Ir a contenido

Lab401 Workshop: Hacking and Securing BLE and RFID devices

Lab401 Workshop: Hacking and Securing BLE and RFID devices

Introduction

Over three days clients will receive theoretical and practical training on all aspects of BLE and RFID penetration testing.

Clients will learn BLE basics, sniffing, dumping, spoofing, MITM, jamming, replaying and relaying techniques, and how to apply them a variety of real-world BLE devices: smart locks, beacons, mobile Point-of-Sale devices, banking tokens and more.

RFID training comprehensively covers introductory to advanced subjects; Basic theory, hardware & tools used to detect, manipulate, sniff, crack, emulate and clone various RFID systems.

Bluetooth Low Energy is one of the most exploding IoT technologies. BLE devices surround us more and more – not only as wearables, toothbrushes and sex toys, but also smart locks, medical devices and banking tokens. Alarming vulnerabilities of these devices have been exposed multiple times recently. And yet, the knowledge on how to comprehesively assess their security seems very uncommon. This is probably the most exhaustive and up to date training regarding BLE security – for both pentesters and developers. Based on hands-on exercises with real devices (including multiple smart locks), dedicated personal device flashed to a BLE devkit, and a deliberately vulnerable, training hackmelock.

RFID/NFC, on the other hand, has been around us for quite long. However, the vulnerabilities pointed out years ago, probably won’t be resolved in a near future. It is still surprisingly easy to clone most access control cards used today. Among other practical exercises performed on real installations, the attendees will reverse-engineer an example hotel access system, and as a result will be able to open all the doors in facility. A list of several hundred affected hotels included.

With prevalence of NFC smartphones, a new implementation of this technology is recently gaining attention: mobile contactless payments/access control, on Android known as Host Card Emulation. Using combination of cloud services and mobile security, it is now possible to embed not only credit card, but also NFC key to a lock in your phone. Is the technology as robust as advertised? How to check its security, and how to implement it correctly? Find out during practical exercises!


Slawomir Jasek

RFID/BLE Security Expert

Speaker, trainer and IT security consultant with over 15 years of experience. Slawomir Jasek has participated in countless assessments of systems’ and applications’ security for leading financial companies, public institutions and cutting edge tech startups.

Currently leads research on various topics in Polish software security company SecuRing and provides trainings regarding security of contemporary locks and access control systems (www.smartlockpicking.com).

Beside research and training, he focuses on consulting and designing of secure solutions for various software and hardware projects, during all phases - starting from a scratch. Previously gave talks, workshops or trainings at HackInParis, BlackHat USA, multiple Appsec EU, HackInTheBox Amsterdam, Deepsec, BruCON, Confidence, Devoxx and many other events.

Intended Public

  • Pentesters
  • Security Professionals & Researchers
  • RFID / BLE hardware designers / developers
  • Law enforcement / government
  • RFID / BLE enthusiasts

Prerequisites

  • No prior knowledge of Bluetooth Low Energy nor NFC is required
  • Basic familiarity with Linux command-line
  • Laptop capable of running VMWare virtual machines (8GB RAM Minimum)
  • Scripting skills, pentesting experience, Android mobile applications, security background will be an advantage but is not crucial
  • Clients can bring their own BLE / RFID devices to audit

Take-home materials

  • Comprehensive Training Manual (2000+ pages)
  • Pendrive with all required source / docs / VM images / tools
  • Full hardware pack:
    - Rooted NFC/BLE-capable Android smartphone with all the required applications
    - Proxmark 3 with latest firmware
    - Multiple RFID/NFC tags for cracking and cloning, including “Chinese magic UID”, T5577, Ultralight, HID Prox, iClass, EV1, Mifare Classic with various content (bus ticket, hotel, e-wallet, ...)
    - NFC PN532 board (libnfc)
    - Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further hacking at home.
    - Bluetooth Smart hardware sniffer (nRF, BtleJack) based on nrf51822 module
    - Individual BLE device to attack running on development kit (including source code)
    - ST-Link V2 SWD debugger for programming nRF boards
    - 2 Bluetooth Low Energy USB dongles

Upcoming Dates

  • 📅 April 20-22, 2020 📍 Amsterdam, NL 🇬🇧
  • 📅 June 15-17, 2020 📍 Paris, France 🇬🇧
Signup for an upcoming workshop
Signup for workshop
Subscribe for event updates

Detailed Course Overview

Day One

Bluetooth Smart (Low Energy)

Introduction to BLE Basics with hands-on, practical examples on ten various BLE devices: smart locks, beacons, mobile PoS, banking token, various other devices.

Introduction to several tools including the speaker's GATTacker BLE MITM proxy against a and deliberately vulnerable "Hack-me Lock".

Theory introduction
  • What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
  • Usage scenarios, prevalence in IoT devices
  • Protocol basics
  • Required hardware for BLE assessment
BLE Advertisements
  • Device Scanning Tools
  • BLE Beacons
  • Beacon Simulation
  • Beacon Abuse == Free Beer
  • "Encrypted" beacons
  • BLE Advertisements: Snatching Phone Status, Number..
  • Advertisement Spoofing, DOS
BLE Connections
  • Central vs peripheral device
  • GATT – services, characteristics, descriptors, handles, reading, writing, notifications
  • Mapping device services and characteristics
  • Interacting with BLE devices using mobile phone, command-line, various tools
  • Taking control of simple, insecure devices – sex toys, key finders, etc
Sniffing BLE connections with RF Tools
  • BLE radio modulation, channels, hopping, connection initiation
  • BLE link layer encryption – introduction, why is it hardly used in practice
  • Sniffing hardware: Ubertooth, nRF sniffer, BtleJack, Sniffle, SDR …
  • Wireshark filters, tips&tricks
  • Sniffing static cleartext password of a smart lock and other devices
HCI dump - capturing BLE traffic
  • Difference from RF layer sniffing
  • Linux command-line hcidump
  • Android: live BLE packets analysis in Wireshark via TCP service
Device spoofing & active MITM
  • How to perform "man in the middle" attack on BLE connections
  • Available tools: GATTacker, BtleJuice, BtleJack, Mirage
  • MAC address cloning, mobile OS GATT cache potential problems
  • Analysing intercepted traffic
  • Denial of Service attacks
  • Jamming and hijacking active connections with BtleJack
Replay attacks
  • Intercept transmission
  • Analyse authentication protocol weakness in example smart lock
  • Perform replay using tools or mobile phone, and unlock the device
Relay attacks
  • Abusing automatic proximity features (e.g. smart lock autounlock).

Day Two

Case Study: Smart Lock vulnerabilities

Smart Lock Vulnerabilities
  • Attacks on proprietary authentication and protocols
  • Decompile Android app, locate relevant source code fragments
  • Understand proprietary BLE communication protocol – commands, data exchanged with device
Smart Locks Continued
  • Based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing
  • Exploit the vulnerability using just a mobile phone – nRF Connect macros
  • Verify other vendor’s claims on “Latest PKI technology” and “military grade encryption”
Smart Locks Continued
  • Example unlocked AT command interface via BLE service of a smart lock
  • Remote access share functions and their weaknesses – how to bypass timing restrictions.
  • How to create own, independent server-side API for device – based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste
Advanced BLE MITM topics
  • Hooks, data modification on the fly (example attack on mobile PoS)
  • Command injection
  • Upstream websocket proxy
  • “Rolljam”-like attacks on single use keys
  • When MITM attack does not work or is not possible – debugging, troubleshooting
Bluetooth link-layer encrypted connections
  • BLE pairing, bonding, encryption
  • Intercepting pairing process and decoding Long Term Keys (crackLE)
  • Weaknesses of simple pairing (static PIN, just works)
  • How to trick a victim into re-pairing
Web Bluetooth
  • Hijacking BLE devices from a hostile web site
  • Writing new javascript interface to control own device
  • Bluetooth Mesh, Bluetooth 5.0
  • BLE Hackmelock
  • BLE best practices and security checklist
NFC Introduction
  • RFID/NFC – where do I start?
  • Frequencies, card types, usage scenarios
  • How to recognize card type – quick walkthrough
  • Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware
UID-based access control
  • UID-based access control
  • UID lengths, formats
  • Cloning Mifare UID
  • Emulate contactless card UIDs with Android & iOS
  • Card cloning from photographs
  • Cloning other ID-based cards
  • Emulate card using Proxmark, Chameleon Mini
  • Brute-force
  • Attack counter-measures
Wiegand Standard
  • Sniff data via Raspberry Pi GPIO, ESP RFID Tool, BLE-Key..
  • Decoding and cloning sniffed data
  • Physical replay attacks
Mifare Ultralight
  • Data structure
  • Reading, cloning, emulating
  • Example data stored on hotel access card
  • Ultralight EV1, C

Day Three

Mifare Classic & its weaknesses

A deep dive into the massively popular "Mifare Classic" chipset with several practical examples on real-world systems: Hotels, Ski Lifts, Bus Tickets..

Introduction
  • Mifare Classic – data structure, access control, keys, encryption
  • Default & leaked keys
  • Reading & cloning card data using just a mobile phone
  • Cracking keys – nested, darkside attacks
  • Libnfc tools – mfoc, mfcuk, MiLazyCracker
  • Cracking Mifare using Proxmark
  • Attacks on EV1 "hardened" Mifare Classic
  • Online attacks against reader
Host Card / Phone Emulation
  • Hardware Secure Element vs software Host Card Emulation
  • Example vulnerable HCE access control system (unlocking door using your NFC phone)
  • Protocols, commands, applications – ISO14443-4, 7816-4, APDU, AID, …
  • Analysis, sniffing NFC using Proxmark, dumping NFC on the phone,
  • Bypassing security mechanisms, key extraction, spoofing other user’s credentials
  • Remote relay attacks and countermeasures
Card Specific Attacks
  • DESFire Introduction + Attacks
  • ISO15693/iCode SLIX (SkiPass) Cloning
  • HID iClass - Cloning Legacy and Standard
  • HID iClass Elite Attacks
  • HiTag2 Password Sniffing and Simulation via Proxmark
Reversing Card Data
  • Recoding access control data
  • Creating hotel mastercards
Closing Subjects
  • Long Range Attacks: Possibilities and Limits
  • Antenna Construction

How to participate?

Workshops are regularly scheduled, with the additional possibility of private sessions if required. To stay informed about upcoming workshop dates, subscribe to our Workshop mailing list.

Signup for an upcoming workshop
Signup for workshop
Subscribe for event updates