Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices

Bluetooth is among the dominant standards for wireless short-range communication with multi-billion Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished observing the Host Controller Interface (HCI) between the operating system's driver and the Bluetooth chip. However, the HCI does not provide insights to tasks running inside a Bluetooth chip or Link Layer (LL) packets exchanged over the air. As of today, consumer hardware internal behavior can only be observed with external, and often expensive tools, that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, test mode, and memory peek and poke

InternalBlue - Bluetooth Binary Patching and Experimentation Framework

Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework---outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware

FLAMINGO – Fulfilling enhanced location accuracy in the mass-market through initial GalileO services

This paper discusses FLAMINGO, an initiative that will provide a high accuracy positioning service to be used by mass market applications. The status and future for the initiative are discussed, the required accuracies and other location parameters are described, and the target applications are identified. Finally, the currently achieved accuracies from today’s Smartphones are assessed and presented. FLAMINGO (Fulfilling enhanced Location Accuracy in the Mass-market through Initial GalileO services), part funded through the European GNSS Agency, is a collaborative venture comprising NSL (as lead organization), Telespazio France, University of Nottingham, Rokubun, Thales Alenia Space France, VVA, BQ, ECLEXYS and Blue Dot Solutions. The initiative is developing the infrastructure, solutions and services to enable the use of accurate and precise GNSS within the mass-market, thereby operating predominantly in an urban environment. Whilst mass-market receivers are yet to achieve accuracies below one metre for standard positioning, the introduction of Android raw GNSS measurements and the Broadcom dual frequency chipset (BCM47755), has presented the devices such an opportunity. FLAMINGO will enable and demonstrate the future of high accuracy positioning and navigation information on mass-market devices such as smartphones and Internet of Things (IoT) devices by producing a service delivering accuracies of 50cm (at 95%) and better, employing multi-constellation, PPP and RTK mechanisms, power consumption optimisation techniques. Whereas the Galileo High Accuracy Service targets 10cm precision within professional markets, FLAMINGO targets 30-50cm precision in the mass-market consumer markets. By targeting accuracies of a few decimetres, a range of improved and new applications in diverse market sectors are introduced. These sectors include, but are not limited to, mapping and GIS, autonomous vehicles, AR environments, mobile-location based gaming and people tracking. To obtain such high accuracies with mass market devices, FLAMINGO must overcome several challenges which are technical, operational and environmental. This includes the hardware capabilities of most mass-market devices, where components such as antennas and processors are prioritised for other purposes. We demonstrate that, despite these challenges, FLAMINGO has the potential to meet the accuracy required. Tests with the current Smartphones that provide access to multi-constellation raw measurements (the dual frequency Xiaomi Mi 8 and single frequency Samsung S8 and Huawei P10) demonstrate significant improvements to the PVT solution when processing using both RTK and PPP techniques

Vertical Merger Enforcement Actions: 1994–April 2020

We have revised our earlier listing of vertical merger enforcement actions by the Department of Justice and Federal Trade Commission since 1994. This revised listing includes 66 vertical matters beginning in 1994 through April 2020. It includes challenges and certain proposed transactions that were abandoned in the face of Agency concerns. This listing can be treated as an Appendix to Steven C. Salop and Daniel P. Culley, Revising the Vertical Merger Guidelines: Policy Issues and an Interim Guide for Practitioners, 4 JOURNAL OF ANTITRUST ENFORCEMENT 1 (2016)

Guest editorial for the special issue on software-defined radio transceivers and circuits for 5G wireless communications

Yichuang Sun, Baoyong Chi, and Heng Zhang, Guest Editorial for the Special Issue on Software-Defined Radio Transceivers and Circuits for 5G Wireless Communications, published in IEEEE Transactions on Circuits and Systems II: Express Briefs, Vol. 63 (1): 1-3, January 2016, doi: https://doi.org/10.1109/TCSII.2015.2506979.Peer reviewedFinal Accepted Versio

Software for Wearable Devices: Challenges and Opportunities

Wearable devices are a new form of mobile computer system that provides exclusive and user-personalized services. Wearable devices bring new issues and challenges to computer science and technology. This paper summarizes the development process and the categories of wearable devices. In addition, we present new key issues arising in aspects of wearable devices, including operating systems, database management system, network communication protocol, application development platform, privacy and security, energy consumption, human-computer interaction, software engineering, and big data.Comment: 6 pages, 1 figure, for Compsac 201

Behind the Curtain: How the 10 Largest Mutual Fund Families Voted When Presented with 12 Opportunities to Curb CEO Pay Abuse in 2004

[Excerpt] On August 31, 2004, for the first time, the nation’s mutual fund companies reported how they cast their proxy votes at the public companies in which they invest. The disclosure is the result of Securities and Exchange Commission rules adopted in January 2003, rules that the AFL-CIO first petitioned for in December 2000 and that the mutual fund industry strenuously opposed. This report evaluates how the 10 largest mutual fund families voted when presented with the opportunity to curb CEO pay abuses at a dozen S&P 500 companies in 2004. We chose executive compensation as our benchmark because, in the words of billionaire investor Warren Buffet, “The acid test for reform will be CEO compensation.” We found that, when it comes to voting proxies on proposals involving CEO pay abuses, there is significant variation among fund families. The scores in our survey ranged from a high of 100% for American Century to a low of 20% for Putnam