The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas)
DA14580 chip. This talk will present the research made on this device, from
extracting the firmware from the locked down chip using fault injection up to
getting remote code execution over Bluetooth.
The talk will also present the disclosure process and how the vendor reacted to
an unpatchable vulnerability on their product.
This talk will present the journey through the analysis of the Chipolo ONE
Bluetooth tracker. As for lots of IoT devices, this analysis mixes both hardware
and software attacks so this talk will be packed with lots of techniques that
can be applied to other devices as well:
- Using fault injection to bypass the debug locking mechanism on a chip that has
apparently never been broken before.
- Reverse engineering an unknown firmware with Ghidra, a PDF and parts of a SDK
- Analyzing weak cryptographic algorithms to be able to authenticate to any
device
- Finding a buffer overflow and achieve code execution over Bluetooth
- Disclosing an unpatchable vulnerability to the vendor
Licensed to the public under http://creativecommons.org/licenses/by/4.0
This Talk was translated into multiple languages. The files available for download contain all languages as separate audio-tracks. Most desktop video players allow you to choose between them.
Please look for "audio tracks" in your desktop video player.