Lower layers of the Bluetooth protocol are very interesting with regard to security. Mobile devices with Bluetooth enabled will parse frames addressed to them even if they are currently not discoverable. Improper parsing and weird state machines lead to funny exploits.
Our talk starts with an overview of InternalBlue, a Bluetooth firmware analysis and patching framework that works on Broadcom Bluetooth chips produced within the last decade. We give insights into how we reverse engineered a firmware with more than 11k undefined functions, and into the practical problems we encountered when porting features initially developed for a firmware from 2012 to firmware dating back to 2008 and to the newest version from 2018.
Since functionality within Broadcom chips can be changed with InternalBlue, it is a cheap and powerful Bluetooth testing framework. We will give examples of how to write patches, both in plain assembly and in C, to add custom features. C support is added as an extension to the Nexmon project, which was initially developed to patch Broadcom WiFi firmware.
During reverse engineering and testing in the lower layers, we discovered CVE-2018-19860 and CVE-2019-6994. We will talk about these in detail and discuss the practical problems of bugfixing Bluetooth firmware in the wild.