Yimi Hu & Tao Guo: Capturing, Analyzing and Faking BLE Communication
In this workshop, we will talk about BLE communication security. BLE communication is widely used in the healthcare, beacon, and home entertainment industries, so capturing BLE traffic and doing security research on BLE communication is of real interest. During this workshop, all necessary equipment is provided, such as the CC2540, the CC Debugger and the corresponding software. In addition, 3 kinds of BLE-based devices that we can find in our daily lives will be analyzed and attacked. We hope our participants are familiar with Android development/reverse-engineering or embedded development/reverse-engineering, but it is also fine if they are not. Participants need to bring their own laptop running Windows 7 or a higher version. During the workshop, we will analyze BLE communication from different aspects, such as sniffing the data transmitted between devices or faking their communication.
The whole workshop can be divided into 3 parts, and some challenges are left for participants, which can also be added to the DEF CON challenges list.
Trainer Bio(s) (not to exceed 1337 characters total):
Yimi Hu, member of DC0086 and senior security researcher at PwnMonkey Security Lab of Beijing xFutureSecurity Information Technology Co., Ltd., has been working on IoT security for several years. During his career, he has reported many CVEs and CNNVDs on smart doorlocks, IP cameras and other devices from well-known manufacturers such as Samsung or Honeywell. He is also a public speaker, has given many talks in his country and is good at public speaking.
Tao Guo, security researcher at xFutureSecurity Information Technology Co., Ltd. and member of PwnMonkey Security Lab and DC0086, has been working on the development of embedded devices for many years, and now mainly focuses on the security analysis of embedded devices. Since his attention turned to smart doorlocks, many vulnerabilities in world-famous smart doorlocks have been submitted to CVE and CNNVD.
Detailed Outline:
1. What we will provide:
1) Equipment to be provided:
a) 5 smart BLE-based bulbs, used for Part 1 Challenge.
b) 2 smart doorlocks, used for Part 2 Challenge.
c) Smart band for each participant, used for Part 3 Challenge.
d) CC2540 Dongle for each participant, used for sniffing BLE communication.
e) 5 CC Debuggers, used for flashing programs.
2) Software tools, which can be downloaded from the HTTP server we will set up at the workshop:
a) Jadx, used for Android reverse-engineering.
b) Wireshark, used for checking Android Bluetooth log.
c) TI Packet Sniffer, used for viewing the BLE communication data.
d) IAR Embedded Workbench IDE and TI Flash Programmer, used to flash programs into CC2540.
e) LightBlue Explorer and nRF Connect, used for the course and challenge in Part 2.
f) An Android APK programmed by us, used for data display in the Part 3 Challenge.
2. What we will show:
The whole workshop can be divided into 3 parts:
Part 1: Basic Introduction: learning to control smart lamp bulbs
In this part, we will introduce the process of BLE communication, and then explain the GAP and GATT protocols using the provided BLE-based bulbs. These bulbs are used in some hotels, and we think it is fun to control the bulb in the next room.
Before we try to control the lamp bulbs, we need to know the instructions that our phone sends to them. To obtain these instructions, we will analyze the application log of the bulb APK. Then the apps LightBlue Explorer and nRF Connect will be introduced, with which we can turn the bulb on or off.
CHALLENGE: Besides turning on or off, the bulbs we provide can also change the light color. Participants can try to turn bulbs to other colors.
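As an added example, not code from the workshop or its authors: the Android Bluetooth HCI snoop log that Wireshark opens is a btsnoop file (H4 datalink), and the bulb "instructions" inside it are ATT Write PDUs. The parser below walks the btsnoop, HCI ACL, L2CAP and ATT layers and lists each write and notification with its handle and value; the sample log, handles and values are constructed here and are not from any real bulb.

```python
import struct

ATT_CID = 0x0004  # L2CAP channel id for the Attribute Protocol
ATT_OPS = {0x12: "Write Request", 0x52: "Write Command", 0x1B: "Notification"}

def att_pdu(opcode, handle, value):
    """Build an ATT PDU: opcode, 16-bit little-endian handle, value bytes."""
    return bytes([opcode]) + struct.pack("<H", handle) + value

def h4_acl_record(att, conn_handle=0x0040, sent=True):
    """Wrap an ATT PDU in L2CAP (CID 4), HCI ACL and H4 framing as one btsnoop record."""
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    acl = struct.pack("<HH", conn_handle | (0x2 << 12), len(l2cap)) + l2cap  # PB flag 10 = first fragment
    pkt = b"\x02" + acl  # H4 packet type 0x02 = ACL data
    flags = 0 if sent else 1  # btsnoop bit 0: 0 = host -> controller, 1 = controller -> host
    hdr = struct.pack(">IIIIQ", len(pkt), len(pkt), flags, 0, 0)  # orig len, incl len, flags, drops, timestamp
    return hdr + pkt

BTSNOOP_HEADER = b"btsnoop\x00" + struct.pack(">II", 1, 1002)  # version 1, datalink 1002 = HCI UART (H4)

# Constructed sample log (hypothetical handles/values): app writes "on", gets a status notification, writes a colour.
SAMPLE_LOG = BTSNOOP_HEADER + b"".join([
    h4_acl_record(att_pdu(0x52, 0x0025, bytes.fromhex("01")), sent=True),
    h4_acl_record(att_pdu(0x1B, 0x0028, bytes.fromhex("0100")), sent=False),
    h4_acl_record(att_pdu(0x12, 0x0025, bytes.fromhex("02ff8000")), sent=True),
])

def extract_att(data):
    """Return (direction, op name, handle, value hex) for every ATT write/notification in a btsnoop H4 capture."""
    if data[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", data[8:16])
    if datalink != 1002:
        raise ValueError("expected HCI H4 datalink (1002), got %d" % datalink)
    out, off = [], 16
    while off + 24 <= len(data):
        _orig_len, inc_len, flags, _drops, _ts = struct.unpack(">IIIIQ", data[off:off + 24])
        pkt = data[off + 24:off + 24 + inc_len]
        off += 24 + inc_len
        if len(pkt) < 9 or pkt[0] != 0x02:  # only ACL data packets carry L2CAP/ATT
            continue
        l2len, cid = struct.unpack("<HH", pkt[5:9])  # pkt[1:5] is the ACL handle/flags and length
        att = pkt[9:9 + l2len]
        if cid != ATT_CID or len(att) < 3 or att[0] not in ATT_OPS:
            continue
        handle = struct.unpack("<H", att[1:3])[0]
        out.append(("rx" if flags & 1 else "tx", ATT_OPS[att[0]], handle, att[3:].hex()))
    return out
```

Fragmented ACL packets (PB flag 01, continuation) are skipped here; a real log from a long write would need reassembly before the L2CAP header is parsed.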
Part 2: Advanced Analysis: security analysis of smart doorlock
In this part, everybody will learn how to capture BLE packets using a CC2540 Dongle. In addition to analyzing BLE traffic, Android APK reverse-engineering is also needed.
First, we will reverse-engineer the APK of the smart doorlock so that we can understand its authentication process. Next, we can obtain the authentication key by capturing the BLE communication between the phone and the doorlock. Our final goal is to unlock the smart doorlock from an unauthorized cellphone.
CHALLENGE: We will provide 2 smart doorlocks with similar authentication processes. Participants will try to crack the authentication process on their own.
Part 3: Free Hacking: Analyzing and faking packets of smart band
The smart band records the step count of its owner, and an APK will be provided so that everybody can display their step count.
In this part, we will provide some hints instead of teaching participants directly, and here’s our final challenge.
CHALLENGE: Use any approach to hack the smart band. We will set up 2 or 3 screens to display the step count information of all participants. The first one to complete this challenge, or the one with the largest step count, will be the winner, and we have a souvenir for the winner.
This game can be added to DEF CON challenges list and played by all DEF CON attendees.