-
36C3 preroll music
-
Herald Angel: Our next speaker is jiska.
jiska is attending this conference since
-
ages like a decade? even more?
jiska: 20, 22 C3
-
Herald Angel: Long, long time. Sometimes
she is also doing some talks here. The
-
last one last year was about Bluetooth.
There she was in depth. This time it will
-
be a more general talk about wireless
protocols NFC, LTE, Wi-Fi, and, of course,
-
Bluetooth. So she will tell us what is
broken in all those protocols. So have fun
-
and enjoy the talk "All wireless
communications stacks are equally broken"
-
by jiska.
-
applause
-
jiska: So welcome to my talk. I thought it
first to be a foundation talk, but it will
-
also have new topics about everything that
is kind of fundamentally broken in
-
wireless communication and it will cover
anything in your smartphone soul like NFC,
-
Bluetooth, Wi-Fi, LTE. You could order
them like by communication range or by
-
specification length or lines of code. But
the thing is, so the specification length
-
and line of code also mean increased
complexity. And if there is increased
-
complexity, you might have issues with
security in it, in the very end. And then
-
there is something that is even worse than
LTE, which is vendor specific additions
-
that would be when you open like five
instances of IDA and like tried to
-
analyze where the wireless message is
going and what it is doing. So most of
-
this in this talk will be about wireless
exploitation and the new stuff will be
-
fuzzing techniques and a new escalation
target. But everything else is more like a
-
general view on wireless exploitation. So
first, to understand what the wireless
-
exploit does is to separate it in
different layers. So there is the lowest
-
layer, which is some hybrid chip which
runs a firmware, let's say bluetooth
-
firmware, which is then attached to a
driver. Then there's some privileged
-
stuff, it depends a bit on what kind of
system you're on. And in the end, there
-
will be applications and no matter where
you exploit is on that layer that you're
-
exploiting, some security measures become
ineffective. So, for example, if there is
-
encryption and you have an exploit for
that layer, it would become ineffective.
-
And it depends, so the higher you are, the
higher also the exploit prices get. So for
-
the Wi-Fi RCE, you would be at 100K, for
baseband RCE with local privilege
-
escalation, it gets already 200 K, and if
it's just a messenger or something, then
-
it's like really, really high in the
price. So the question is like, why is
-
this wireless stuff a bit cheaper? So
well, you need a certain distance. And so
-
that's probably a thing. And then also,
maybe they are just too easy to find. I
-
don't know. Like at least, maybe for me, I
don't know for normal people. Or maybe the
-
market demand is not that high for them.
Or they are not privileged enough. I don't
-
know. But actually they'd need like only
like non or less interaction. So. Yeah.
-
Still a thing I would say. So within the
group I am working at we had a lot of
-
wireless research and also tools that we
released. And the first one I think that
-
was running on a mobile phone is NFCGate,
which is currently managed by Max. Then
-
there is nexmon, which is our largest
project, which is patching of Broadcom
-
Wi-Fi. And Matthias, who did that, reached
his goal by just saying, like, I now have
-
kind of a software defined radio in a
commodity like Broadcom Wi-Fi chip. And so
-
he was a bit bored and kicked off two new
projects before he left, which he then
-
handed over. The first one is Qualcomm LTE
and the second one was Broadcom Bluetooth,
-
which I ended up with. And then we have
someone else who is Milan and he is doing
-
stuff that comes more like from the
application layer. So he implemented an
-
open source solution for Apple Airdrop
that you can run on your Raspberry Pi. And
-
well hackers gonna hack, so this stuff has
been used a lot for exploitation, not by
-
us, but by others. So there were three
groups using nexmon for Wi-Fi
-
exploitation, at least like what is
publicly known and like the bigger ones,
-
maybe I forget someone, but so there is a
lot of exploitation going on there. Then
-
internal blue has been used to demonstrate
an attack against a key negotiation of
-
Bluetooth just this august. And the open
Airdrop implementation was used for some
-
honeypots at Black Hat and AirDos. And
like a lot of stuff is going on there. And
-
then you might ask yourself, like, yeah,
so, if everybody is using it for
-
exploitation why don't we just do it
ourselves. And we actually did that and we
-
even did that for this very first project,
this NFC project. And the most important
-
thing you need to know about NFC is that
the near field is not really a near field.
-
So there's -- it's just communication, but
it's not near field communication, which
-
means so if you are able to forward the
communication, so for example, you have
-
like your credit card and then a
smartphone with NFC, you could forward it
-
over the cloud or some server and then to
another smartphone and then to the payment
-
terminal. And usually there's no time
constraint or distance pounding that would
-
prevent this. So you can at least forward
and relay messages and you might even be
-
able to modify them on the way. And some
students of us did like some testing in
-
some systems of some third parties who
then politely asked them to please stop
-
the testing. So it was not really a cool
thing overall. Like, not not good to
-
publish and so on. And the more happy I am
about that there's other researchers who
-
actually used some other tooling to look
into NFC. So just this month there has
-
been a talk at Black Hat, so not by us,
but by others about the visa credit cards.
-
And it's just all broken and it's cool
that some people like just did it anyway.
-
Yeah. So this is more about -- the NFC
stuff is more about forwarding and the
-
actual specification, but something that
is also cool is -- If you get code
-
execution within a chip and this is very
different attack scenario. And for
-
Bluetooth, I think it's especially bad
because of how everything is designed. And
-
the first design issue in Bluetooth is
that the encryption key is stored in a way
-
that the chip can always ask for
encryption keys here at the host, or it's
-
even already on the chip. And there is no
kind of security there. So whenever you
-
have code execution on the chip, it means
you can get all the encryption keys, not
-
of just the active connection, and then
break everything that is kind of a trusted
-
connection by this key. And that even
breaks features like the Android Smart
-
Lock. And Android Smart Lock is a thing
you can unlock your Android smartphone, if
-
you have a trusted device and if you'd
like add this, you might do this for your
-
car because it's nice in your car when you
have like your audio and your navigation
-
and everything without a locked
smartphone. But the question is like, how
-
secure is the Bluetooth of your car? Would
you trust that one to unlock your
-
smartphone? I don't know. And the next
thing is, so if you have code execution on
-
a Bluetooth chip, it also means that you
might be able to escalate into some other
-
components so that you go up all the
layers. The next question, is the exploit
-
persistent? So let's say I have something
that is running on the chip and I don't
-
know, extracting encryption keys or doing
whatever. You might ask yourself, so how
-
long will it be on the chip? I mean, it's
just a Bluetooth chip you switch Bluetooth
-
off sometimes and then the specifications.
So it's just a page like almost 1000. So
-
just like the first third of the
specification it says not the HCI_Reset
-
command will not necessarily perform a
hardware reset. This is implementation
-
defined. Then I looked into the Cypress
and Broadcom chips and saw, yeah, so if
-
you do each day reset, it's obviously not
a full hardware reset, it's just flashing
-
some queues connection stuff here and
there. So there is definitely a memory
-
area where you could put your exploit and
it would be persistent. So then you might
-
say, yeah, OK, so what do I do? I don't
know. I put my smartphone into flight mode
-
for a hard reset. That usually doesn't
work. You might also like reboot your
-
phone. In most cases, this works. For some
other coexistence stuff, I had the
-
impression that sometimes so it's a bit
strange, it might not necessarily like,
-
reset. Turning off for a while might hard-
reset the chip I think. Or you just put
-
your smartphone in a blender and then.
Yeah. So that might turn off the Bluetooth
-
chip finally. Yeah. So the next issue is
so let's say we have an exploit running
-
there, but we first need an exploit. So
the very first step is still missing as a
-
building block. And after the talk last
year, I did some stuff with the unicorn
-
and fuzzing on the chip and it was super
slow. And then suddenly Jan showed up and
-
Jan said, Hey, I want to build a fully
emulated chip for superfast fuzzing and
-
attach it to Linux and everything should
like run on the real -- like as on a real
-
system, just the over the air input will
be fast. And I was like, you cannot do
-
this for a master thesis. And then he was
building that thing within three months
-
and the remaining three months he was
writing a thesis and e-mails to vendors.
-
So here we go. What does Frankenstein do?
So it's running on an evaluation board of
-
that, yeah, it's just a normal Bluetooth
Bord that's connected to a Linux host over
-
UART and a modem over the air and then you
would snapshot that thing and emulate it
-
and give it fast input attached to the
real host. And that means that if you find
-
some vulnerability, it might be within all
the components or it might also be under
-
Linux host or it might be something that
is full stack. So you have something that
-
starts on the chip, gets to the host, the
host requests further things and then it
-
goes back to the chip. So you could build
like quite complex stuff. And for this I
-
have a short demo video. So the reason why
I do this as a video is that it might
-
happen that it finds heap overflows
otherwise. And then also it's not super
-
stable at the moment. So you can see it's
scanning for LE devices and then Wireshark
-
most of the time would get malformed
packets, but sometimes it could also get
-
normal packets and like some mesh stuff,
whatever. So this is Frankenstein running.
-
Ja, so what Jan focused on is early
connection states. That means stuff
-
where you don't need a pairing. And then
he found like heap overflows there in very
-
basic package types. So quite interesting.
And then the stuff was fixed, I think, or
-
hope, whatever. So at least like in very
recent devices and then the iPhone 11 came
-
out and in contrast to the specification,
over the air, the iPhone 11 says, hey, I'm
-
Bluetooth 5.1. I was like, wow, first
consumer device, Blueotooth 5.1. And I was
-
like, I don't really mind my way of the
exploitation as long as I can get code
-
execution on chip. So if it is with user
interaction and a pairing and whatever, I
-
don't care as long as I get code execution
on it. And then I was like, okay, let's
-
add some fuzz cases to Frankenstein,
continue fuzzing. And then I found that
-
specific evaluation board that Jan was
building this for has a problem with the
-
heap configuration for certain packet
types. And so if you change that, you
-
would hard-brick the device. I mean, I
bricked two evaluation boards trying to
-
fix stuff. So, yeah, it's just
bricked. And so that means for me to
-
continue fuzzing to write like to port
something like 200 handwritten hooks to
-
another evaluation board. It's almost
running. So there's just some stuff with
-
thread switching that's not super smooth
yet, but like it's almost on the next
-
board. And further plans are to add more
hardware. So we're also working on the
-
Samsung Galaxy S 10 and probably a MacBook
to get it in there. So then it would not
-
just be Linux, but at least macOS, maybe
Android. I don't know yet. And another
-
thing that would be cool and also we
didn't build yet, but it might be feasible
-
with some USRP X310 over PCI Express and
with FPGA and all the fancy stuff to get
-
real over the air input, which then would
mean that you would have a full queue like
-
from over the air real Bluetooth packets
going all the way up and then to a host
-
and the way back. And you could also use
that just to test your new emulation
-
scheme or whatever you want to change. So
not just security. Ja, so the next thing
-
is, so if you have code execution, what do
you do with it? And the normal approach is
-
to try to go all the layers up. But there
might also be some chip level escalation
-
and you might immediately see it on the
next picture. So this is from a Broadcom
-
chip, but that's something that you would
also see in many other chips, which is
-
that you have a shared antenna. And you
could also have two antennas, but they are
-
both on 2.5GHz and it's in the very same
smartphone super close next to each other
-
and you would get interference. So usually
you just have the same antenna and do some
-
coordination like when it's Bluetooth
sending, when it's Wi-Fi sending so that
-
they don't interfere. And this feature is
called coexistence and there is tons of
-
coexistence interfaces. So this is just
the one from Broadcom. And when I saw it,
-
I was like, oh, Francesco, let's look into
this. You know, all the Wi-Fi stuff, I
-
know all the Bluetooth stuff let's do
something. And he was like, no, it's just
-
it's just a marketing feature so that it
can like sell one chip for the price of
-
two chips or something. And I was like,
no, no, no, it must be an exploitation
-
feature. So, and then to end this
discussion, I went to Italy for eating
-
some ice cream and saw reality somewhere
in between. It's more like it's hardcoded
-
blacklisting for wireless channels and
stuff. It's traffic classes for different
-
types of traffic for Bluetooth and Wi-Fi.
And you can look it up in tons of patents
-
and it's like super, super proprietary.
And so we let's say we played a game which
-
was like I tried to steal his antenna and
he tried to steal my antenna. And so it
-
turned out, if you do that, yeah, you can
turn off Wi-Fi via Bluetooth, Bluetooth
-
via Wi-Fi. And then also like on most
phones, you need to reboot them and some
-
of them even reboot them themselves. So
this is just like a speed accelerated
-
thing with an Samsung Galaxy S 8 that is
not up to date. For iPhones, you would
-
just immediately see a reboot without any
interaction of things going off and on. So
-
Broadcom is still in the process of fixing
it. I don't know if they can fix it, but
-
they said they could fix it. But something
you should definitely fix is like the
-
driver itself so that the smartphone
reboots and so on. So I don't know. I
-
thought it would be fixed, actually, in
iOS 13 because it mentions Francesco and
-
me, but still on 13.3 I don't know, it,
it's still - um - you can
-
still crash the iPhone that way. But
-
it's just some resource blocking so it's
like not super dangerous thing, I would
-
say. And you still need a Bluetooth RCE
before you could do it and so on. But
-
still not cool that it's still not fixed.
Yeah, so what about the other stacks and
-
the escalations? So there is tons of
different Bluetooth stacks, so it's really
-
a mess. And obviously because of
Frankenstein, we had this first Linux
-
Bluetooth stack attached and so on. But,
yeah. So what has been there for a
-
wireless 2017, these BlueBorne attacks,
you might have heard of them. And they
-
found escalations like on Android,
Windows, Linux, iOS, whatever. And then
-
you might say, like in security, you often
say, so someone looked into it. It must be
-
secure now. And then there's so many
features coming. So there's all these IoT
-
devices. So everybody nowadays has
wireless headphones and fitness trackers
-
and Bluetooth always on. And in the Apple
ecosystem, it's really a mess. So if you
-
have more than one Apple device, you would
have Bluetooth enabled all the time.
-
Otherwise you couldn't use a lot of
features. And then there is like stuff
-
like Web Bluetooth so Bluetooth LE
support from within the browser. So it's
-
like a lot of new attack surfaces that
arised since then. I think -- So that's
-
more my personal estimation is, 2020 might
be more BlueBorne like attacks. The
-
saddest Bluetooth stack somehow is the
Linux Bluetooth stack. So I don't want to
-
blame the developers there. I mean, it's
not their fault, but it's not enough
-
people contributing to that project. And
if you would try to to analyze something
-
that is going on in the stack and you
don't really know what is going on, you
-
would do git blame or whatever and you
would always see the same guy as the
-
commiter. So at least if you're on a
specific problem, then there's only one
-
person committing there. And so the
picture down there actually has the same
-
guy thrice. So this is also a bit of a pun
here intended. We did some fuzzing in
-
there. We still need to evaluate some of
the results. So yeah, but I also feel like
-
nobody's really using it and it's kind of
sad. I mean, there's some Linux users, I
-
guess, but ... Yeah. Then there is the
weirdest stack I would say. So there's the
-
Apple Bluetooth stack and this one is
actually three. So there is there is the
-
MacOS Bluetooth stack. There's an iOS
Bluetooth stack. They are definitely
-
different. And then there is a third
embedded one, for example, for the
-
AirPods. They are all running different
different things. So, yeah, whatever. And
-
then they also have tons of proprietary
protocols on top of their Bluetooth stuff
-
that they're also very special. And I had
like at least two students, just one
-
porting it to iOS one to MacOS. And then
we also have students working on the other
-
protocols that are on top of Bluetooth.
And if you look into this, it's like, what
-
the hell? It's really hard to reverse
engineer because you have like three
-
different implementations and then
sometimes you're like: "yeah, okay. Maybe
-
it's also just bad code." And in the end,
so from what I saw so far, I would say
-
that it's kind of both. And then there is
the stack that I played also lots around
-
with, which is the Android Bluetooth
Stack. And they did a lot for the security
-
in the recent releases. And it annoys me
so much that when I want to get internal
-
blue running on it, I just echo to the
serial port instead so I bypass everything
-
that the operating system does. And so
something that Android cannot do, which
-
Apple does, is so Apple has all the
proprietary protocols. And if something
-
goes wrong, they immediately cut the
connection. But Android doesn't because of
-
compatibility and stuff. So you could just
send garbage for like two minutes and try
-
and see what happens. And it would
continue listening and asking and
-
confirming. But that's kind of an
overall design issue, I think. And yet
-
there's Windows and I couldn't find any
students to work on Windows. laughter
-
If someone wants to do this, that would be
great. And so another stack that's kind of
-
missing here is LTE. And I would call this
like the long term exploitation plan. So
-
it's not. I think if the long term
evaluation, evolution, whatever, but
-
exploitation I think is the best thing for
the E. So we have like tons of wireless
-
stuff where we are working on and I mean
like even PowerPC. And then there is
-
Qualcomm and they have they have this
Qualcomm hexagon DSP. I hate it so much.
-
So there's even source code leaks for
their LTE stuff. But it's just such a pain
-
to work on it. So you might have noticed
is that ARM has this LTE project with
-
Qualcomm, but it's just not fun. But other
people were doing a lot in this area and
-
they've already presented here today and
yesterday. So the first thing is the SIM
-
card in the phone. So the SIM cards should
be a thing like. From from my perspective,
-
that should be secure because it protects
your key material. And then it runs tons
-
of applications. I don't know. And then
you can exploit them and get the victim's
-
location, dial premium numbers and launch
a browser. And then I didn't really
-
understand, like there's just this WIB set
browser whatever, and then there's launch
-
browser what, is it? And I think it even
launches a browser then on the smartphone,
-
whatever. It's just crazy. And then I was
trying to call Deutsche Telekom and I'm a
-
business customer. So it's just like
three minutes for a call for me. So giving
-
a call there is nice. And then the first thing
they told me is: "You are secure. We know
-
you have three SIM cards and they are all
up to date." So I have to say, one of them
-
is more than 10 years old, but maybe it's
up to date. And my answer is like, what
-
exactly is running on my SIM card? They of
course not answered. So yeah, something is
-
running there. If you want to know more
about SIM cards, there has been talk
-
already yesterday evening and it's already
online. And then there's also a lot of
-
people looking into LTE. And I think the
most popular one is to work by Yongdae
-
Kim. He did even some LTE fuzzing
framework that he didn't release publicly
-
so far, because of the findings. So it's
like, should you publish? Should you not
-
publish? But so the findings are super
interesting. And he also has students here
-
who just did a talk this morning.
Responsible disclosure. So that's the
-
thing. When you find stuff you need to do
is responsible disclosure. And so I said
-
Jan was writing a lot of e-mails. And one
of the first that he wrote was to ThreadX,
-
because ThreadX is the operating system
that runs on the Broadcom Bluetooth
-
chip. And so he said, like, your
heap is a bit broken and does not have any
-
checks. You could implement the following
checks, which are pretty cheap and it
-
should be cool. And then I could not
attack it anymore. And then ThreadX was
-
answering, which was a bit unexpected,
that they already knew about this
-
exploitation technique and that it is up
to the application to not be vulnerable to
-
memory corruption, so not to cause any
memory corruption. So it's the programmers
-
fault if they do something and it's not
the operating system that has to take care
-
of the heap. Okay. Yeah. Next issue. So
the bin diffing and the testing if a
-
vulnerability is still there. So you might
not always get feedback from all the
-
vendors. If they fix it, they may just fix
it at a certain point in time and then you
-
tell them all we tested the next release
and it's still vulnerable. And then they
-
would say, like for Samsung said, Yeah, we
cannot send your patches in advance
-
without an NDA because Broadcom, blah,
blah, blah and so on and so forth. And
-
then Broadcom offered to send us patches
in advance. And I said, Yeah. Nice. And I
-
also sent them a device list because they
already knew it from the previous process.
-
So if you tell them the following 10
devices have an issue, then you would
-
already know that we can test those
devices anyway. And so and after I sent
-
them the list, they said: "Oh, wait, but
you need an NDA." So no, I mean, we are
-
doing this for free anyway. And signing an
NDA, I wouldn't do that. Yeah. So overall,
-
it also did Broadcom Product Security
Incident Response Team is a bit strange so
-
they wouldn't hand out any CVEs. And what
I mean what I do is like I first get a CVE
-
and then informed them and the other
customers because I also don't get any
-
incident number or something. So if I
wouldn't do this, I wouldn't have any
-
number to refer a vulnerability to. And
well, at least they are also not doing
-
that much legal trouble. But it's just.
Yeah, not really something happening
-
there. But some of their customers were
nice at least to my students, so they paid.
-
So one customer, they don't want to be
named here, but they payed to fly to DefCon
-
for one of my students and Samsung gave a
bounty off one thousand dollar. I mean,
-
still I mean we are in the range of of
very very more expensive exploits if it
-
would be on the black market, but for
students it's definitely nice. Yeah.
-
Responsible disclosure timelines. So this
is something that I thought like maybe
-
some of this responsible disclosure
timeline is just because of how I
-
communicate with the vendor. And sometimes
I'm writing e-mails like a five year old
-
or something - I don't know. But actually.
So this is a timeline of Quarkslab, who
-
also found just this year vulnerabilities
in Broadcom Wi-Fi chips. And so they've
-
also asked about NDA and then also their
exploit timeline. It's a bit fun because
-
they had similar exploitation strategies
as the very first exploit that you could
-
see by Google Project Zero and then, yeah,
more distorted timeline, whatever. And in
-
the end, well. So it's just taking time.
And again, no CVE id issued and so on and
-
so forth. So it's the very same stuff for
others, which is pretty sad. And then so
-
for Cyprus, which is partially having
source code of Broadcom, it also
-
manufactures chips. It's also very slow
for the response of disclosure. And then I
-
got told by other people, like, yeah, if
you would disclose something to Qualcomm,
-
it also takes very long. And luckily we
didn't find something in an Intel CPU. But
-
yeah, there is ... so on the wireless
market, there still so many other vendors
-
to become friends with. So yeah. So
practical solutions to end my talk. What
-
could you do to defend yourself if you
don't have a tinfoil hat? Other things I
-
can recommend is the secure Wi-Fi set up.
So don't use antennas, just use antenna
-
cables. If you do that in our lap a lot.
So this is a setup by Felix. And so when I
-
was sending my slides to Francesca in
advance she just said "cool, I have the
-
same one right now at my desktop". So it's
a very common setup. Maybe not at your
-
home, but for us it is. Or you'd just go
to the air-gapped device. So this is my
-
Powerbook 170, that's a really great
device. Almost impossible to get it online
-
and it has Word and Excel.
So ask all the questions.
-
Applause
-
Herald Angel: Thank you very much to
jiska. We still have several minutes left.
-
You will find eight microphones in the
room. Please line up in behind the
-
microphones to ask a question. And the
first question goes to the Internet.
-
Signal Angel: So at jiska, the question
is, are the Bluetooth issues you are
-
talking about also present in Bluetooth
Low Energy IoT devices.
-
jiska: Yes. So, I mean, there is IoT
devices, I cannot tell the vendor, but
-
there is also some popular devices that
have like Cypress Broadcom chips and then
-
it's even worse because they don't have a
separate stack, but often they have an
-
application running on the same arm core
and then you don't even need any
-
escalation.
Herald: All right. We have another
-
question at the microphone number one,
please.
-
Microphone 1: Thank you for the talk. My
question is, could you like did you
-
actually when you fuzzed the Bluetooth low
energy chip, did you when you managed to
-
get code execution, did you actually
climb up the protocol?
-
Did you like access Bluetooth profiles or
something like this?
-
jiska: Ah, so we, for example with the
link key extraction, we were building some
-
proof of concepts. But so it depends. We
don't currently have like a fully exploit
-
chain in terms of first on the chip and
then on the host. We have something that
-
goes directly on some hosts, but yeah,
there's tons of things there to do. Sorry?
-
Microphone 1: Yeah. And when you fuzz the
... how did you actually fuzz the chip
-
itself? How did you extract the
firmware from the chip?
-
jiska: So there is ... so Broadcom and
Cyprus are very nice because they have a
-
read RAM command so you don't need any
secure bypass or something. And for the
-
evaluation kits, there is even symbols
that we found in it. So symbols only means
-
like function names and global variable
names, that's it. But that's something to
-
work with.
Herald: Thank you. Another question from
-
the Internet, please.
Signal: Would you like the return of
-
physical switches for
the network controller?
-
jiska: Yeah, so that would be nice to like
physically switch it off. Actually, I
-
don't know where Paul is, but he is
building ... There is Paul. He is building
-
such a device. When is your talk at 10
o'clock. Paul is giving a talk about a
-
device where you have a physical
controller to switch off your wireless
-
stuff.
Herald: OK. The next question is again
-
microphone number one, please.
Microphone 1: Yes. Thank you. We just
-
bought a new car and by because
connecting the Bluetooth of my phone to
-
the car's system was very, very hard. And
I had to reboot the radio several times.
-
And then I found a message that the radio
must be directly connected to the CAN-bus
-
of the car. So you have a blueooth stack
connected directly to a CAN-bus. It was a
-
very cheap car. But if you
have an idea of what this means then...
-
jiska: Can you can you borrow me that car?
Microphone 1: It's a Toyota Aygo, you can
-
have it everywhere.
jiska: Well, that shouldn't be.
-
Herald: Alright, do we have a question at
microphone number eight, please?
-
Microphone 8: Hi and thank you for the
talk first of all. Uh well, if I
-
understood correctly, you said that the
vendors didn't mention if they fixed it or
-
not or they don't know if they fixed it.
jiska: Umm, yeah. So it depends. I know
-
like so if you look into the Android
security updates, so for example, August 5
-
has some Broadcom issue that was fixed and
I know which one that was and so on and so
-
forth. But so then it also means I like to
get that one onto a Samsung device. I
-
would need ... so they wouldn't build it
in the August update, but only in the
-
September update and then release it to
Europe, which is like mid or end of
-
September. And then I could download it to
my phone and test it over the air if it's
-
like really fixed and so on and so forth.
So it's ... there is like the first thing
-
is like that is listed publicly that it is
fixed. And then the next thing is that it
-
is actually fixed and it's really hard.
And for the communication with Apple, I
-
don't know. So sometimes they fix it
silently without mentioning us. And then
-
there's this iOS 13 thing where they
mentioned us but didn't fix it. So, yeah.
-
Microphone 8: Were there any issues like
that they found and they didn't know if
-
they fixed it or not. And you did like
patch-diffing or something like that?
-
jiska: Yeah, I did a lot of patch-diffing
and I currently have a student who is
-
doing nothing else than developing diffing
tools for the particular issues that I
-
have.
Microphone 8: And did you find that they
-
fixed it or not?
jiska: So it's first of all ... so we are
-
... so first of all, it's currently about
speed and stuff and I gave him some some
-
iPhone stuff for the next task.
But yes, it's work in progress. So most of
-
the other stuff I did by hand, so I also
have a good idea about like what a changed
-
within each kind of chip generation.
Microphone 8: Okay. Thank you very much.
-
Herald: All right. We had another question
from the Internet.
-
Signal: Yes. So from Mastodon, how exactly
was the snapshot of the Samsung Bluetooth
-
stack extracted for the fuzzing process?
jiska: The Samsung is ... so for Samsung
-
we have snap shotting, but for Samsung, we
don't have the rest of Frankenstein. The
-
other stuff is running on an evaluation
board. So the first part is mapping all
-
the hardware registers. So this is the
first trip that runs and tries to find
-
like all the memory regions. And once that
is done, there is a snapshotting hook that
-
you set to the function. So let's say you
want to look into a device scanning so you
-
would set the function into device
scanning. And once that it's called by the
-
Linux stack, he would freeze the whole chip
and disable like other interrupt stuff,
-
whatever that would kill it otherwise and
then copy everything that is in the
-
registers ... so that is kind of the snap
shotting. And once you have a snapshot,
-
then you can try to find everything that
kills your emulation like interrupts again
-
and thread switches and so on.
Herald: All right. We have one more
-
question from microphone, number one,
please.
-
Microphone 1: OK. So do you think that
open source, the driver or that open
-
hardware design will improve the
situation?
-
jiska: So open source? I think it would
improve the situation. But also one thing.
-
So I had to talk at mrmcd in September
this year. Another thing which is not
-
about open source is that the patching
capabilities of the Broadcom bluetooth
-
chips are very limited in terms of how
much can be fixed. So just open sourcing
-
wouldn't help Broadcom, for example.
Microphone 1: Like you mean like the
-
firmware is burnt into the chip and it's
limited to ...
-
jiska: Yeah
Microphone 1: Yeah, it's limited, right?
-
jiska: Yes, it's in the ROM. And then you
have patch ROM slots and you have like 128
-
patch ROM slot and each patch ROM slot is
a four byte override breakpoint thingy
-
that branches then somewhere else into
RAM. And then RAM is also limited.
-
So you couldn't like branch into large
chunks of RAM all the time. Yeah.
-
Microphone 1: Thank you.
Herald: All right. If there are not any
-
more questions?
jiska: Internet!
-
Herald: Internet? Oh, more Internet
questions. Then, please go ahead.
-
Signal: Yes. So winfreak on Twitter asks
what stack was tested when mentioning
-
Android? There are several and Google is
convinced rewriting it every year is a
-
good idea.
jiska: Ah, yeah. So this stuff that's like
-
the standard stack that runs on a Samsung
phone for example. So I think, like for
-
the main entry, there's only one ... I
know that there's like legacy stacks, but
-
they switch to only one.
Herald: So Signal Angel, do you have more
-
for us?
Signal: Yes. What is your hat made of?
-
jiska: My hat? So it's like aluminum foil.
And then there is the cyber cyber thingy.
-
So that's also important. Yeah. So but as
I said, it doesn't really help. It would
-
more help to put the smartphone in a
blender, for example.
-
Herald: Alright. Thank you very much for
this awesome talk. Give her a huge round
-
of applause to jiska.
-
applause
-
36c3 postroll
-
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!
