Finding bugs in Bluetooth
Work within the Secure Mobile Networking Lab (SEEMOO)
Software
Published vulnerabilities
- CVE-2020-6616 (Broadcom): Missing HRNG and non-random PRNG
- CVE-2020-0022 (Android): RCE in L2CAP fragmentation aka BlueFrag, follow-up work after a Master's thesis
- CVE-2019-18614 (Broadcom): Host device buffer misconfiguration allowing RCE
- CVE-2019-15063 (Broadcom): Coexistence lock causing a reboot on various iOS and Android devices
- CVE-2019-13916 (Broadcom): Bug in BLE PDU parsing allowing RCE
- CVE-2019-11516 (Broadcom): Bug in EIR parsing allowing RCE
- CVE-2019-6994 (Broadcom): LMP start_encryption_request without paired devices causes a crash
- CVE-2018-19860 (Broadcom): Escalation from LMP to HCI, allowing limited RCE
Greetings to other Bluetooth security researchers
- BIAS attack, 2020, almost KNOBv2
- macOS 0-clicks, 2020, by 360 Alpha Lab
- KNOB attack, 2019, on Classic Bluetooth encryption establishment
- BadBluetooth attack, 2019, confusion between peripheral types on Android
- ECDH attack, 2018, on Classic Bluetooth and BLE pairing
- BlueBorne, 2017, RCE and information disclosure on various operating systems
- BLE, 2013-2015, sniffing, injection, and encryption issues
- NiNo, 2007, an attack on the pairing by faking no input no output capabilities
- Cracking the Bluetooth PIN, 2005
And a few more awesome wireless hacks
- Keen Lab, Tesla Model S Wi-Fi exploit, 2020
- Xiling Gong, Qualcomm Wi-Fi exploit, 2019
- Guy, Intel LTE baseband exploit, 2019
- Quarkslab, Broadcom Wi-Fi exploit, 2019
- Denis Selianin, Marvell Avastar Wi-Fi exploit, 2018
- Broadpwn Wi-Fi exploit by Nitay Artenstein, 2017
- Project Zero full-stack Broadcom Wi-Fi exploit, 2017