
BleedingBit: The hidden attack surface within BLE chips [pdf] - keyme
https://go.armis.com/hubfs/BLEEDINGBIT%20-%20Technical%20White%20Paper.pdf
======
SlowRobotAhead
Crap... CTRL+F Nordic .... Whew! Seems like this is mainly in relation to the
TI CC26xx series. I'm using the Nordic right now and the only time it's
mentioned here is the Over The Air update service.

For those that might not know, TI takes the approach that some others (not Nordic)
do, where they give you an ARM Cortex M4 to put your code on and have another
Cortex M0 that runs the ROM-based BLE stack. This drove me away from many of
the TI offerings because while you can't mess them up, the BLE stack is
typically not upgradable. With the launch of BLE 5 and its mainly software
upgrades it was important to us to have that ability. So here is an issue with
the shared queue between the two chips - I'm not sure if this will be patchable
in all applications.

The hack to get console on the Aruba device is pretty cool.

~~~
snaky
Do you really think there is no such things (unpublished) in the Nordic BLE
stack?

~~~
a1369209993
There are _definitely_ (unpublished, and possibly unfound) vulnerabilities in
the Nordic stack. The point (IIUC) is that the Nordic stack can be fixed once
those vulnerabilities are known. The TI stack, on the other hand, is in ROM;
if^Wwhen it's broken, it's broken forever. (And that appears to have happened
just now.)

~~~
skaevola
I can't speak to the CC26xx series specifically, but normally deeply embedded
cores running a ROM stack like that have some additional SRAM which can be
loaded at boot for firmware patches.

------
tjoff
This is also yet another reason as to why ditching the headphone jack on
phones is so brain-dead.

Bluetooth seems to be quite hard to secure (or am I mistaken?). Is there any
decent (simpler) alternative available or on the horizon that could become
ubiquitous?

~~~
new299
Phones without headphone jacks have digital wired interfaces to which
headphones can also be connected.

~~~
tjoff
Sure, but that's not a worthy solution to a portable device.

------
Uhrheber
Why do bugs nowadays have to have a name and a website?

Are they security researchers or posers?

~~~
avian
Security researcher A opens a bug report on a tracker and writes a technical
description and it sits there for five years and it gets zero replies and
nobody cares.

Security researcher B hires a designer, makes a logo, catchy name and a
website and it gets upvotes on HN and Reddit and media picks it up and the
whole world gets a day-worth of drama from it, emergency meetings are held and
things get fixed.

------
rkagerer
Can anyone offer a TLDR summary? Any good open-source attacks out there?

