How skilled are you in BLE security?
This is a question for everyone reading this article: how good are your skills at pen-testing BLE devices?
There are hundreds of companies that excel at testing the hardware side of Internet of Things devices. I doubt that most of them are any good at properly testing the Bluetooth side of things, though.
I won't dispute that many testers have received training and gained some useful insight into the protocol. But how well have they been trained? There is no free or low-budget standalone course on BLE security. Most of the time BLE is included as a sub-section alongside other protocols, so current courses don't focus much on Bluetooth Low Energy, and the results show it.
BLE Vulnerabilities
While exploring the protocol I uncovered many areas that unfortunately go unnoticed by most testers:
Access Control
Authentication Bypass
Privacy Issues – compromising PII
Buffer Overflows
Memory Corruption
Denial-of-Service
Security misconfigurations leading to certain vulnerabilities
Pairing-oriented attacks
The vulnerabilities above directly affect the end user and live in the application layer. Many developers try to push responsibility onto the BLE chip or stack vendor, offloading the security part of the product. The vendor, however, has little to do with these vulnerabilities: the vendor's stack can only enforce the security the application asks it for. Developers need someone like you to shed light on these areas and keep them aware of who is responsible for what.
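To make the access-control and misconfiguration items above concrete, here is a small Python model of the permission check an ATT server performs on a GATT read. It is added as an example and is not code from the article or from the author's tool. The ATT opcodes and error codes are the real values from the Bluetooth Core Specification (Vol 3, Part F); the permission flag names, the handles, the "FitTrack" device and the stored owner name are constructed for this example, and the check itself is simplified (real stacks differ in corner cases, such as which error an unpaired peer receives). Read over an unpaired link, the misconfigured table hands the owner's name to anyone in radio range, while the corrected table answers with Insufficient Authentication until the central pairs.

```python
from dataclasses import dataclass

# ATT opcodes and error codes from the Bluetooth Core Specification, Vol 3, Part F.
ATT_OP_ERROR_RSP = 0x01
ATT_OP_READ_REQ = 0x0A
ATT_OP_READ_RSP = 0x0B
ERR_READ_NOT_PERMITTED = 0x02
ERR_INSUFFICIENT_AUTHENTICATION = 0x05
ERR_ATTRIBUTE_NOT_FOUND = 0x0A
ERR_INSUFFICIENT_ENCRYPTION = 0x0F

# Per-attribute permission flags chosen by the application developer when the
# GATT table is defined. Names are hypothetical; Zephyr, NimBLE and similar
# stacks expose equivalent per-characteristic flags.
PERM_READ = 0x01          # readable on any link, even an unencrypted one
PERM_READ_ENCRYPT = 0x02  # readable only over an encrypted link
PERM_READ_AUTHEN = 0x04   # readable only with a key from MITM-protected pairing


@dataclass
class LinkSecurity:
    """Security state of the LE connection as the peripheral sees it."""
    encrypted: bool = False
    authenticated: bool = False  # True only after authenticated (MITM) pairing


@dataclass
class Attribute:
    handle: int
    perms: int
    value: bytes


def error_rsp(handle: int, code: int) -> bytes:
    """ATT Error Response: opcode, request opcode, handle (little-endian), error code."""
    return bytes([ATT_OP_ERROR_RSP, ATT_OP_READ_REQ]) + handle.to_bytes(2, "little") + bytes([code])


def att_read(table: dict, link: LinkSecurity, handle: int) -> bytes:
    """PDU the ATT server returns for a Read Request on `handle` over `link`.

    Simplified check: authentication is tested before encryption, so an
    unpaired central asking for a protected value is told to pair first.
    """
    attr = table.get(handle)
    if attr is None:
        return error_rsp(handle, ERR_ATTRIBUTE_NOT_FOUND)
    if not attr.perms & (PERM_READ | PERM_READ_ENCRYPT | PERM_READ_AUTHEN):
        return error_rsp(handle, ERR_READ_NOT_PERMITTED)
    if attr.perms & PERM_READ_AUTHEN and not (link.encrypted and link.authenticated):
        return error_rsp(handle, ERR_INSUFFICIENT_AUTHENTICATION)
    if attr.perms & PERM_READ_ENCRYPT and not link.encrypted:
        return error_rsp(handle, ERR_INSUFFICIENT_ENCRYPTION)
    return bytes([ATT_OP_READ_RSP]) + attr.value


# Constructed GATT tables for a fictitious "FitTrack" wearable. Handles and
# values are invented; the only difference is the permission on handle 0x0012.
OWNER_NAME = b"Jane Doe"  # PII stored by the device
OWNER_NAME_HANDLE = 0x0012

WEAK_TABLE = {
    0x0003: Attribute(0x0003, PERM_READ, b"FitTrack 2"),      # Device Name, fine in the clear
    0x0012: Attribute(0x0012, PERM_READ, OWNER_NAME),          # misconfigured: anyone in range reads PII
    0x0015: Attribute(0x0015, 0x00, b"\x00"),                  # write-only control point, no read flag
}
HARDENED_TABLE = {
    0x0003: Attribute(0x0003, PERM_READ, b"FitTrack 2"),
    0x0012: Attribute(0x0012, PERM_READ_AUTHEN, OWNER_NAME),   # fixed: authenticated, encrypted link required
    0x0015: Attribute(0x0015, 0x00, b"\x00"),
}

# Link states a tester will meet: a fresh connection with no pairing, a
# Just Works pairing (encrypted, not MITM-protected), and authenticated pairing.
UNPAIRED = LinkSecurity()
JUST_WORKS = LinkSecurity(encrypted=True)
AUTHENTICATED = LinkSecurity(encrypted=True, authenticated=True)


def probe_owner_name(table: dict, link: LinkSecurity) -> bytes:
    """What a central (or an attacker's tool) gets back when it reads the owner name."""
    return att_read(table, link, OWNER_NAME_HANDLE)


if __name__ == "__main__":
    for label, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        for link_label, link in (("unpaired", UNPAIRED), ("just-works", JUST_WORKS), ("authenticated", AUTHENTICATED)):
            print(f"{label:9s} {link_label:14s} -> {probe_owner_name(table, link).hex()}")
```

The bytes returned here are exactly what a tester sees in a sniffer or from a testing tool: a Read Response (0x0B) carrying data on an unpaired link is a finding, an Error Response with code 0x05 is the expected behaviour. Note also that the Just Works link still fails the hardened read, because encryption without MITM protection does not satisfy an authentication requirement. The stack enforces whatever flag the developer put on that handle and nothing more, which is why these issues belong to the application, not the vendor.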
Keep your customers happy
Your customers are happier when your test delivers important findings. You will have noticed by now that many of them don't know most of the vulnerabilities you report to them. That is fine; this is your job. Over time customers become familiar with most vulnerability classes. Bluetooth Low Energy, however, is an even darker area for them, because most pentest companies touch it lightly, if they test BLE at all, and so customers see few BLE-related issues. So get educated in BLE and amaze them with something new!
Finding Online Resources
How about starting to learn about Bluetooth Low Energy online? It is a good starting point, but I have been there and I can say it isn't the most efficient path. It is certainly the right way to take the first steps. However, I found it frustrating trying to learn BLE in depth from online sources, because everyone teaches just the basics, repeating what is already out there. Also, sometimes you need the right terms to dig deeper into the protocol, terms you don't yet know exist.
The following articles will give you a quick boost into the BLE world:
But don't go just yet; the best is still to come.
What about tools?
There are a ton of tools out there, some badly designed but also some very well designed and cool ones. Many of them were developed years ago and have reached a good maturity level. On the other hand, many tools have been abandoned and have become obsolete.
Through my BLE journey I have seen that MOST of the tools out there struggle to install on the latest operating systems. Furthermore, not every tool can be installed on every operating system. Even that wasn't enough, because I still needed a bunch of different tools to get a complete picture of the target's security posture.
To give back to the community I have developed my own BLE testing tool and published it for free; it is open software and open hardware too. I won't go into what the tool does here. I should also say that the tool is not for every kind of task, but it covers most of what I need during my tests and research.
What does it take to master Bluetooth Low Energy?
It needs the right tools, properly designed for each test.
It needs resources and concentrated knowledge.
It needs dedication and focus.
It needs the right methodology.
Even with the right tools, I still had to climb high enough: learn the protocol by myself and develop the right methodology, which took years. Over those years I gained the experience and knowledge to say I am in a position to test a device confidently and thoroughly. Due to the lack of information I had to crawl through the Bluetooth specification, which is a huge number of formal pages. Even then, I had to develop my own firmware and software to better understand some concepts.
I also delved into research and created my own fuzzers operating at many layers of the protocol, not just the application layer. I dug into the Linux and Android kernels to understand how to talk to the OS at the lowest possible level. I had to learn how to bypass the OS and speak directly to the controller. Finally, I skipped the OS completely and built my own controller using open-source stacks, which I modified to attack the peer device.
The effort I put in was rewarding, as I discovered many vulnerabilities in the products of major BLE manufacturers.
Learning BLE – How?
I have gone much further than anyone should need to go in order to conduct a penetration test. So how far do you need to go? Definitely further than what the free internet can give you, but surely less than delving into the firmware level.
So what are the right tools for a tester?
How do you find the right resources teaching you enough to feel comfortable testing BLE devices?
How do you even start entering into Bluetooth Low Energy?
Considering the time I've put in, how do I get certified?
Register for our BLE Security course for free! Contact the author to get an invitation code to the course. It's a massive text-based course of 16 labs and 400 pages of material explaining each and every step of hacking into BLE.