toothpicker
play

ToothPicker Apple Picking in the iOS Bluetooth Stack TOOTHP CKER - PowerPoint PPT Presentation

Mar 12, 2023 •200 likes •578 views

ToothPicker Apple Picking in the iOS Bluetooth Stack TOOTHP CKER Dennis Heinze Jiska Classen, Matthias Hollick Technische Universitt Darmstadt Technische Universitt Darmstadt Secure Mobile Networking Lab - SEEMOO Secure Mobile Networking

  1. ToothPicker Apple Picking in the iOS Bluetooth Stack TOOTHP CKER Dennis Heinze Jiska Classen, Matthias Hollick Technische Universität Darmstadt Technische Universität Darmstadt Secure Mobile Networking Lab - SEEMOO Secure Mobile Networking Lab - SEEMOO ERNW Enno Rey Netzwerke GmbH

  2. Bluetooth in the Apple Ecosystem Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 2

  3. Bluetooth in the Apple Ecosystem The Apple ecosystem encourages turning on Bluetooth… Handoff Apple Watch Continuity AirPods (BT Headphones in general) … Apple TV Remote Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 3

  4. Bluetooth in the Apple Ecosystem Three different Bluetooth stack implementations: RTKit macOS iOS (AirPods, Siri Remote, …) Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 4

  5. Bluetooth in the Apple Ecosystem Three different Bluetooth stack implementations: Recent work: blogs.360.cn/post/ macOS_Bluetoothd_0-click.html RTKit macOS iOS (AirPods, Siri Remote, …) Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 4

  6. Bluetooth in the Apple Ecosystem Three different Bluetooth stack implementations: Recent work: Difficult to inspect (no debugging, no blogs.360.cn/post/ logs) macOS_Bluetoothd_0-click.html RTKit macOS iOS (AirPods, Siri Remote, …) Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 4

  7. Bluetooth in the Apple Ecosystem Three different Bluetooth stack implementations: Implements most of Apples Recent work: Difficult to inspect (no debugging, no proprietary Bluetooth protocols + is blogs.360.cn/post/ logs) carried around by people macOS_Bluetoothd_0-click.html RTKit macOS iOS (AirPods, Siri Remote, …) Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 4

  8. Bluetooth on iOS While it’s not a “remote” zero-click attack surface for targeted attacks, Bluetooth RCEs are easily worm-able 🐜 Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 5

  9. Proprietary Bluetooth Protocols Category Protocol iOS macOS RTKit Fixed L2CAP Channels MagicPairing ✓ ✓ ✓ Magnet ✓ ✓ - LEA{P,S} ✓ - ✓ FastConnect Discovery ✓ ✓ ✓ DoAP ✓ ✓ ✓ L2CAP Channels ExternalAccessory ✓ ✓ ✓ AAP ✓ ✓ ✓ Magnet Channels ✓ ✓ - FastConnect ✓ ✓ ✓ - Apple Pencil GATT ✓ ✓ Other BRO/UTP - - ✓ USB OOB Pairing - - ✓ Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 6

  10. Fuzzing iOS bluetoothd Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 7

  11. Bluetooth on iOS Lots of interaction with • bluetoothaudiod different system daemons Constant interaction with • sharingd ... the Bluetooth Chip Multiple Threads • StackLoop (for HCI 1 ) • bluetoothd RxLoop • TxLoop • … • Huge binary file • (Almost) no symbols • Bluetooth Chip 1: Host Controller Interface, interface to interact with BT Chip Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 8

  12. Over-the-Air Fuzzing Fuzzing Data macOS with PacketLogger Target iPhone Attacker iPhone with InternalBlue 1 1: https://github.com/seemoo-lab/internalblue Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 9

  13. Over-the-Air Fuzzing + few false positives + platform independence Fuzzing Data - connection termination - speed macOS with - coverage / feedback PacketLogger Target iPhone Attacker iPhone with InternalBlue 1 1: https://github.com/seemoo-lab/internalblue Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 10

  14. Fuzzing bluetoothd Coverage F Я IDA Stalker Feedback on crashes F Я IDA Exception Handler } No physical connection Virtual Connections by code injection No connection termination Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 11

  15. ToothPicker Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 12

  16. In-Process Fuzzing Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 13

  17. In-Process Fuzzing Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 13

  18. In-Process Fuzzing General Fuzzing Harness Specialized Fuzzing Harness Fuzzing Harness Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 14

  19. In-Process Fuzzing Send fuzzing input 2 3 Execute reception 4 handler Report BB coverage or crash 1 Generate Fuzzing Input General Fuzzing Harness Specialized Fuzzing Harness Fuzzing Harness Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 14

  20. In-Process Fuzzing Send fuzzing input 2 3 5 Execute Store coverage reception 4 information handler for input Report BB coverage Coverage or crash 1 Generate Fuzzing Input General Fuzzing Harness Specialized Fuzzing Harness Fuzzing Harness Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 14

  21. In-Process Fuzzing Send fuzzing input 2 3 5 Execute Store coverage reception 4 information handler for input Report BB coverage Coverage or crash 1 Generate Fuzzing 6a Input General Fuzzing Harness If new coverage: add input to Specialized Fuzzing Harness corpus Fuzzing Harness Corpus Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 14

  22. In-Process Fuzzing Crashes Send fuzzing input 2 If crash: store input and crash type 6b optional: put corpus in blocklist 3 5 Execute Store coverage reception 4 information handler for input Report BB coverage Coverage or crash 1 Generate Fuzzing 6a Input General Fuzzing Harness If new coverage: add input to Specialized Fuzzing Harness corpus Fuzzing Harness Corpus Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 14

  23. In-Process Fuzzing Send to OTA- 7 Crashes Fuzzer to verify Send fuzzing input 2 If crash: store input and crash type 6b optional: put corpus in blocklist 3 5 Execute Store coverage reception 4 information handler for input Report BB coverage Coverage or crash 1 Generate Fuzzing 6a Input General Fuzzing Harness If new coverage: add input to Specialized Fuzzing Harness corpus Fuzzing Harness Corpus Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 14

  24. In-Process Fuzzing Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 15

  25. In-Process Fuzzing Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 15

  26. In-Process Fuzzing void acl_reception_handler( short handle, size_t len, char * data) Connection Data and length handle value of of received ACL the Bluetooth data connection The functions and structures are named by us, Apple stripped all these symbols Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 16

  27. In-Process Fuzzing void acl_reception_handler( short handle, size_t len, char * data) Connection Data and length handle value of We need to of received ACL the Bluetooth create this! data connection The functions and structures are named by us, Apple stripped all these symbols Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 16

  28. In-Process Fuzzing bt_connection_t * allocate_connection( char * bd_addr, int state) Create a Bluetooth connection structure The functions and structures are named by us, Apple stripped all these symbols Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 17

  29. In-Process Fuzzing bt_connection_t * allocate_connection( char * bd_addr, int state) Create a Set the handle value of the connection: Bluetooth connection *( short *)connection = 0 x 11 ; structure The functions and structures are named by us, Apple stripped all these symbols Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 17

  30. In-Process Fuzzing bt_connection_t * allocate_connection( char * bd_addr, int state) Create a Set the handle value of the connection: Bluetooth connection *( short *)connection = 0 x 11 ; structure Now we can call the reception handler with our fuzzing data acl_reception_handler( 0 x 11 , len, data); The functions and structures are named by us, Apple stripped all these symbols Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 17

  31. In-Process Fuzzing Forge connection • - Call allocate_connection to create connection object Set handle value of the connection - Filter BT Chip interaction • - Overwrite other HCI-related functions that confuse bluetoothd ( the connection is not real and the BT chip does not know the handle value) Stabilize Connection • Overwrite functions that force-disconnect the handle - ➡ Similar process for BLE connections (more complex connection creation) Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 18

  32. Results Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 19

  33. Bluetooth Protocol Targets Category Protocol iOS macOS RTKit Accessibility Proprietary Knowledge Target Fixed L2CAP MagicPairing ✓ ✓ ✓ ↑ ✓ ↑ ✓ Channels GATT ✓ ✓ ( ✓ ) ↑ ↑ ✓ Signal Channel ✓ ✓ ✓ ↑ ↑ ✓ Magnet ? - - ✓ ✓ ✓ ✓ LEA{P,S} - - ✓ ✓ ✓ ✓ FastConnect Discovery ✓ ✓ ✓ ↑ ✓ ↑ ✓ L2CAP Channels SDP ✓ ✓ ✓ ↑ ↑ ✓ Other ACL ✓ ✓ ✓ ↑ ↑ ✓ Slide ToothPicker: Apple Picking in the iOS Bluetooth Stack 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Crawling gzsun@ustc.edu.cn Reference [ ACGPR01] Searching the Web , Arvind Arasu,

Web Crawling gzsun@ustc.edu.cn Reference [ ACGPR01] Searching the Web , Arvind Arasu,

Web Crawling gzsun@ustc.edu.cn Reference [ ACGPR01] Searching the Web , Arvind Arasu, Junghoo Cho, Hector Garcia- Molina, Andreas Paepcke, and Sriram Raghavan. ACM Transactions on Internet Technology, 1, p. 2-43, 2001. [ BP98] The

594 views • 23 slides
Optimizing Impression Counts for Outdoor Advertising Yipeng Zhang, Yuchen Li, Zhifeng Bao,

Optimizing Impression Counts for Outdoor Advertising Yipeng Zhang, Yuchen Li, Zhifeng Bao,

Optimizing Impression Counts for Outdoor Advertising Yipeng Zhang, Yuchen Li, Zhifeng Bao, Songsong Mo and Ping Zhang RMIT University, Melbourne, Australia 1 $30 Billion 80% 2 I Impression I I mpression mpression mpression C C

993 views • 39 slides
Theory of Computation Textbook The Nature of Computation by Cristopher Moore and (CS

Theory of Computation Textbook The Nature of Computation by Cristopher Moore and (CS

CS422 CS422 Fall Semester 2014 Textbook Theory of Computation Textbook The Nature of Computation by Cristopher Moore and (CS 422/MAS480B) Stephan Mertens. Expensive and has about 1000 pages. The book is available on course reserve in the

500 views • 5 slides
So, how many are familiar with IRC?

So, how many are familiar with IRC?

So, how many are familiar with IRC? How about ICQ? Presence: The ability to see when your friends (or whoever is on

485 views • 7 slides
EECS 583 Class 5 Dataflow Analysis Intro University of Michigan September 17, 2014 Reading

EECS 583 Class 5 Dataflow Analysis Intro University of Michigan September 17, 2014 Reading

EECS 583 Class 5 Dataflow Analysis Intro University of Michigan September 17, 2014 Reading Material + Announcements Reminder HW 1 due Monday at midnight Before asking questions: 1) Read all threads on piazza, 2) Think a bit

484 views • 25 slides
SIM PTO TRAINING SEPTEMBER 26, 2018 9:00 AM Call Instructions: Please Mute your phone,

SIM PTO TRAINING SEPTEMBER 26, 2018 9:00 AM Call Instructions: Please Mute your phone,

SIM PTO TRAINING SEPTEMBER 26, 2018 9:00 AM Call Instructions: Please Mute your phone, microphone, and speakers on your computer/device Turn off the zoom video feature Enter your name/organization in the chat box feature for

676 views • 33 slides
MAVERIC: 6-Month Outcomes of Transcatheter MV Repair in Patients With Severe Secondary Mitral

MAVERIC: 6-Month Outcomes of Transcatheter MV Repair in Patients With Severe Secondary Mitral

MAVERIC: 6-Month Outcomes of Transcatheter MV Repair in Patients With Severe Secondary Mitral Regurgitation S.G. Worthley, MB, BS, PhD., S. Redwood, MD, PhD., D. Hildick-Smith, MD., T. Rafter, MB, BBS., F. Demarco, MD., M. Horrigan, MB., V.

207 views • 17 slides
Cal Poly Outline Jupyter + Computational Notebooks Data Science in Large, Complex

Cal Poly Outline Jupyter + Computational Notebooks Data Science in Large, Complex

@ellisonbg Project Jupyter: From Computational Notebooks to Large Scale Data Science with Sensitive Data Brian Granger Cal Poly, Physics/Data Science Project Jupyter, Co-Founder ACM Learning Seminar September 2018 Cal Poly Outline

353 views • 33 slides
Adiabatic limits, Theta functions, and Geometric Quantization 2019 CMS Winter Meeting Takahiko

Adiabatic limits, Theta functions, and Geometric Quantization 2019 CMS Winter Meeting Takahiko

Adiabatic limits, Theta functions, and Geometric Quantization 2019 CMS Winter Meeting Takahiko Yoshida Meiji University Based on arXiv:1904.04076 1 Purpose & Main Theorems Geometric quantization Geometric quantization

472 views • 15 slides
Generation CMSC 426 - Computer Security Slides originally by Dr. Marron, modified by Robert Joyce

Generation CMSC 426 - Computer Security Slides originally by Dr. Marron, modified by Robert Joyce

Random Number Generation CMSC 426 - Computer Security Slides originally by Dr. Marron, modified by Robert Joyce Outline Properties of PRNGs LCGs Blum, Blum, Shub NIST SP 800-90A Random Number Uses Generation of symmetric

540 views • 18 slides
Anonymous and Transferable Electronic Ticketing Scheme Data Privacy Management, 8th

Anonymous and Transferable Electronic Ticketing Scheme Data Privacy Management, 8th

Anonymous and Transferable Electronic Ticketing Scheme Data Privacy Management, 8th International Workshop Arnau Vives-Guasch 1 a 2 M. Magdalena Payeras-Capell` a Mut-Puigserver 2 a-Roca 1 Maci` Jordi Castell` s Ferrer-Gomila 2

605 views • 27 slides
News System Environment bbsd Innd Jail Server Requirement(Innd) Install INN news server

News System Environment bbsd Innd Jail Server Requirement(Innd) Install INN news server

News System Environment bbsd Innd Jail Server Requirement(Innd) Install INN news server and use news reader to read/post it properly Using CNFS and TradSpool for different newsgroups Create a newsgroup na.share to exchange

483 views • 10 slides
Management: Evidence from the Pension Fund Industry David Blake, Alberto Rossi, Allan Timmermann,

Management: Evidence from the Pension Fund Industry David Blake, Alberto Rossi, Allan Timmermann,

Decentralized Investment Management: Evidence from the Pension Fund Industry David Blake, Alberto Rossi, Allan Timmermann, Ian Tonks & Russ Wermers Funded pensions: some numbers Total Assets = 1,797bn Auto-enrolment (from 2012),

395 views • 28 slides
Graph Analytics: Complexity, Scalability, and Architectures Peter M. Kogge McCourtney Prof. of

Graph Analytics: Complexity, Scalability, and Architectures Peter M. Kogge McCourtney Prof. of

Graph Analytics: Complexity, Scalability, and Architectures Peter M. Kogge McCourtney Prof. of CSE Univ. of Notre Dame IBM Fellow (retired) Please Sir, I want more GABB: May 23, 2016 1 Thesis Graph computation is increasing To

557 views • 34 slides
Recent results on branching Brownian motion on the positive real axis Pascal Maillard

Recent results on branching Brownian motion on the positive real axis Pascal Maillard

Recent results on branching Brownian motion on the positive real axis Pascal Maillard (Universit Paris-Sud (soon Paris-Saclay)) CMAP, Ecole Polytechnique, May 18 2017 Pascal Maillard Branching Brownian motion with selection 1 / 27 Outline

689 views • 36 slides
Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National University of Singapore 1 Thanks to organizers and ISSISP Steve Blackburn Adrian Herrera ISSISP Summer School 2018 Tony Hosking

1.17k views • 99 slides
Automatic Groups Redux Robert Gilman Stevens Institute of Technology Geometric and Asymptotic

Automatic Groups Redux Robert Gilman Stevens Institute of Technology Geometric and Asymptotic

Automatic Groups Redux Robert Gilman Stevens Institute of Technology Geometric and Asymptotic Group Theory with Applications City College of New York May 28, 2013 Robert Gilman (Stevens) Automatic Groups Redux GAGTA 2013 1 / 11 Automatic

351 views • 11 slides
Security and Privacy at Scale Geetanjali Sampemane geta@google.com Cloud All your stuff is

Security and Privacy at Scale Geetanjali Sampemane geta@google.com Cloud All your stuff is

Security and Privacy at Scale Geetanjali Sampemane geta@google.com Cloud All your stuff is online All your stuff The cloud, aka "online" You Cloud v0? Shared multi-user computing: Multics, Unix, VMS, ... Online user

463 views • 22 slides
Progress on B-physics lattice calculations by ETMC Petros Dimopoulos University of Rome Tor

Progress on B-physics lattice calculations by ETMC Petros Dimopoulos University of Rome Tor

Progress on B-physics lattice calculations by ETMC Petros Dimopoulos University of Rome Tor Vergata on behalf of ETM Collaboration September 19, 2012 New Frontiers in Lattice Gauge Theory Galileo Galilei Institute for Theoretical

646 views • 36 slides
Wireless and Mobile Networks Background: # wireless (mobile) phone subscribers now exceeds #

Wireless and Mobile Networks Background: # wireless (mobile) phone subscribers now exceeds #

Wireless and Mobile Networks Background: # wireless (mobile) phone subscribers now exceeds # wired phone subscribers (5-to-1)! # wireless Internet-connected devices equals # wireline Internet-connected devices laptops,

1.26k views • 85 slides
On Combining 01X-Logic and QBF Marc Herbstritt (joint work with Bernd Becker) Institute of

On Combining 01X-Logic and QBF Marc Herbstritt (joint work with Bernd Becker) Institute of

On Combining 01X-Logic and QBF Marc Herbstritt (joint work with Bernd Becker) Institute of Computer Science Albert-Ludwigs-University Freiburg im Breisgau, Germany Presentation at EuroCAST 2007 Applied Formal Verification Track Feb 14 2007

803 views • 34 slides
W RITING AN LLVMP ASS DCC888 Passes

W RITING AN LLVMP ASS DCC888 Passes

UniversidadeFederaldeMinasGeraisDepartmentofComputerScienceProgrammingLanguagesLaboratory W RITING AN LLVMP ASS DCC888 Passes

646 views • 26 slides
PERUN: Virtual Payment Hubs over Cryptocurrencies Stefan Dziembowski Lisa Eckey Sebastian

PERUN: Virtual Payment Hubs over Cryptocurrencies Stefan Dziembowski Lisa Eckey Sebastian

PERUN: Virtual Payment Hubs over Cryptocurrencies Stefan Dziembowski Lisa Eckey Sebastian Faust Daniel Malinowski Blockchain Scalability Problem: Blockchain transactions are slow and expensive Transaction Send to Bob Fees Alice Bob

453 views • 21 slides
Unbounded number of channel uses are required to see quantum capacity T. Cubitt, D. Elkouss, W.

Unbounded number of channel uses are required to see quantum capacity T. Cubitt, D. Elkouss, W.

Introduction Two copies n copies Discussion Unbounded number of channel uses are required to see quantum capacity T. Cubitt, D. Elkouss, W. Matthews, M. Ozols, D. P erez-Garc a, S. Strelchuk University of Cambridge, Universidad

600 views • 25 slides

More recommend