3-DAY TRAINING 6: Out Of The Blue: Attacking BLE, NFC, HCE and More
DURATION: 3 DAYS
CAPACITY: 20 pax
SEATS AVAILABLE: 8
EUR2699 (early bird)
Early bird registration rate ends on the 12th of January
Each attendee will receive a hardware pack worth about EUR300 (detailed below). The hardware will allow for BLE analysis (sniffing, intercepting), and also cloning and cracking multiple kinds of proximity cards.
Bluetooth Low Energy is one of the most exploding IoT technologies. BLE devices surround us more and more – not only as wearables, toothbrushes and sex toys, but also smart locks, medical devices and banking tokens. Alarming vulnerabilities of these devices have been exposed multiple times recently. And yet, the knowledge on how to comprehesively assess their security seems very uncommon. Not to mention best practices guidelines, which are practically absent. This is probably the most exhaustive and up to date training regarding BLE security – for both pentesters and developers. Compressing years of painful debugging and reversing into practical, useful checklists. Based on hands-on exercises on real devices (including multiple smart locks) as well as a deliberately vulnerable, training hackmelock.
NFC, on the other hand, has been around us for quite long. However, the vulnerabilities pointed out years ago, probably won’t be resolved in a near future. It is still surprisingly easy to clone most access control cards used for buildings today. Among other practical exercises performed on real installations, the attendees will reverse an example hotel access system, and as a result will be able to open all the doors in facility.
With prevalence of NFC smartphones, a new implementation of this technology is recently gaining attention: mobile contactless payments/access control. Using combination of cloud services and mobile security, it is now possible to embed credit card (or NFC key to a lock) in your phone. Is the technology as robust as advertised? How to check its security, and how to implement it correctly? Find out during practical exercises, including step by step guide on how to bypass security mechanisms and clone a contactless payment card.
Who Should Attend
Pentesters, security professionals, red teamers, researchers
BLE Device designers, developers
Mobile contactless payments integrators, managers, security team members
Key Learning Objectives
In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices for implementation
Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card
Understanding mobile contactless payments technology, possible attacks, risks and countermeasures
Basic familiarity with Linux command-line, Kali
Scripting skills, pentesting experience, Android mobile applications security background will be an advantage, but is not crucial
Hardware / Software Requirements
Contemporary laptop capable of running Kali Linux in virtual machine, and at least one USB port
Android > 4.3 smartphone with NFC support. In case you would like to emulate access control cards or clone mobile contactless payments on your device, root access will be required. If you don’t have such phone, please inform in advance – a few will be available for students.
You can bring your own BLE device or access control card to check its security
Each student will receive:
Course materials in PDFs (several hundred pages)
All required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive
Take-away hardware pack for hands-on exercises consisting of:
Bluetooth Smart hardware sniffer and development kit based on nrf51822 module
2 Bluetooth Low Energy USB dongles
Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further hacking at home.
Proxmark3 v2 with special cards (“Chinese magic UID”, T5577) which allow for cloning Mifare Classic, HID Prox and EM cards
Bluetooth Smart (Low Energy)
Based on at least 7 various smart locks, beacons, mobile PoS, banking token, various other devices, and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi).
What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
hooks, data modification on the fly (example attack on mobile PoS)
upstream websocket proxy
when MITM attack does not work or is not possible – debugging, troubleshooting
Remote access share functions and their weaknesses – how to bypass timing restrictions.
Device DFU firmware update OTA services.
How to create own, independent server-side API for device – based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste.
Bluetooth link-layer encrypted connections
intercepting pairing process and decoding Long Term Keys (crackLE)
how to trick a victim into re-pairing
weaknesses in devices allowing for easier attacks
how hard is it to hijack BLE devices from a hostile web site
Bluetooth Mesh, Bluetooth 5.0 – what these technologies change and what not in terms of BLE security.
BLE Hackmelock – open-source software emulated device with multiple challenges to practice at home.
BLE best practices and security checklist – for security professionals, pentesters, vendors and developers.
Comprising of hands-on exercises on a real access control installations and mobile payment applications. Every time a student succeeds in bypassing access control system (e.g. cloning a card), a specially prepared box will automatically unlock, and allow to collect a delicious prize.
RFID/NFC – where do I start?
frequencies, card types, usage scenarios
how to recognize card type – quick walkthrough
equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware
UID-based access control – practical exercises on example reader + door lock
UID-based access control – still surprisingly popular
UID lengths, formats
clone Mifare UID using “Chinese magic” card and provided hardware
how to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware
how to clone a card by making its picture – decoding numbers printed on cards
cloning other ID-based cards – Low Frequency EM41XX, HID Prox, …
emulate card using Proxmark, Chameleon Mini
brute-force – is it possible in practice to guess other cards UID?
countermeasures against attacks
Wiegand – wired access control transmission standard
sniff the data transmitted from access control reader using Raspberry Pi GPIO
decode card UID from sniffed bytes, clone the card
replay card data on the wire to open lock
BLEKey – Wiegand sniffer/repeater
reading, cloning, emulating
example data stored on hotel access card
Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket
Mifare Classic – data structure, access control, keys, encryption
default & leaked keys
reading & cloning card data using just a mobile phone
cracking keys – nested, darkside attacks
libnfc tools – mfoc, mfcuk, MiLazyCracker
cracking Mifare using Proxmark
attacks with access to reader
Reverse-engineering data stored on card
decoding access control data (room number, date) stored on card by an example hotel system
creating hotel „emergency card” to open all the hotel doors unconditionally
Intercepting card data from distance – building antenna, possibilities and limits.
Other cards: Mifare Plus, DESFire, Ultralight C, EV1, EV2, HID iClass/iClass SE … – known attacks, cloning possibilities, default & leaked keys, security best practices.