Bluetooth Low Energy - Full Stack Attack

Abstract

Upcoming public trainings

• March 18th-21st 2025 (4-day) Austin, Texas RingZer0
• May 27th-29th 2025 (3-day, excludes final day) Santa Clara, California Hardwear.io

It’s pretty fun to hack things wirelessly. And hey, it turns out there’s literally billions of Bluetooth Low Energy (BLE) things sold per year, so let’s learn how to hack those!

In this class you will become an expert in all things BLE! You will be given a guided tour of the entire BLE protocol stack in a bottom up fashion. We will stop to admire and understand vulnerabilities applicable to the different stack levels, whether fundamental protocol-level vulnerabilities, or past implementation vulnerabilities. And we will learn by doing as we proceed through numerous labs at every level where we examine the interactions between a custom Android phone application, and a piece of hardware with custom firmware, which is typical of BLE usage.

---

Full class outline

• Introduction
• Physical Layer (PHY)
  • Introduction
  • Encoding/Decoding
• Link Layer (LL)
  • Packet formats by PHY type
  • Basic advertisements introduction (ADV_IND)
  • Other basic advertisements (ADV_DIRECT_IND, ADV_NONCONN_IND, ADV_SCAN_IND)
  • Scanning (SCAN_REQ/RSP)
  • Connecting (CONNECT_IND)
  • LL data
  • LL control packets
  • Understanding LL vulnerabilities - Machine-in-the-Middle attacks
  • Understanding LL vulnerabilities - Relay attacks
  • Understanding LL vulnerabilities - “InjectaBLE”
  • Understanding LL vulnerabilities - Privacy attacks
  • LL memory safety threat model
• Host Controller Interface (HCI)
  • Introduction
  • Transport layer
  • Packet formats
  • HCI logging
  • HCI memory safety threat model
• Logical Link Control and Adaptation Protocol (L2CAP)
  • Introduction
  • Data channel
  • Signaling channel
  • L2CAP memory safety threat model
• Generic Access Profile (GAP)
  • Overview
• Security Manager Protocol (SMP)
  • Introduction
  • Legacy pairing
  • Understanding SMP vulnerabilities in the context of Legacy pairing - NINO
  • Understanding SMP vulnerabilities in the context of Legacy pairing - KNOB
  • Secure Connections pairing
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing - KNOB
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing - BlueMirror
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing - Invalid Curve Attack
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing - BLURtooth
  • Understanding SMP vulnerabilities in the context of Secure Connections pairing - Method Confusion
  • LE Security Mode 1
  • LE Security Mode 2
  • SMP memory safety threat model
• Attribute Protocol (ATT)
  • Introduction
  • ATT PDUs
  • Handle enumeration
  • ATT memory safety threat model
• Generic Attribute Profile (GATT)
  • Introduction
  • Services
  • Characteristics
  • Characteristic descriptors
  • GAP service
  • GATT permissions
  • Visualizing GATT via packet sniffing
  • Understanding GATT vulnerabilities - Access control failures
  • Understanding GATT vulnerabilities - Replay attacks
  • Understanding GATT vulnerabilities - Privacy
  • GATT memory safety threat model
• Application-specific vulnerabilities
  • Introduction
  • Command injection
  • Application-layer encryption
  • Insecure firmware updates
  • Application-specific MitM
  • Application-specific replay attacks
• Vulnerability assessment of the Ultra-Vulnerable-Peripheral (UVP) firmware
  • Deep-dive LL vulnerability example - “A 🐞 Has No Name” (CVE-2019-15948)
  • Deep-dive HCI vulnerability example - “BadVibes” (CVE-2020-24490)
  • Deep-dive L2CAP vulnerability example - TBD CVE, most likely CVE-2021-3434
  • Deep-dive GATT vulnerability example - TBD CVE, most likely CVE-2023-40129
  • Dumping firmware
  • Debugging firmware
  • Final class exercise - vulnerability hunting in firmware

Request Training Quote