Practical Bluetooth Low Energy Security

Course Details

Training Level: Beginner

Price

Early Bird: USD2,899.00 (Use Code: SS2023TEB. Ends 30th June, 2359H)
Normal: USD3,330.00

Course Abstract

Bluetooth Low Energy is one of the most common and rapidly growing IoT technologies. We are immersed in surrounding BLE signals: COVID contact tracing, beacons, wearables, TVs, home appliances, toothbrushes, sex toys, light bulbs, smart locks, electric scooters, cars, medical devices, crypto wallets, 2FA, banking tokens, ATMs – to name just a few. Unfortunately, the prevalence of the technology does not come with security. Alarming vulnerabilities are revealed day by day – not only in individual devices’ implementations, but also generic ones: in the Bluetooth specification itself. And yet, the knowledge of how to comprehensively assess the security of such devices still remains uncommon. This training aims to fill this gap with the best possible approach – hands-on.

We will start with an introduction to the technology – you will become familiar with how BLE works in practice by controlling your dedicated training device. We will follow with various possible attacks and tools, hands-on: sniffing, MITM, relay, jamming, hijacking, cracking, exploiting application layer vulnerabilities, … With this background you will be able to proceed with a security assessment process of example devices – starting with threat modelling, through analysis and attack scenario preparation, up to performing the tests. The training will be heavily packed with example vulnerabilities of real devices, including a banking security token, the Google Titan 2FA dongle, the Tesla mobile key, wireless keyboards, a payment terminal and a dozen smart locks. You will learn how to fingerprint and track devices, how to crack the encryption, abuse the devices’ trust relationships, perform a malicious firmware upgrade or intercept ongoing connections. We will also cover the latest Bluetooth 5 and Mesh technologies. Besides the offensive perspective, you will learn how to protect against the attacks and what the best practices for secure implementation are.

And what’s best: the hardware for practical exercises, along with the dedicated training firmware source code, is included, and allows you to repeat (or adjust if needed) the labs later. You will finish the training being able not only to fully assess and compromise BLE devices, but also with the equipment to do it.

Course Outline

1. What is Bluetooth Low Energy, how it differs from previous Bluetooth versions – introduction.

2. BLE advertisements, broadcasted packets
a) Theory – BLE advertisement packets
b) Scanning for nearby BLE devices’ advertisements: smartphone, command-line, scripts, other tools.
c) BLE Beacons
– iBeacon, Eddystone
– Spoofing/cloning beacons to get rewards, free beer, or activate connected underwear
d) Tracking devices and crowdsourced location (key finders, Apple AirTags, …).
e) Apple, Microsoft devices BLE advertisements.
f) COVID-19 contact tracing / exposure notification BLE packets.
g) Other BLE advertisements – energy meters revealing the current reading, sex toys revealing the device model, …
h) Bleedingbit – RCE chain via improper BLE advertisement parsing.

3. BLE connections
a) Theory introduction: GATT specification, central vs peripheral device, services, characteristics, connections, …
b) Connecting to your dedicated BLE device using various tools
– nRF Connect mobile application: read/write/notify, automation with macros.
– BlueZ command-line
– other tools
c) Taking control of simple, insecure devices (BLE dildo, key finder, …)

4. Sniffing BLE
a) BLE RF layer theory introduction
– Radio modulation, channels, hopping, connection initiation
– Why so many devices do not encrypt the link layer
– Various sniffing hardware and software options
b) Sniffing live raw BLE packets from the air using provided hardware and Wireshark
– Wireshark tips&tricks
– Capture your own connection from mobile app to your BLE device
– How to combine multiple sniffers for better reliability
c) Sniffing demos: smart lock plain text password, banking token OTP
d) Overview of various hardware and open source sniffers: nRF Sniffer, Ubertooth, Btlejack, Sniffle, SDR, …

5. BLE HCI dump – reliably capture own packets
a) Difference from RF layer sniffing
b) Investigate BLE packets intercepted on Android phone in Wireshark
c) Linux command-line hcidump

6. BLE “Machine in the Middle” / remote relay
a) Conditions for MITM, attack scenarios, MAC address cloning
b) BLE MITM / remote relay in practice (local, via Internet), various tools (GATTacker, BtleJuice, Mirage).
c) Abusing proximity autounlock feature via remote relay.
d) Tampering BLE packets via MITM – demo using mobile Point of Sale to alter information displayed on terminal.

7. BLE insecurity case studies
a) Sample smart lock attack: decompile the Android application, reverse-engineer the BLE protocol commands, identify a weakness in the protocol, exploit it in practice using the mobile application
b) Various attacks on proprietary authentication/encryption protocols based on real devices (including several smart locks).
c) Abusing excessive BLE services, hard-coded credentials, remote access share functionality, cloud interface, …

8. BLE link-layer security
a) BLE link layer security mechanisms – introduction, levels, pairing, bonding, why most devices do not implement it at all.
b) Pair the provided smartphone with your dedicated BLE device, sniff the pairing process and crack it.
c) Attacks possible on paired/bonded connections.
d) BLE MAC address randomization, “silent pairing” attacks recovering Identity Resolving Key (for example leveraging contact tracing apps).
e) Abusing trust relationships of bonded devices – vulnerabilities in HID devices, Google Titan U2F token vulnerability technical analysis, attacks via other applications installed on the same mobile phone, …

9. Provided BLE development boards
a) Technical details about provided BLE devboards.
b) How to develop own firmware or adjust included training device source code.
c) Review of provided firmware images / source (sniffer, attack tools, dedicated BLE device).
d) Flashing firmware on the devkits.

10. BLE jamming and hijacking
a) Theory introduction: how to hijack BLE ongoing connections
b) Btlejack, ButteRFly – possible attacks, tools usage.

11. Web Bluetooth
a) Introduction, security design consideration, sample implementations, possible attacks
b) Interact with your BLE device via browser – run sample Web Bluetooth javascript code.

12. BLE device firmware over the air update security
a) Introduction, how the firmware update works, memory layout of BLE SoC.
b) Abuse insecure Over The Air firmware update on provided Nordic Semiconductor SoC.
c) Insecure OTA firmware upgrade in Texas Instruments SoC (taking control over wireless routers, stealing Tesla keys, …).

13. Bluetooth 5 and beyond
a) Introduction, new features, why so many devices claim to be Bluetooth 5 but are not really.
b) New physical layers: 2M, long range coded PHY.
c) New channel hopping RNG.
d) Sniffing BLE5 – current hardware, software support.

14. Bluetooth Mesh
a) Introduction, network topology, BLE4 advertisements as a transport layer, mandatory encryption.
b) Flashing sample Bluetooth Mesh device firmware on a supplied devkit.
c) Provisioning the devices in practice into your own Mesh network
d) Known vulnerabilities and possible weaknesses of Mesh implementations.

15. Other attacks on BLE devices
a) Attacking BLE devices via RF side-channel analysis (e.g. leaking AES key).
b) Vulnerabilities in BLE SDK (e.g. RCE in Nordic SoftDevice)
c) SoC vulnerabilities (memory readout protection bypass, fault injection, …). Sample attack to try out in practice on the provided nRF51 development board

16. Brief review of the multitude of attacks on the BLE protocol and its implementations, as well as attack tools (Bleedingbit, Sweyntooth, BlueFrag, KNOB, BIAS, BLESA, BLURTooth, Frankenstein, JackBNimBLE, InjectaBLE, …)

17. Summary, best practices, references, “hackme” challenges…

18. Short introduction
a) RFID/NFC – where do I start?
b) Frequencies, card types, usage scenarios.
c) How to recognize card type – quick walkthrough.
d) Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware.

19. UID-based access control
a) Introduction – simple, still surprisingly common technologies
b) Communication between a reader and tag.
c) What is stored on the tag?
d) Low Frequency EM410X (“unique”), HID Prox, …, High Frequency Mifare UID
e) Cloning card’s UID – cloners, Proxmark, Chameleon, mobile phone, …
f) Simulating (Proxmark, Chameleon, mobile phone,…), brute-forcing.
g) Interpreting markings on the tag, decoding UID from the picture.
h) Sample vulnerability of a simple access control reader that allows unlocking it without the need for a valid card.
i) Countermeasures against attacks

20. Wiegand – typical transmission between the reader and access controller
a) Theory introduction, signal DATA0, DATA1
b) Wiegand sniffers, implants, transmitters – hardware, open source software
c) Decoding the card UID from sniffed bytes, cloning the card
d) Replaying card data on the wire to open the lock

21. Mifare Ultralight, NTAG
a) Data structure.
b) Reading, cloning, emulating.
c) Example data stored on a hotel guest card.
d) Ultralight EV1, C.

22. Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket
a) Mifare Classic – data structure, access control, keys, encryption.
b) Default, leaked keys.
c) Reading and cloning card data using just a mobile phone.
d) Cracking keys using various attacks and tools (Proxmark, libnfc, Chameleon).
e) Attacks on EV1 “hardened” Mifare Classic.
f) Online attacks against the reader.

Who should attend?

  • Pentesters, security professionals, researchers.
  • BLE device designers, developers.
  • Anyone interested.

Key Learning Objectives

  • Solid understanding of Bluetooth Low Energy
  • Common implementation pitfalls.
  • Device assessment process.
  • Various attacks and tools

Prerequisites

  • Basic familiarity with Linux command-line; some pentesting experience will be helpful but not crucial.
  • No previous knowledge of Bluetooth is required.
  • It is recommended (but optional) to try free BLE HackMe https://smartlockpicking.com/ble_hackme/ before the training – especially first few tasks that allow you to become familiar with the technology basics.

What to bring?

  • Laptop capable of running an x86-64 virtual machine (VirtualBox or VMware), with at least two USB type A ports (or a USB hub) available to the VM guest.
  • An Android smartphone with Bluetooth 5 support will be helpful, but is not obligatory (phones will be provided for participants).
  • Optionally: your own BLE devices you would like to test.

What participants will get

  • Course materials, step by step instructions for hands-on exercises.
  • All required additional files: source code, documentation, installation binaries, virtual machine images.
  • Included hardware pack for hands-on exercises, consisting of Bluetooth 4/5 development boards, dedicated BLE device, hardware sniffers, USB dongles, …

Trainer Profile

Slawomir Jasek

Speaker, trainer and IT security consultant with 20 years of experience. MSc in automatics & robotics, developed secure embedded systems certified for use by national agencies. As a pentester he participated in dozens of assessments of the security of systems and applications for leading financial companies, public institutions and cutting edge startups. Currently focuses on security research of various new technologies (especially Bluetooth Low Energy and NFC/RFID) and provides training regarding the security of devices – based, among others, on contemporary electronic access control systems and smart locks. Besides training and research, he also provides security assessments and consultation on secure design for various software and hardware projects – preferably starting from the design ideas.

Despite having long lost count of the number of BLE devices he owns, he still impulsively acquires more and more and enjoys reversing and breaking them.

Slawomir loves sharing his knowledge via trainings, workshops, talks and open source hackme’s (www.smartlockpicking.com) – at BlackHat, HackInTheBox, Hardwear.io, HackInParis, Deepsec, Appsec EU, BruCon, Confidence, and many others, including private on-demand sessions.
