DEMO: Extracting Physical-Layer BLE Advertisement Information from Broadcom and Cypress Chips
Jiska Classen, Matthias Hollick

TL;DR
This paper demonstrates a research tool for analyzing BLE advertisements, built by reverse-engineering how Broadcom and Cypress chip firmware implements them, potentially enhancing contact tracing and exposure notifications across billions of devices.
Contribution
It reveals how to extract physical-layer BLE advertisement information from widely used chips, enabling improved contact tracing capabilities.
Findings
Firmware allows extraction of physical-layer BLE info
Applicable to hundreds of millions of devices
Potential to enhance exposure notification systems
Abstract
Multiple initiatives propose utilizing Bluetooth Low Energy (BLE) advertisements for contact tracing and SARS-CoV-2 exposure notifications. This demo shows a research tool to analyze BLE advertisements; if universally enabled by the vendors, the uncovered features could improve exposure notifications for everyone. We reverse-engineer the firmware-internal implementation of BLE advertisements on Broadcom and Cypress chips and show how to extract further physical-layer information at the receiver. The analyzed firmware works on hundreds of millions of devices, such as all iPhones, the European Samsung Galaxy S series, and Raspberry Pis.
