Bluetooth Low Energy - Full Stack Attack

Veronica Kovah, Xeno Kovah
December, 2024

Abstract

Request Private Training Quote (let us know how many students and where you’d like it to take place)

Upcoming public trainings

  • May 27th-29th 2025 (3-day subset with strategic skips) Santa Clara, California Hardwear.io

It’s pretty fun to hack things wirelessly. And hey, it turns out there’s literally billions of Bluetooth Low Energy (BLE) things sold per year, so let’s learn how to hack those! In recent years Bluetooth has turned from a forgotten attack surface into the vector by which vehicles (Teslas, freight trucks, etc), medical devices, home and hotel room locks, EV chargers, Windows PCs, Android phones, wifi access points, and more have been hacked!

In this class you will become an expert in all things BLE! You will be given a guided tour of the entire BLE protocol stack in a bottom up fashion. We will stop to admire and understand vulnerabilities applicable to the different stack levels, whether fundamental protocol-level vulnerabilities, or past implementation vulnerabilities. And we will learn by doing as we proceed through numerous labs at every level where we examine the interactions between a custom Android phone application, and a piece of hardware with custom firmware, which is typical of BLE usage.

Full class outline
  • Introduction
  • Physical Layer (PHY)
    • Introduction
    • Encoding/Decoding
  • Link Layer (LL)
    • Packet formats by PHY type
    • Basic advertisements introduction (ADV_IND)
    • Other basic advertisements (ADV_DIRECT_IND, ADV_NONCONN_IND, ADV_SCAN_IND)
    • Scanning (SCAN_REQ/RSP)
    • Connecting (CONNECT_IND)
    • LL data
    • LL control packets
    • Understanding LL vulnerabilities - Machine-in-the-Middle attacks
    • Understanding LL vulnerabilities - Relay attacks
    • Understanding LL vulnerabilities - “InjectaBLE”
    • Understanding LL vulnerabilities - Privacy attacks
    • LL memory safety threat model
  • Host Controller Interface (HCI)
    • Introduction
    • Transport layer
    • Packet formats
    • HCI logging
    • HCI memory safety threat model
  • Logical Link Control and Adaptation Protocol (L2CAP)
    • Introduction
    • Data channel
    • Signaling channel
    • L2CAP memory safety threat model
  • Generic Access Profile (GAP)
    • Overview
  • Security Manager Protocol (SMP)
    • Introduction
    • Legacy pairing
    • Understanding SMP vulnerabilities in the context of Legacy pairing - NINO
    • Understanding SMP vulnerabilities in the context of Legacy pairing - KNOB
    • Secure Connections pairing
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing - KNOB
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing - BlueMirror
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing - Invalid Curve Attack
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing - BLURtooth
    • Understanding SMP vulnerabilities in the context of Secure Connections pairing - Method Confusion
    • LE Security Mode 1
    • LE Security Mode 2
    • SMP memory safety threat model
  • Attribute Protocol (ATT)
    • Introduction
    • ATT PDUs
    • Handle enumeration
    • ATT memory safety threat model
  • Generic Attribute Profile (GATT)
    • Introduction
    • Services
    • Characteristics
    • Characteristic descriptors
    • GAP service
    • GATT permissions
    • Visualizing GATT via packet sniffing
    • Understanding GATT vulnerabilities - Access control failures
    • Understanding GATT vulnerabilities - Replay attacks
    • Understanding GATT vulnerabilities - Privacy
    • GATT memory safety threat model
  • Application-specific vulnerabilities
    • Introduction
    • Command injection
    • Application-layer encryption
    • Insecure firmware updates
    • Application-specific MitM
    • Application-specific replay attacks
  • Vulnerability assessment of the Ultra-Vulnerable-Peripheral (UVP) firmware
    • Deep-dive LL vulnerability example - “A 🐞 Has No Name” (CVE-2019-15948) by Veronica Kovah
    • Deep-dive HCI vulnerability example - “BadVibes” (CVE-2020-24490)
    • Deep-dive L2CAP vulnerability example - Zephyr RTOS CVE-2023-5055
    • Deep-dive GATT vulnerability example - Android CVE-2023-40129
    • Debugging firmware
    • Final class exercise - vulnerability hunting in firmware
Request Private Training Quote (let us know how many students and where you’d like it to take place)

Bluetooth Bluetooth Low Energy BLE LL HCI L2CAP SMP GAP ATT GATT Secure Development Source Code Auditing vulnerability assessment Vulnerability Prevention Vulnerability Detection Reverse Engineering Zephyr RTOS Bluetooth security Bluetooth security training Bluetooth security class
Veronica Kovah
Veronica Kovah
Founder & CEO

Hacking Bluetooth like it’s no big deal.

Xeno Kovah
Xeno Kovah
Dark Mentor Level X

Hacking firmware like it’s no big deal.