0000,0000,0000,,And then I found a message that the radio\Nmust be directly connected to the CAN-bus Dialogue: 0,0:31:51.55,0:31:57.09,Default,,0000,0000,0000,,of the car. So you have a blueooth stack\Nconnected directly to a CAN-bus. It was a Dialogue: 0,0:31:57.09,0:32:02.25,Default,,0000,0000,0000,,very cheap car. But if you\Nhave an idea of what this means then... Dialogue: 0,0:32:02.25,0:32:08.22,Default,,0000,0000,0000,,jiska: Can you can you borrow me that car?\NMicrophone 1: It's a Toyota Aygo, you can Dialogue: 0,0:32:08.22,0:32:13.82,Default,,0000,0000,0000,,have it everywhere.\Njiska: Well, that shouldn't be. Dialogue: 0,0:32:13.82,0:32:17.24,Default,,0000,0000,0000,,Herald: Alright, do we have a question at\Nmicrophone number eight, please? Dialogue: 0,0:32:17.24,0:32:21.59,Default,,0000,0000,0000,,Microphone 8: Hi and thank you for the\Ntalk first of all. Uh well, if I Dialogue: 0,0:32:21.59,0:32:26.73,Default,,0000,0000,0000,,understood correctly, you said that the\Nvendors didn't mention if they fixed it or Dialogue: 0,0:32:26.73,0:32:32.09,Default,,0000,0000,0000,,not or they don't know if they fixed it.\Njiska: Umm, yeah. So it depends. 
I know Dialogue: 0,0:32:32.09,0:32:36.65,Default,,0000,0000,0000,,like so if you look into the Android\Nsecurity updates, so for example, August 5 Dialogue: 0,0:32:36.65,0:32:40.92,Default,,0000,0000,0000,,has some Broadcom issue that was fixed and\NI know which one that was and so on and so Dialogue: 0,0:32:40.92,0:32:46.99,Default,,0000,0000,0000,,forth. But so then it also means I like to\Nget that one onto a Samsung device. I Dialogue: 0,0:32:46.99,0:32:50.39,Default,,0000,0000,0000,,would need ... so they wouldn't build it\Nin the August update, but only in the Dialogue: 0,0:32:50.39,0:32:55.16,Default,,0000,0000,0000,,September update and then release it to\NEurope, which is like mid or end of Dialogue: 0,0:32:55.16,0:32:59.37,Default,,0000,0000,0000,,September. And then I could download it to\Nmy phone and test it over the air if it's Dialogue: 0,0:32:59.37,0:33:06.63,Default,,0000,0000,0000,,like really fixed and so on and so forth.\NSo it's ... there is like the first thing Dialogue: 0,0:33:06.63,0:33:10.19,Default,,0000,0000,0000,,is like that is listed publicly that it is\Nfixed. And then the next thing is that it Dialogue: 0,0:33:10.19,0:33:14.89,Default,,0000,0000,0000,,is actually fixed and it's really hard.\NAnd for the communication with Apple, I Dialogue: 0,0:33:14.89,0:33:18.06,Default,,0000,0000,0000,,don't know. So sometimes they fix it\Nsilently without mentioning us. And then Dialogue: 0,0:33:18.06,0:33:24.44,Default,,0000,0000,0000,,there's this iOS 13 thing where they\Nmentioned us but didn't fix it. So, yeah. Dialogue: 0,0:33:24.44,0:33:27.72,Default,,0000,0000,0000,,Microphone 8: Were there any issues like\Nthat they found and they didn't know if Dialogue: 0,0:33:27.72,0:33:31.20,Default,,0000,0000,0000,,they fixed it or not. And you did like\Npatch-diffing or something like that? 
Dialogue: 0,0:33:31.20,0:33:35.06,Default,,0000,0000,0000,,jiska: Yeah, I did a lot of patch-diffing\Nand I currently have a student who is Dialogue: 0,0:33:35.06,0:33:40.21,Default,,0000,0000,0000,,doing nothing else than developing diffing\Ntools for the particular issues that I Dialogue: 0,0:33:40.21,0:33:42.83,Default,,0000,0000,0000,,have.\NMicrophone 8: And did you find that they Dialogue: 0,0:33:42.83,0:33:45.93,Default,,0000,0000,0000,,fixed it or not?\Njiska: So it's first of all ... so we are Dialogue: 0,0:33:45.93,0:33:50.75,Default,,0000,0000,0000,,... so first of all, it's currently about\Nspeed and stuff and I gave him some some Dialogue: 0,0:33:50.75,0:33:54.33,Default,,0000,0000,0000,,iPhone stuff for the next task.\NBut yes, it's work in progress. So most of Dialogue: 0,0:33:54.33,0:33:59.70,Default,,0000,0000,0000,,the other stuff I did by hand, so I also\Nhave a good idea about like what a changed Dialogue: 0,0:33:59.70,0:34:05.20,Default,,0000,0000,0000,,within each kind of chip generation.\NMicrophone 8: Okay. Thank you very much. Dialogue: 0,0:34:05.20,0:34:09.18,Default,,0000,0000,0000,,Herald: All right. We had another question\Nfrom the Internet. Dialogue: 0,0:34:09.18,0:34:13.82,Default,,0000,0000,0000,,Signal: Yes. So from Mastodon, how exactly\Nwas the snapshot of the Samsung Bluetooth Dialogue: 0,0:34:13.82,0:34:18.20,Default,,0000,0000,0000,,stack extracted for the fuzzing process?\Njiska: The Samsung is ... so for Samsung Dialogue: 0,0:34:18.20,0:34:24.15,Default,,0000,0000,0000,,we have snap shotting, but for Samsung, we\Ndon't have the rest of Frankenstein. The Dialogue: 0,0:34:24.15,0:34:30.86,Default,,0000,0000,0000,,other stuff is running on an evaluation\Nboard. So the first part is mapping all Dialogue: 0,0:34:30.86,0:34:34.68,Default,,0000,0000,0000,,the hardware registers. So this is the\Nfirst trip that runs and tries to find Dialogue: 0,0:34:34.68,0:34:40.62,Default,,0000,0000,0000,,like all the memory regions. 
And once that\Nis done, there is a snapshotting hook that Dialogue: 0,0:34:40.62,0:34:44.13,Default,,0000,0000,0000,,you set to the function. So let's say you\Nwant to look into a device scanning so you Dialogue: 0,0:34:44.13,0:34:48.76,Default,,0000,0000,0000,,would set the function into device\Nscanning. And once that it's called by the Dialogue: 0,0:34:48.76,0:34:53.53,Default,,0000,0000,0000,,Linux stack, he would freeze the whole chip\Nand disable like other interrupt stuff, Dialogue: 0,0:34:53.53,0:34:57.58,Default,,0000,0000,0000,,whatever that would kill it otherwise and\Nthen copy everything that is in the Dialogue: 0,0:34:57.58,0:35:02.68,Default,,0000,0000,0000,,registers ... so that is kind of the snap\Nshotting. And once you have a snapshot, Dialogue: 0,0:35:02.68,0:35:08.12,Default,,0000,0000,0000,,then you can try to find everything that\Nkills your emulation like interrupts again Dialogue: 0,0:35:08.12,0:35:12.74,Default,,0000,0000,0000,,and thread switches and so on.\NHerald: All right. We have one more Dialogue: 0,0:35:12.74,0:35:15.81,Default,,0000,0000,0000,,question from microphone, number one,\Nplease. Dialogue: 0,0:35:15.81,0:35:21.38,Default,,0000,0000,0000,,Microphone 1: OK. So do you think that\Nopen source, the driver or that open Dialogue: 0,0:35:21.38,0:35:25.50,Default,,0000,0000,0000,,hardware design will improve the\Nsituation? Dialogue: 0,0:35:25.50,0:35:30.95,Default,,0000,0000,0000,,jiska: So open source? I think it would\Nimprove the situation. But also one thing. Dialogue: 0,0:35:30.95,0:35:36.63,Default,,0000,0000,0000,,So I had to talk at mrmcd in September\Nthis year. Another thing which is not Dialogue: 0,0:35:36.63,0:35:41.19,Default,,0000,0000,0000,,about open source is that the patching\Ncapabilities of the Broadcom bluetooth Dialogue: 0,0:35:41.19,0:35:47.98,Default,,0000,0000,0000,,chips are very limited in terms of how\Nmuch can be fixed. 
So just open sourcing Dialogue: 0,0:35:47.98,0:35:54.12,Default,,0000,0000,0000,,wouldn't help Broadcom, for example.\NMicrophone 1: Like you mean like the Dialogue: 0,0:35:54.12,0:35:59.51,Default,,0000,0000,0000,,firmware is burnt into the chip and it's\Nlimited to ... Dialogue: 0,0:35:59.51,0:36:01.18,Default,,0000,0000,0000,,jiska: Yeah\NMicrophone 1: Yeah, it's limited, right? Dialogue: 0,0:36:01.18,0:36:06.43,Default,,0000,0000,0000,,jiska: Yes, it's in the ROM. And then you\Nhave patch ROM slots and you have like 128 Dialogue: 0,0:36:06.43,0:36:10.90,Default,,0000,0000,0000,,patch ROM slot and each patch ROM slot is\Na four byte override breakpoint thingy Dialogue: 0,0:36:10.90,0:36:14.88,Default,,0000,0000,0000,,that branches then somewhere else into\NRAM. And then RAM is also limited. Dialogue: 0,0:36:14.88,0:36:21.43,Default,,0000,0000,0000,,So you couldn't like branch into large\Nchunks of RAM all the time. Yeah. Dialogue: 0,0:36:21.43,0:36:25.28,Default,,0000,0000,0000,,Microphone 1: Thank you.\NHerald: All right. If there are not any Dialogue: 0,0:36:25.28,0:36:28.19,Default,,0000,0000,0000,,more questions?\Njiska: Internet! Dialogue: 0,0:36:28.19,0:36:31.87,Default,,0000,0000,0000,,Herald: Internet? Oh, more Internet\Nquestions. Then, please go ahead. Dialogue: 0,0:36:31.87,0:36:36.24,Default,,0000,0000,0000,,Signal: Yes. So winfreak on Twitter asks\Nwhat stack was tested when mentioning Dialogue: 0,0:36:36.24,0:36:40.70,Default,,0000,0000,0000,,Android? There are several and Google is\Nconvinced rewriting it every year is a Dialogue: 0,0:36:40.70,0:36:45.22,Default,,0000,0000,0000,,good idea.\Njiska: Ah, yeah. So this stuff that's like Dialogue: 0,0:36:45.22,0:36:51.14,Default,,0000,0000,0000,,the standard stack that runs on a Samsung\Nphone for example. So I think, like for Dialogue: 0,0:36:51.14,0:36:55.00,Default,,0000,0000,0000,,the main entry, there's only one ... 
I\Nknow that there's like legacy stacks, but Dialogue: 0,0:36:55.00,0:37:02.34,Default,,0000,0000,0000,,they switch to only one.\NHerald: So Signal Angel, do you have more Dialogue: 0,0:37:02.34,0:37:10.20,Default,,0000,0000,0000,,for us?\NSignal: Yes. What is your hat made of? Dialogue: 0,0:37:10.20,0:37:18.44,Default,,0000,0000,0000,,jiska: My hat? So it's like aluminum foil.\NAnd then there is the cyber cyber thingy. Dialogue: 0,0:37:18.44,0:37:26.27,Default,,0000,0000,0000,,So that's also important. Yeah. So but as\NI said, it doesn't really help. It would Dialogue: 0,0:37:26.27,0:37:31.87,Default,,0000,0000,0000,,more help to put the smartphone in a\Nblender, for example. Dialogue: 0,0:37:31.87,0:37:35.95,Default,,0000,0000,0000,,Herald: Alright. Thank you very much for\Nthis awesome talk. Give her a huge round Dialogue: 0,0:37:35.95,0:37:37.74,Default,,0000,0000,0000,,of applause to jiska. Dialogue: 0,0:37:37.74,0:37:40.98,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:37:40.98,0:37:44.29,Default,,0000,0000,0000,,{\i1}36c3 postroll{\i0} Dialogue: 0,0:37:44.29,0:38:08.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!