- 25 & 26 Sep 2019
- by Nalla Muthu S and Mounish P
WS - 9
Dissecting and Exploiting BLE Devices 101
Workshop Objective:
Dissecting and Exploiting BLE Devices 101 is built for anyone who wants to get started with BLE security testing: understanding the BLE internals and the packet format of Bluetooth Low Energy devices, which helps attendees understand, enumerate and exploit BLE smart devices.
During the class, attendees will analyse packets in real time and understand the stack layers, packet format, request types, security modes, etc. With that knowledge, attendees will then practically exploit well-known BLE devices.
After the session, attendees will be familiar with the various tools and able to enumerate devices, analyse packets and identify vulnerabilities in BLE smart devices.
Course Content (ToC):
- Bluetooth Course Outline:
- Introduction to Bluetooth Low Energy
- Dissection of BLE Communication
- BLE Security Features
- BLE Exploitation
- BLE Kick Start
- Bluetooth History
- BLE vs Zigbee vs Wi-Fi
- LMP Version
- Classic vs Smart Ready vs Smart
- Understanding BLE stack (With Demo)
- Physical Layer - Channel, Frequency
- Link Layer
- Introduction to Link Layer
- Link Layer Packet Format
- Advertisement PDU - Directed, Undirected
- Enumerating Advertisement PDU - Demo
- BLE Scanning PDU - Active, Passive
- Enumerating Scanning PDU - Demo
- Connection / Initiating PDU
- L2CAP
- SMP - All about Security
- Introduction to SMP
- BLE Security - 4.1 vs 4.2
- Security Features - Encryption, Integrity, Privacy
- BLE Pairing Methods
- Pairing Process - Demo
- Dissection of Pairing Packet
- BLE Security Modes
- GATT
- GATT - Services, Characteristic, Profiles
- Packet Analysis
- Analysing BLE Devices
- Introduction to HCI tools and discover devices
- Interacting with BLE device - Bluetoothctl
- Enumerating a BLE device - open source scripts and tools
- Exploring gatttool
- Read / write device using gatttool
- Writing a custom value to a handle - Demo / Analysis
- Analysing the HCI log from host machine
- Exploiting BLE Devices
- GATTACKER - Introduction
- GATTacker - Capture / Modify / Replay Packet
- BtleJuice - Introduction
- MITM using BtleJuice - Demo
- BLE exploitation with Python script
- Python Library and Setup for Bluetooth
- Understanding pygatt/pybluez functions
- Exploit Device using Automation
- Conclusion
- Q & A
- Additional discussion
- Different approaches and secure implementation techniques
- Sharing our experience from previous BLE pen-tests
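The dissection that the outline above covers (Link Layer packet format, directed vs undirected advertisement PDUs, enumerating advertisement PDUs) in working code. This is an added example, not course material from the workshop or the authors' tooling: it parses a raw advertising-channel PDU (header plus payload, without the access address and CRC) using the Core 4.x field layout, and the two frames, the device address and the name "BLE-Bulb" are constructed for illustration, not captured from any real device.

```python
"""Parse a BLE advertising-channel PDU (Link Layer payload, no access address/CRC).

Core 4.x advertising-channel PDU layout (fields listed from bit 0):
  header byte 0: bits 0-3 PDU Type, bits 4-5 RFU, bit 6 TxAdd, bit 7 RxAdd
  header byte 1: bits 0-5 Length (payload bytes), bits 6-7 RFU (5.x widens Length to 8 bits)
  payload:       AdvA (6 bytes, least-significant byte first) then AdvData (0-31 bytes)
AdvData is a chain of AD structures: [len][AD type][data...], where len counts type + data.
"""
import struct

PDU_TYPES = {
    0x0: "ADV_IND",          # connectable, undirected
    0x1: "ADV_DIRECT_IND",   # connectable, directed (AdvA + InitA, no AdvData)
    0x2: "ADV_NONCONN_IND",  # non-connectable, undirected
    0x3: "SCAN_REQ",
    0x4: "SCAN_RSP",
    0x5: "CONNECT_REQ",
    0x6: "ADV_SCAN_IND",     # scannable, undirected
}

AD_TYPES = {
    0x01: "Flags",
    0x02: "Incomplete List of 16-bit Service UUIDs",
    0x03: "Complete List of 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "Tx Power Level",
    0xFF: "Manufacturer Specific Data",
}

FLAG_BITS = {
    0: "LE Limited Discoverable",
    1: "LE General Discoverable",
    2: "BR/EDR Not Supported",
    3: "Simultaneous LE+BR/EDR (Controller)",
    4: "Simultaneous LE+BR/EDR (Host)",
}


def fmt_addr(raw: bytes) -> str:
    """Addresses are sent LSB first; display them MSB first as tools such as hcitool do."""
    return ":".join(f"{b:02X}" for b in reversed(raw))


def parse_ad_structures(adv_data: bytes) -> list:
    """Split AdvData / ScanRspData into (type name, decoded value) pairs."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:                      # zero length = early termination / padding
            break
        if i + 1 + length > len(adv_data):   # a malformed length must not read past the buffer
            raise ValueError(f"AD structure at offset {i} overruns AdvData")
        ad_type = adv_data[i + 1]
        data = adv_data[i + 2 : i + 1 + length]
        name = AD_TYPES.get(ad_type, f"0x{ad_type:02X}")
        if ad_type == 0x01:
            value = [FLAG_BITS[b] for b in FLAG_BITS if data and data[0] & (1 << b)]
        elif ad_type in (0x08, 0x09):
            value = data.decode("utf-8", errors="replace")
        elif ad_type in (0x02, 0x03):
            value = [f"0x{u:04X}" for (u,) in struct.iter_unpack("<H", data)]
        elif ad_type == 0x0A:
            value = struct.unpack("<b", data[:1])[0]   # signed dBm
        else:
            value = data.hex()
        out.append((name, value))
        i += 1 + length
    return out


def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode the 2-byte header and the payload of one advertising-channel PDU."""
    if len(pdu) < 2:
        raise ValueError("PDU shorter than the 2-byte header")
    h0, h1 = pdu[0], pdu[1]
    pdu_type = h0 & 0x0F
    tx_add, rx_add = (h0 >> 6) & 1, (h0 >> 7) & 1
    length = h1 & 0x3F
    payload = pdu[2:]
    if len(payload) != length:
        raise ValueError(f"header says {length} payload bytes, got {len(payload)}")
    name = PDU_TYPES.get(pdu_type, f"RFU(0x{pdu_type:X})")
    info = {
        "pdu_type": name,
        "connectable": name in ("ADV_IND", "ADV_DIRECT_IND"),
        "directed": name == "ADV_DIRECT_IND",
        "tx_add": "random" if tx_add else "public",   # address type of the sender
        "rx_add": "random" if rx_add else "public",   # address type of the target (directed PDUs)
    }
    if name in ("ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"):
        info["adv_a"] = fmt_addr(payload[:6])
        info["ad"] = parse_ad_structures(payload[6:])
    elif name == "ADV_DIRECT_IND":
        info["adv_a"] = fmt_addr(payload[:6])
        info["init_a"] = fmt_addr(payload[6:12])
    else:
        info["raw_payload"] = payload.hex()
    return info


# Constructed sample frames (made up for this example, not real captures).
# ADV_IND from random static address C1:23:45:67:89:AB with Flags 0x06,
# Complete Local Name "BLE-Bulb" and one 16-bit service UUID 0xFFE0.
SAMPLE_ADV_IND = bytes.fromhex("4017" "AB89674523C1" "020106" "0909424C452D42756C62" "0303E0FF")
# ADV_DIRECT_IND from the same advertiser to public address 11:22:33:44:55:66.
SAMPLE_ADV_DIRECT_IND = bytes.fromhex("410C" "AB89674523C1" "665544332211")

if __name__ == "__main__":
    for frame in (SAMPLE_ADV_IND, SAMPLE_ADV_DIRECT_IND):
        print(parse_adv_pdu(frame))
```

The same `parse_ad_structures` can be pointed at the AdvData bytes that btmon or an HCI log shows for an LE Advertising Report, which is where a tester first sees which services (and which vendor UUIDs) a device is announcing before connecting with gatttool.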
Pre-requisite
- Basic Understanding of BLE concepts
- Knowledge on Linux OS and commands
- Basic Knowledge of Programming – python
Pre-requisite Material
- Laptop with at least 25 GB Free space and 8 GB of RAM
- Administrator level privilege
- External USB access
- Virtualisation software - VirtualBox / VMware
WHAT STUDENTS WILL BE PROVIDED WITH
- Course material and slides
- VM with Tools required for BLE testing
- Hardware to use in class - smart watch, smart bulb, beacon, baggage tracker, etc.
Who should attend:
- Security Enthusiasts
- IoT security Pen-testers
- Web/mobile application pentesters
- Embedded Developers
- Security Architects
What to expect:
- Hands-On lab
- Getting familiar with BLE packet format and stack
- Getting familiar with BLE security and the mitigations
- This workshop will help you kick start pen-testing BLE devices
- Use the knowledge gained in the training to sharpen your skills on BLE security
What not to expect:
- Becoming a BLE security expert in a day.
OTHER REQUIREMENTS:
- Multiple bike buster for laptop and devices
- Both trainee and trainer need internet access
Speaker Profile:
Nalla Muthu S , Senior Cyber Security Analyst, Honeywell
Nalla Muthu is a security enthusiast who strongly believes in understanding the basic concepts rather than just exploiting. He has more than 5 years of experience in the field of cyber security, with solid knowledge of web application, mobile, thick client, reverse engineering and Bluetooth security testing and of secure implementation techniques. His Python skills have helped him build many automation scripts for security testing of web, thick client, firmware, mobile and Bluetooth targets. He holds the OSWP, OSCP and OSCE certifications from Offensive Security. He is an active speaker at NULLCON, Chennai, and has written a blog on exploiting Android services and broadcast receivers on Medium. He shares his personal cyber security research at https://just2secure.blogspot.com/
Mounish P , Cyber Security Analyst, Honeywell
Mounish is an electronics engineer with a solid background in the field and many personal and professional experiments with micro-controllers. After time in the electronics industry as an embedded systems engineer, he moved into hardware and IoT security. He has researched extensively on serial interfacing techniques and on exploiting communication protocols such as Zigbee, Z-Wave and BLE. He has written a blog on exploiting a BLE smart bulb, and his BLE-related tools can be found on GitHub. He is an active speaker at local IoT chapters and embedded device development meetups.