{"guid":"7f4f44d8-89ea-5a84-8014-090b6ea88f3c","title":"From fault injection to RCE: Analyzing a Bluetooth tracker","subtitle":null,"slug":"38c3-from-fault-injection-to-rce-analyzing-a-bluetooth-tracker","link":"https://events.ccc.de/congress/2024/hub/event/from-fault-injection-to-rce-analyzing-a-bluetooth-tracker/","description":"The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas)\nDA14580 chip. This talk will present the research conducted on this device, from\nextracting the firmware from the locked-down chip using fault injection up to\ngetting remote code execution over Bluetooth.\nThe talk will also present the disclosure process and how the vendor reacted to\nan unpatchable vulnerability in their product.\n\nThis talk will present the journey through the analysis of the Chipolo ONE\nBluetooth tracker. As with many IoT devices, this analysis mixes both hardware\nand software attacks, so this talk will be packed with lots of techniques that\ncan be applied to other devices as well:\n\n - Using fault injection to bypass the debug locking mechanism on a chip that has\n   apparently never been broken before.\n - Reverse engineering an unknown firmware with Ghidra, a PDF and parts of an SDK\n - Analyzing weak cryptographic algorithms to be able to authenticate to any\n   device\n - Finding a buffer overflow and achieving code execution over Bluetooth\n - Disclosing an unpatchable vulnerability to the vendor\n\nLicensed to the public under http://creativecommons.org/licenses/by/4.0","original_language":"eng","persons":["Nicolas Oberli"],"tags":["38c3","178","2024","Security","Saal 
ZIGZAG"],"view_count":1996,"promoted":false,"date":"2024-12-27T17:15:00.000+01:00","release_date":"2024-12-29T00:00:00.000+01:00","updated_at":"2026-04-14T01:15:04.120+02:00","length":1898,"duration":1898,"thumb_url":"https://static.media.ccc.de/media/congress/2024/178-7f4f44d8-89ea-5a84-8014-090b6ea88f3c.jpg","poster_url":"https://static.media.ccc.de/media/congress/2024/178-7f4f44d8-89ea-5a84-8014-090b6ea88f3c_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2024/178-7f4f44d8-89ea-5a84-8014-090b6ea88f3c.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2024/178-7f4f44d8-89ea-5a84-8014-090b6ea88f3c.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/38c3-from-fault-injection-to-rce-analyzing-a-bluetooth-tracker","url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_title":"38C3: Illegal Instructions","conference_url":"https://media.ccc.de/public/conferences/38c3","related":[],"recordings":[{"size":null,"length":null,"mime_type":"text/vtt","language":"-","filename":"7f4f44d8-89ea-5a84-8014-090b6ea88f3c--.vtt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2025-05-25T20:45:00.897+02:00","recording_url":"https://cdn.media.ccc.de/congress/2024/7f4f44d8-89ea-5a84-8014-090b6ea88f3c--.vtt","url":"https://media.ccc.de/public/recordings/87616","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":28,"length":1898,"mime_type":"audio/mpeg","language":"deu","filename":"38c3-178-deu-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_mp3-2.mp3","state":"new","folder":"mp3-translated","high_quality":false,"width":0,"height":0,"updated_at":"2024-12-29T15:21:56.370+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/mp3-translated/38c3-178-deu-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_mp3-2.mp3","url":"https://media.c
cc.de/public/recordings/82731","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":null,"length":null,"mime_type":"text/vtt","language":"eng","filename":"7f4f44d8-89ea-5a84-8014-090b6ea88f3c-eng.vtt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2025-01-18T17:54:53.730+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/7f4f44d8-89ea-5a84-8014-090b6ea88f3c-eng.vtt","url":"https://media.ccc.de/public/recordings/84647","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":126,"length":1898,"mime_type":"video/webm","language":"eng-deu-fra","filename":"38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-01-28T01:28:24.424+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/webm-sd/38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_webm-sd.webm","url":"https://media.ccc.de/public/recordings/82749","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":222,"length":1898,"mime_type":"video/webm","language":"eng-deu-fra","filename":"38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-01-28T01:42:50.897+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/webm-hd/38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_webm-hd.webm","url":"https://media.ccc.de/public/recordings/82748","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c",
"conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":117,"length":1898,"mime_type":"video/mp4","language":"eng-deu-fra","filename":"38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2024-12-29T15:27:17.334+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-sd/38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_sd.mp4","url":"https://media.ccc.de/public/recordings/82732","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":28,"length":1898,"mime_type":"audio/mpeg","language":"eng","filename":"38c3-178-eng-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-01-28T00:34:43.747+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/mp3/38c3-178-eng-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_mp3.mp3","url":"https://media.ccc.de/public/recordings/82730","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":20,"length":1898,"mime_type":"audio/opus","language":"eng","filename":"38c3-178-eng-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-01-28T00:33:08.587+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/opus/38c3-178-eng-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_opus.opus","url":"https://media.ccc.de/public/recordings/82729","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":18,"length":1898,"mime_type":"
audio/opus","language":"deu","filename":"38c3-178-deu-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_opus-2.opus","state":"new","folder":"opus-translation","high_quality":false,"width":0,"height":0,"updated_at":"2024-12-29T15:21:44.681+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/opus-translation/38c3-178-deu-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_opus-2.opus","url":"https://media.ccc.de/public/recordings/82728","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":334,"length":1898,"mime_type":"video/mp4","language":"eng-deu-fra","filename":"38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-12-29T15:20:54.786+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-hd/38c3-178-eng-deu-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker_hd.mp4","url":"https://media.ccc.de/public/recordings/82727","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":273,"length":1898,"mime_type":"video/mp4","language":"fra","filename":"38c3-178-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-12-29T15:20:47.522+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-hd/38c3-178-fra-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker.mp4","url":"https://media.ccc.de/public/recordings/82726","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":273,"length":1898,"mime_type":"video/mp4","language":"deu","filename":"38c3-178-deu-From_fault_inje
ction_to_RCE_Analyzing_a_Bluetooth_tracker.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-12-29T15:20:41.239+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-hd/38c3-178-deu-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker.mp4","url":"https://media.ccc.de/public/recordings/82725","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":274,"length":1898,"mime_type":"video/mp4","language":"eng","filename":"38c3-178-eng-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-12-29T15:20:35.113+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-hd/38c3-178-eng-From_fault_injection_to_RCE_Analyzing_a_Bluetooth_tracker.mp4","url":"https://media.ccc.de/public/recordings/82724","event_url":"https://media.ccc.de/public/events/7f4f44d8-89ea-5a84-8014-090b6ea88f3c","conference_url":"https://media.ccc.de/public/conferences/38c3"}]}