Hardwear.io 2023 Netherlands

Security Assessment of Bluetooth Low Energy devices

The Hague, Netherlands


Bluetooth Low Energy is one of the most common and rapidly growing IoT technologies. We are immersed in surrounding BLE signals: phones, beacons, wearables, TVs, home appliances, toothbrushes, sex toys, light bulbs, smart locks, electric scooters, cars, medical devices, crypto wallets, 2FA, banking tokens, payment terminals - to name just a few. Unfortunately the prevalence of technology does not come with security. Alarming vulnerabilities are revealed day by day – not only in individual devices’ implementations, but also generic: in the Bluetooth specification itself. And yet, the knowledge on how to comprehensively assess security of such devices still remains uncommon. This training aims to fill this gap, with the best possible - hands-on approach.

We will start with introduction to the technology - you will get familiar on how BLE works in practice by controlling your dedicated training device. We will follow with various possible attacks and tools hands-on: sniffing, fingerprinting, MITM, relay, jamming, hijacking, cracking, exploiting application layer vulnerabilities, … Having this background we will apply the knowledge to perform security assessment of example devices: starting with threat modeling, through analysis and attack scenarios preparation, up to performing the tests and finishing with a report.

And what’s best: the hardware for practical exercises, along with dedicated training firmware source code - is included, and allows you to repeat (or adjust if needed) the labs later. You will finish the training being able not only to fully assess and compromise BLE devices, but also with the equipment to do it.

Training agenda

Bluetooth Low Energy – introduction

  • What is Bluetooth Low Energy, how it differs from previous Bluetooth versions
  • BLE advertisements – beacons, tracking, operating systems, other…
  • BLE connections – GATT, services, characteristics

Intercepting and attacking BLE communication

  • Sniffing BLE – theory introduction, overview of various options, practical exercises using included hardware (nRF, SniffLE, …)
  • BLE HCI dump – reliably capture own packets to Wireshark on Linux, Android and iPhone
  • BLE “Machine in the Middle” / remote relay using various tools (GATTacker, BtleJuice, Mirage).
  • BLE jamming and hijacking

Security mechanisms, libraries, specifications and their vulnerabilities

  • BLE link-layer security – intercepting and cracking insecure pairing process
  • Attacks on BDADDR address randomization, “silent pairing”
  • Abusing trust relationships of bonded devices
  • Attacks via other applications installed on the same mobile phone
  • Supply chain, SDKs
  • Various attacks on BLE protocol and its implementations
  • Secure firmware update
  • Bluetooth 5 and beyond
  • Web Bluetooth
  • Bluetooth Mesh

Developer’s perspective

  • BLE device development process, SoCs, tools, SDKs, stacks, …
  • Flashing, testing, debugging
  • Our included BLE development boards
  • Dedicated training firmware source code

Security assessment of BLE devices

  • Introduction, purpose, scope, blackbox vs whitebox, cooperation with vendors, …
  • Holistic approach to devices’ security – BLE as only a piece of the whole puzzle
  • Security assessment process overview: information gathering, threat modeling, analysis / reversing, attack scenarios preparation and execution, reporting…
  • BLE insecurity case studies – smart locks, cars, security tokens, payment terminals…
  • Test environment setup: running firmware on a devkit, simulating device, implementing communication protocol, preparing custom scripts…
  • Designing and performing attacks in practice on example devices


  • Professional report contents
  • Best practices for outlining the findings
  • Example reports and vulnerabilities descriptions

Who should attend?

  • Pentesters, security professionals, researchers.
  • BLE device designers, developers.
  • Anyone interested.

Software and Hardware Requirements

  • Laptop capable of running Linux x86-64 in virtual machine (VirtualBox+Extension Pack or VMWare), and at least two USB type A ports available for VM guest.
  • Android smartphone with Bluetooth 5 support will be helpful, but not obligatory (phones will be provided for attendees).
  • Optionally: your own BLE devices you would like to test

Prerequisite Knowledge and Skills

  • Basic familiarity with Linux command-line;some pentesting experience will be helpful but not crucial.
  • No previous knowledge of Bluetooth is required.
  • It is recommended to try free BLE HackMe https://smartlockpicking.com/ble_hackme/ before the training – especially first few tasks that allow you to become familiar with the technology basics.

Resources Provided at the Training

  • Course materials – about 1500 pages covering theory and step by step instructions for hands-on exercies.
  • All required additional files: source code, documentation, installation binaries, virtual machine images.
  • Included hardware pack for hands-on exercises, consisting among others of Bluetooth 4/5 development boards, dedicated BLE device, hardware sniffers, USB dongles…


Register to the conference here:


Can’t make it?

Can’t make it to this training? Interested in other date, content, location? A tailor-made training will come to you (both onsite and online possible). Have a look at private trainings offer. Contact us for details, or fill a form to get a quote.

comments powered by Disqus