Recently it seems our home/car/bicycle locks have started to follow a new trend: to include a BLE chip inside to make them “smart”.
Unlike smart toothbrushes, socks or kettles, locks guard our safety, and their security should be much more of a concern. Vendors promise “military-grade level of security”, “128-bit encryption” and “cryptographic key exchange protocol” using “latest PKI technology”. However, recent disclosures of multiple vulnerabilities in smart locks clearly contradict the assurances on the actual security provided, and raise the question of whether these devices have passed any independent security assessments at all!
Bring your Kali Linux installs with your own BLE dongle and/or Bluetooth sniffing hardware of choice, and we’ll go about hacking at least 7 various smart locks. You will learn how to intercept, analyze, find vulnerabilities in such devices. You will get familiar with available tools, including GATTacker Bluetooth Smart Man-in-the-Middle proxy presented at BH16 from its own creator.
Our live hacking session will cover among others:
- Lack of link-layer encryption and possible MITM scenarios
- Passive sniffing
- Static authentication password
- Replay attacks
- Command injection
- Denial of Service
- Cracking “own PKI”
- Other flaws of custom challenge-response authentication
- Abusing excessive services (e.g. module’s default AT-command interface).
- Sharing keys weaknesses
For takeaway, a specially prepared BLE Hackmelock device will also be introduced. The device can then be simulated on your Raspberry Pi, Linux or Mac and along with an enclosed Android application, provides for various levels of challenges to help you to further practice BLE hacking at home.
- Basic familiarity with Linux command-line, Wireshark, Kali.
- Scripting, programming skills, mobile application reversing experience will be an advantage.
Hardware and software:
You are welcome to take part in the workshop without having any additional hardware. You will receive all necessary code, files and instructions – to buy it later if needed, and then practice BLE hacking at home – by attacking Hackmelock emulated device. However, if you wish to take active part in the workshop, for best hands-on experience we suggest the hardware options below. If you are interested, we can prepare the chosen hardware option for you – please fill the form linked below.
Kali Linux. A few additional tools and files will be required on top of standard Kali Linux. Therefore we will share preconfigured images (VMware and Virtualbox). Please make sure to have virtualization software installed.
Android > 4.3 smartphone – not crucial, but helfpul for a few exercises.
Most exercises will require at least one (in many cases two) Bluetooth 4 adapters. It is quite probable your laptop has a compatible adapter built-in, however we cannot guarantee it will work properly for our purposes. Therefore we recommend CSR8510-based (most popular) USB dongles. You can easily buy them online, and probably also in local computer store. For your convenience we can provide you a set of 2 such dongles for 10 EUR (per set).
Some exercises will involve passive BLE RF sniffing. There are several hardware options. Most renowned is, costing around 120$, Ubertooth One (https://greatscottgadgets.com/ubertoothone). Another popular option is 30$ Adafruit LE sniffer (https://www.adafruit.com/product/2269). The workshop will be demoed using development board, which works exactly like the abovementioned Adafruit (is also based on nrf51822 module), but is a bit cheaper and more flexible: http://www.waveshare.com/NRF51822-Eval-Kit.htm The board can be used later also for other purposes – BLE prototyping and programming experiments. In contrast to Adafruit sniffer, it just needs to be flashed (using hardware SWD debugger, or Raspberry Pi – instructions will be provided) with sniffer firmware. We can prepare you such sniffer-flashed board for 20 EUR.
Some exercises will require having multiple VMs running at the same time, second laptop (e.g. cooperate with a colleague), or – a dedicated Raspberry Pi. For 100 EUR we can provide you a complete BLE beginners lab set, consisting of:
- 2x Bluetooth dongle,
- wireless sniffer
- Raspberry Pi 3 (+ microSD + 3.1A power adapter) configured with all necessary tools and Hackmelock installed
- pendrive with the VM images, tools and additional files
Location: IoT Village at Brucon, Westmalle University
Date: Thursday, 5.10.2017, 13:30 - 17:30