This unique hands-on course combining BLE and NFC security trainings aims to provide solid understanding of security aspects for both technologies, along with practical skills and included hardware tools for hands-on exercises.

Several editions are scheduled for 2022 - both traditional (in-person) and online, suitable for various time zones around the world.

Overview

Both Bluetooth Low Energy and NFC/RFID are wireless technologies extensively used not only in IoT gadgets and toys but also in high-risk devices: access control systems, smart locks, medical, payment and banking appliances. With the growing numbers of such devices, security becomes more and more important, along with the constantly growing demand for specialists in this area.

This unique hands-on course combining BLE and NFC security trainings aims to meet this demand, providing solid understanding of security aspects for both technologies, along with practical skills and included hardware tools for hands-on exercises.

Sign up for just a single topic (2 days BLE or 2 days NFC), or sign up for both in a bundle, and get a discount!

Who should attend

• Pentesters, security professionals, researchers
• BLE, NFC/RFID device designers, developers
• Anyone interested

Key learning objectives

• Solid understanding of Bluetooth Low Energy, including latest versions (5).
• Common implementation pitfalls.
• Device assessment process.
• Solid understanding of NFC/RFID.
• Ability to perform in practice typical attacks: cloning, cracking, remote relays.
• Point out common implementation pitfalls in both legacy and modern systems.
• Analyse security of mobile access solutions.

Prerequisite knowledge

• Basic familiarity with Linux command-line; some pentesting experience will be helpful but not crucial.
• No previous knowledge of Bluetooth or NFC is required.
• It is recommended to try free BLE HackMe before the training – especially first few tasks that allow you to become familiar with the technology basics. HITB Cyberweek Slides: A practical introduction to BLE security without any special hardware (PDF, 16M), recording: https://www.youtube.com/watch?v=5bUoal6-sHs.

Hardware/software requirements

• Laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest.
• Android smartphone with at least Bluetooth 4 support (basically all the phones with Android > 5.0). Bluetooth 5 support will be an advantage (most current phones) and with NFC support (most current phones, with a few small exceptions of [incompatible devices](https://github.com/ikarus23/MifareClassicTool /blob/master/INCOMPATIBLE_DEVICES.md). Root option will be an advantage, but not crucial. This will be provided to you in your Training Pack if you subscribe for 4-day “combo” training. In case you don’t have Android phone, please contact us in advance to organize it.

Each student will receive

• Course materials - about 2000 pages, step by step instructions for hands-on exercises
• All required additional files: source code, documentation, installation binaries, virtual machine images
• Included hardware pack for hands-on exercises, consisting of:
  • Preconfigured Android smartphone with all the required applications and possibility for BLE packets capture and NFC simulation (available in “combo” 4 day subscription)
  • Raspberry Pi (+microSD card and power adapter), with assessment tools and “hackme”.
  • Bluetooth 4 and 5 development boards
  • Dedicated Bluetooth device
  • BLE USB dongles
  • Proxmark 3 with latest firmware
  • Various sample tags (including “magic” ones)
  • NFC PN532 board

What students say about this training

Well prepared training, due to the amount of tools and equipment also easy to continue at home.

Trainer did a good job in preparing all the labs. Really gorgeous.

The best thing with this course is the instructor and our ability to do all exercise back at home .

Great instructor, well maintained materials had a lot of experience.

I am amazed how well everything is prepared.

Great instructor, lot’s of information, topics and exercise to practise at home.

Detailed agenda

Day 1 - Bluetooth Low Energy

1. What is Bluetooth Low Energy, how it differs from previous Bluetooth versions – introduction.

2. BLE advertisements, broadcasted packets

   • Theory - BLE advertisement packets
   • Scanning for nearby BLE devices’ advertisements: smartphone, command-line, scripts, other tools.
   • BLE Beacons
     • iBeacon, Eddystone
     • Spoofing/cloning beacons to get rewards, free beer, or activate connected underwear
   • Tracking devices and crowdsourced location (key finders, Apple AirTags, …).
   • Apple, Microsoft devices BLE advertisements.
   • COVID-19 contact tracing / exposure notification BLE packets.
   • Other BLE advertisements - energy meters revealing current indication, sex toys revealing device model, …
   • Bleedingbit - RCE chain via improper BLE advertisements parsing.

3. BLE connections

   • Theory introduction: GATT specification, central vs peripheral device, services, characteristics, connections, …
   • Connecting to your dedicated BLE device using various tools
     • nRF Connect mobile application: read/write/notify, automation with macros.
     • BlueZ command-line
     • other tools
   • Taking control of simple, insecure devices (BLE dildo, key finder, …)

4. Sniffing BLE

   • BLE RF layer theory introduction
     • Radio modulation, channels, hopping, connection initiation
     • Why so many devices do not encrypt link-layer
     • Various sniffing hardware and software options
   • Sniffing live raw BLE packets from the air using provided hardware and Wireshark
     • Wireshark tips&tricks
     • Capture your own connection from mobile app to your BLE device
     • How to combine multiple sniffers for better reliability
   • Sniffing demos: smart lock plain text password, banking token OTP
   • Overview of various hardware and open source sniffers: nRF Sniffer, Ubertooth, Btlejack, Sniffle, SDR, …

5. BLE HCI dump – reliably capture own packets

   • Difference from RF layer sniffing
   • Investigate BLE packets intercepted on Android phone in Wireshark
   • Linux command-line hcidump

6. BLE “Machine in the Middle” / remote relay

   • Conditions for MITM, attack scenarios, MAC address cloning
   • BLE MITM / remote relay in practice (local, via Internet), various tools (GATTacker, BtleJuice, Mirage).
   • Abusing proximity autounlock feature via remote relay.
   • Tampering BLE packets via MITM - demo using mobile Point of Sale to alter information displayed on terminal.

DAY 2 - Bluetooth Low Energy continued

7. BLE insecurity case studies

   • Sample smart lock attack: decompile Android application, reverse-engineer BLE protocol commands, identify weakness in protocol, exploit in practice using mobile application
   • Various attacks on proprietary authentication/encryption protocols based on real devices (including several smart locks).
   • Abusing excessive BLE services, hard-coded credentials, remote access share functionality, cloud interface, …

8. BLE link-layer security

   • BLE link layer security mechanisms - introduction, levels, pairing, bonding, why most devices do not implement it at all.
   • Pair smartphone with your dedicated BLE device, sniff the pairing process and crack it.
   • Attacks possible on paired/bonded connections.
   • BLE MAC address randomization, “silent pairing” attacks recovering Identity Resolving Key (for example leveraging contact tracing apps).
   • Abusing trust relationships of bonded devices - vulnerabilities in HID devices, Google Titan U2F token vulnerability technical analysis, attacks via other applications installed on the same mobile phone, …

9. Provided BLE development boards

   • Technical details about provided BLE devboards.
   • How to develop own firmware or adjust included training device source code.
   • Review of provided firmware images / source (sniffer, attack tools, dedicated BLE device).
   • Flashing firmware on the devkits.

10. BLE jamming and hijacking

    • Theory introduction: how to hijack BLE ongoing connections
    • Btlejack, ButteRFly – possible attacks, tools usage.

11. Web Bluetooth

    • Introduction, security design consideration, sample implementations, possible attacks
    • Interact with your BLE device via browser - run sample Web Bluetooth javascript code.

12. BLE device firmware over the air update security

    • Introduction, how the firmware update works, memory layout of BLE SoC.
    • Abuse insecure Over The Air firmware update on provided Nordic Semiconductor SoC.
    • Insecure OTA firmware upgrade in Texas Instruments SoC (taking control over wireless routers, stealing Tesla keys, …).

13. Bluetooth 5 and beyond

    • Introduction, new features, why so many devices claim to be Bluetooth 5 but are not really.
    • New physical layers: 2M, long range coded PHY.
    • New channel hopping RNG.
    • Sniffing BLE5 – current hardware, software support.

14. Bluetooth Mesh

    • Introduction, network topology, BLE4 advertisements as a transport layer, mandatory encryption.
    • Flashing sample Bluetooth Mesh device firmware on a supplied devkit.
    • Provisioning the devices in practice into your own Mesh network
    • Known vulnerabilities and possible weaknesses of Mesh implementations.

15. Other attacks on BLE devices

    • Attacking BLE devices via RF side-channel analysis (e.g. leaking AES key).
    • Vulnerabilities in BLE SDK (e.g. RCE in Nordic SoftDevice)
    • SoC vulnerabilities (memory readout protection bypass, fault injection,…). Sample attack to try out in practice on provided nRF51 development board

16. Brief review of the multitude attacks on BLE protocol and its implementations as well as attack tools (Bleedingbit, Sweyntooth, BlueFrag, KNOB, BIAS, BLESA, BLURTooth, Frankenstein, JackBNimBLE, InjectaBLE, …)

17. Summary, best practices, references, “hackme” challenges…

Day 3 (or day 1): NFC/RFID

Day 3 (or day 1): NFC/RFID

1. Short introduction
   • RFID/NFC – where do I start?
   • Frequencies, card types, usage scenarios.
   • How to recognize card type – quick walkthrough.
   • Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware.
2. UID-based access control
   • Introduction - simple, still surprisingly common technologies
   • Communication between a reader and tag.
   • What is stored on the tag?
   • Low Frequency EM410X (“unique”), HID Prox, …, High Frequecy Mifare UID
   • Cloning card’s UID – cloners, Proxmark, Chameleon, mobile phone, …
   • Simulating (Proxmark, Chameleon, mobile phone,…), brute-forcing.
   • Interpreting markings on the tag, decoding UID from the picture.
   • Sample vulnerability of simple access control reader that allows to unlock it without the need to have a valid card.
   • Countermeasures against attacks
3. Wiegand – typical transmission between the reader and access controller
   • Theory introduction, signal DATA0, DATA1
   • Wiegand sniffers, implants, transmitters – hardware, open source software
   • Decoding card UID from sniffed bytes, clone the card
   • Replay card data on the wire to open lock
4. Mifare Ultralight, NTAG
   • Data structure.
   • Reading, cloning, emulating.
   • Example data stored on a hotel guest card.
   • Ultralight EV1, C.
5. Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket
   • Mifare Classic – data structure, access control, keys, encryption.
   • Default, leaked keys.
   • Reading and cloning card data using just a mobile phone.
   • Cracking keys using various attacks and tools (Proxmark, libnfc, Chameleon).
   • Attacks on EV1 “hardened” Mifare Classic.
   • Online attacks against the reader.

Day 4 (or day 2) - NFC/RFID continued

6. Reverse-engineering data stored on a sample hotel system guest card
   • Decoding access control data (room number, date) stored on the hotel guest card.
   • Creating hotel “emergency card” to open all the hotel doors unconditionally, having only sample guest card.
7. Mifare DESFire
   • Introduction, data format, access modes.
   • Creating sample tag for DESFire access control system.
   • Publicly known attacks (misconfiguration, implementation issues) in smart locks, access control, ticketing systems.
8. ISO15693/iCode
   • Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock.
   • Data of several example ski passes.
9. HID iClass
   • Cloning “legacy” / “standard security” iClass.
   • Attacks on iClass Elite.
   • Downgrade attacks.
10. Remote relay attacks against NFC/ISO1443

• Introduction: research, tools, possibilities and limitations.
• Practical remote relay of iClass SEOS and DESFire access control.

11. Sample Hitag2 access contol – sniffing password mode, simulating tags
12. Host Card Emulation – smartphone as NFC tag

• Hardware Secure Element vs software Host Card Emulation
• Protocols, commands, applications – ISO14443-4, 7816-4, APDU, AID, …
• Example vulnerable HCE access control system (unlocking door using your NFC phone) – sample vulnerabilities.
• NFC communication analysis: sniffing using Proxmark, dumping on the phone.

13. Intercepting card data from distance – antennas, possibilities and limits.

Register here:

https://sectrain.hitb.org/courses/hands-on-hacking-for-ble-nfc-rfid-4-day-combo-hitb2022ams/

Can’t make it?

Can’t make it to this training? Interested in other date, content, location? A tailor-made training will come to you! Have a look at private trainings offer. Contact us for details, or fill a form to get a quote.