Virtual Hands-On Hacking for BLE

$2,299.00

Duration

2 days

Delivery Method

virtual

Level

beginner

Seats Available

20

Duration

2 days

Delivery Method

virtual

Level

beginner

REGISTRATION CLOSED

Please contact hitbsectrain@hitb.org if you’d like to attend this training


This 2-day BLE course is part of a 4-day BLE & NFC/RFID course.


– To join the 2-day NFC/RFID course instead, click here.
– To join both BLE and NFC/RFID with a combo discount for 4 days, click here.
– To join only this 2-day BLE class, read further below.
– Want to attend this class virtually instead in June? Sign-up here

 

REGISTRATION CLOSED

DATE: 9-10 May 2022

TIME: 09:00 to 17:00 CEST/GMT+2

Date Day Time Duration
09 May Monday 0900-17:00 CEST/GMT+2 8 Hours
10 May Tuesday 0900-17:00 CEST/GMT+2 8 Hours

 

Bluetooth Low Energy is one of the most common and rapidly growing IoT technologies. We are immersed in surrounding BLE signals: starting with recent COVID-19 contact tracing, through beacons, wearables, TVs, home appliances, toothbrushes, sex toys, up to smart locks, medical devices and banking tokens.

Unfortunately the prevalence of technology does not come with security. Alarming vulnerabilities are revealed day by day – not only in individual devices’ implementations, but also generic: in the Bluetooth specification itself. And yet, the knowledge on how to comprehensively assess security of such devices still remains uncommon.

This training aims to fill this gap, with the best possible methodology – a hands-on approach. Both training days are filled with multiple practical exercises covering BLE sniffing, MITM, relay, jamming, hijacking, cracking, and exploiting vulnerabilities of many real devices (dozens of smart locks, U2F and banking authentication tokens, mobile PoS, …). And what’s best: the hardware for practical exercises (sniffer, simulated devices, adapters, …) – are included, which allows you to repeat the labs later. You will finish the training being able not only to fully assess and compromise BLE devices, but also with the equipment to do it.

Each student will receive
  • Course materials – about 1000 pages, step by step instructions for hands-on exercies.
  • All required additional files: source code, documentation, installation binaries, virtual machine images.
  • Included hardware pack for hands-on exercises, consisting of Bluetooth 4/5 development boards, dedicated BLE device, hardware sniffer, USB dongles.
  • Don’t have an Android phone? Sign up for both 2-day trainings (click here), and we’ll hook you up with an Android phone with Bluetooth 4 and NFC support!

 

 

 

Agenda
Day 1

1. What is Bluetooth Low Energy, how it differs from previous Bluetooth versions – introduction.

2. BLE advertisements, broadcasted packets
a) Theory – BLE advertisement packets
b) Scanning for nearby BLE devices’ advertisements: smartphone, command-line, scripts, other tools.
c) BLE Beacons

  •  iBeacon, Eddystone
  •  Spoofing/cloning beacons to get rewards, free beer, or activate connected underwear

 

d) Tracking devices and crowdsourced location (key finders, Apple AirTags, …).
e) Apple, Microsoft devices BLE advertisements.
f) COVID-19 contact tracing / exposure notification BLE packets.
g) Other BLE advertisements – energy meters revealing current indication, sex toys revealing device model, …
h) Bleedingbit – RCE chain via improper BLE advertisements parsing.

3. BLE connections
a) Theory introduction: GATT specification, central vs peripheral device, services, characteristics, connections, …
b) Connecting to your dedicated BLE device using various tools

  • nRF Connect mobile application: read/write/notify, automation with macros.
  • BlueZ command-line
  • other tools

 

c) Taking control of simple, insecure devices (BLE dildo, key finder, …)

4. Sniffing BLE
a) BLE RF layer theory introduction

  • Radio modulation, channels, hopping, connection initiation
  • Why so many devices do not encrypt link-layer
  • Various sniffing hardware and software options

 

b) Sniffing live raw BLE packets from the air using provided hardware and Wireshark

  • Wireshark tips&tricks
  • Capture your own connection from mobile app to your BLE device
  •  How to combine multiple sniffers for better reliability

 

c) Sniffing demos: smart lock plain text password, banking token OTP
d) Overview of various hardware and open source sniffers: nRF Sniffer, Ubertooth, Btlejack, Sniffle, SDR, …

5. BLE HCI dump – reliably capture own packets
a) Difference from RF layer sniffing
b) Investigate BLE packets intercepted on Android phone in Wireshark
c) Linux command-line hcidump

6. BLE “Machine in the Middle” / remote relay
d) Conditions for MITM, attack scenarios, MAC address cloning
e) BLE MITM / remote relay in practice (local, via Internet), various tools (GATTacker, BtleJuice, Mirage).
f) Abusing proximity autounlock feature via remote relay.
g) Tampering BLE packets via MITM – demo using mobile Point of Sale to alter information displayed on terminal.

 

Day 2

7. BLE insecurity case studies
a) Sample smart lock attack: decompile Android application, reverse-engineer BLE protocol commands, identify weakness in protocol, exploit in practice using mobile application
b) Various attacks on proprietary authentication/encryption protocols based on real devices (including several smart locks).
c) Abusing excessive BLE services, hard-coded credentials, remote access share functionality, cloud interface, …

8. BLE link-layer security
a) BLE link layer security mechanisms – introduction, levels, pairing, bonding, why most devices do not implement it at all.
b) Pair the provided smartphone with your dedicated BLE device, sniff the pairing process and crack it.
c) Attacks possible on paired/bonded connections.
d) BLE MAC address randomization, “silent pairing” attacks recovering Identity Resolving Key (for example leveraging contact tracing apps).
e) Abusing trust relationships of bonded devices – vulnerabilities in HID devices, Google Titan U2F token vulnerability technical analysis, attacks via other applications installed on the same mobile phone, …

9. Provided BLE development boards
a) Technical details about provided BLE devboards.
b) How to develop own firmware or adjust included training device source code.
c) Review of provided firmware images / source (sniffer, attack tools, dedicated BLE device).
d) Flashing firmware on the devkits.

10. BLE jamming and hijacking
a) Theory introduction: how to hijack BLE ongoing connections
b) Btlejack, ButteRFly – possible attacks, tools usage.

11. Web Bluetooth
a) Introduction, security design consideration, sample implementations, possible attacks
b) Interact with your BLE device via browser – run sample Web Bluetooth javascript code.

12. BLE device firmware over the air update security
a) Introduction, how the firmware update works, memory layout of BLE SoC.
b) Abuse insecure Over The Air firmware update on provided Nordic Semiconductor SoC.
c) Insecure OTA firmware upgrade in Texas Instruments SoC (taking control over wireless routers, stealing Tesla keys, …).

13. Bluetooth 5 and beyond
a) Introduction, new features, why so many devices claim to be Bluetooth 5 but are not really.
b) New physical layers: 2M, long range coded PHY.
c) New channel hopping RNG.
d) Sniffing BLE5 – current hardware, software support.

14. Bluetooth Mesh
a) Introduction, network topology, BLE4 advertisements as a transport layer, mandatory encryption.
b) Flashing sample Bluetooth Mesh device firmware on a supplied devkit.
c) Provisioning the devices in practice into your own Mesh network
d) Known vulnerabilities and possible weaknesses of Mesh implementations.

15. Other attacks on BLE devices
a) Attacking BLE devices via RF side-channel analysis (e.g. leaking AES key).
b) Vulnerabilities in BLE SDK (e.g. RCE in Nordic SoftDevice)
c) SoC vulnerabilities (memory readout protection bypass, fault injection,…). Sample attack to try out in practice on provided nRF51 development board

16. Brief review of the multitude attacks on BLE protocol and its implementations as well as attack tools (Bleedingbit, Sweyntooth, BlueFrag, KNOB, BIAS, BLESA, BLURTooth, Frankenstein, JackBNimBLE, InjectaBLE, …)

17. Summary, best practices, references, “hackme” challenges…

 


This 2-day BLE course is part of a 4-day BLE & NFC/RFID course.


– To join the 2-day NFC/RFID course instead, click here.
– To join both BLE and NFC/RFID with a combo discount for 4 days, click here.
– Want to attend this class virtually instead in June? Sign-up here

Agenda

  • Day 1

    1. What is Bluetooth Low Energy, how it differs from previous Bluetooth versions – introduction. 2. BLE advertisements, broadcasted packets a) Theory - BLE advertisement packets b) Scanning for nearby BLE devices’ advertisements: smartphone, command-line, scripts, other tools. c) BLE Beacons - iBeacon, Eddystone - Spoofing/cloning beacons to get rewards, free beer, or activate connected underwear d) Tracking devices and crowdsourced location (key finders, Apple AirTags, …). e) Apple, Microsoft devices BLE advertisements. f) COVID-19 contact tracing / exposure notification BLE packets. g) Other BLE advertisements - energy meters revealing current indication, sex toys revealing device model, … h) Bleedingbit - RCE chain via improper BLE advertisements parsing. 3. BLE connections a) Theory introduction: GATT specification, central vs peripheral device, services, characteristics, connections, … b) Connecting to your dedicated BLE device using various tools - nRF Connect mobile application: read/write/notify, automation with macros. - BlueZ command-line - other tools c) Taking control of simple, insecure devices (BLE dildo, key finder, ...) 4. Sniffing BLE a) BLE RF layer theory introduction - Radio modulation, channels, hopping, connection initiation - Why so many devices do not encrypt link-layer - Various sniffing hardware and software options b) Sniffing live raw BLE packets from the air using provided hardware and Wireshark - Wireshark tips&tricks - Capture your own connection from mobile app to your BLE device - How to combine multiple sniffers for better reliability c) Sniffing demos: smart lock plain text password, banking token OTP d) Overview of various hardware and open source sniffers: nRF Sniffer, Ubertooth, Btlejack, Sniffle, SDR, … 5. BLE HCI dump – reliably capture own packets a) Difference from RF layer sniffing b) Investigate BLE packets intercepted on Android phone in Wireshark c) Linux command-line hcidump 6. BLE “Machine in the Middle” / remote relay d) Conditions for MITM, attack scenarios, MAC address cloning e) BLE MITM / remote relay in practice (local, via Internet), various tools (GATTacker, BtleJuice, Mirage). f) Abusing proximity autounlock feature via remote relay. g) Tampering BLE packets via MITM - demo using mobile Point of Sale to alter information displayed on terminal.

  • Day 2

    7. BLE insecurity case studies a) Sample smart lock attack: decompile Android application, reverse-engineer BLE protocol commands, identify weakness in protocol, exploit in practice using mobile application b) Various attacks on proprietary authentication/encryption protocols based on real devices (including several smart locks). c) Abusing excessive BLE services, hard-coded credentials, remote access share functionality, cloud interface, ... 8. BLE link-layer security a) BLE link layer security mechanisms - introduction, levels, pairing, bonding, why most devices do not implement it at all. b) Pair the provided smartphone with your dedicated BLE device, sniff the pairing process and crack it. c) Attacks possible on paired/bonded connections. d) BLE MAC address randomization, “silent pairing” attacks recovering Identity Resolving Key (for example leveraging contact tracing apps). e) Abusing trust relationships of bonded devices - vulnerabilities in HID devices, Google Titan U2F token vulnerability technical analysis, attacks via other applications installed on the same mobile phone, ... 9. Provided BLE development boards a) Technical details about provided BLE devboards. b) How to develop own firmware or adjust included training device source code. c) Review of provided firmware images / source (sniffer, attack tools, dedicated BLE device). d) Flashing firmware on the devkits. 10. BLE jamming and hijacking a) Theory introduction: how to hijack BLE ongoing connections b) Btlejack, ButteRFly – possible attacks, tools usage. 11. Web Bluetooth a) Introduction, security design consideration, sample implementations, possible attacks b) Interact with your BLE device via browser - run sample Web Bluetooth javascript code. 12. BLE device firmware over the air update security a) Introduction, how the firmware update works, memory layout of BLE SoC. b) Abuse insecure Over The Air firmware update on provided Nordic Semiconductor SoC. c) Insecure OTA firmware upgrade in Texas Instruments SoC (taking control over wireless routers, stealing Tesla keys, …). 13. Bluetooth 5 and beyond a) Introduction, new features, why so many devices claim to be Bluetooth 5 but are not really. b) New physical layers: 2M, long range coded PHY. c) New channel hopping RNG. d) Sniffing BLE5 – current hardware, software support. 14. Bluetooth Mesh a) Introduction, network topology, BLE4 advertisements as a transport layer, mandatory encryption. b) Flashing sample Bluetooth Mesh device firmware on a supplied devkit. c) Provisioning the devices in practice into your own Mesh network d) Known vulnerabilities and possible weaknesses of Mesh implementations. 15. Other attacks on BLE devices a) Attacking BLE devices via RF side-channel analysis (e.g. leaking AES key). b) Vulnerabilities in BLE SDK (e.g. RCE in Nordic SoftDevice) c) SoC vulnerabilities (memory readout protection bypass, fault injection,…). Sample attack to try out in practice on provided nRF51 development board 16. Brief review of the multitude attacks on BLE protocol and its implementations as well as attack tools (Bleedingbit, Sweyntooth, BlueFrag, KNOB, BIAS, BLESA, BLURTooth, Frankenstein, JackBNimBLE, InjectaBLE, …) 17. Summary, best practices, references, “hackme” challenges…

Why You Should Take This Course

Both training days are filled with multiple practical exercises covering BLE sniffing, MITM, relay, jamming, hijacking, cracking, and exploiting vulnerabilities of many real devices (dozens of smart locks, U2F and banking authentication tokens, mobile PoS, …). You will finish the training being able not only to fully assess and compromise BLE devices, but also with the equipment to do it.

Who Should Attend

  • Pentesters, security professionals, researchers.
  • BLE device designers, developers.
  • Anyone interested.

Key Learning Objectives

  • Solid understanding of Bluetooth Low Energy, including latest versions (5).

  • Common implementation pitfalls.

  • Device assessment process.
  • Prerequisite Knowledge

    Hardware / Software Requirements

    • Laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest.
    • Android smartphone with at least Bluetooth 4 support (basically all the phones with Android > 5.0). Bluetooth 5 support will be an advantage (most current phones).
    • Don’t have an Android phone? Sign up for both 2-day trainings (click here), and we’ll hook you up with an Android phone with Bluetooth 4 and NFC support!

    Your Instructor

    Trainer, speaker, pentester and IT security consultant with over 15 years of experience. Participated in countless assessments of systems’ and applications’ security for leading financial companies, public institutions and cutting edge tech startups. Has an MSc in automation&robotics, developed secure embedded systems certified for use by national agencies.  Currently Slawomir researches security of new technologies (especially Bluetooth Low Energy and NFC/RFID) and provides relevant trainings – based among others on electronic locks and access control systems (www.smartlockpicking.com). Beside research and training, he focuses on consulting and designing of secure solutions for various software and hardware projects, during all phases – starting from a scratch.

    Previously gave talks, workshops or trainings at HackInTheBox Amsterdam, BlackHat USA, HITB Cyberweek, HackInParis, multiple Appsec EU, Deepsec, BruCON, Confidence, Devoxx and many other events.

    Training score :

    Instructor: 90%
    Course material: 91%

    “Well prepared training, due to the amount of tools and equipment also easy to continue at home.”

    “Trainer did a good job in preparing all the labs. Really gorgeous.”

    “The best thing with this course is the instructor and our ability to do all exercise back at home.”

    “Great instructor, well maintained materials had a lot of experience.”

    ” I am amazed how well everything is prepared.”

     “Great instructor, lot’s of information, topics and exercise to practise at home.”