Bluetooth Security Training
One of the major vulnerabilities with Bluetooth security has been eavesdropping.
Here an attacker tricks you into pairing with their device by giving it a name that mimics, or slightly misspells, the name of a device your device trusts. They can, for example, name their device exactly as you have named your office printer, so when you search for the printer with your phone's Bluetooth it is the attacker's device you find and connect to first. Upon pairing, they gain access to your entire device.
Another major Bluetooth security issue has been bluesnarfing. This occurs when an attacker pairs with your Bluetooth device without your knowledge and steals or compromises your personal data.
Fortunately, many of these Bluetooth security issues have been addressed in the latest version of Bluetooth, BLE 5.2, largely due to an updated SoC (system-on-a-chip) solution.
These new SoCs in BLE 5.2 provide a security feature called Secure Boot with root of trust and secure loader (RTSL) that uses a two-stage bootloader designed to ensure that an EFR32BG22-based system boots only with authenticated firmware.
Conceptually, Secure Boot with RTSL addresses a weakness in older single-stage bootloader systems that permitted hackers to take complete control of a connected system by booting it with compromised firmware.
The use of signed firmware would seem to solve this problem. In practice, however, firmware signed with counterfeit certificates, or with legitimate certificates fraudulently obtained by bad actors, can leave even signed boot schemes exposed to attack.
In contrast, an EFR32BG22-based system establishes a root of trust built on a first stage bootloader that pulls trusted firmware from ROM. In turn, this trusted software uses strict authentication methods to verify the source and integrity of the second stage bootloader code, which in turn verifies and loads the application code.
Building a system on a root of trust lets developers deliver products with high confidence in the ongoing integrity of the software, even through over-the-air (OTA) firmware update cycles.
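The two-stage chain of trust described above, as an added example that is not Silicon Labs' RTSL code or the page's own: a Go model using Ed25519 keys in which the ROM-resident first stage holds only a public key, the second-stage image is assumed to begin with the key that authenticates the application, and an image that is patched, or signed with a key the ROM never trusted, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
// Image is a simplified firmware image: payload plus detached signature. A
// second-stage image is assumed to begin with the key that authenticates the app.
type Image struct {
	Payload   []byte
	Signature []byte
}
func signImage(priv ed25519.PrivateKey, payload []byte) Image {
	return Image{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyBootChain models the two-stage flow: the ROM-resident first stage checks
// stage 2 against the ROM key, then stage 2 checks the app with its own carried key.
func VerifyBootChain(romKey ed25519.PublicKey, stage2, app Image) error {
	if !ed25519.Verify(romKey, stage2.Payload, stage2.Signature) {
		return errors.New("second-stage bootloader failed authentication")
	}
	if len(stage2.Payload) < ed25519.PublicKeySize {
		return errors.New("second-stage image too short to carry an application key")
	}
	appKey := ed25519.PublicKey(stage2.Payload[:ed25519.PublicKeySize])
	if !ed25519.Verify(appKey, app.Payload, app.Signature) {
		return errors.New("application failed authentication")
	}
	return nil
}

// Scenarios returns the outcome of a legitimate chain and two attack cases
// (nil means the device would boot). Keys and payloads are constructed here.
func Scenarios() (legit, tampered, forged error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // burned into ROM
	s2Pub, s2Priv, _ := ed25519.GenerateKey(rand.Reader)     // vendor's stage-2 key
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)   // never trusted by ROM
	stage2 := signImage(rootPriv, append(append([]byte{}, s2Pub...), "stage2-code"...))
	app := signImage(s2Priv, []byte("application-v1"))
	legit = VerifyBootChain(rootPub, stage2, app)
	// Attacker patches the bootloader code but cannot re-sign it with rootPriv.
	bad := Image{Payload: append([]byte{}, stage2.Payload...), Signature: stage2.Signature}
	bad.Payload[len(bad.Payload)-1] ^= 0xFF
	tampered = VerifyBootChain(rootPub, bad, app)
	// Attacker signs a replacement application with a key of their own.
	forged = VerifyBootChain(rootPub, stage2, signImage(attackerPriv, []byte("app-v2")))
	return
}
```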
Bluetooth Security Training Course by Tonex
Bluetooth Security Training is a 2-day practical course covering the security capabilities of Bluetooth. The course covers Bluetooth weaknesses, threat vectors, Bluetooth security features, Bluetooth attacks, and guidelines for organizations that employ Bluetooth technologies on securing them effectively. The course covers Bluetooth versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 + High Speed (HS), 4.0, 4.1, and 4.2, including the Bluetooth Low Energy feature introduced in version 4.0, as well as Bluetooth 5.0 (BT5.0).
Bluetooth wireless technology and devices are susceptible to general wireless networking threats, including denial of service (DoS) attacks, eavesdropping, man-in-the-middle (MITM) attacks, message modification, and resource misappropriation. Attacks against Bluetooth devices can give attackers unauthorized access to information and to the devices themselves.
Learning Objectives
Upon completion of this course, the participants will be able to:
- Discuss architecture elements of Classic Bluetooth and Bluetooth Low Energy (BLE)
- Compare the protocols and security features of Classic Bluetooth and Bluetooth Low Energy (BLE)
- List Bluetooth Classic and Bluetooth Low Energy vulnerabilities, threats, attack types and countermeasures
- List Bluetooth Classic and Bluetooth Low Energy protocols, vulnerabilities, threats, and countermeasures
- Analyze L2/L3 packets in both Classic Bluetooth and Bluetooth Low Energy (BLE)
- Analyze security features in Bluetooth Low Energy GATT profiles
Overview of Bluetooth Wireless Technology
- Bluetooth Architecture
- Classic Bluetooth Physical Layer
- Bluetooth Channels and Principles of Frequency Hopping
- Classic Bluetooth Protocol stack
  - Asynchronous Connection-Less (ACL)
  - Synchronous Connection-Oriented (SCO)
  - Active Slave Broadcast (ASB)
  - Parked Slave Broadcast (PSB)
  - Link control protocol (LC)
  - Link manager protocol (LMP)
  - Low-energy link layer (LELL)
  - Host controller interface (HCI)
- Classic Bluetooth Host stack
  - Logical link control and adaptation protocol (L2CAP)
  - Bluetooth network encapsulation protocol (BNEP)
  - Radio frequency communication (RFCOMM)
  - Service discovery protocol (SDP)
  - Telephony Control Protocol Specification (TCS)
  - Audio/video control transport protocol (AVCTP)
  - Audio/video distribution transport protocol (AVDTP)
  - Object exchange (OBEX)
- Bluetooth Low Energy (BLE) Physical Layer
- BLE Protocol stack
- Low Energy Attribute Protocol (ATT)
- BLE Profiles and Services
- Bluetooth Low Energy (BLE) Controller and Host stack
- Generic Access Profile (GAP)
- Generic Attribute Profile (GATT)
Bluetooth Classic and BLE Operations
- Bluetooth packet structure and connection procedures
- Device Discoverability and Connectability
- Masters and Slaves
- Device Addressing
- Pairing and Bonding
- Security Modes and Levels
- Pairing Modes
- Pairing Phases
- Pairing Procedures
- STK generation methods
  - Just Works
  - Passkey Display
  - Out of Band (OOB)
  - Numeric
Overview of Bluetooth Security Features
- Connecting to Secure Bluetooth Networks
- Security Features of Bluetooth BR/EDR/HS
- Security Features of Bluetooth Low Energy (BLE)
- Pairing and Link Key Generation
- Authentication
- Confidentiality
- Bluetooth Trust Levels, Service Security Levels, Modes and Authorization
- Bluetooth Low Energy (BLE) Security
- BLE Security Modes and Levels
- BLE Pairing Methods
- Legacy Low Energy Key Generation and Distribution
- BLE Secure Connection Key Generation
- BLE CIA (Confidentiality, Authentication, and Integrity)
- BLE Short Term Key (STK) and Long Term Key (LTK)
- LTK Derivation from Bluetooth Link Key
- Bluetooth Link Key Derivation from Low Energy Long Term Key
Bluetooth Application and Service Attacks
- Bluetooth Cryptographic Attacks
- Bluetooth Classic and BLE Threat Actors
- Bluetooth Classic and BLE Vulnerabilities, Threats, and Countermeasures
- Bluetooth Classic and BLE Risk Mitigation and Countermeasures
- Bluetooth Classic and BLE Security Checklist and Mitigation Road maps
- Overview of Open Source Tools