Post B1qInift6Jo1tmivjs by jcoglan@mastodon.social
 (DIR) Post #B1qIncK2iclcCISOrA by jcoglan@mastodon.social
       2025-12-29T21:03:46Z
       
       1 likes, 1 repeats
       
       amazing how many talks at c3, defcon et al boil down to "we looked at the protocol format and it's as though nobody ever thought to do this before"
       
 (DIR) Post #B1qInift6Jo1tmivjs by jcoglan@mastodon.social
       2025-12-29T21:04:58Z
       
       1 likes, 0 repeats
       
       talk: so the bluetooth frame includes a flag to say if it's a firmware update
       me: I see
       
 (DIR) Post #B1qInvKO3ZKd8rlRWy by jcoglan@mastodon.social
       2025-12-29T21:06:04Z
       
       0 likes, 0 repeats
       
       bluetooth lets you read/write arbitrary device memory?! https://www.youtube.com/watch?v=TK5Tz4Bt94Y
       
 (DIR) Post #B1qIo1yfKj7FlWeh96 by jcoglan@mastodon.social
       2025-12-29T21:26:15Z
       
       1 likes, 0 repeats
       
       so you can exploit bluetooth to hijack call control on headphones and use that to take over a whatsapp account
       from there you hijack amazon, which offers whatsapp as an auth channel
       great demo of why all these big tech platforms using one another as auth channels was a terrible idea
       
 (DIR) Post #B1qIo8Dm7Sld87lqWu by jcoglan@mastodon.social
       2025-12-29T21:27:35Z
       
       0 likes, 0 repeats
       
       oauth's idea to let you grant access to a resource was fine. escalating that to having said resource be your identity was not
       
 (DIR) Post #B1qIoEGTeKUfsF55Zg by jcoglan@mastodon.social
       2025-12-29T21:29:18Z
       
       0 likes, 0 repeats
       
       also loads of services adopting phone numbers (and associated channels like whatsapp) as credentials, when they often have not verified them at all, is absolutely wild