Earliest start date: February 2023
In the past, we looked into multiple Bluetooth stacks: iOS [3], macOS [2], Linux, and Android. However, Windows is still a partial blind spot.
What already exists:
- A basic understanding of the Windows Bluetooth stack and existing debug tools to look into all packets.
- Reversing and documentation of the Windows Bluetooth stack.
This is a solid base to get started with Bluetooth security analysis and reverse engineering on Windows. There are multiple tasks that would be interesting; which ones you choose depends on your skill level and on whether you want to work on a BSc or an MSc thesis.
- Hook the Windows Bluetooth stack in the kernel with WinDbg, so that packets can not only be logged but also injected and modified.
- Write a fuzzer for the Windows Bluetooth stack.
- Implement or simulate known attacks on Bluetooth stacks to analyze how they were patched.
- Integrate this knowledge about the Bluetooth stack into InternalBlue [1], a Bluetooth firmware experimentation framework.
For further reference, see:
[1] InternalBlue Project on GitHub, https://github.com/seemoo-lab/internalblue
[2] B.Sc. Thesis about porting InternalBlue to macOS, https://github.com/seemoo-lab/internalblue/blob/master/doc/macos_bluetooth_stack_thesis_davide_toldo.pdf
[3] M.Sc. Thesis about fuzzing Bluetooth on iOS, https://github.com/seemoo-lab/toothpicker/blob/master/assets/toothpicker_thesis.pdf