2022
In progress
Android Wireless Subsystem Security
Supervisor:
Jiska Classen
Earliest start date: February 2023
Wireless interfaces are an attack surface for zero-click remote code execution vulnerabilities. Typically, an attacker would try to find a parsing issue within a wireless chip or in a low-level wireless stack component within the operating system, and then escalate further. Thus, researching these interfaces is important.
Android is available for many platforms with different hardware. Vendors add custom hardware adaptation layers for compatibility with Android. However, these interfacing layers are vendor-specific and proprietary. Detailed knowledge about interfaces between components enables security research [1] and building tooling to customize wireless chips and stacks [2, 3]. Due to the proprietary nature of these interfaces, many of them remain undocumented. We have several wireless interfaces that have not yet been researched, as well as already researched interfaces that would benefit from better tooling.
We offer experience within the Google ecosystem as well as OEMs (Samsung, etc.), including reverse-engineering tips for firmware and user-space daemons. Additionally, since we have supervised many theses in this area, we have a collection of example theses on how to reverse engineer and fuzz such interfaces. We also have rooted, up-to-date Android smartphones. For your own safety and security, these are designated research devices and not meant for private usage. When researching a new interface, it is common to uncover new vulnerabilities, which you will report within Google's vulnerability reward program or the OEM's program, and you might be rewarded a bug bounty. We also encourage and financially support you in presenting your results at a scientific or security conference.
Please contact us for more details and to choose a task that suits a thesis. A B.Sc. thesis would usually advance tooling for something previously reverse engineered (see [1]), and an M.Sc. thesis is about reverse-engineering an interface and developing tools (see [2]). The precise topic will be tailored to your previous experience. It is recommended to have a reverse-engineering background, e.g., previous participation in CTFs. Depending on the topic, either a strong programming background is required (developing an open-source tool for an Android interface) or a good understanding of software/hardware security is mandatory (fuzzing a protocol, implementing a firmware attack, …).
We are currently getting many requests for this topic area. Please only contact us if you plan to start your thesis by February 2023 or later, or if you have sufficient background knowledge to work on a topic on your own (e.g., are already familiar with Android hacking and don't need an introduction).
[1] ARIstoteles: iOS Baseband Interface Protocol Analysis
[2] InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering
[3] Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications
2022
In progress
Bluetooth Security Analysis on Windows
Supervisor:
Jiska Classen
Earliest start date: February 2023
In the past, we looked into multiple Bluetooth stacks: iOS [3], macOS [2], Linux, and Android. However, Windows is still partially a blind spot.
What exists so far:
A basic understanding of the Windows Bluetooth stack and existing debug tools to look into all packets.
Reversing and documentation of the Windows Bluetooth stack.
This is a great base to get started with Bluetooth security analysis and reverse engineering on Windows. There are multiple tasks that would be interesting; which ones you choose depends on your skill level and on whether you want to work on a B.Sc. or an M.Sc. thesis.
Hook the Windows kernel with WinDbg to not only log packets but also inject and modify them.
Write a fuzzer for the Windows Bluetooth stack.
Implement or simulate known attacks on Bluetooth stacks to analyze how they were patched.
Integrate this knowledge about the Bluetooth stack into InternalBlue [1], a Bluetooth firmware experimentation framework.
For further reference, see:
[1] InternalBlue Project on GitHub, https://github.com/seemoo-lab/internalblue
[2] B.Sc. Thesis about porting InternalBlue to macOS, https://github.com/seemoo-lab/internalblue/blob/master/doc/macos_bluetooth_stack_thesis_davide_toldo.pdf
[3] M.Sc. Thesis about fuzzing Bluetooth on iOS, https://github.com/seemoo-lab/toothpicker/blob/master/assets/toothpicker_thesis.pdf
2021
In progress
Glitching Wireless Chips
Supervisor:
Jiska Classen
Glitching is a method that allows bypassing security checks in firmware running on chips. Dropping voltage or inducing an electromagnetic field for a very short moment causes the chip to behave differently. For example, the chip might skip a check in the secure bootloader, allowing an attacker to run arbitrary firmware. This is of special interest for wireless security research. Instead of re-implementing protocols on software-defined radios, we can modify existing firmware to test very specific security assumptions in an otherwise unmodified environment.
We have a lab with various equipment suitable for glitching, such as oscilloscopes, the ChipWhisperer and the ChipShouter. Thus, the thesis will require you to do at least some parts of the work onsite. However, we also have some ChipWhisperer Nanos etc., in case you want to do parts of the work from home.
Required background knowledge is either electrical engineering or IT security. The topic can be done as either a B.Sc. or an M.Sc. thesis, depending on the number and complexity of chips.
2021
In progress
iPhone Baseband
Supervisor:
Jiska Classen
2021
In progress
iOS CommCenter Protocol Analysis
Supervisor:
Jiska Classen
2021
In progress
iOS CommCenter Fuzzing
Supervisor:
Jiska Classen
2021
In progress
iOS Bluetooth Security
Supervisor:
Jiska Classen
2021
Completed
Very Pwnable Network: Reverse Engineering and Vulnerability Analysis of AnyConnect for Linux
Supervisor:
Jiska Classen
2021
In progress
Responsible Disclosure in the IoT Sector
Supervisor:
Jiska Classen
2021
In progress
Practical Analysis of Friendly Jamming to Augment the Security of Industrial Remote Control Systems
Supervisor:
Jiska Classen
2021
In progress
Improving State Coverage in Bluetooth Fuzzing
Supervisor:
Jiska Classen
2021
Completed
Attacks on Wireless Coexistence
Supervisor:
Jiska Classen
2021
In progress
AnyConnect and VPN Security on iOS
Supervisor:
Jiska Classen
2021
Completed
A Full-Band Bluetooth Sniffer for a Software-Defined Radio
Supervisor:
Bastian Bloessl
Jiska Classen
2020
Completed
Keylogging Side-Channel Attacks on Bluetooth Timestamps: A Timing Analysis of Keystrokes on Apple Magic Keyboards
Supervisor:
Matthias Gazzari
Jiska Classen
In the past, several timing attacks have been applied to recover sensitive input on keyboards. If this kind of attack could be migrated to the wireless communication of keyboards, it would make the use of wireless keyboards less secure. In this thesis we apply a timing attack to the Bluetooth communication of the Apple Magic Keyboard by recording the time between consecutive Bluetooth packets and recovering the typed input with a Hidden Markov Model (HMM). With this attack we are able to shrink the search space of random passwords by a factor of 5 to 10, which considerably speeds up exhaustive search.
2020
Completed
VPN in a Mobile Environment: Security, Privacy, and Usability
Supervisor:
Jiska Classen
2020
Completed
ToothPicker: Enabling Over-the-Air and In-Process Fuzzing Within Apple's Bluetooth Ecosystem
Supervisor:
Jiska Classen
2020
Completed
Remote Code Patching Framework for a TETRA Base Station
Supervisor:
Jiska Classen
2020
Completed
Practical Security Analysis of IoT Ecosystems
Supervisor:
Jiska Classen
2020
Completed
Practical Bluetooth RNG Analysis
Supervisor:
Jiska Classen
2020
Completed
Polypyus: Firmware History Based Binary Diffing
Supervisor:
Jiska Classen
2020
Completed
Fuzzing a TETRA Base Station via Binary Patching
Supervisor:
Jiska Classen
2020
Completed
Bluetooth Low Energy Sniffing
Supervisor:
Bastian Bloessl
Jiska Classen
2020
Completed
Applicability of IoT Security Frameworks as Guidelines for Penetration Testing
Supervisor:
Jiska Classen
Max Maass
2020
Completed
Analyzing the macOS Bluetooth Stack
Supervisor:
Jiska Classen
2019
In progress
Communicating Privacy and Security issues
Supervisor:
Jiska Classen
2019
In progress
TETRA Base Station Binary Patching
Supervisor:
Jiska Classen
2019
Completed
Intercom Security
Supervisor:
Lars Almon
Jiska Classen
Intercom security analysis.
2019
In progress
Bluetooth Entropy
Supervisor:
Jiska Classen
2019
In progress
Bluetooth Controller Emulation and Fuzzing
Supervisor:
Jiska Classen
2019
Completed
Secure Device Pairing Using Short-Range Acoustic Communication
Supervisor:
Flor Maria Alvarez Zurita
Jiska Classen
2019
Completed
PowerPC Binary Patching and dissecting of TETRA Base Station
Supervisor:
Jiska Classen
2019
Completed
Fuzzing the Linux Bluetooth Stack
Supervisor:
Jiska Classen
2019
Completed
Dynamic Bluetooth Firmware Analysis
Supervisor:
Jiska Classen
2019
Completed
Analyzing Firmware and Cloud Security of a Premium IoT Ecosystem
Supervisor:
Fabian Ullrich
Jiska Classen
2019
Completed
A researcher’s guide to the Fitbit Ionic smartwatch
Supervisor:
Jiska Classen
Daniel Wegemer
2019
Completed
A Study on Proprietary Communication Protocols Used in TETRA Hardware Components
Supervisor:
Jiska Classen
2018
Completed
Security of Radio Remote-Controlled Shunting Locomotives
Supervisor:
Jiska Classen
2018
Completed
Security Analysis and Firmware Modification of Fitbit Fitness Trackers
Supervisor:
Jiska Classen
2018
Completed
InternalBlue - A Bluetooth Experimentation Framework Based on Mobile Device Reverse Engineering
Supervisor:
Matthias Schulz
Jiska Classen
2018
Completed
Attack Analysis of a TETRA Base Station
Supervisor:
Jiska Classen
2018
Completed
Analysing and Evaluating Interface, Communication, and Web Security in Productive IoT Ecosystems
Supervisor:
Jiska Classen
Max Maass
2017
Completed
TETRA Security Analysis by Fuzzing
Supervisor:
Jiska Classen
2017
Completed
Improving a Linux Device Driver for Visible Light Communication
Supervisor:
Jiska Classen
2017
Completed
Implementation of the Lower MAC Layer for the OpenVLC Hardware
Supervisor:
Jiska Classen
2017
Completed
Implementation of a Physical Layer for Visible Light Communication using the OpenVLC platform
Supervisor:
Jiska Classen
2017
Completed
Detecting WiFi Covert Channels
Supervisor:
Jiska Classen
2017
Completed
Design and Evaluation of a Hybrid SDR Testbed For Visible Light Communication and Wi-Fi
Supervisor:
Jiska Classen
2017
Completed
Securing SCADA Protocols
Supervisor:
Jiska Classen
2016
Completed
TETRA Fuzzing
Supervisor:
Jiska Classen
2016
Completed
Location Privacy of Digital Trunked Radio
Supervisor:
Jiska Classen
Robin Klose