Marc Newlin

@marcnewlin

Followers: 3K | Following: 3K | Media: 169 | Statuses: 1K

Hacker. Engineer. Burner. I'm a DARPA challenge junkie, and recently acquired a fourth pair of pants. #BlackLivesMatter.

Los Angeles, CA
Joined May 2010
@marcnewlin
Marc Newlin
2 years
I decided to release the PoC scripts ahead of my ShmooCon talk. Happy Hacking :)
github.com
Contribute to marcnewlin/hi_my_name_is_keyboard development by creating an account on GitHub.
@marcnewlin
Marc Newlin
1 year
Thank you to the amazing @GSGLabs team for building Cynthion and enabling the start of my FPGA journey. I'm not sure where this hackery will lead, but I have the Cynthion talking to an ADF7242 over SPI and SPORT, and I think some fun timing attacks are just around the corner :)
@marcnewlin
Marc Newlin
1 year
RT @embeddedsec: I’ll also be recapping my and @marcnewlin’s escapades in the Spectrum Collaboration Challenge on a panel about @DARPA comp….
@marcnewlin
Marc Newlin
1 year
You can also read flash over Bluetooth. Here's a PoC that demonstrates this on the Apple Magic Keyboard A2450.
gist.github.com
@marcnewlin
Marc Newlin
1 year
Apple HID devices have this neat feature where you can read the contents of flash over USB. Here's a PoC for keyboards A1843, A2449, A2450, A2520, mouse A1657, and TV remote A2854. Happy Hacking :).
gist.github.com
@marcnewlin
Marc Newlin
1 year
RT @antriksh_s: Happy to see @marcnewlin on @nullcon stage with his new bugs which got patched last week by Apple & Google ! .
@marcnewlin
Marc Newlin
1 year
RT @trufflesec: ⌨️ There's a keyboard button in Linux that can sometimes dump root memory when pressed. 😅 It's made worse with @marcnewli….
@marcnewlin
Marc Newlin
1 year
I didn't want Apple to feel left out, so I also found CVE-2024-23277, which is another Bluetooth keystroke-injection bug affecting macOS and iOS (fixed in macOS 14.4 and iOS 17.4).
support.apple.com
This document describes the security content of macOS Sonoma 14.4.
@marcnewlin
Marc Newlin
1 year
RT @nullcon: We look forward to hearing more about your #research “ unauthenticated Bluetooth keystroke-injection vulnerabilities “ next w….
nullcon.net
@marcnewlin
Marc Newlin
1 year
Google just patched another critical-severity Bluetooth bug I found in Android (CVE-2024-23717). This one is similar to CVE-2023-45866, only it exploits a different path in the pairing state-machine. More details and PoC coming next Friday at @NullCon :)
source.android.com
@marcnewlin
Marc Newlin
2 years
RT @iiiikarus: I've just tested @marcnewlin's Bluetooth attack against my Google Pixel 3a. It just works! Really scary stuff! . Even worse,….
@marcnewlin
Marc Newlin
2 years
More details about the Bluetooth bugs I am presenting at ShmooCon, including the Magic Keyboard bugs that landed this morning. Happy Hacking :)
github.com
SkySafe Miscellaneous Reverse Engineering Blog. Contribute to skysafe/reblog development by creating an account on GitHub.
@marcnewlin
Marc Newlin
2 years
Props to Microsoft for landing a fix ahead of my @ShmooCon talk, even though I disclosed to MS ~2 months after the other vendors. Bluetooth keystroke-injection PoCs drop at ~3pm ET on Saturday for macOS, iOS, Android and Linux (CVE-2023-45866), and Windows (CVE-2024-21306).
@marcnewlin
Marc Newlin
2 years
The Android fix for CVE-2023-45866 broke Fast Pair and Nearby Share (per a conversation I had with Google). I haven't attempted to characterize what they re-architected, but it's interesting to see the apparent move away from Nearby Share.
@marcnewlin
Marc Newlin
2 years
Here's what CVE-2023-45866 looks like on macOS 13.3 (fixed in 14.2).
@marcnewlin
Marc Newlin
2 years
CVE-2023-45866 has been around for a while. This is what it looks like when you time travel to 2013 and target a phone running Android 4.2.2.
@marcnewlin
Marc Newlin
2 years
So I got a new TV today, and it's awesome except that it supports BT forced pairing & keystroke injection (CVE-2023-45866). I think more affected devices will probably surface after I release PoC code at @shmoocon :).