Magal Baz and Octavian Guzu

Defense Through Offense: Microcontroller Security in Meta’s First Generation of Smart Glasses

Abstract

The emergence of smart glasses, a novel category of tech devices, has been gaining traction over the past three years. These devices, typically capable of recording video and audio, playing music, and facilitating phone calls, pose a unique privacy threat. As wearable devices, they are designed to witness and record our daily experiences. Despite this, public security exposure in this area remains minimal.

As Meta released its 1st-gen smart glasses, we asked ourselves, "What would it take for someone to exploit a pair of smart glasses, and what would such an exploit look like?"

In this talk, we will discuss how we discovered a first-party vulnerability in the Bluetooth stack of Meta's first generation of smart glasses and how we weaponized it to gain remote code execution. We will present the unusual exploit vector that targeted the FreeRTOS scheduler runtime, and demonstrate how exploiting a microcontroller can provide an attacker with a significant level of access, even without escalating into the main system-on-chip.

Finally, we will talk about the mitigation strategies implemented as a result of this exercise. We learned that the security posture of a microcontroller environment can be dramatically improved with relatively simple measures, such as leveraging the Memory Protection Unit available in modern ARM microcontrollers. Similarly, we gained valuable insight into how to expand automated testing and whitehat engagement into the domain of microcontroller and firmware security, in order to raise the security bar moving forward.

BIO

Magal is a security researcher, passionate about embedded security and everything low-level.

Octav is a Security Engineer working for Meta's Product Security team in London, UK. Initially, his work was to detect bugs and raise the security bar of Reality Labs devices. He then moved to work on Meta's family of apps, where he's currently tackling the security challenges of Messenger.