Finding New Bluetooth Low Energy Exploits via Reverse Engineering Multiple Vendors' Firmwares

Black Hat via YouTube

Overview

The course teaches learners how to find new Bluetooth Low Energy exploits through reverse engineering multiple vendors' firmwares. The learning outcomes include understanding the BLE protocol stack, identifying vulnerabilities at the lowest levels, and demonstrating remote code execution exploits. The course covers skills such as analyzing BLE stack configurations, setting up lab environments for debugging and testing, conducting static and dynamic analysis, and exploiting vulnerabilities like stack buffer overflows and heap buffer overflows. The teaching method involves a combination of theoretical explanations, practical demonstrations, and hands-on lab exercises. This course is intended for individuals interested in cybersecurity, Bluetooth technology, reverse engineering, and vulnerability research.

Syllabus

Intro
Learning mode
BLE stack in dual chip configuration Host
BLE stack in single chip configuration Controller
New BLE low layer vulnerabilities!
Lab setup: targets
Lab setup: for basic HW debug 1
Lab setup: for fuzzer and convenience
Lab setup: sniffers
Lab setup: packet sending HW
Lab setup: JackBNimBLE, packet sending SW
Target #1: Texas Instruments WL1835 MOD
Static analysis
Dynamic analysis
Remote code execution bugs
Stack buffer overflow 1 CVE-2019-15948
Attack packet example 1
"Quiet Place" attack
Stack buffer overflow 2 CVE-2019-15948
Attack packet example 2
Target #2
Fuzzing extended advertisements
Difference from the target #1's RCE bug
RCE: heap buffer overflow CVE-2020-15531
Impact assessment

Taught by

Black Hat
