NexMon (@nexmon_dev)'s Twitter Profile
NexMon

@nexmon_dev

NexMon is a firmware patching framework for the BCM4339 WiFi firmware of Nexus 5 smartphones.

ID: 766275985658568704

18-08-2016 14:10:06

155 Tweets

722 Followers

73 Following

@seemoo@infosec.exchange (@seemoolab)'s Twitter Profile Photo

Today at #36c3, 5:10pm (GMT+1), Jiska will present "All wireless communication stacks are equally broken". Live stream and recordings available on streaming.media.ccc.de/36c3/halla. Covers results of Cybersecurity | TU Darmstadt ATHENE LOEWE emergenCITY

Jiska (@naehrdine)'s Twitter Profile Photo

While you are all about hacking and breaking things, we built some cool wireless stuff with InternalBlue and NexMon, which we will present at #EWSN2020, February 17-19, Lyon, France. Happy to meet and chat if you are around, either at the conference or in Lyon.

Christian B. (@kimocoder)'s Twitter Profile Photo

Qualcomm QCACLD with monitor mode is served. Brings sniffer capabilities to a bunch of Android devices. I'll update the paper as we go this week, but now, ENJOY! Aircrack-ng Kali Linux NexMon digi.no The Hacker News github.com/kimocoder/qual…

Jiska (@naehrdine)'s Twitter Profile Photo

Jan just released Frankenstein, the Broadcom/Cypress Bluetooth firmware emulator that enables fuzzing and further kinds of debugging. It works within a fully-functional Linux BlueZ stack and features virtual modem input. (1/2) github.com/seemoo-lab/fra…

Jiska (@naehrdine)'s Twitter Profile Photo

Since people were asking how it works internally, here is Jan's final presentation, which covers the most important aspects why ARM Thumb2 disassembly was problematic and how the binary-only approach works. (9/8) github.com/seemoo-lab/pol…

Jiska (@naehrdine)'s Twitter Profile Photo

It's online! Bluetooth RCE == Wi-Fi RCE. Say hello to Spectra, the concept of breaking wireless chip separation as they share the same spectrum. #BlackHat blackhat.com/us-20/briefing…

NexMon (@nexmon_dev)'s Twitter Profile Photo

Take a look at github.com/reinhardh/dna_… to decode the first episode of biohackers encoded in DNA on de.biohackersnetflix.com

NexMon (@nexmon_dev)'s Twitter Profile Photo

Who has a Galaxy S21 and could give me access to the BCM4389 WiFi 6e firmware files? And maybe remotely to the device to dump the chip's ROM?

@seemoo@infosec.exchange (@seemoolab)'s Twitter Profile Photo

We reverse-engineered Apple's Find My network for tracking offline #Bluetooth devices. Corresponding paper at PETS. Create your own #AirTags today: github.com/seemoo-lab/ope…

NexMon (@nexmon_dev)'s Twitter Profile Photo

Happy Easter! Today I published our monitor mode and frame injection patches for the BCM4375 Wi-Fi chips installed in Samsung Galaxy S10 and S20 smartphones. I am still looking for access to a Galaxy S21 to analyze its firmware. nexmon.org #nexmon

NexMon (@nexmon_dev)'s Twitter Profile Photo

Very nice that you finally found the shared memory regions between Wi-Fi and Bluetooth chip. As nexmon just patches the Wi-Fi firmware before loading it, we could try to load a patched Wi-Fi firmware using the Bluetooth chip and then reset the Wi-Fi chip to start it.

Jiska (@naehrdine)'s Twitter Profile Photo

The remaining ACM WiSec tutorials are online: open-sourcing research projects by Milan (@[email protected]), firmware reverse engineering with Ghidra by stacksmashing, firmware rehosting with avatar2 by nSinus-R (@[email protected]) and details on a 5G testbed by Jennifer Gabriel (5G Lab Germany & ComNets Chair at TUD).

@seemoo@infosec.exchange (@seemoolab)'s Twitter Profile Photo

The paper is online – reverse engineered details on WiFi password sharing and Handoff on Apple devices. usenix.org/system/files/s…

AirGuard (@airguardandroid)'s Twitter Profile Photo

We published a pre-print paper about AirGuard. How does the app work? How does it perform against the iOS tracking detection and what can we learn from the anonymous data shared by the user? arxiv.org/abs/2202.11813