OutOfTheBox Jakarta 2025 training
Bluetooth Low Energy and NFC/RFID Security Essentials

Bluetooth Low Energy (BLE) and NFC/RFID are widely used wireless technologies that power a broad range of devices, from IoT gadgets and toys to high-stakes systems like access control systems, smart locks, medical equipment, and payment solutions. With the rapid growth in the number of such devices, securing them has become a critical priority, driving a surging demand for specialists in this field. This unique hands-on course meets this demand by providing a thorough overview of the security of BLE and NFC technologies, along with practical, real-world skills that are immediately applicable.
Following the introductory session on overall IoT security risks and possible attacks, the course dives into hands-on exploration of Bluetooth Low Energy (BLE). Using the included training device, participants will gain practical experience with the technology, quickly becoming able to take control of a myriad of devices that do not implement any security mechanisms at all. Building on this foundation, we will passively intercept BLE communication using a radio-layer sniffer. An alternative (and in most cases better) approach will also be introduced: dumping Bluetooth packets directly on a smartphone. The course further explores advanced BLE attack techniques and tools, such as scripting, fuzzing, wireless remote relay/machine-in-the-middle, cracking insecure pairing configurations, and breaking BLE proprietary communication protocols. Accompanying topics will also cover an introduction to Bluetooth 5 and 6, Auracast, a quick overview of BLE-related vulnerabilities, spamming, jamming, injecting and hijacking connections, firmware over the air, and device development/flashing (including adjusting our dedicated training firmware).
For those eager to deepen their expertise, the course offers homework options with the included hardware kit and detailed step-by-step instructions: analyze and compromise a remotely controlled car and a “perfect security” smart lock.
For NFC/RFID systems, it is still surprisingly easy to compromise many commonly used access control badges, hotel keys and tickets. During hands-on exercises, participants will clone, crack, simulate, and brute-force both “Low Frequency” (125kHz RFID) and “High Frequency” (NFC) systems using dedicated hardware (provided and yours to keep) or, in some cases, just a standard smartphone. We’ll also exploit reader vulnerabilities to unlock doors without a valid card and hack a sample hotel system to create an “emergency” card granting access to all the doors - using nothing more than a guest card and a phone. This training not only raises awareness about the vulnerabilities of legacy systems but also offers insights into modern technologies considered more secure. Participants will explore implementation flaws, perform remote relay attacks, and execute downgrade attacks on advanced access control systems, including the latest HID SEOS and DESFire installations.
You’ll leave the course not just trained but equipped with a hardware kit that enables you to revisit and practice the hands-on exercises at your own pace while also empowering you to assess and exploit security vulnerabilities in real-world systems.
Topics covered
General introduction to devices' security
Understand risks and possible attacks, gain foundational perspective on how each component contributes to the overall security chain:
- Threat modeling
- Physical security
- Electronic components
- MCU read out protections, debug interfaces
- Internal communication
- Firmware
- Identification and authentication (pin pads, biometrics, RFID, …)
- Wireless communication
- Gateways, bridges
- Mobile apps, cloud interfaces
Bluetooth Low Energy
Bluetooth Low Energy – overview, how it works
- What is Bluetooth Low Energy, how it differs from previous Bluetooth versions – introduction.
- BLE advertisements, broadcasted packets: device presence, beacons, trackers, …
- BLE connections: GATT specification, central vs peripheral device, services, characteristics, …
- Scripting, taking control of simple, insecure devices
Analysing and attacking BLE communication
- Sniffing BLE: RF layer introduction, various sniffing hardware and software options, sniffing in practice using provided hardware and Wireshark
- BLE HCI dump – reliably capture own packets: Linux, Android, iOS…
- BLE “Machine in the Middle” / remote relay
- Fuzzing, breaking proprietary communication protocols
- Link layer security, pairing, bonding
- Spamming, jamming, hijacking connections
- Firmware Over the Air
- Vulnerabilities in BLE implementations and specification
- What’s next: Bluetooth 5, 6, Auracast and LE audio
Optional challenges
Optional practical challenges are available for students who are more interested or advanced. They can be completed during the class if time allows, or as homework after the session. The example target devices (remotely controlled car, smart lock) are simulated in the provided hardware kits. For each device:
- Threat modeling, possible attacks
- Intercepting the communication between the device and mobile application
- Attempts to replay the packets.
- Analysis, breaking encryption and proprietary communication protocols
- Creating dedicated scripts to compromise the target.
- Disrupt the device, cause Denial of Service
- Document and report the findings.
RFID/NFC
RFID/NFC security overview
- Introduction: frequencies, card types, usage scenarios.
- Equipment, and what you can do with it – mobile phone, card reader, simple boards, Chameleon, Proxmark, Flipper Zero, other hardware.
- Hands-on introduction to the included Proxmark 3
Simple UID-based access control
- Introduction - simple, still surprisingly common technologies
- Low Frequency EM410X (“unique”), HID Prox, …, High Frequency Mifare UID
- Cloning card’s UID – cloners, Proxmark, Flipper, smartphone, …
- Interpreting markings on the tag, decoding UID from the picture.
- Sample vulnerability in a simple access control reader that allows unlocking it without a valid card.
Wiegand – typical transmission between the reader and access controller
Mifare Classic and its weaknesses
- Theory – data structure, access control, keys, encryption.
- Practical attacks and tools needed depending on configuration.
Reverse-engineering and exploiting a sample hotel system
- Decoding access control data (room number, date) stored on the hotel guest card.
- Creating a hotel “emergency card” that opens all the hotel doors unconditionally, starting from only a sample guest card.
- Other popular hotel systems: known vulnerabilities.
Mifare Ultralight – cloning common hotel keys using phone, flipper, …
Summary of attacks against current technologies
- DESfire: misconfiguration, implementation issues in smart locks, access control, ticketing systems, exploiting in practice on a sample reader.
- HID iClass and SEOS – cloning “legacy”, downgrade, attacks against SAM.
- NFC remote relays.
Who should attend
- Red teamers, pentesters, researchers, consultants, information security officers, managers.
- BLE, NFC/RFID device designers, developers.
- Anyone interested.
Key learning objectives
- Understanding Bluetooth Low Energy and NFC/RFID security challenges and common implementation pitfalls.
- Ability to perform typical attacks in practice.
- Security assessment process.
Prerequisite knowledge
- No prior Bluetooth or NFC/RFID knowledge needed.
- Basic familiarity with the Linux command line, Python scripting and pentesting experience will be an advantage, but are not required.
Hardware/software requirements
- Laptop: Windows, Linux or macOS (preferably x86-64, but Arm Apple Silicon is also experimentally supported) capable of running a virtual machine, 40GB disk space, 2x USB Type-A ports (or a USB hub). Administrative privileges may be required to allow connecting external USB devices to the VM (some corporate laptops may have this feature disabled).
- Smartphone, preferably Android (not necessarily latest, up to ~8 years old). Several phones will be provided for students during the session.
Each student will receive
- Course materials in PDFs
- All required additional files: source code, documentation, installation binaries, virtual machine images
- Take-away hardware pack of over $100 in value for hands-on exercises:
  - nRF52 devkit (nRF sniffer / attack tool)
  - ESP32 with training firmware (sample BLE device)
  - Bluetooth Low Energy USB dongles
  - Proxmark 3 RFID “swiss army knife” with sample cards
Register here:
https://ootb.net/trainings/bluetooth-low-energy-and-nfc-rfid-security-essentials