Announcement

Collapse
No announcement yet.

Capturing, Analyzing and Faking BLE Communication

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Capturing, Analyzing and Faking BLE Communication

    Yimi Hu & Tao Guo: Capturing, Analyzing and Faking BLE Communication

    In this workshop, we will talk about BLE communication security. As far as we know, BLE communication has been widely used in healthcare, beacons, and home entertainment industries. Thus, capturing BLE traffic and doing some security research on BLE communication seems to be interesting. During this workshop, all necessary equipment is provided, such as CC2540, CC Debugger and corresponding software. Besides, 3 kinds of BLE-based devices, which we can find in our daily lives, will be analyzed and attacked. We hope our participants are familiar with Android development/reverse-engineering or Embedded development/reverse-engineering. It’s also OK, if they don’t. And participants need to take his laptop with Win 7 or higher version. During our workshop, we will analyze BLE communication from different aspects, such as sniffing the transmission data between devices, or faking their communication.

    The whole workshop can be divided into 3 parts. And some challenges are left for participants, which can be also added to DEF CON challenges list.

    Trainer Bio(s) (not to exceed 1337 characters total):
    Yimi Hu, member of DC0086, senior security researcher at PwnMonkey Security Lab of Beijing xFutureSecurity Information Technology Co., Ltd., has working on IoT security for several years. During his career, he has committed many CVEs and CNNVDs on smart doorlocks, IP cameras and other devices from well-known manufacturer such as Samsung or Honeywell. He is also a public speaker. He has made many speeches at his country and is good at public speaking.

    Tao Guo, security researcher of xFutureSecurity Information Technology Co., Ltd., member of PwnMonkey Security Lab and DC0086, has been working on development of embedded devices for many years, and now mainly focuses on security analysis of embedded devices. Since when his attention is drawn to smart doorlocks, many vulnerabilities on world-famous smart doorlocks have been committed to CVE and CNNVD.

    Detailed Outline:
    1. What we will provide:
    1) Equipment will be provided:
    a) 5 smart BLE-based bulbs, used for Part 1 Challenge.
    b) 2 smart doorlocks, used for Part 2 Challenge.
    c) Smart band for each participant, used for Part 3 Challenge.
    d) CC2540 Dongle for each participant, used for sniffing BLE communication.
    e) 5 CC-Debuggers, used for flash programs.
    2) Software tools can be downloaded from the HTTP server which we will setup at the workshop:
    a) Jadx, used for Android reverse-engineering.
    b) Wireshark, used for checking Android Bluetooth log.
    c) TI Packet Sniffer, used for viewing the BLE communication data.
    d) IAR Embedded Workbench IDE and TI Flash Programmer, used to flash programs into CC2540.
    e) LightBlue Explorer and nRF Connect, used for the course and challenge in Part 2.
    f) Android APK programed by us, used for data display for Part 3 Challenge.

    2. What we will show:
    The whole workshop can be divided into 3 parts:

    Part 1: Basic Introduction: learning to control smart lamp bulbs
    In this part, we will introduce the process of BLE communication, and then explain the GAP and GATT protocol with provided BLE-based bulbs. Those bulbs are used in some hotel, and we think it’s funny to control the bulb in the next room.
    Before we try to control lamp bulbs, we need to know the instructions that our phone send to lamp bulbs. To obtain the instructions, we will analyze application log of bulb APK. Then the Apps LightBlue Explorer and nRF Connect will be introduced, by which we can control the bulb to turn on or turn off.

    CHALLENGE: Besides turning on or off, the bulbs we provide can also change the light color. Participants can try to turn bulbs to other colors.

    Part 2: Advanced Analysis: security analysis of smart doorlock
    In this part, everybody will learn how to capture BLE packets using a CC2540 Dongle. In addition to analyzing BLE traffic, Android Apk reverse-engineering is also needed.
    First, we will reverse-analyze the APK of the smart doorlock, so that we can understand the authentication process of the smart doorlock. Furthermore, we can steal the authentication key by capturing BLE communication between phone and the doorlock. And our final goal is to unlock the smart doorlock on an unauthorized cellphone.

    CHALLENGE: We will provide 2 smart doorlocks, with similar authentication process. Participants will try to crack the authentication process on their own.

    Part 3: Free Hacking: Analyzing and faking packets of smart band
    The smart band records step count of its owner. And an Apk will be provided for everybody to display his step count.

    In this part, we will provide some hints instead of teaching participants directly, and here’s our final challenge.

    CHALLENGE: Use any approaches to hack the smart band. We will setup 2 or 3 screens to display step count information of all participants. The first one completing this challenge or the one with the largest step count number will be the winner, and we have a souvenir for the winner.

    This game can be added to DEF CON challenges list and played by all DEF CON attendees.
    PGP key: dtangent@defcon.org valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A

  • #2
    捕 获 、分 析 和 伪 造 B L E 通 信

    胡一米
    郭韬

    我们的workshop涉及到的内容是BLE通信安全。
    我们在日常生活中可以体会到,BLE 通信在诸如健康护理或家庭娱乐等行业的应用越来越广泛。所以抓取BLE通信并进行安全分析是一件很有趣的事 情。

    在我们的workshop中,所有必需的工具,比如CC2540 Dongle、CC Debugger以及相应的软件,都已经备好。参与者只需要携带一台笔记本电脑(预装Win 7或更高版本的操作系统)即可。针对BLE通信,我们准备了三款生活中常见的设备:智能灯泡、智能门锁以及 智能手环。
    我们将整个workshop分成了三个部分,每个部分会针对一款设备进行研究。此外我们还设置了一些挑战, 每位参与者都可以用我们提供的工具对之前研究的设备进行攻击。参与到我们的workshop中来,需要你: 最好熟悉安卓开发/逆向或嵌入式开发/逆向,当然我们也会考虑到没有相关经验的同学们。
    你将学到: 1、BLE的基础知识; 2、嗅探周围的BLE通信; 3、发送数据包,“非法”控制设备; 4、伪造数据包,欺骗控制端;

    胡一米,DC0086成员,就职于北京未来安全信息技术有限公司,胖猴实验室高级安全研究院。胡一米在Io T安全研究领域拥有数年工作经验,对如三星、霍尼韦尔等知名厂商的产品进行过深入研究,向CVE及CNNV D提交了许多关于智能门锁、IP摄像头和其他设备的漏洞。郭韬,北京未来安全信息技术有限公司安全研究员, 胖猴实验室和DC0086成员,曾有多年嵌入式设备开发经验,现专注于嵌入式设备的安全研究,目前已经发现 了数个国内外知名智能门锁品牌的安全漏洞。
    PGP key: dtangent@defcon.org valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A

    Comment

    Working...
    X