Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

Bluetooth Low Energy is one of the most common and rapidly growing IoT technologies. We are immersed in surrounding BLE signals: beacons, wearables, TVs, home appliances, toothbrushes, sex toys, light bulbs, smart locks, electric scooters, cars, medical devices, crypto wallets, 2FA, banking tokens, payment terminals - to name just a few. Unfortunately the prevalence of technology does not come with security. Alarming vulnerabilities are revealed day by day – not only in individual devices’ implementations, but also generic: in the Bluetooth specification itself. And yet, the knowledge on how to comprehensively assess security of such devices still remains uncommon. This training aims to fill this gap, with the best possible - hands-on approach.

We will start with introduction to the technology - you will get familiar on how BLE works in practice by controlling your dedicated training device. We will follow with various possible attacks and tools hands-on: sniffing, fingerprinting, MITM, relay, jamming, hijacking, cracking, exploiting application layer vulnerabilities, ... Having this background we will apply the knowledge to perform security assessment of example devices: starting with threat modeling, through analysis and attack scenarios preparation, up to performing the tests and finishing with a report.

And what's best: the hardware for practical exercises, along with dedicated training firmware source code - is included, and allows you to repeat (or adjust if needed) the labs later. You will finish the training being able not only to fully assess and compromise BLE devices, but also with the equipment to do it.

What to Expect? | Key Learning Objectives:

• Solid understanding of Bluetooth Low Energy
• Common implementation pitfalls.
• Device assessment process.

Training Detailed Description:

Bluetooth Low Energy – introduction

• What is Bluetooth Low Energy, how it differs from previous Bluetooth versions
• BLE advertisements – beacons, tracking, operating systems, other...
• BLE connections – GATT, services, characteristics

Intercepting and attacking BLE communication

• Sniffing BLE – theory introduction, overview of various options, practical exercises using included hardware (nRF, SniffLE, ...)
• BLE HCI dump – reliably capture own packets to Wireshark on Linux, Android and iPhone
• BLE “Machine in the Middle” / remote relay using various tools (GATTacker, BtleJuice, Mirage).
• BLE jamming and hijacking

Security mechanisms, libraries, specifications and their vulnerabilities

• BLE link-layer security – intercepting and cracking insecure pairing process
• Attacks on BDADDR address randomization, “silent pairing”
• Abusing trust relationships of bonded devices
• Attacks via other applications installed on the same mobile phone
• Supply chain, SDKs
• Various attacks on BLE protocol and its implementations
• Secure firmware update
• Bluetooth 5 and beyond
• Web Bluetooth
• Bluetooth Mesh

Security assessment of BLE devices

• Introduction, purpose, scope, blackbox vs whitebox, cooperation with vendors, ...
• Holistic approach to devices’ security – BLE as only a piece of the whole puzzle
• Security assessment process overview: information gathering, threat modeling, analysis / reversing, attack scenarios preparation and execution, reporting...
• BLE insecurity case studies – smart locks, cars, security tokens, payment terminals...
• Test environment setup: running firmware on a devkit, simulating device, implementing communication protocol, preparing custom scripts...
• Designing and performing attacks in practice on example devices

Reporting

• Professional report contents
• Best practices for outlining the findings
• Example reports and vulnerabilities descriptions

Who Should Attend? | Target Audience:

• Pentesters, security professionals, researchers.
• BLE device designers, developers.
• Anyone interested.

What to Bring? | Software and Hardware Requirements:

• Laptop capable of running Linux x86-64 in virtual machine (VirtualBox or VMWare), and at least two USB type A ports available for VM guest.
• Android smartphone with Bluetooth 5 support will be helpful, but not obligatory (phones will be provided for participants).
• Optionally: your own BLE devices you would like to test

What to Bring? | Prerequisite Knowledge and Skills:

• Basic familiarity with Linux command-line;some pentesting experience will be helpful but not crucial.
• No previous knowledge of Bluetooth is required.
• It is recommended to try free BLE HackMe https://smartlockpicking.com/ble_hackme/ before the training – especially first few tasks that allow you to become familiar with the technology basics.

Resources Provided at the Training | Deliverables:

• Course materials – about 1500 pages, step by step instructions for hands-on exercies.
• All required additional files: source code, documentation, installation binaries, virtual machine images.
• Included hardware pack for hands-on exercises, consisting of Bluetooth 4/5 development boards, dedicated BLE device, hardware sniffer, USB dongles.

ABOUT THE TRAINERS

Speaker, trainer and IT security consultant with 20 years of experience. MSc in automatics&robotics, developed secure embedded systems certified to use by national agencies. As a pentester participated in dozens assessments of systems' and applications' security for leading financial companies, public institutions and cutting edge startups. Currently focuses on security research of various new technologies (especially Bluetooth Low Energy and NFC/RFID) and provides training in regards to security of devices - based among others on contemporary electronic access control systems and smart locks. Besides training and research provides security assessments and consultation on secure design for various software and hardware projects – preferably starting from design idea.

Despite long time ago lost count of the number of BLE devices he owns, still impulsively acquires more and more and enjoys reversing and breaking them.

Loves sharing his knowledge via trainings, workshops, talks and open source hackme’s (http://www.smartlockpicking.com/) – at BlackHat, HackInTheBox, Hardwear.io, HackInParis, Deepsec, Appsec EU, BruCon, Confidence, and many others, including private on-demand sessions.