4-DAY TRAINING 3 – Bluer Oceans: Attacking BLE, NFC, HCE and more
THIS CLASS IS NOW BEING HELD ONLINE FOLLOWING SINGAPORE TIMEZONE (CET +6)
DURATION: 4 DAYS
CAPACITY: 15 pax
SEATS AVAILABLE: 15
*The training has been updated for remote hands-on participation. Each attendee will receive a hardware pack worth over 300 USD, shipped in advance (please register as soon as possible!). The hardware includes, among other items, a Proxmark 3, a Chameleon Tiny, a rooted Android smartphone, a BLE sniffer, a dedicated BLE training device and a Raspberry Pi (details below). With the specially arranged setup (simulated, but working exactly like real NFC and BLE devices), participants will be able to perform the hands-on practical exercises remotely – BLE analysis (sniffing, intercepting), cloning and cracking multiple kinds of proximity cards, analysing BLE or NFC mobile applications – not only during the training but also any time later.
Bluetooth Low Energy is one of the fastest-growing IoT technologies. BLE devices surround us more and more – not only the recent COVID-19 contact-tracing apps that rely on BLE, but also countless wearables, toothbrushes, sex toys, smart locks, medical devices and banking tokens. Alarming vulnerabilities in these devices have been exposed repeatedly in recent years, and yet the knowledge of how to comprehensively assess their security is still uncommon. This is probably the most exhaustive and up-to-date training on BLE security, for both pentesters and developers. It is based on hands-on exercises with a dedicated BLE training device flashed onto a BLE devkit (working just like a real device) and a deliberately vulnerable training lock, Hackmelock.
RFID/NFC, on the other hand, has been around for a long time. However, the vulnerabilities pointed out years ago will probably not be resolved in the near future: it is still surprisingly easy to clone most access control cards in use today. Among other practical exercises performed on the provided cards and simulated NFC devices, attendees will reverse-engineer an example hotel access system and, as a result, will be able to open every door in the facility. A list of several hundred affected hotels is included.
With the prevalence of NFC-capable smartphones, a new application of this technology has been gaining attention: mobile contactless payments and access control, known on Android as Host Card Emulation. Using a combination of cloud services and mobile security, it is now possible to embed not only a credit card but also the NFC key to a lock in your phone. Is the technology as robust as advertised? How do you check its security, and how do you implement it correctly? Find out during the practical exercises!
Who Should Attend
Pentesters, security professionals, red teamers, researchers
BLE/NFC device designers, developers
Key Learning Objectives
In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices for implementation
Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card
Prerequisites
Basic familiarity with the Linux command line
Scripting skills, pentesting experience and a background in Android mobile application security will be an advantage but are not essential
Hardware / Software Requirements
A contemporary laptop capable of running Kali Linux in a virtual machine (VirtualBox or VMware), with at least two USB ports available to the VM guest.
Wi-Fi or an Ethernet port to connect the included Raspberry Pi
Fast Internet (at least 30Mbps or better)
Each student will receive:
Course materials in PDFs (over 2000 pages)
All required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive
Included hardware pack of over 300 USD value for hands-on exercises, consisting of:
Rooted NFC- and BLE-capable Android smartphone with all the required applications
Proxmark3 with latest firmware
RF Field detector
Multiple RFID/NFC tags for cracking and cloning, including “Chinese magic UID”, T5577, Ultralight, HID Prox, iClass, EV1, ISO15693, Mifare Classic with various content (bus ticket, hotel, e-wallet, …)
NFC PN532 board (libnfc)
Raspberry Pi (+ microSD card and 3 A power adapter), with assessment tools and Hackmelock installed.
2x Bluetooth Low Energy development board: 1 acting as sniffer (nRF, Btlejack), 1 as dedicated BLE device to interact and attack
ST-Link V2 SWD debugger for programming nRF boards
2x Bluetooth Low Energy USB dongles
Agenda – Day 1
Bluetooth Smart (Low Energy)
What is Bluetooth Smart/Low Energy/4.0, and how does it differ from previous Bluetooth versions?
Usage scenarios, prevalence in IoT devices
Required hardware for BLE assessment
Scanning for visible devices – mobile applications, hcitool, bleah, bettercap, Mirage, GATTacker, …
Beacons: iBeacon, Eddystone, Physical Web
Simulating beacons – using mobile phone, Linux scripts, other devices.
How to get free beer by abusing a beacon-based reward application
Smart underwear using beacons
“Encrypted” beacons, abusing weaknesses in beacon management control protocols
Coronavirus spread-prevention contact tracing mobile applications
BLE advertisements of Microsoft and Apple devices (user tracking, decoding of current status/phone number)
Advertisement spoofing – Denial of Service, device impersonation
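The Day 1 agenda covers scanning for visible devices and the iBeacon and Eddystone beacon formats. As an added example (not part of the course materials or of any tool named above), the following Python splits a raw BLE advertising payload into its AD structures and recognises the two beacon frame types, the same decoding a scanner performs before it can tell a tracked device from a spoofed one. The payload bytes and the UUID/namespace values are constructed for illustration; the format constants (AD types 0x01/0x16/0xFF, Apple company ID 0x004C, Eddystone service UUID 0xFEAA) are the public specification values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public constants from the Bluetooth Core Specification / Apple / Google formats
AD_TYPE_FLAGS = 0x01
AD_TYPE_SERVICE_DATA_16 = 0x16
AD_TYPE_MANUFACTURER = 0xFF
APPLE_COMPANY_ID = 0x004C          # iBeacon frames carry Apple's company identifier
EDDYSTONE_SERVICE_UUID = 0xFEAA    # Eddystone frames are service data for 0xFEAA


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    Each AD structure is: length (1 byte, covers type + data), type (1 byte), data.
    A zero length byte ends the significant part. A length that overruns the
    payload is reported as malformed instead of being read past the buffer,
    which is what a scanner fed hostile advertisements should do.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        structures.append((ad_type, data))
        i += 1 + length
    return structures


@dataclass
class Beacon:
    kind: str          # "iBeacon" or "Eddystone-UID"
    identifier: str    # uuid/major/minor or namespace/instance
    tx_power: int      # calibrated TX power in dBm (signed byte)


def decode_ibeacon(data: bytes) -> Optional[Beacon]:
    # Manufacturer data: company id (LE16) 0x02 0x15 UUID(16) major(2, BE) minor(2, BE) txpower(1)
    if len(data) != 25:
        return None
    company, sub_type, sub_len = struct.unpack_from("<HBB", data, 0)
    if company != APPLE_COMPANY_ID or sub_type != 0x02 or sub_len != 0x15:
        return None
    uuid = data[4:20].hex()
    major, minor, tx_power = struct.unpack_from(">HHb", data, 20)
    return Beacon("iBeacon", f"{uuid}/{major}/{minor}", tx_power)


def decode_eddystone_uid(data: bytes) -> Optional[Beacon]:
    # Service data: UUID 0xFEAA (LE16) frame type 0x00 txpower(1) namespace(10) instance(6) [RFU(2)]
    if len(data) < 20:
        return None
    uuid, frame_type, tx_power = struct.unpack_from("<HBb", data, 0)
    if uuid != EDDYSTONE_SERVICE_UUID or frame_type != 0x00:
        return None
    namespace = data[4:14].hex()
    instance = data[14:20].hex()
    return Beacon("Eddystone-UID", f"{namespace}/{instance}", tx_power)


def identify_beacon(payload: bytes) -> Optional[Beacon]:
    """Return the first recognised beacon frame in the payload, or None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER:
            beacon = decode_ibeacon(data)
        elif ad_type == AD_TYPE_SERVICE_DATA_16:
            beacon = decode_eddystone_uid(data)
        else:
            beacon = None
        if beacon is not None:
            return beacon
    return None


# Constructed sample advertisements (31-byte legacy payload limit respected)
IBEACON_ADV = bytes.fromhex(
    "020106"                              # flags: LE general discoverable, no BR/EDR
    "1aff4c000215"                        # manufacturer data, Apple, iBeacon prefix
    "00112233445566778899aabbccddeeff"    # proximity UUID (constructed value)
    "0001" "0002" "c5"                    # major 1, minor 2, TX power -59 dBm
)
EDDYSTONE_ADV = bytes.fromhex(
    "020106"                              # flags
    "0303aafe"                            # complete list of 16-bit service UUIDs: 0xFEAA
    "1716aafe00ee"                        # service data, 0xFEAA, UID frame, TX power -18 dBm
    "00010203040506070809"                # namespace (constructed value)
    "aabbccddeeff"                        # instance (constructed value)
    "0000"                                # reserved
)

if __name__ == "__main__":
    for adv in (IBEACON_ADV, EDDYSTONE_ADV):
        print(identify_beacon(adv))
```

Running the block prints one `Beacon` per sample. The length check in `parse_ad_structures` is the part worth keeping in any scanner you write: advertisements are unauthenticated radio input, and the spoofing topic on the agenda is a reminder that both the structure lengths and the identifiers inside them are under the sender's control.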