Silicon Labs is a chip manufacturer known for producing chips with various network-focused features such as Bluetooth and Zigbee. These chips are the basis of a large number of connected objects, and compromising them means compromising all of these connected objects insofar as they use the vulnerable functionality. Our investigation led us to examine Silicon Labs’ open-source SDK, specifically the Gecko SDK, which advertises state-of-the-art secure over-the-air (OTA) update capabilities. While looking at the code that handles parsing of the firmware update, we discovered a vulnerability which can be used in combination with a weakness in the update mechanism to gain persistent code execution on the device, bypassing Secure Boot enforcement and firmware signature verification.
Our presentation will begin with the inner workings of OTA firmware upgrades. We will then go into the specifics of the vulnerability we identified, in particular outlining how we discovered it using fuzzing techniques. We will conclude by going deeper into the exploitation of embedded systems: which mechanisms make exploitation harder and how they can be handled.
Lastly, we will showcase our successful bypass of the Secure Boot mechanism.
Speaker: Sami Babigeon