Fuzzed the phone in the iPhone, aka CommCenter, via Apple Remote Invocation (ARI) and Qualcomm MSM Interface (QMI). The #rC3 talk is scheduled for tomorrow 1:40PM. Very visual fuzzer, so the talk will be easy to follow for fuzzing and security newcomers.

rc3.world/rc3/public_fah…
Since the stream currently has some issues, the slides are here: docs.google.com/presentation/d…
We're recording a Q&A and you can still ask questions! Sorry for the technical issues, @c3voc is partially down.
Still some issues with the official media.ccc.de platform, so I put my #rC3 talk "Fuzzing the Phone in the iPhone" on YouTube. Yes, I just opened a new YouTube channel for this ;)

More from @naehrdine

26 Apr 20
We just released Polypyus, a binary-only diffing tool programmed by @freebejan that runs independently of Ghidra and IDA and integrates into the workflow of other diffing tools. (1/n)
github.com/seemoo-lab/pol…
This was a long journey starting with @dennismantz, who reverse-engineered the Nexus 5 Bluetooth firmware. It doesn't have any strings or symbols, but he located threads and HCI handlers and enabled firmware patching with InternalBlue in mid-2018. (2/n)
I continued reverse-engineering based on the specification to locate SSP and LMP handlers. Even though I just found CVE-2018-19860 (without looking for parsing issues), all recent specification-compliant attacks are in there: ECDH, KNOB, BIAS. (3/n)
10 Apr 20
Because several people were asking about #Bluetooth, I'll make a thread. But I might ignore further questions, especially regarding over-the-air exploits. #DP3T

• BLE advertisements have a longer range than 2m, but are way more accurate than LTE cell towers. (1/n)
• BLE advertisement distance measurement accuracy depends a lot on the chips, meaning that they will work well within the Apple ecosystem, but probably not so well on some Androids. (2/n)
• The Singapore app solves this by maintaining active BLE/GATT connections, which provides better measurements, but drains battery power.

• On iOS, the BLE/GATT handler has been extensively tested for security issues and is definitely one of the better ones by now. (3/n)