HackInTheBox Amsterdam

Blue Picking: Hacking Bluetooth Smart Locks (2h workshop)

Recently it seems our home/car/bicycle locks have started to follow a new trend: to include a BLE chip inside to make them “smart”.

Unlike smart toothbrushes, socks or kettles, locks guard our safety, and their security should be much more of a concern. Vendors promise “military-grade level of security”, “128-bit encryption” and “cryptographic key exchange protocol” using “latest PKI technology”. However, recent disclosures of multiple vulnerabilities in smart locks clearly contradict the assurances on the actual security provided, and raise the question of whether these devices have passed any independent security assessments at all!

Bring your Kali Linux install with your own BLE dongle and/or Bluetooth sniffing hardware of choice, and we’ll go about hacking at least seven different smart locks. You will learn how to intercept and analyze BLE traffic and how to find vulnerabilities in such devices. You will get familiar with the available tools, including the GATTacker Bluetooth Smart Man-in-the-Middle proxy presented at Black Hat 2016 (BH16), taught by its own creator.

Our live hacking session will cover among others:

  • Lack of link-layer encryption and possible MITM scenarios
  • Passive sniffing
  • Static authentication password
  • Spoofing
  • Replay attacks
  • Command injection
  • Denial of Service
  • Cracking vendors’ home-grown “PKI”
  • Other flaws of custom challenge-response authentication
  • Abusing unnecessarily exposed services (e.g. the BLE module’s default AT-command interface)
  • Weaknesses in key-sharing mechanisms

As a takeaway, a specially prepared BLE Hackmelock device will also be introduced. The device can be simulated on your Raspberry Pi, Linux or Mac and, together with the enclosed Android application, provides several levels of challenges so you can continue practicing BLE hacking at home.

PRE-REQUISITES

  • Basic familiarity with the Linux command line, Wireshark and Kali.
  • Scripting or programming skills and mobile application reversing experience will be an advantage.

Hardware and software:

You can take part in the workshop without any additional hardware. You will receive all the necessary code, files and instructions, so you can buy the hardware later if needed and then practice BLE hacking at home by attacking the emulated Hackmelock device. However, if you wish to take an active part in the workshop, for the best hands-on experience we suggest the hardware options below. If you are interested, we can prepare the chosen hardware option for you; please fill in the form linked below.

  • Kali Linux. A few additional tools and files will be required on top of a standard Kali Linux install, so we will share preconfigured images to download before the conference (the link will be provided here). For your convenience we can also provide you with a USB pendrive containing the VMs, all necessary files, source code and slides, for 10 EUR.

  • An Android smartphone running Android 4.3 or newer. Not crucial; needed mostly for the Hackmelock exercises, which can also be done later at home.

  • Most exercises will require at least one (in many cases two) Bluetooth 4 adapters. It is quite probable that your laptop has a compatible adapter built in, but we cannot guarantee it will work properly for our purposes. We therefore recommend CSR8510-based USB dongles (the most popular ones). We can provide you with a set of two such dongles for 15 EUR.

  • Some exercises will involve passive BLE RF sniffing. There are several hardware options. The best known is the Ubertooth One, costing around $120 (https://greatscottgadgets.com/ubertoothone). Another popular option is the $30 Adafruit LE sniffer (https://www.adafruit.com/product/2269). The workshop will be demoed using a development board that works exactly like the Adafruit sniffer (it is also based on the nRF51822 module) but is a bit cheaper and more flexible: http://www.waveshare.com/NRF51822-Eval-Kit.htm The board can later be used for other purposes as well, such as BLE prototyping and programming experiments. In contrast to the Adafruit sniffer, it first needs to be flashed with the sniffer firmware (using a hardware SWD debugger or a Raspberry Pi; instructions will be provided). We can prepare such a sniffer-flashed board for you for 20 EUR.

  • Some exercises will require running multiple VMs at the same time, a second laptop (e.g. by cooperating with a colleague), or a dedicated Raspberry Pi.

We can provide you with a set of two Bluetooth dongles, a wireless sniffer and a Raspberry Pi 3 configured with all necessary tools and Hackmelock, for 100 EUR. This set will give you the best hands-on experience and a beginner’s BLE hacking lab, ready to use later at home.

Location: Track 3 / HITB Labs
Date: April 14, 2017
Time: 2:00 pm - 4:00 pm

Conference site:

http://conference.hitb.org/hitbsecconf2017ams/sessions/hitb-lab-blue-picking-hacking-bluetooth-smart-locks/
