Jeong Wook Oh, Rishika Hooda and Xuan Xing

Fighting cavities: Securing Android Bluetooth by Red teaming

Abstract

Bluetooth security has been a risky area due to multiple factors: its remotely accessible nature, the stack's complexity and its privileged execution context in the Android platform are a perfect combination that has been attracting the attention of security researchers for years. In this session the authors will talk about offensive Bluetooth research aimed at identifying remotely exploitable vulnerabilities in AOSP's Bluetooth implementation with security mitigations enabled (e.g. the hardened Scudo allocator). This presentation will feature an RCE demo, cover in detail our bug hunting and exploitation approaches and highlight the results of our collaboration with the Android Bluetooth security team on hardening this attack surface.

We will give a short intro to the Bluetooth architecture as it is implemented in AOSP. To identify vulnerabilities in Bluetooth we used a wide arsenal of tools from both dynamic and static analysis: fuzzing, variant analysis with CodeQL and code verification with KLEE. We will provide a detailed analysis of the findings and discuss their exploitability on Android devices. Achieving remote code execution on the victim's device using the identified vulnerabilities in the Bluetooth stack is a challenging task because of its security mitigations.

The authors will demonstrate an RCE exploit via Bluetooth and explain how it works, touching on bypassing security mitigations such as the Scudo hardened heap allocator. This presentation examines two critical vulnerabilities, CVE-2023-35673 and CVE-2023-35681, which stem from MTU weaknesses in the Bluetooth Low Energy (BLE) GATT and EATT protocols. These vulnerabilities enable unauthenticated remote code execution from within Bluetooth proximity. Additionally, we will discuss several other noteworthy vulnerabilities affecting different components of the Bluetooth stack.

We will conclude the presentation by discussing the hardening effort by the Android Bluetooth security team to render the attacks described in the presentation no longer exploitable.

BIO

Jeong Wook (Matt) Oh is a Security Researcher on the Google Android Red Team. He focuses on finding and exploiting vulnerabilities in the Android ecosystem, GPUs and Trusted Execution Environments. He has spoken at various conferences such as Black Hat USA, DEF CON, BlueHat, Virus Bulletin, REcon, ZeroNights and CanSecWest.

Rishika Hooda is a Technical Program Manager at Google on the Android Security & Privacy team. She has worked with the Android Security & Privacy team for more than five years, leading various mission-critical programs. In her current role, she is responsible for working with cross-functional teams on red team engagements and helping with overall Android OS hardening efforts.

Xuan Xing is the manager of the Android Red Team at Google. For the past several years, Xuan has focused on finding security vulnerabilities in various low-level components of Android/Pixel devices. He is passionate about software fuzzing for security research. Xuan has been a speaker at multiple Black Hat USA, DEF CON and other security conferences.