Bluetooth Low Energy is one of the fastest-growing IoT technologies. BLE devices surround us more and more: not only wearables, toothbrushes and sex toys, but also smart locks, medical devices and banking tokens. Alarming vulnerabilities in these devices have been exposed repeatedly in recent years, yet knowledge of how to assess their security comprehensively remains rare, and best-practice guidelines are practically absent. This is probably the most exhaustive and up-to-date training on BLE security for both pentesters and developers, compressing years of painful debugging and reversing into practical, useful checklists. It is based on hands-on exercises on real devices (including multiple smart locks) as well as a deliberately vulnerable training lock, Hackmelock.
NFC, on the other hand, has been around for much longer. Yet the vulnerabilities pointed out years ago will probably not be resolved in the near future: it is still surprisingly easy to clone most of the access control cards used in buildings today. Among other practical exercises performed on real installations, attendees will reverse-engineer an example hotel access system and, as a result, be able to open every door in the facility. A list of several hundred affected hotels is included.
With the prevalence of NFC smartphones, a new application of this technology has recently been gaining attention: mobile contactless payments and access control, known on Android as Host Card Emulation (HCE). Using a combination of cloud services and mobile security mechanisms, it is now possible to embed a credit card (or the NFC key to a lock) in your phone. Is the technology as robust as advertised? How do you check its security, and how do you implement it correctly? Find out during practical exercises, including a step-by-step guide to bypassing the security mechanisms and cloning a contactless payment card.
Key Learning Objectives
- In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, the device assessment process and best practices for implementation
- Ability to identify vulnerable access control systems, clone cards and reverse-engineer the data stored on them
- Understanding of mobile contactless payment technology, possible attacks, risks and countermeasures
Prerequisites:
- Basic familiarity with the Linux command line and Kali
- Scripting skills, pentesting experience and an Android mobile application security background are an advantage, but not essential
- A contemporary laptop capable of running Kali Linux in a virtual machine, with at least one free USB port
- You may bring your own BLE device or access control card to check its security
Each student will receive:
- Course materials as PDFs (several hundred pages)
- All required additional files (source code, documentation, installation binaries, virtual machine images) on a pendrive
A take-away hardware pack worth 300 EUR, used for the hands-on exercises, consisting of:
- Rooted NFC- and BLE-capable Android smartphone with all required applications installed, and root-hiding and device-characteristics-spoofing frameworks configured
- Proxmark3 with the latest firmware
- Multiple RFID/NFC tags for cracking and cloning, including a "Chinese magic UID" card, T5577, Ultralight, HID Prox, iClass, EV1, and Mifare Classic cards with various content (bus ticket, hotel, e-wallet, …)
- PN532 NFC board (libnfc-compatible)
- Raspberry Pi 3 (with microSD card and 3 A power adapter), with assessment tools and Hackmelock installed for further hacking at home
- Bluetooth Smart hardware sniffer (nRF sniffer, BtleJack) and a development kit based on the nRF51822 module
- ST-Link V2 SWD debugger for programming the nRF boards
- 2 x Bluetooth Low Energy USB dongles
Each attendee receives a hardware pack that includes, among other items, a Proxmark3, a rooted Android smartphone and a Raspberry Pi (detailed above). The hardware allows for BLE analysis (sniffing, interception), cloning and cracking multiple kinds of proximity cards, and analysis of BLE and NFC mobile applications, so that most of the training exercises can be repeated later at home.
Time: 9.00am - 6.00pm
Agenda - Day 1
Bluetooth Smart (Low Energy)
Based, among others, on about 10 different smart locks, beacons, a mobile PoS terminal, a banking token and numerous other devices, as well as tools developed by the trainer: the GATTacker BLE MITM proxy and the deliberately vulnerable Hackmelock (an Android mobile application plus a lock device simulated on a Raspberry Pi).
- What is Bluetooth Smart / Low Energy / 4.0, and how does it differ from previous Bluetooth versions?
- Usage scenarios, prevalence in IoT devices
- Protocol basics
- Advertisements, connections
- Central vs peripheral device
- GATT – services, characteristics, descriptors, handles, reading, writing, notifications
- Security features – pairing/encryption, whitelisting, MAC randomization
- Security in practice: custom crypto in the application layer
- Hardware required for BLE assessment
- iBeacon, Eddystone, Physical Web
- Simulating beacons using a mobile phone, Linux scripts or other devices
- How to get free beer by abusing beacon-based reward application
- “Encrypted” beacons
- Abusing weaknesses in beacon management control protocols
Other BLE advertisements
- Scanning for visible devices: hcitool, bleah, GATTacker, …
- Decoding the data in advertisements
- Advertisement spoofing: denial of service, device impersonation
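The beacon items above (iBeacon, Eddystone, simulating beacons) and the advertisement decoding and spoofing items come down to one fact: an advertising payload is a plain sequence of length/type/data structures with nothing authenticating it. The following is an added example written for this page, not code from the training or from GATTacker: it splits a payload into AD structures, decodes iBeacon and Eddystone-URL frames, and builds a spoofed iBeacon that a scanner cannot tell from the real one. The sample advertisements, the UUID and the power values are constructed for the example.

```python
"""Decode and forge BLE advertising payloads (AD structures, iBeacon, Eddystone-URL).

Added example for this section; it is not code from the training or from GATTacker.
All advertisements below are constructed by hand, not captured from real devices.
"""
import struct
import uuid

# AD types from the Bluetooth SIG Assigned Numbers
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_SERVICE_DATA_16 = 0x16
AD_MANUFACTURER_SPECIFIC = 0xFF

APPLE_COMPANY_ID = 0x004C   # iBeacon frames are Apple manufacturer-specific data
EDDYSTONE_UUID = 0xFEAA     # Eddystone frames are 16-bit service data

# Eddystone-URL scheme prefixes and in-URL expansion codes
EDDYSTONE_SCHEMES = ["http://www.", "https://www.", "http://", "https://"]
EDDYSTONE_EXPANSIONS = [".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
                        ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov"]


def parse_ad_structures(adv: bytes) -> list:
    """Split an advertising payload into (ad_type, data) tuples.

    Each AD structure is: length (1 byte, counting type + data), type, data.
    A zero length ends the payload; anything after it is padding.
    """
    out, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure at offset %d" % i)
        out.append((adv[i + 1], bytes(adv[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def decode_ibeacon(mfg: bytes):
    """Decode Apple iBeacon manufacturer data; None if this is not an iBeacon frame."""
    # company id (little endian), sub-type 0x02, length 0x15, UUID, major, minor, measured power
    if len(mfg) != 25 or struct.unpack_from("<H", mfg)[0] != APPLE_COMPANY_ID:
        return None
    if mfg[2] != 0x02 or mfg[3] != 0x15:
        return None
    major, minor, tx_power = struct.unpack_from(">HHb", mfg, 20)
    return {"uuid": str(uuid.UUID(bytes=mfg[4:20])), "major": major,
            "minor": minor, "tx_power": tx_power}


def decode_eddystone_url(svc: bytes):
    """Decode Eddystone-URL service data (UUID 0xFEAA, frame type 0x10); None otherwise."""
    if len(svc) < 5 or struct.unpack_from("<H", svc)[0] != EDDYSTONE_UUID or svc[2] != 0x10:
        return None
    tx_power = struct.unpack_from("b", svc, 3)[0]
    if svc[4] >= len(EDDYSTONE_SCHEMES):
        return None
    url = EDDYSTONE_SCHEMES[svc[4]]
    for b in svc[5:]:
        if b < len(EDDYSTONE_EXPANSIONS):
            url += EDDYSTONE_EXPANSIONS[b]
        elif 0x21 <= b <= 0x7E:          # printable ASCII; other values are reserved
            url += chr(b)
        else:
            raise ValueError("reserved byte 0x%02x in Eddystone-URL" % b)
    return {"tx_power": tx_power, "url": url}


def decode_adv(adv: bytes) -> dict:
    """Return what a scanner can learn from one advertising payload."""
    info = {"name": None, "ibeacon": None, "eddystone_url": None, "raw": []}
    for ad_type, data in parse_ad_structures(adv):
        info["raw"].append((ad_type, data.hex()))
        if ad_type == AD_COMPLETE_LOCAL_NAME:
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER_SPECIFIC:
            info["ibeacon"] = decode_ibeacon(data)
        elif ad_type == AD_SERVICE_DATA_16:
            info["eddystone_url"] = decode_eddystone_url(data)
    return info


def build_ibeacon_adv(proximity_uuid: str, major: int, minor: int, tx_power: int) -> bytes:
    """Build a complete 30-byte advertising payload for a (spoofed) iBeacon.

    Nothing in the frame is signed or otherwise authenticated, so a scanner
    cannot distinguish this from the genuine beacon with the same UUID/major/minor.
    """
    mfg = struct.pack("<HBB", APPLE_COMPANY_ID, 0x02, 0x15)
    mfg += uuid.UUID(proximity_uuid).bytes + struct.pack(">HHb", major, minor, tx_power)
    flags = bytes([0x02, AD_FLAGS, 0x06])   # LE General Discoverable, BR/EDR not supported
    return flags + bytes([len(mfg) + 1, AD_MANUFACTURER_SPECIFIC]) + mfg


# Constructed Eddystone-URL advertisement: flags, 16-bit service UUID list, and service
# data for https://example.com at a measured power of -18 dBm (0xEE).
SAMPLE_EDDYSTONE_ADV = (bytes.fromhex("020106" "0303AAFE" "0E16AAFE10EE03")
                        + b"example" + bytes([0x07]))

if __name__ == "__main__":
    print(decode_adv(SAMPLE_EDDYSTONE_ADV))
    # Sample UUID only; any value the target application filters on works the same way
    spoof = build_ibeacon_adv("e2c56db5-dffb-48d2-b060-d0f5a71096e0", 1, 2, -59)
    print(spoof.hex(), decode_adv(spoof)["ibeacon"])
```

The bytes returned by build_ibeacon_adv are exactly what you would hand to a HCI advertising-data command or a BLE library on a phone or Linux box; the "free beer" class of attack on reward applications is nothing more than replaying a UUID/major/minor observed with decode_adv. A defender reading an advertisement should treat every field as attacker-controlled input, including the URL in an Eddystone frame.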
Sniffing BLE connections using RF-layer hardware
- Ubertooth, nRF sniffer, BtleJack, other hardware
- Wireshark filters, tips & tricks
- Sniffing the static cleartext password of a smart lock and other devices
HCI dump (Linux, Android): setup, analysis, differences from RF-layer sniffing, replay and fuzzing possibilities
Attacking services exposed by devices
- Mapping device services and characteristics
- Interacting with devices that do not require pairing/authentication
- Abusing simple pairing (static PIN, Just Works)
- Example: an unprotected AT command interface exposed via a BLE service of a smart lock
- Fuzzing data written to device
Device spoofing, active MITM interception
- How to perform a man-in-the-middle attack on BLE connections
- Available tools: GATTacker, BtleJuice, BtleJack
- MAC address cloning, potential problems with the mobile OS GATT cache
- Analysing intercepted traffic
- Denial of Service attacks
- Hijacking active connections with BtleJack
- Intercept the transmission
- Analyse an authentication protocol weakness in an example smart lock
- Perform a replay using tools or a mobile phone, and unlock the device
Mobile application analysis, attacks on proprietary authentication and protocols
- Decompile the Android app and locate the relevant source code fragments
- Understand the proprietary BLE communication protocol: commands and data exchanged with the device
- Based on an example smart lock, discover a protocol weakness and create an exploit that opens the lock without knowing the current password and without any prior sniffing
- Exploit the vulnerability using just a mobile phone (nRF Connect macros)
- Verify another vendor's claims of "latest PKI technology" and "military grade encryption"
Relay attacks: abusing automatic proximity features (e.g. smart lock auto-unlock)
Agenda - Day 2
Advanced BLE MITM topics
- Hooks and on-the-fly data modification (example attack on a mobile PoS terminal)
- Command injection
- Upstream websocket proxy
- "Rolljam"-like attacks on single-use keys
- When the MITM attack does not work or is not possible: debugging and troubleshooting
Remote access-sharing functions and their weaknesses: how to bypass timing restrictions
Device firmware update (DFU) over-the-air services
How to create your own independent server-side API for a device, based on a real smart lock whose vendor disappeared and shut down its servers, effectively turning the device into e-waste
Bluetooth link-layer encrypted connections
- Intercepting the pairing process and recovering the Long Term Key (crackLE)
- How to trick a victim into re-pairing
- Device weaknesses that make the attacks easier
- How hard is it to hijack BLE devices from a hostile web site?
Bluetooth Mesh, Bluetooth 5.0: what these technologies change in terms of BLE security, and what they do not
BLE Hackmelock: an open-source, software-emulated device with multiple challenges to practise at home
BLE best practices and security checklist for security professionals, pentesters, vendors and developers
RFID/NFC and mobile contactless payments
Comprising hands-on exercises on real access control installations, a hotel system and mobile payment applications. Every time a student succeeds in bypassing an access control system (e.g. by cloning a card), a specially prepared box automatically unlocks and dispenses a delicious prize.
- RFID/NFC – where do I start?
- Frequencies, card types, usage scenarios
- How to recognise the card type: a quick walkthrough
- Equipment and what you can do with it: mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware
UID-based access control: practical exercises on an example reader and door lock
- UID-based access control: still surprisingly popular
- UID lengths and formats
- Clone a Mifare UID using a "Chinese magic" card and the provided hardware
- How to emulate contactless cards and unlock a UID-based system using just a smartphone (Android, iOS), without any additional hardware
- How to clone a card from a photograph: decoding the numbers printed on cards
- Cloning other ID-based cards: low-frequency EM41XX, HID Prox, …
- Emulating cards using Proxmark and Chameleon Mini
- Brute force: is it possible in practice to guess other cards' UIDs?
- Countermeasures against these attacks
Wiegand: the wired access control transmission standard
- Sniff the data transmitted by an access control reader using Raspberry Pi GPIO
- Decode the card UID from the sniffed bits and clone the card
- Replay the card data on the wire to open the lock
- Wiegand sniffers/repeaters: BLE-Key, ESP RFID Tool, others
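The three Wiegand exercises above (sniff on GPIO, decode the ID, replay on the wire) are one procedure, shown here as an added example written for this page rather than course material. It assumes the common 26-bit H10301 format (even parity, 8-bit facility code, 16-bit card number, odd parity); other readers use longer formats with different field layouts. On a Raspberry Pi the (timestamp, line) events would be delivered by GPIO edge interrupts on the D0 and D1 wires; here they are constructed so the code runs offline, and the facility and card numbers are made up.

```python
"""Wiegand 26-bit (H10301) sniffing, decoding and replay helpers.

Added example for this section, not course material. Events are constructed in the
same shape a GPIO edge handler on D0/D1 would produce: (timestamp_seconds, line).
"""


def frames_from_pulses(events, gap_s=0.025):
    """Group sniffed pulses into bit strings.

    events: iterable of (timestamp_seconds, line) where line 0 is a pulse on D0
    (bit value 0) and line 1 a pulse on D1 (bit value 1). Pulses within one card
    read are about 2 ms apart, so a silence longer than gap_s ends the frame.
    """
    frames, current, last_t = [], "", None
    for t, line in sorted(events):
        if current and last_t is not None and t - last_t > gap_s:
            frames.append(current)
            current = ""
        current += "1" if line else "0"
        last_t = t
    if current:
        frames.append(current)
    return frames


def decode_wiegand26(bits: str) -> dict:
    """Decode a 26-bit frame: [even parity][8-bit facility][16-bit card][odd parity]."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits, got %r" % bits)
    ones = [int(c) for c in bits]
    even_ok = sum(ones[0:13]) % 2 == 0     # bit 0 is even parity over bits 1..12
    odd_ok = sum(ones[13:26]) % 2 == 1     # bit 25 is odd parity over bits 13..24
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2),
            "parity_ok": even_ok and odd_ok}


def encode_wiegand26(facility: int, card: int) -> str:
    """Build the frame a reader emits for a facility code and card number (used for cloning)."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    body = format(facility, "08b") + format(card, "016b")
    even = str(sum(int(c) for c in body[:12]) % 2)
    odd = str((sum(int(c) for c in body[12:]) + 1) % 2)
    return even + body + odd


def pulses_from_bits(bits: str, start_s=0.0, period_s=0.002):
    """Timing plan for replaying a frame onto the D0/D1 wires: the inverse of sniffing."""
    return [(start_s + i * period_s, int(c)) for i, c in enumerate(bits)]


def sniff_and_decode(events):
    """What a tap on the reader-to-controller cable yields: every card ID, in the clear."""
    return [decode_wiegand26(frame) for frame in frames_from_pulses(events)]


# Constructed capture: facility 123 / card 45678 as it would appear on the wire ...
SAMPLE_CAPTURE_BITS = "10111101110110010011011101"
# ... followed one second later by a second card read, generated with the encoder.
SAMPLE_EVENTS = (pulses_from_bits(SAMPLE_CAPTURE_BITS, start_s=0.0)
                 + pulses_from_bits(encode_wiegand26(1, 2), start_s=1.0))

if __name__ == "__main__":
    for card in sniff_and_decode(SAMPLE_EVENTS):
        print(card)
    print(pulses_from_bits(encode_wiegand26(123, 45678))[:3], "...")
```

Because the wire carries nothing but the decoded identifier, a device hidden behind the reader (which is on the unprotected side of the door) can both log every card presented and later drive D0/D1 with pulses_from_bits to replay one; the parity check only catches transmission errors, not forgery.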
- Data structure
- Reading, cloning, emulating
- Example data stored on a hotel access card
Agenda - Day 3
Mifare Classic and its weaknesses: practical exercises based on a hotel door lock system, a ski lift card and a bus ticket
- Mifare Classic: data structure, access conditions, keys, encryption
- Default and leaked keys
- Reading and cloning card data using just a mobile phone
- Cracking keys: nested and darkside attacks
- libnfc tools: mfoc, mfcuk, MiLazyCracker
- Cracking Mifare using Proxmark
- Attacks on "hardened" Mifare Classic EV1
- Attacks with access to the reader
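Once keys have been recovered (default keys, mfoc, Proxmark), the next question for each sector is what its access conditions actually allow, which is where misconfigured cards give up more than their data. The following is an added example for this page, not course material and not part of mfoc or the Proxmark client: it decodes the three access-bit bytes of a sector trailer (with their inverted-copy integrity check), re-encodes a chosen configuration, and audits a sector the way a pentester would in a dump. The two trailers and the key values are constructed; the default-key set is a small subset of the lists such tools ship with.

```python
"""Decode and audit MIFARE Classic sector trailer access conditions.

Added example for this section; not course material and not part of mfoc or the Proxmark
client. Trailers are the 16-byte sector trailer as it appears in a dump after cracking:
key A (6), access bits (3) + user byte (1), key B (6). Sample trailers are constructed.
"""

# Access conditions from the MF1S50/MF1S70 datasheets, indexed by (C1, C2, C3).
DATA_BLOCK_RULES = {  # -> (read, write, increment, decrement/transfer/restore)
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),   # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
TRAILER_RULES = {  # -> (keyA read, keyA write, access bits read, access bits write, keyB read, keyB write)
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),   # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}
# Well-known factory / widely leaked keys (small subset of the lists shipped with mfoc and Proxmark)
DEFAULT_KEYS = {"FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "D3F7D3F7D3F7", "B0B1B2B3B4B5"}


def decode_access_bits(trailer: bytes) -> list:
    """Return [(C1, C2, C3) for blocks 0..3] from a 16-byte trailer, checking the inverted copies."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    # byte 6 holds ~C2 | ~C1 and the low nibble of byte 7 holds ~C3; a mismatch means the
    # card would have rejected this write, or the sector is already irreversibly blocked
    if (b6 >> 4) != (c2 ^ 0xF) or (b6 & 0xF) != (c1 ^ 0xF) or (b7 & 0xF) != (c3 ^ 0xF):
        raise ValueError("inconsistent access bits %02x %02x %02x" % (b6, b7, b8))
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def encode_access_bits(conditions: list) -> bytes:
    """Inverse of decode_access_bits: bytes 6..8 of the trailer for four (C1, C2, C3) tuples."""
    c1 = c2 = c3 = 0
    for i, (x, y, z) in enumerate(conditions):
        c1 |= x << i
        c2 |= y << i
        c3 |= z << i
    return bytes([((c2 ^ 0xF) << 4) | (c1 ^ 0xF), (c1 << 4) | (c3 ^ 0xF), (c3 << 4) | c2])


def audit_sector(trailer: bytes) -> list:
    """Findings for one sector of a dump (keys as filled in by the cracking tool)."""
    key_a, key_b = trailer[:6].hex().upper(), trailer[10:].hex().upper()
    conds = decode_access_bits(trailer)
    findings = []
    if key_a in DEFAULT_KEYS:
        findings.append("key A %s is a default/leaked key" % key_a)
    if key_b in DEFAULT_KEYS:
        findings.append("key B %s is a default/leaked key" % key_b)
    for block in range(3):
        _, write, _, _ = DATA_BLOCK_RULES[conds[block]]
        if "A" in write:
            findings.append("block %d writable with key A" % block)
    _, _, _, ab_write, kb_read, _ = TRAILER_RULES[conds[3]]
    if "A" in ab_write:
        findings.append("access conditions changeable with key A")
    if kb_read != "never":
        # per the datasheet, a readable key B is treated as data and cannot authenticate
        findings.append("key B readable with key %s, so it cannot be used for authentication" % kb_read)
    return findings


# Constructed dumps: a card left in transport configuration, and one with the common
# "read with A, write with B, key B hidden" hardening (access bits 78 77 88).
TRANSPORT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
HARDENED_TRAILER = bytes.fromhex("A0B1C2D3E4F5" "78778800" "1234567890AB")

if __name__ == "__main__":
    for name, trailer in (("transport", TRANSPORT_TRAILER), ("hardened", HARDENED_TRAILER)):
        print(name, decode_access_bits(trailer), audit_sector(trailer) or "no findings")
```

Note that the hardened configuration only limits what a legitimate reader can do with each key; it does nothing against the nested and darkside attacks, which recover the keys themselves. It is still worth checking, because a card whose data sectors are writable with key A lets an attacker with a single cracked key rewrite the balance or room number in place.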
Reverse-engineering data stored on the card, based on a real hotel system
- Decoding the access control data (room number, dates) stored on the card by an example hotel system
- Creating a hotel "emergency card" that opens all the hotel doors unconditionally
- Cloning an ISO 15693 UID onto a "magic" card and unlocking a smart lock
- Data from several example ski passes
Intercepting card data from a distance: building an antenna, possibilities and limits
Other cards (Mifare Plus, DESFire, Ultralight C, EV1, EV2, HID iClass/iClass SE, …): known attacks, cloning possibilities, default and leaked keys, security best practices
Contactless payment cards
- Protocols, commands, applications: ISO 14443-4, ISO 7816-4, APDU, AID, …
- Reading data from contactless payment cards
- Remote relay attacks and countermeasures
- Other attacks (e.g. magstripe downgrade, pre-play)
Mobile contactless payments and more
- Hardware Secure Element vs. software Host Card Emulation
- Example vulnerable HCE access control system (unlocking a door with your NFC phone): analysis, bypassing security mechanisms, key extraction, spoofing another user's credentials
- Mobile contactless payment SDKs: MasterCard MCBP, Visa, other vendors
- Typical mobile contactless payment system architecture
- Most notable implementations: Android Pay, Samsung Pay, Apple Pay, and a few example banks
- Security mechanisms: tokenisation, cloud services, encryption, tamper prevention, obfuscation, root/malware detection, …
- How to bypass the security mechanisms and clone a mobile contactless card
- How to intercept the push notifications carrying card data replenishment
- HCE implementations from the attacker's perspective: pentester's checklist and implementation best practices
Slawomir Jasek, Head of Research, SecuRing
Speaker, trainer and IT security consultant with over 12 years of experience. He has participated in many security assessments of systems and applications for leading financial companies and public institutions, including a few dozen e-banking systems, and has developed secure embedded systems certified for use by national agencies. Slawomir holds an MSc in automation and robotics. He currently leads research on various topics (including Bluetooth Low Energy, IoT, NFC, mobile payments, application security, cloud services, blockchain, …) at the Polish software security company SecuRing. Besides research and training, he focuses on consulting on and designing secure solutions for various software and hardware projects, during all phases, starting from scratch.
Speaker at BlackHat USA (a new Bluetooth Smart man-in-the-middle proxy tool), Appsec EU (insecurity of proprietary network protocols), HackInTheBox Amsterdam (Host Card Emulation mobile contactless payments), Confidence (IoT), Devoxx and other developer conferences (SDLC, mobile application security). Trainer at Appsec EU, HackInParis ("smart lockpicking"), Deepsec (Hacking IoT), HackInTheBox (Bluetooth Smart workshop), Confidence (Break IoT), and multiple internal trainings on mobile and IoT security.
Venue to be announced shortly.