InternalBlue - Bluetooth Binary Patching and Experimentation Framework
Bluetooth is one of the most established technologies for short-range digital
wireless data transmission. With the advent of wearables and the Internet of
Things (IoT), Bluetooth has again gained importance, which makes security
research and protocol optimizations imperative. Surprisingly, there is a lack
of openly available tools and experimental platforms to scrutinize Bluetooth.
In particular, system aspects and close-to-hardware protocol layers are mostly
uncovered.
We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread
in off-the-shelf devices. Thus, we offer deep insights into the internal
architecture of a popular commercial family of Bluetooth controllers used in
smartphones, wearables, and IoT platforms. Reverse engineered functions can
then be altered with our InternalBlue Python framework---outperforming
evaluation kits, which are limited to documented and vendor-defined functions.
The modified Bluetooth stack remains fully functional and high-performance.
Hence, it provides a portable low-cost research platform.
InternalBlue is a versatile framework and we demonstrate its abilities by
implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we
discover a novel critical security issue affecting a large selection of
Broadcom chipsets that allows executing code within the attacked Bluetooth
firmware. We further show how to use our framework to fix bugs in chipsets out
of vendor support and how to add new security features to Bluetooth firmware.
MagicPairing: Apple's Take on Securing Bluetooth Peripherals
Device pairing in large Internet of Things (IoT) deployments is a challenge
for device manufacturers and users. Bluetooth offers a comparably smooth
trust-on-first-use pairing experience. Bluetooth, though, is well-known for
security flaws in the pairing process. In this paper, we analyze how Apple
improves the security of Bluetooth pairing while still maintaining its usability
and specification compliance. The proprietary protocol that resides on top of
Bluetooth is called MagicPairing. It enables the user to pair a device once
with Apple's ecosystem and then seamlessly use it with all their other Apple
devices. We analyze both the security properties provided by this protocol and
its implementations. In general, MagicPairing could be adopted by other IoT
vendors to improve Bluetooth security. Even though the overall protocol is
well-designed, we identified multiple vulnerabilities within Apple's
implementations with over-the-air and in-process fuzzing.
Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices
Bluetooth is among the dominant standards for wireless short-range
communication, with multi-billion Bluetooth devices shipped each year. Basic
Bluetooth analysis inside consumer hardware such as smartphones can be
accomplished by observing the Host Controller Interface (HCI) between the
operating system's driver and the Bluetooth chip. However, the HCI does not
provide insights into tasks running inside a Bluetooth chip or Link Layer (LL)
packets exchanged over the air. As of today, the internal behavior of consumer
hardware can only be observed with external, and often expensive, tools that
need to be present during initial device pairing. In this paper, we leverage
standard smartphones for on-device Bluetooth analysis and reverse engineer a
diagnostic protocol that resides inside Broadcom chips. Diagnostic features
include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth
Low Energy (BLE), transmission and reception statistics, test mode, and memory
peek and poke.
Steps toward accurate large-area analyses of Genesis solar wind samples: evaluation of surface cleaning methods using total reflection X-ray fluorescence spectrometry
Total reflection X-ray fluorescence spectrometry (TXRF) was used to analyze residual surface contamination on Genesis solar wind samples and to evaluate different cleaning methods. To gauge the suitability of a cleaning method, two samples were analyzed by lab-based TXRF following cleaning. The analysis comprised an overview and a crude manual mapping of the samples, orienting them with respect to the incident X-ray beam in such a way that different regions were covered. The results show that cleaning with concentrated hydrochloric acid and with a combination of hydrochloric acid and hydrofluoric acid decreased persistent inorganic contaminants substantially on one sample. The application of CO2 snow for surface cleaning, tested on the other sample, appears to be effective in removing one persistent Genesis contaminant, namely germanium. Unfortunately, the TXRF analysis results of the second sample were impacted by relatively high background contamination. This was mostly due to the relatively small sample size and to the fact that the solar wind collector was already mounted with silver glue on an aluminium stub for resonance ion mass spectrometry (RIMS). Further studies are planned to eliminate this problem. In an effort to identify the location of very persistent contaminants, selected samples were also subjected to environmental scanning electron microscopy. The results showed excellent agreement with the TXRF analysis.
Quality of experience study for multiple sensorial media delivery
Traditional video sequences make use of both visual images and audio tracks, which are perceived by human eyes and ears, respectively. In order to present a better ultra-reality virtual experience, the full range of human sensations (e.g. olfaction, haptic, gustatory, etc.) needs to be exploited. In this paper, a multiple sensorial media (mulsemedia) delivery system is introduced to deliver multimedia sequences integrated with multiple media components which engage three or more of the human senses, such as sight, hearing, olfaction, haptic, gustatory, etc. Three sensorial effects (i.e. haptic, olfaction, and air-flowing) are selected for the purpose of demonstration. A subjective test is conducted to analyze the user-perceived quality of experience of the mulsemedia service. It is concluded that the mulsemedia sequences can partly mask the decreased movie quality. Additionally, the most preferable sensorial effect is haptic, followed by air-flowing and olfaction.
This work was supported in part by the Enterprise Ireland Innovation Partnership programme.
Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Wireless communication standards and implementations have a troubled history
regarding security. Since most implementations and firmwares are closed-source,
fuzzing remains one of the main methods to uncover Remote Code Execution (RCE)
vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from
several shortcomings, such as constrained speed, limited repeatability, and
restricted ability to debug. In this paper, we present Frankenstein, a fuzzing
framework based on advanced firmware emulation, which addresses these
shortcomings. Frankenstein brings firmware dumps "back to life", and provides
fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing
method is sufficient to maintain interoperability with the attached operating
system, hence triggering realistic full-stack behavior. We demonstrate the
potential of Frankenstein by finding three zero-click vulnerabilities in the
Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many
Samsung smartphones, the Raspberry Pis, and many others.
Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond
the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that
crashes multiple operating system kernels and a design flaw in the Bluetooth
5.2 specification that allows link key extraction from the host. Turning off
Bluetooth will not fully disable the chip, making it hard to defend against RCE
attacks. Moreover, when testing our chip-based vulnerabilities on those
devices, we find BlueFrag, a chip-independent Android RCE.
Comment: To be published at USENIX Securit
Firmware Insider: Bluetooth Randomness is Mostly Random
Bluetooth chips must include a Random Number Generator (RNG). This RNG is
used internally within cryptographic primitives but also exposed to the
operating system for chip-external applications. In general, it is a black box
with security-critical authentication and encryption mechanisms depending on
it. In this paper, we evaluate the quality of RNGs in various Broadcom and
Cypress Bluetooth chips. We find that the RNG implementation significantly
changed over the last decade. Moreover, most devices implement an insecure
Pseudo-Random Number Generator (PRNG) fallback. Multiple popular devices, such
as the Samsung Galaxy S8 and its variants as well as an iPhone, rely on the
weak fallback because they lack a Hardware Random Number Generator (HRNG). We
statistically evaluate the output of various HRNGs in chips used by hundreds of
millions of devices. While the Broadcom and Cypress HRNGs pass advanced tests,
users cannot tell whether a Bluetooth chip implements a secure RNG without an
extensive analysis such as the one in this paper. We describe our measurement
methods and publish our tools to enable further public testing.
Comment: WOOT'2
Preface - Creativity and HCI: From Experience to Design in Education
Abstract included in text