Submitted via IRC for boru.
https://www.infoq.com/news/2020/07/nRF52-debug-resurrect/:
A recent hardware attack on the Nordic nRF52 chip uses local access to gain chip-level debugging capabilities that persist in silicon, unpatchable in software. Nordic has confirmed the issue and encouraged device manufacturers to detect openings of the enclosure, as the chip is not hardened against fault injection.
This chip is used in so many bluetooth products. Might be fun to go wardriving and find some and see if any have accessible SWD pins.
(Score: 2) by DannyB on Friday July 17 2020, @08:41PM (3 children)
Yes, I get it that you have to tamper with your own bluetooth chip to get debug mode.
Once you have that, what level of control of the hardware do you have? Can you transmit bluetooth packets in ways that you ordinarily would not be able to? Especially malformed packets? Reaching that point is the very beginning of what I suggest.
From transmitting malformed packets, that no ordinary bluetooth device would transmit, can you then exploit other bluetooth devices?
Another way of putting it is this: the security of a bluetooth device might partly rest on the assumption that no invalid malformed packets would ever be received. Why should I check for this overflow condition, etc? No device that would send such a malformed packet would ever get certified! (but what if the device were in debug mode and manipulated?)
I don't know how much of this is feasible. What capabilities do you actually gain by getting your own RF hardware into debug mode?
Then there is the thought about, what if you were to use SDR ?
The lower I set my standards the more accomplishments I have.
(Score: 2) by ilsa on Friday July 17 2020, @10:40PM
Oh I see what you mean. Yes, I suppose that's entirely possible. Who knows what corners got cut during the implementation of the chip.
At a minimum, having debug access to the chip would certainly make it much easier to uncover other potential bugs/exploits that the chip may contain. Then you could freely target any device using that chip. It wouldn't necessarily mean you now have broad access to all BT devices though... only the ones using Nordic chip.
But if you found other exploits.... You could build up a library of exploits across different BT chips, and then you could execute it from a single SDR for a one stop BT hacking shop.
(Score: 2) by c0lo on Friday July 17 2020, @11:15PM (1 child)
You can transmit anything you want with a software defined radio. Why go through the pain of cracking first a device that you own when you can put together something far more powerful?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by DannyB on Monday July 20 2020, @01:49PM
That is what occurred to me too in my very last sentence.
If you want to study fuzzing bluetooth packets, maybe just use SDR?
But I like fizzing packets instead.
The lower I set my standards the more accomplishments I have.