EPISODE · Dec 27, 2024 · 31 MIN
From fault injection to RCE: Analyzing a Bluetooth tracker (38c3)
from Chaos Computer Club - archive feed · host Nicolas Oberli
The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas) DA14580 chip. This talk will present the research made on this device, from extracting the firmware from the locked down chip using fault injection up to getting remote code execution over Bluetooth. The talk will also present the disclosure process and how the vendor reacted to an unpatchable vulnerability on their product. This talk will present the journey through the analysis of the Chipolo ONE Bluetooth tracker. As for lots of IoT devices, this analysis mixes both hardware and software attacks so this talk will be packed with lots of techniques that can be applied to other devices as well: - Using fault injection to bypass the debug locking mechanism on a chip that has apparently never been broken before. - Reverse engineering an unknown firmware with Ghidra, a PDF and parts of a SDK - Analyzing weak cryptographic algorithms to be able to authenticate to any device - Finding a buffer overflow and achieve code execution over Bluetooth - Disclosing an unpatchable vulnerability to the vendor Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/from-fault-injection-to-rce-analyzing-a-bluetooth-tracker/
What this episode covers
The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas) DA14580 chip. This talk will present the research made on this device, from extracting the firmware from the locked down chip using fault injection up to getting remote code execution over Bluetooth. The talk will also present the disclosure process and how the vendor reacted to an unpatchable vulnerability on their product. This talk will present the journey through the analysis of the Chipolo ONE Bluetooth tracker. As for lots of IoT devices, this analysis mixes both hardware and software attacks so this talk will be packed with lots of techniques that can be applied to other devices as well: - Using fault injection to bypass the debug locking mechanism on a chip that has apparently never been broken before. - Reverse engineering an unknown firmware with Ghidra, a PDF and parts of a SDK - Analyzing weak cryptographic algorithms to be able to authenticate to any device - Finding a buffer overflow and achieve code execution over Bluetooth - Disclosing an unpatchable vulnerability to the vendor Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/from-fault-injection-to-rce-analyzing-a-bluetooth-tracker/
NOW PLAYING
From fault injection to RCE: Analyzing a Bluetooth tracker (38c3)
No transcript for this episode yet
Similar Episodes
Jun 9, 2026 ·50m
Jun 1, 2026 ·31m
May 25, 2026 ·39m
May 17, 2026 ·37m
May 8, 2026 ·39m
Apr 28, 2026 ·25m