3-Day Training: Blue Oceans - Advanced Attacks Against BLE, NFC, HCE and more (Amsterdam, Netherlands - May 6-8, 2019) - ResearchAndMarkets.com

DUBLIN--()--The "3-Day Training: Blue Oceans: Advanced Attacks Against BLE, NFC, HCE and more" training has been added to ResearchAndMarkets.com's offering.

Bluetooth Low Energy is one of the most exploding IoT technologies. BLE devices surround us more and more - not only as wearables, toothbrushes and sex toys, but also smart locks, medical devices and banking tokens.

Alarming vulnerabilities of these devices have been exposed multiple times recently - and yet, the knowledge on how to comprehensively assess their security seems very uncommon. Not to mention best practices guidelines, which are practically absent.

This is probably the most exhaustive and up to date training regarding BLE security - for both pentesters and developers. Compressing years of painful debugging and reversing into practical, useful checklists. Based on hands-on exercises on real devices (including multiple smart locks) as well as a deliberately vulnerable, training hackmelock.

NFC, on the other hand, has been around us for quite long. However, the vulnerabilities pointed out years ago, probably won't be resolved in the near future. It is still surprisingly easy to clone most access control cards used for buildings today. Among other practical exercises performed on real installations, the attendees will reverse-engineer an example hotel access system, and as a result will be able to open all the doors in facility. A list of several hundred hotels affected included.

With prevalence of NFC smartphones, a new implementation of this technology is recently gaining attention: mobile contactless payments/access control, on Android known as Host Card Emulation. Using combination of cloud services and mobile security, it is now possible to embed credit card (or NFC key to a lock) in your phone. Is the technology as robust as advertised? How to check its security, and how to implement it correctly? Find out during practical exercises, including step by step guide on how to bypass security mechanisms and clone a contactless payment card.

Key Learning Objectives

  • In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices for implementation
  • Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card
  • Understanding mobile contactless payments technology, possible attacks, risks and countermeasures

Prerequisite Knowledge

  • Basic familiarity with Linux command-line, Kali
  • Scripting skills, pentesting experience, Android mobile applications security background will be an advantage, but is not crucial

Hardware / Software Requirements

  • Contemporary laptop capable of running Kali Linux in virtual machine, and at least one USB port
  • You can bring your own BLE device or access control card to check its security

Each student will receive:

  • Course materials in PDFs (several hundred pages)
  • All required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive

Take-away hardware pack of 300 EUR value for hands-on exercises, consisting of:

  • Rooted NFC- and BLE-capable Android smartphone with all the required applications; root-hiding and device characteristics spoofing frameworks configured
  • Proxmark3 with latest firmware
  • Multiple RFID/NFC tags for cracking and cloning, including Chinese magic UID, T5577, Ultralight, HID Prox, iClass, EV1, Mifare Classic with various content (bus ticket, hotel, e-wallet)
  • NFC PN532 board (libnfc)
  • Raspberry Pi 3 (+microSD card and 3 A power adapter), with assessment tools and Hackmelock installed for further hacking at home
  • Bluetooth Smart hardware sniffer (nRF, BtleJack) and development kit based on nrf51822 module
  • ST-Link V2 SWD debugger for programming nRF boards
  • 2 x Bluetooth Low Energy USB dongles

Each attendee will receive a hardware pack that includes among others Proxmark 3, a rooted Android smartphone and Raspberry Pi (detailed below). The hardware will allow for BLE analysis (sniffing, intercepting), cloning and cracking multiple kinds of proximity cards, analyse BLE or NFC mobile applications, and practice most of the training exercises later at home.


Time: 9.00am - 6.00pm

Day 1

  • Bluetooth Smart (Low Energy)
  • Based among others on about 10 various smart locks, beacons, mobile PoS, banking token, numerous other devices; and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi).
  • Theory introduction
  • BLE beacons
  • Other BLE advertisements
  • Sniffing BLE connections using RF layer hardware
  • HCI dump (Linux, Android) - setup, analysis, difference from RF-layer sniffing, replay/fuzzing possibilities
  • Attacking services exposed by devices
  • Device spoofing, active MITM interception
  • Replay attacks
  • Mobile application analysis, attacks on proprietary authentication and protocols
  • Relay attacks - abusing automatic proximity features (e.g. smart lock auto-unlock).

Day 2

  • Advanced BLE MITM topics
  • Remote access share functions and their weaknesses - how to bypass timing restrictions.
  • Device DFU firmware update OTA services.
  • How to create own, independent server-side API for device - based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste.
  • Bluetooth link-layer encrypted connections
  • Web Bluetooth - interfacing with nearby devices from javascript.
  • Bluetooth Mesh, Bluetooth 5.0 - what these technologies change and what not in terms of BLE security.
  • BLE Hackmelock - open-source software emulated device with multiple challenges to practice at home.
  • BLE best practices and security checklist - for security professionals, pentesters, vendors and developers.
  • NFC
  • Comprising of hands-on exercises on a real access control installations, hotel system and mobile payment applications. Every time a student succeeds in bypassing access control system (e.g. cloning a card), a specially prepared box will automatically unlock, and allow to collect a delicious prize.
  • Short introduction
  • UID-based access control - practical exercises on example reader + door lock
  • Wiegand - wired access control transmission standard
  • Mifare Ultralight

Day 3

  • Mifare Classic & its weaknesses - practical exercises based on hotel door lock system, ski lift card, bus ticket
  • Reverse-engineering data stored on card - based on a real hotel system
  • ISO15693/iCode SLIX
  • Intercepting card data from distance - building antenna, possibilities and limits.
  • Other cards: Mifare Plus, DESFire, Ultralight C, EV1, EV2, HID iClass/iClass SE - known attacks, cloning possibilities, default & leaked keys, security best practices.
  • EMV
  • Mobile contactless payments & more

For more information about this training visit https://www.researchandmarkets.com/research/kxptlz/3day_training?w=4


Laura Wood, Senior Press Manager
For E.S.T Office Hours Call 1-917-300-0470
For U.S./CAN Toll Free Call 1-800-526-8630
For GMT Office Hours Call +353-1-416-8900
Related Topics: Professional Development and Training, Near Field Communication


Laura Wood, Senior Press Manager
For E.S.T Office Hours Call 1-917-300-0470
For U.S./CAN Toll Free Call 1-800-526-8630
For GMT Office Hours Call +353-1-416-8900
Related Topics: Professional Development and Training, Near Field Communication