
Bluetooth Low Energy - Full Stack Attack


Trainer: Veronica & Xeno Kovah

Date: 27th to 29th May 2025

Time: 9:00am to 5:30pm PDT

Venue: Santa Clara Marriott

Training Level: Basic


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

It's pretty fun to hack things wirelessly! And hey, it turns out there's literally *billions* of Bluetooth Low Energy (BLE) things sold per year, so let's learn how to hack those!

In this class you will become an expert in all things BLE! You will be given a guided tour of the entire BLE protocol stack in a bottom-up fashion. We will stop to admire and understand the vulnerabilities applicable to each level of the stack, whether fundamental protocol-level vulnerabilities or past implementation vulnerabilities. And we will learn by doing as we proceed through numerous labs at every level, where we examine the interactions between a custom Android phone application and a piece of hardware running custom firmware, which is typical of BLE usage.

What to Expect? | Key Learning Objectives:

  • Cover all the most important Bluetooth Low Energy protocols and profiles at every level of the stack
  • Understand the security model of BLE in depth
  • Understand past work including both protocol and implementation vulnerabilities, and what is and isn't still relevant to today's devices

Training Detailed Description:

Day 1

Introduction

  • Physical Layer (PHY)
    • Introduction
    • Encoding/Decoding
  • Link Layer (LL)
    • Packet formats by PHY type
    • Basic advertisements introduction (ADV_IND)
    • Other basic advertisements (ADV_DIRECT_IND, ADV_NONCONN_IND, ADV_SCAN_IND)
    • Scanning (SCAN_REQ/RSP)
    • Connecting (CONNECT_IND)
    • LL data
    • LL control
    • Understanding LL vulnerabilities: Machine-in-the-Middle attacks
    • Understanding LL vulnerabilities: Relay attacks
    • Understanding LL vulnerabilities: "InjectaBLE"
    • Understanding LL vulnerabilities: Privacy attacks
    • LL memory safety threat model
  • Host Controller Interface (HCI)
    • HCI introduction
    • HCI transport layer
    • HCI packet formats
    • HCI logging
    • HCI memory safety threat model
  • Logical Link Control and Adaptation Protocol (L2CAP)
    • L2CAP introduction
    • L2CAP data channel
    • L2CAP signaling channel
    • L2CAP memory safety threat model
  • Generic Access Profile (GAP)
    • GAP introduction
  • Security Manager Protocol (SMP)
    • SMP introduction
    • Legacy pairing
    • Understanding SMP vulnerabilities in the context of Legacy pairing: NiNo
    • Understanding SMP vulnerabilities in the context of Legacy pairing: KNOB
    • Secure Connections pairing
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing: KNOB
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing: BlueMirror
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing: Invalid Curve Attack
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing: BLURtooth
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing: Method Confusion
    • LE Security Mode 1
    • LE Security Mode 2
    • SMP memory safety threat model
  • ATTribute Protocol (ATT)
    • ATT introduction
    • ATT PDUs
    • ATT handle enumeration
    • ATT memory safety threat model
  • Generic ATTribute Profile (GATT)
    • GATT introduction
    • Visualizing GATT via packet sniffing
    • Visualizing GATT via MitM tools: GATTacker
    • Understanding GATT vulnerabilities: Access control failures
    • Understanding GATT vulnerabilities: Replay attacks
    • Understanding GATT vulnerabilities: Privacy
    • GATT memory safety threat model
  • Application-specific vulnerabilities
    • Introduction
    • Command injection
    • Application-layer encryption
    • Insecure firmware updates
    • Application-specific MitM
    • Application-specific replay attacks
Who Should Attend? | Target Audience:

  • People who want to learn about Bluetooth Low Energy in general
  • Defensive security engineers wanting to understand the risks to which Bluetooth systems are subject
  • Vulnerability hunters looking for new areas of exploration
  • Reverse engineers looking for new areas of exploration

What to Bring? | Software and Hardware Requirements:

Your own laptop with VMware installed, capable of running an x86-based Ubuntu VM (which will have all the Bluetooth tools and the firmware compilation environment pre-installed).


What to Bring? | Prerequisite Knowledge and Skills:

Students must be comfortable reading C code if they want to modify or fix the Ultra Vulnerable Peripheral.


Resources Provided at the Training | Deliverables:

The instructors will provide an Android phone, a Bluetooth dongle for running custom firmware, various other Bluetooth dongles for sniffing and spoofing traffic, and a USB hub for plugging everything in. If you're paranoid about "BadUSB" attacks, you should bring a laptop that you're going to wipe afterwards, because we're going to be plugging in a *lot* of USB hardware to aid in learning about Bluetooth!


ABOUT THE TRAINERS

Veronica is a researcher who has created and released multiple over-the-air arbitrary code execution exploits targeting Bluetooth chip firmware. She presented these attacks at BlackHat USA 2020. In 2018 she founded the security consultancy Dark Mentor LLC. She has previously worked at Tesla on vehicular security, and at NSA as an adjunct instructor and Capability Development Specialist developing CNE tools for embedded systems. She is currently using her background in reverse engineering and exploitation to specialize in the security analysis of Bluetooth systems.


Xeno Kovah began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team's first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. After presenting a firmware worm that could spread between Macs via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals, everything from 3rd party GPUs to SecureBoot for monitors! He worked on the x86 side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture, where he was directly responsible for designing a system that could provide iOS-level security while still allowing customers the choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.