Play all

Intro

Agenda

Why Bluetooth Low Energy?

Why do APs support BLE?

BLE Attack surface

OTA solutions over BLE

BLE in Aruba Access Points

OAD in General

OAD in Aruba Access Points

Extracting BLE firmware

Analyzing custom OAD

OTA OAD OMG

What would a BLEEDINGBIT attack look like? black hat

BLE Discovery

BLE link layer

TI CC2640 Architecture

CC2640 Memory Corruption

Lets try and crash it

Packet Length: Main Core vs Radio Core black hat

Case Study

What is being overwritten?

Where will the overflow data come from? black hat

Inter-core communication

Overflow mechanics

Spray

Exploit strategy

Size limitation

Tasks at hand

Making our first success last forever black hat

Restoring execution - Take 1

Restoring execution - Take 2

Installing a backdoor

Shellcode

Description:

Explore BLEEDINGBIT, two zero-day vulnerabilities in Texas Instruments' BLE chips used in popular wireless access points, allowing unauthenticated over-the-air enterprise network penetration. Delve into Bluetooth Low Energy attack surfaces, OTA solutions, and BLE in Aruba Access Points. Examine OAD implementation, firmware extraction, and custom OAD analysis. Discover BLE link layer intricacies, TI CC2640 architecture, and memory corruption techniques. Investigate inter-core communication, overflow mechanics, and exploit strategies. Learn to overcome size limitations, restore execution, and install backdoors. Gain insights into shellcode development for successful network infiltration in this comprehensive Black Hat conference presentation.

BLEEDINGBIT - Your APs Belong to Us

Black Hat

Add to list

#Conference Talks #Black Hat #Information Security (InfoSec) #Cybersecurity #Network Security #Wireless Security #Computer Science #Computer Networking #Network Engineering #Ethical Hacking #Exploit Development #Attack Surface Analysis #Engineering #Electrical Engineering #Embedded Systems #Firmware Analysis #Memory Management #Memory Corruption

0:00 / 0:00