Bluetooth Low Energy - Full Stack Attack // Veronica Kovah and Xeno Kovah

In-Person | March 18-21 | 4 Days


ABSTRACT

It's pretty fun to hack things wirelessly. And hey, it turns out there's literally billions of Bluetooth Low Energy (BLE) things sold per year, so let's learn how to hack those!

In this class you will become an expert in all things BLE! You will be given a guided tour of the entire BLE protocol stack in a bottom-up fashion. We will stop to admire and understand vulnerabilities applicable to the different stack levels, whether fundamental protocol-level vulnerabilities or past implementation vulnerabilities. And we will learn by doing as we proceed through numerous labs at every level, where we examine the interactions between a custom Android phone application and a piece of hardware with custom firmware, which is typical of BLE usage.


INTENDED AUDIENCE

  • People who want to learn about Bluetooth Low Energy in general
  • Defensive security engineers wanting to understand the risks which Bluetooth systems are subject to
  • Vulnerability hunters looking for new areas of exploration
  • Reverse engineers looking for new areas of exploration

KEY LEARNING OBJECTIVES

  • Cover all the most important Bluetooth Low Energy protocols and profiles at every level of the stack
  • Understand the security model of BLE in depth
  • Understand past work including both protocol and implementation vulnerabilities, and what is and isn't still relevant to today's devices
  • Learn how to reverse engineer the provided custom-firmware Ultra-Vulnerable-Peripheral devices, to find the same sort of vulnerabilities

COURSE DETAILS

Introduction

Physical Layer (PHY)

  • Introduction
  • Encoding/Decoding
  • Packet formats by PHY type
  • Basic advertisements introduction (ADV_IND)
  • Other basic advertisements (ADV_DIRECT_IND, ADV_NONCONN_IND, ADV_SCAN_IND)
  • Scanning (SCAN_REQ/RSP)
  • Connecting (CONNECT_IND)
  • LL data
  • LL control
  • Understanding LL vulnerabilities: Machine-in-the-Middle attacks
  • Understanding LL vulnerabilities: Relay attacks
  • Understanding LL vulnerabilities: "InjectaBLE"
  • Understanding LL vulnerabilities: Privacy attacks
  • LL memory safety threat model

Host Controller Interface (HCI)

  • HCI introduction
  • HCI transport layer
  • HCI packet formats
  • HCI logging
  • HCI memory safety threat model
  • L2CAP introduction
  • L2CAP data channel
  • L2CAP signaling channel
  • L2CAP memory safety threat model

Generic Access Profile (GAP)

  • GAP introduction

Security Manager Protocol (SMP)

  • SMP introduction
  • Legacy pairing
  • Understanding SMP vulnerabilities in the context of Legacy pairing: NiNo
  • Understanding SMP vulnerabilities in the context of Legacy pairing: KNOB
  • Secure Connections pairing
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing: KNOB
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing: BlueMirror
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing: Invalid Curve Attack
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing: BLURtooth
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing: Method Confusion
  • LE Security Mode 1
  • LE Security Mode 2
  • SMP memory safety threat model

ATTribute Protocol (ATT)

  • ATT introduction
  • ATT PDUs
  • ATT handle enumeration
  • ATT memory safety threat model

Generic ATTribute Profile (GATT)

  • GATT introduction
  • Visualizing GATT via packet sniffing
  • Visualizing GATT via MitM tools: GATTacker
  • Understanding GATT vulnerabilities: Access control failures
  • Understanding GATT vulnerabilities: Replay attacks
  • Understanding GATT vulnerabilities: Privacy
  • GATT memory safety threat model

Application-specific vulnerabilities

  • Introduction
  • Command injection
  • Application-layer encryption
  • Insecure firmware updates
  • Application-specific MitM
  • Application-specific replay attacks

Vulnerability assessment of the Ultra-Vulnerable-Peripheral firmware

  • Understanding LL vulnerabilities: "A 🐞 Has No Name"
  • Understanding HCI vulnerabilities: "BadVibes"
  • Understanding L2CAP vulnerabilities: TBD CVE, most likely CVE-2021-3434
  • Understanding GATT vulnerabilities: TBD CVE, most likely CVE-2023-40129
  • Dumping firmware
  • Debugging firmware
  • Vulnerability hunting in firmware

Conclusion

Knowledge Prerequisites

  • Student must be comfortable reading C code.
  • To participate in the final day of reverse engineering exercises, knowledge of ARM assembly is highly recommended. Alternative exercises will be provided for those who don't know ARM assembly.

Hardware Requirements

  • A PC or a Mac capable of running at least 2 Ubuntu Linux VMs at a time with at least 2GB of dedicated RAM per VM.

Software Requirements

  • Administrator privileges to install virtualization software on your machine.
  • A PC with VMWare Workstation or a Mac with VMWare Fusion (the free "Player" versions are fine) already installed.
  • A link to the software setup guide will be sent before class.

YOUR INSTRUCTORS: Veronica Kovah and Xeno Kovah

Veronica is a researcher who has created and released multiple over-the-air arbitrary code execution exploits which target Bluetooth chip firmware. She presented these attacks at BlackHat USA 2020. In 2018 she founded the security consultancy Dark Mentor LLC. She has previously worked at companies like Tesla on vehicular security and NSA as an adjunct instructor and Capability Development Specialist developing CNE tools for embedded systems. She is currently using her background in reverse engineering and exploitation to specialize in the security analysis of Bluetooth systems.

@VeronicaKovah

Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team's first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. And after presenting a firmware worm that could spread between Macs via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals - everything from 3rd party GPUs to SecureBoot for monitors! He worked on the x86 side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture - being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.
