The training has been prepared for remote hands-on participation. Each attendee will receive a hardware pack of 200 USD value, shipped in advance (please register as soon as possible!). The hardware includes among others a preconfigured Android smartphone, BLE sniffer, BLE dedicated training device and Raspberry Pi (details below). With the specially arranged setup, participants will be able to perform hands-on practical exercises not only during virtual session but also any time later.
Bluetooth Low Energy is one of the most commonly used and rapidly growing IoT technologies. We are immersed in surrounding BLE signals: starting with COVID-19 contact tracing apps, through beacons, wearables, TVs, home appliances, toothbrushes, sex toys up to smart locks, medical devices and banking tokens. Unfortunately the prevalence of technology does not come with its security, resulting in alarming vulnerabilities revealed day by day. And yet, the knowledge on how to comprehensively assess security of such devices still remains rather uncommon.
This is probably the most exhaustive and up to date training regarding BLE security. Multiple hands-on exercises cover BLE sniffing, MITM, relay, jamming, hijacking, cracking, proprietary protocols, logic vulnerabilities in many real devices (dozen smart locks, U2F or banking authentication tokens, mobile PoS). And what’s best: all the hardware required is included and shipped to you in advance! Most exercises will be performed on specially developed, included training BLE device to attack, but you will also have possibility to remotely hack real ones (like smart locks) – using BLE relay proxy via Internet. You will finish the training being able not only to fully assess and compromise BLE devices, but also with the equipment to do it.
Who should attend
- Pentesters, security professionals, researchers
- BLE device designers, developers
- Anyone interested
Key learning objectives
- In-depth knowledge of Bluetooth Low Energy,
- Common implementation pitfalls,
- Device assessment process
- Best practices for implementation
- Basic familiarity with Linux command-line; some pentesting experience will be helpful but not crucial.
- No previous knowledge of Bluetooth is required.
- It is recommended to try free BLE HackMe before the training – especially first few tasks that allow you to become familiar with the technology basics. HITB Cyberweek Slides: A practical introduction to BLE security without any special hardware (PDF, 16M), recording: https://www.youtube.com/watch?v=5bUoal6-sHs.
- Laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest.
- Local wifi to connect included Raspberry Pi.
Each student will receive
- Course materials - about 1000 pages, step by step instructions and videos
- All required additional files: source code, documentation, installation binaries, virtual machine images
- Included hardware pack of about 200 USD value for hands-on exercises, consisting of:
- Preconfigured Android smartphone with all the required applications and possibility for BLE packets capture
- Raspberry Pi (+microSD card and power adapter), with assessment tools and “hackme”.
- 2x Bluetooth 4 development board: 1 acting as sniffer (nRF, Btlejack), 1 as dedicated BLE device to interact and attack
- Bluetooth 4/5 nRF52 development board in a form of USB dongle
- ST-Link V2 SWD debugger for programming nRF boards
- 2 x Bluetooth Low Energy USB dongles
- Bluetooth 5 USB dongle
What is Bluetooth Low Energy – introduction.
BLE advertisements - broadcasted packets
- Theory - BLE advertisement packets
- Scanning for nearby BLE devices’ advertisements using various tools: mobile applications, BlueZ command-line, other tools (bettercap, Mirage, GATTacker, …)
- BLE Beacons
- iBeacon, Eddystone,
- Spoofing/cloning beacons to get rewards, free beer, or activate connected underwear
- Tracking devices (key finders, …), crowdsourced location
- Apple, Microsoft devices BLE advertisements
- Find out nearby Apple devices and their state by their BLE broadcast packets
- How to recover phone number and Apple ID from iPhone BLE advertisements
- Is it possible to track specific Microsoft device using its BLE broadcasted signal?
- COVID-19 contact tracing / exposure notification BLE packets
- Other BLE advertisements - energy meters revealing current indication, sex toys revealing device model, …
- Bleedingbit - RCE chain via improper BLE advertisements parsing
Skills: understand BLE advertisement packets, ability to identify and spoof BLE devices, knowledge of using various BLE tools.
- Theory introduction: GATT specification, central vs peripheral device, services, characteristics, connections, …
- Connecting to your dedicated BLE device using various tools
- nRF Connect mobile application: read/write/notify, automation with macros.
- BlueZ command-line: gatttool
- other tools: Bettercap, GATTacker, …
- Taking control of simple insecure devices (BLE dildo, key finder, …)
Skills: understand BLE connections, ability to exchange data with devices using various tools, taking control over the simplest devices that do not implement any security.
- BLE RF layer theory introduction
- Radio modulation, channels, hopping, connection initiation
- Why so many devices do not encrypt link-layer
- Various sniffing hardware and software options
- Sniffing live raw BLE packets from the air using provided hardware and Wireshark
- Wireshark tips&tricks
- Capture your own connection from mobile app to your BLE device
- How to combine multiple sniffers for better reliability
- Sniffing demos: smart lock plain text password, banking token OTP
- Other hardware and open source sniffers: Ubertooth, Btlejack, Sniffle, SDR, …
Skills: understand BLE radio layer, ability to use sniffing software and hardware, capture and analyse BLE packets in Wireshark.
- BLE RF layer theory introduction
BLE HCI dump – reliably capture own packets
- Difference from RF layer sniffing
- Android: connect provided, preconfigured smartphone directly to Wireshark via adb TCP service for live capture of your BLE packets
- Linux command-line hcidump
BLE “Man in the Middle” / remote relay
- Conditions for MITM, attack scenarios, MAC address cloning
- BLE MITM – remote relay your BLE connection via WiFi and provided Raspberry Pi
- Intercept and relay via Internet BLE communication of remotely located devices: sample smart lock and BLE dildo
- Abusing proximity autounlock feature via remote relay
- Tampering BLE packets via MITM - demo using mobile Point of Sale to alter information displayed on terminal.
- Various BLE MITM tools: GATTacker, BtleJuice, Mirage
Skills: understand conditions for BLE MITM, remote relay, replay. Perform the attacks in practice.
BLE insecurity case studies
- Sample smart lock attack: decompile Android application, reverse-engineer BLE protocol commands, identify weakness in protocol, exploit in practice using mobile application
- Various attacks on proprietary authentication/encryption protocols based on real devices (including several smart locks).
- Abusing excessive BLE services, hardcoded credentials, remote access share functionality, cloud interface, …
BLE link-layer security
- BLE link layer security mechanisms - introduction, levels, pairing, bonding, why most devices do not implement it at all.
- Pair the provided smartphone with your dedicated BLE device, sniff the pairing process and crack it with CrackLE.
- Attacks possible on paired/bonded connections
- BLE MAC address randomization, “silent pairing” attacks recovering Identity Resolving Key (for example leveraging contact tracing apps).
- Abusing trust relationships of bonded devices - vulnerabilities in HID devices, Google Titan U2F token vulnerability technical analysis, attacks via other applications installed on the same mobile phone, …
Skills: understand BLE link layer security and pairing/bonding. Ability to sniff, debug, crack the encrypted connection.
Provided BLE development boards
- Technical details about provided BLE devboards (nrf51, nRF52)
- How to develop own firmware (or alter the training device) using free online service or standalone tools.
- Review of provided firmware images / source (nRF sniffer, Btlejack, dedicated BLE device to attack)
- Flashing firmware via provided ST-Link debugger (nRF51) or USB (nRF52)
Skills: Ability to flash various firmware images to provided devboards (sniffer, “smartockpicking” training device, btlejack, DFU target, …); alter/compile provided sources.
Btlejack, BLE jamming and hijacking
- Theory introduction: how to hijack BLE ongoing connections
- Btlejack in practice
- Flash btlejack firmware to your devices
- Btlejack as BLE sniffer
- Jam/intercept live active connections
Skills: Understand BLE jamming and hijacking, know how to use BtleJack.
- Introduction, security design consideration, sample implementations, possible attacks
BLE device firmware over the air update security
- Introduction, how the firmware update works, memory layout of BLE SoC
- Abuse insecure Over The Air firmware update in practice on provided Nordic Semiconductor SoC
- Create zip image to flash (calculate CRC, no signing needed)
- Update the firmware of device using nRF Connect mobile application
- vulnerabilities depending on nRF SDK version
- Insecure OTA firmware upgrade in Texas Instruments SoC (taking control over wireless routers, stealing Tesla keys, …)
Skills: Understand security vulnerabilities of firmware update process in most popular SoCs.
Bluetooth 5, Bluetooth Mesh - theory introduction, hardware, new features and PHY, sniffing, beating new channel hopping RNG, possible attacks, …
Other attacks on BLE devices
- Attacking BLE devices via RF side-channel analysis (e.g. leaking AES key).
- Vulnerabilities in BLE SDK (e.g. RCE in Nordic SoftDevice)
- SoC vulnerabilities (memory readout protection bypass, fault injection,…). Sample attack to try out in practice on provided nRF51 development board
Brief review of the multitude attacks on BLE protocol and its implementations as well as attack tools (Bleedingbit, Sweyntooth, BlueFrag, KNOB, BIAS, BLESA, BLURTooth, Frankenstein, JackBNimBLE, …)
Summary, best practices, references, “hackme” challenges…
What students say about this training
Well prepared training, due to the amount of tools and equipment also easy to continue at home.
Trainer did a good job in preparing all the labs. Really gorgeous.
The best thing with this course is the instructor and our ability to do all exercise back at home .
Great instructor, well maintained materials had a lot of experience.
I am amazed how well everything is prepared.
Great instructor, lot’s of information, topics and exercise to practise at home.
Can’t make it?
Can’t make it to this training? Interested in other date, content, location? A tailor-made training will come to you! Have a look at private trainings offer. Contact us for details, or fill a form to get a quote.