T5: bluetooth low energy security

FROM FUNDAMENTALS TO ADVANCED CONCEPTS

Training Details

3-DAY TRAINING, 1-3 JUNE @ MEERVAART AMSTERDAM
TICKET PRICE: €1900 EX BTW + €150 HARDWARE KIT


Bluetooth Low Energy (BLE) is a widely used wireless technology that powers a broad range of devices, from IoT gadgets and toys to high-stakes systems like cars, crypto wallets, smart locks and medical equipment. With the rapid growth in the number of such devices, securing them has become a critical priority, driving a surging demand for specialists in this field. This unique hands-on course meets this demand by providing thorough insight into BLE security, along with practical, real-world skills that are immediately applicable.

Following a short theory introduction, the course dives into hands-on exploration of Bluetooth Low Energy. Using the included training device, participants will gain practical experience with the technology, quickly becoming able to take control of a myriad of devices that do not implement any security mechanisms at all. Building on this foundation, we will passively intercept BLE communication using a radio-layer sniffer. An alternative (and in most cases better) approach will also be introduced: dumping Bluetooth packets directly on a smartphone (or on Android running on a Raspberry Pi).

The course further explores BLE attack techniques and tools, such as: scripting, simulating, fuzzing, wireless remote relay/machine-in-the-middle, cracking insecure pairing configurations, and breaking BLE proprietary communication protocols. Accompanying topics will also cover spamming, jamming, injecting and hijacking connections, firmware over the air, an introduction to Bluetooth 5 and 6, Channel Sounding, Auracast, a quick overview of BLE-related vulnerabilities, and device development/flashing (including adjusting our dedicated training firmware).

The training concludes with applying the acquired knowledge to practical scenarios, including among others robots, smart locks, keyboards and headsets. You’ll leave the course not just trained but equipped with a hardware kit that enables you to revisit and practice the hands-on exercises at your own pace, while also empowering you to assess and exploit security vulnerabilities in real-world systems.

Hardware kit

The hardware kit contains the following:
  • Raspberry Pi with Android (preinstalled apps, root, live view Bluetooth packets) and Linux OS (preinstalled tools)
  • Bluetooth sniffer
  • “BMO”: ESP32-based gadget simulating various Bluetooth devices for training (source code included)
  • Bluetooth Low Energy USB dongles

Training Outline

General introduction to device security - understand risks and possible attacks, gain a foundational perspective on how each component contributes to the overall security chain

  • Threat modeling
  • Physical security
  • Electronic components
  • MCU read out protections, debug interfaces
  • Internal communication
  • Firmware
  • Identification and authentication (pin pads, biometrics, RFID, ...)
  • Wireless communication
  • Gateways, bridges
  • Mobile apps, cloud interfaces

Bluetooth Low Energy – overview, how it works

  • What is Bluetooth Low Energy, how it differs from previous Bluetooth versions – introduction
  • LE stack, layers and specifications, GAP, GATT, ...
  • BLE advertisements, broadcasted packets: device presence, beacons, trackers, ...
  • BLE connections: central vs peripheral device, services, characteristics, ...
  • Scripting, simulating, taking control of simple, insecure devices

Analysing and attacking BLE communication

  • Sniffing BLE: RF layer introduction, various sniffing hardware and software options, sniffing in practice using the provided hardware and Wireshark
  • BLE HCI dump – reliably capture own packets: Linux, Android, iOS...
  • BLE “Machine in the Middle” / remote relay
  • Fuzzing, breaking proprietary communication protocols
  • Link layer security, pairing, bonding
  • Spamming, jamming, hijacking connections
  • Firmware Over the Air
  • Vulnerabilities in BLE implementations and specification
  • What’s next: Bluetooth 5, 6, Auracast and LE audio, Channel Sounding

Use the acquired knowledge against practical, real-world scenarios, including among others: robotic dog with shooting turret, remotely controlled car, “perfect security” smart lock, BLE keyboards, Google Titan security token and Sony headset.

For each device:

  • Threat modeling, possible attacks
  • Intercepting the communication between the device and mobile application
  • Attempts to replay the packets
  • Analysis, breaking encryption and proprietary communication protocols
  • Creating dedicated scripts to compromise the target
  • Disrupting the device, causing Denial of Service
  • Documenting and reporting the findings

Prerequisites

Optionally follow BLE HackMe: https://smartlockpicking.com/ble_hackme/

Hardware & Software requirements

  • Laptop: Windows, Linux or macOS (preferably x86-64, but Apple Silicon (Arm) is also experimentally supported) capable of running a virtual machine, 40GB of disk space, 2x USB Type-A ports (or a USB hub). Administrative privileges may be required to allow connecting external USB devices to the VM (some corporate laptops may have this feature disabled).
  • Optional but recommended: smartphone, preferably Android (not necessarily the latest model, up to ~8 years old). Several phones will be provided for students during the session. We will also use Android running on the provided Raspberry Pi.
  • You can bring your own BLE devices, access control badges etc. Time permitting, we may be able to inspect their security.
  • VirtualBox or VMware, VNC

SLAWOMIR JASEK


Seasoned trainer, speaker and IT security consultant with over two decades of expertise. Developed secure embedded systems certified for use by national agencies, and participated in dozens of assessments of systems, applications, firmware and hardware security for leading financial companies, the largest manufacturers and innovative startups. Currently focuses on security research of new technologies (especially Bluetooth Low Energy and NFC/RFID) and provides training on device security - based among others on contemporary electronic access control systems and smart locks. Beyond consulting on secure design for various software and hardware projects, impulsively acquires more and more BLE and NFC devices and enjoys reversing and breaking them. Loves sharing his knowledge via trainings, workshops, talks and open source hackmes (https://www.smartlockpicking.com/) – at OrangeCon, BlackHat, HackInTheBox, Hardwear.io, HackInParis, Deepsec, Appsec EU, BruCon, Confidence, and many others, including private on-demand sessions.