Slawomir Jasek

Security assessment of Bluetooth Low Energy devices


Trainer: Slawomir Jasek

Date: 28th to 30th May 2024

Time: 9:00am to 5:00pm PDT

Venue: Santa Clara Marriott

Training Level: Basic to Intermediate


Training Objectives:

Bluetooth Low Energy is one of the most common and rapidly growing IoT technologies. We are immersed in BLE signals: phones, beacons, wearables, TVs, home appliances, toothbrushes, sex toys, light bulbs, smart locks, electric scooters, cars, medical devices, crypto wallets, 2FA and banking tokens, payment terminals, to name just a few. Unfortunately, the prevalence of the technology has not been matched by security. Alarming vulnerabilities are revealed day by day, not only in individual devices' implementations but also generic ones in the Bluetooth specification itself. And yet the knowledge of how to comprehensively assess the security of such devices remains uncommon. This training aims to fill that gap with the best possible approach: hands-on.

We will start with an introduction to the technology: you will become familiar with how BLE works in practice by controlling your own dedicated training device. We will follow with hands-on work on various attacks and tools: sniffing, fingerprinting, MITM, relay, jamming, hijacking, cracking, exploiting application-layer vulnerabilities, and more. With this background we will apply the knowledge to perform a security assessment of example devices: starting with threat modeling, through analysis and preparation of attack scenarios, up to performing the tests and finishing with a report.

And what's best: the hardware for the practical exercises, along with the dedicated training firmware source code, is included, so you can repeat (or adjust, if needed) the labs later. You will finish the training able not only to fully assess and compromise BLE devices, but also equipped with the hardware to do it.


What to Expect? | Key Learning Objectives:

  • Solid understanding of Bluetooth Low Energy
  • Common implementation pitfalls
  • Device assessment process

Training Detailed Description:

Bluetooth Low Energy – introduction
  • What is Bluetooth Low Energy, how it differs from previous Bluetooth versions
  • BLE advertisements – beacons, tracking, operating systems, other...
  • BLE connections – GATT, services, characteristics
Intercepting and attacking BLE communication
  • Sniffing BLE – theory introduction, overview of various options, practical exercises using included hardware (nRF, SniffLE, ...)
  • BLE HCI dump – reliably capture your own packets to Wireshark on Linux, Android and iPhone
  • BLE “Machine in the Middle” / remote relay using various tools (GATTacker, BtleJuice, Mirage)
  • BLE jamming and hijacking
Security mechanisms, libraries, specifications and their vulnerabilities
  • BLE link-layer security – intercepting and cracking the insecure pairing process
  • Attacks on BDADDR address randomization, “silent pairing”
  • Abusing trust relationships of bonded devices
  • Attacks via other applications installed on the same mobile phone
  • Supply chain, SDKs
  • Various attacks on the BLE protocol and its implementations
  • Secure firmware update
What's coming next in mainstream and niche Bluetooth applications?
  • Bluetooth 5 and beyond: extended advertisements, long range, ...
  • LE Audio (Auracast)
  • Bluetooth Mesh
  • Web Bluetooth
Developer’s perspective
  • BLE device development process, SoCs, tools, SDKs, stacks, ...
  • Flashing, testing, debugging
  • Our included BLE development boards
  • Dedicated training firmware source code
Security assessment of BLE devices
  • Introduction, purpose, scope, blackbox vs whitebox, cooperation with vendors, ...
  • Holistic approach to devices’ security – BLE as only a piece of the whole puzzle
  • Security assessment process overview: information gathering, threat modeling, analysis / reversing, attack scenario preparation and execution, reporting...
  • BLE insecurity case studies – smart locks, cars, security tokens, payment terminals...
  • Test environment setup: running firmware on a devkit, simulating the device, implementing the communication protocol, preparing custom scripts...
  • Designing and performing attacks in practice on example devices
Security assessment reporting
  • Professional report contents
  • Best practices for outlining the findings
  • Example reports and vulnerability descriptions

Who Should Attend? | Target Audience:

  • Pentesters, security professionals, researchers
  • BLE device designers, developers
  • Anyone interested

What to Bring? | Software and Hardware Requirements:

  • Laptop capable of running Linux x86-64 in a virtual machine (VirtualBox + Extension Pack, or VMware), with at least two USB type A ports available to the VM guest.
  • An Android smartphone with Bluetooth 5 support will be helpful but is not obligatory (phones will be provided for attendees).
  • Optionally: your own BLE devices you would like to test.

What to Bring? | Prerequisite Knowledge and Skills:

Basic familiarity with the Linux command line; some pentesting experience will be helpful but not crucial.


before the training – especially the first few tasks that allow you to become familiar with the technology basics.


Resources Provided at the Training | Deliverables:

  • Course materials – about 1500 pages covering theory and step-by-step instructions for the hands-on exercises.
  • All required additional files: source code, documentation, installation binaries, virtual machine images.
  • Included hardware pack for the hands-on exercises, comprising among other things Bluetooth 4/5 development boards, a dedicated BLE device, hardware sniffers, USB dongles...

ABOUT THE TRAINERS

Slawomir Jasek is a speaker, trainer and IT security consultant with 20 years of experience. He holds an MSc in automatics and robotics and has developed secure embedded systems certified for use by national agencies. As a pentester he has participated in dozens of security assessments of systems and applications for leading financial companies, public institutions and cutting-edge startups. He currently focuses on security research into various new technologies (especially Bluetooth Low Energy and NFC/RFID) and provides training on device security, based among others on contemporary electronic access control systems and smart locks. Besides training and research he provides security assessments and consultation on secure design for various software and hardware projects – preferably starting from the design idea.

Despite having long ago lost count of the number of BLE devices he owns, he still impulsively acquires more and more, and enjoys reversing and breaking them.

He loves sharing his knowledge via trainings, workshops, talks and open source hackmes (http://www.smartlockpicking.com/) – at BlackHat, HackInTheBox, Hardwear.io, HackInParis, Deepsec, Appsec EU, BruCon, Confidence, and many others, including private on-demand sessions.