2024-12-27, Saal ZIGZAG
Language: English
The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas)
DA14580 chip. This talk presents the research done on this device, from
extracting the firmware from the locked-down chip using fault injection up to
getting remote code execution over Bluetooth.
The talk will also cover the disclosure process and how the vendor reacted to
an unpatchable vulnerability in their product.
This talk will present the journey through the analysis of the Chipolo ONE
Bluetooth tracker. As with many IoT devices, this analysis mixes hardware
and software attacks, so the talk is packed with techniques that can be
applied to other devices as well:
- Using fault injection to bypass the debug locking mechanism on a chip that has
  apparently never been broken before.
- Reverse engineering an unknown firmware with Ghidra, a PDF and parts of an SDK.
- Analyzing weak cryptographic algorithms to be able to authenticate to any
  device.
- Finding a buffer overflow and achieving code execution over Bluetooth.
- Disclosing an unpatchable vulnerability to the vendor.
Nicolas is a hardware hacker based in Switzerland. His research focuses on embedded devices and communication protocols. In his spare time, he now spends more time designing CTF challenges than solving them. He is also one of the main developers of the Hydrabus hardware hacking tool and part of the BlackAlps security conference organization committee.