Length: 2 Days

Bluetooth Security Training

In any wireless networking setup, security is a concern. Bluetooth is no different.

However, Bluetooth adds a further concern: the automatic nature of the connection, a big saving in time and effort, is also a gift to anyone who wants to push data to your device without your permission.

Bluetooth opens a channel for two devices to communicate, an extremely useful arrangement, but one that also opens the door to dangerous interactions. Without strong cryptographic authentication, a malicious third party can use Bluetooth to connect to a device it should not have access to, or trick a target into treating a rogue device as a trusted one.

The magnitude of Bluetooth security problems is far reaching. Take BlueBorne, a set of flaws disclosed in September 2017. In the worst case the BlueBorne bugs let an attacker take complete control of a device and all data stored on it. The attack is airborne and needs no pairing or user interaction, which makes it hard to defend against: it does not travel over an IP connection, so network perimeter controls and traditional anti-virus products are no defense. At disclosure, BlueBorne was estimated to affect more than 5 billion PCs, phones and IoT (Internet of Things) devices.

A more recent vulnerability, Key Negotiation of Bluetooth (KNOB), is a classic example of how the simplicity and ease of use of Bluetooth is also its weakness. KNOB affects Bluetooth Classic (BR/EDR) devices implementing core specification versions 1.0 through 5.1. It was identified by researchers from the Singapore University of Technology and Design, the Center for IT-Security, Privacy and Accountability (CISPA) and the University of Oxford, and the disclosure was coordinated with multiple vendors including Microsoft, Apple, Intel, Cisco and Amazon.

The attack lets a third party, without knowledge of any secret material such as link or encryption keys, make two (or more) victims agree on an encryption key with as little as one byte (8 bits) of entropy. The attacker can then brute-force the negotiated key, decrypt eavesdropped ciphertext, and inject valid encrypted messages, all in real time.

To resolve the issue, the Bluetooth Core Specification was updated to recommend a minimum encryption key length of 7 octets for BR/EDR connections, and product developers are urged to update existing products as a matter of urgency to enforce that minimum. A key of 7 octets carries 56 bits of entropy, so a downgrade to the minimum still leaves 2^56 candidates instead of 2^8, which is no longer feasible to brute-force in real time. On the host side, implementations can also verify the negotiated size once encryption is enabled (for example with the HCI Read Encryption Key Size command) and drop the link if it is below the minimum.
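The downgrade and the effect of the 7-octet minimum, as an added example that is not part of the original page or of any vendor's code. It models the LMP encryption key size negotiation in simplified form (each peer has a minimum and maximum size, and a man-in-the-middle negotiates a 1-octet key with both sides separately), and uses a toy key-shortening step and a toy SHA-256 keystream rather than the real E0 cipher. The link key and the AT command used as known plaintext are constructed sample values.

```python
"""KNOB-style key-size downgrade against a simulated LMP negotiation.

Added example, not real HCI/LMP code: only the entropy argument is faithful.
"""
import hashlib
import itertools

MAX_KEY_SIZE = 16  # octets (128-bit key), the ceiling both peers would like


class Device:
    """One BR/EDR peer with its supported key-size range (min, max)."""

    def __init__(self, name, min_key_size, max_key_size=MAX_KEY_SIZE):
        self.name = name
        self.min_key_size = min_key_size
        self.max_key_size = max_key_size
        self.agreed_size = None

    def handle_request(self, size):
        """Answer an LMP_encryption_key_size_req carrying `size` octets.
        Returns ("accept", size), ("propose", our_max) or ("reject", size)."""
        if size > self.max_key_size:
            return ("propose", self.max_key_size)  # counter with our own ceiling
        if size < self.min_key_size:
            return ("reject", size)  # LMP_not_accepted: below our minimum
        self.agreed_size = size
        return ("accept", size)


def negotiate(master, slave, attacker_size=None):
    """Simplified negotiation; returns the agreed key size or None.
    With attacker_size set, a MITM talks to each victim separately and
    offers both the same tiny key size (KNOB)."""
    if attacker_size is not None:
        for dev in (master, slave):
            verdict, _ = dev.handle_request(attacker_size)
            if verdict != "accept":
                return None  # a peer enforcing a minimum refuses the downgrade
        return attacker_size
    verdict, value = slave.handle_request(master.max_key_size)
    if verdict == "propose":
        verdict, value = master.handle_request(value)
        if verdict == "accept":
            slave.agreed_size = value
    if verdict != "accept":
        return None
    master.agreed_size = value
    return value


def shorten_key(full_key, size):
    """Toy stand-in for the spec's key-size reduction: keep `size` octets of
    entropy and pad to 16. (The real reduction uses polynomial arithmetic,
    but the result likewise carries only 8*size bits of entropy.)"""
    return full_key[:size] + b"\x00" * (MAX_KEY_SIZE - size)


def keystream(key, length):
    """Toy SHA-256 counter keystream, NOT E0; any cipher serves the argument."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, data):
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force(ciphertext, known_prefix, size):
    """Try every key with `size` octets of entropy against known plaintext.
    Returns (key, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in itertools.product(range(256), repeat=size):
        attempts += 1
        key = shorten_key(bytes(candidate), size)
        if xor_crypt(key, ciphertext[: len(known_prefix)]) == known_prefix:
            return key, attempts
    return None, attempts


# Constructed sample data: a 16-octet key the attacker never learns, and an
# HFP-style AT command whose fixed header gives the attacker known plaintext.
LINK_KEY = bytes.fromhex("5f2c9e1b77a04d3e8c6b12f0a9d4e7c1")
PLAINTEXT = b"AT+CPIN=4711\r"
KNOWN_PREFIX = b"AT+CPIN="


def knob_attack(min_key_size):
    """Attacker forces a 1-octet key on two peers that enforce min_key_size.
    Returns the agreed size, whether the key was recovered, and attempts."""
    master = Device("phone", min_key_size)
    slave = Device("headset", min_key_size)
    agreed = negotiate(master, slave, attacker_size=1)
    if agreed is None:
        return {"agreed": None, "recovered": False, "attempts": 0}
    session_key = shorten_key(LINK_KEY, agreed)
    ciphertext = xor_crypt(session_key, PLAINTEXT)
    key, attempts = brute_force(ciphertext, KNOWN_PREFIX, agreed)
    return {"agreed": agreed, "recovered": key == session_key, "attempts": attempts}


if __name__ == "__main__":
    print("vulnerable (min 1 octet):", knob_attack(1))
    print("patched (min 7 octets):", knob_attack(7))
    print("candidates at 7 octets:", 256 ** 7)
```

With both peers accepting a 1-octet minimum, the attacker's key is recovered in at most 256 attempts; with the 7-octet minimum enforced, the 1-octet request is rejected and the attacker gets no encrypted session to work with at all. The same brute force against a 7-octet key would face 2^56 candidates.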

Individual Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers.

Bluetooth Security Training Course by Tonex

Bluetooth Security Training is a 2-day practical course covering the security capabilities of Bluetooth. It covers Bluetooth weaknesses, threat vectors, security features and attacks, and gives organizations that deploy Bluetooth guidelines for securing it effectively. The course covers Bluetooth versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 + High Speed (HS), 4.0, 4.1 and 4.2, including the Bluetooth Low Energy feature introduced in 4.0, as well as Bluetooth 5.0 (BT5.0).

Bluetooth wireless technology and devices are susceptible to general wireless networking threats including denial of service (DoS) attacks, eavesdropping, man-in-the-middle (MITM) attacks, message modification, and resource misappropriation. Successful attacks against Bluetooth devices can give attackers unauthorized access to information and unauthorized use of services.

Learning Objectives

Upon completion of this course, the participants will be able to:

  • Discuss architecture elements of Classic Bluetooth and Bluetooth Low Energy (BLE)
  • Compare Classic Bluetooth vs. Bluetooth Low Energy (BLE) protocols, security features
  • List Bluetooth Classic and Bluetooth Low Energy protocols, vulnerabilities, threats, attack types and countermeasures
  • Analyze L2/L3 packets in both Classic Bluetooth and Bluetooth Low Energy (BLE)
  • Analyze security features in Bluetooth Low Energy GATT profiles

Overview of Bluetooth Wireless Technology

  • Bluetooth Architecture
  • Classic Bluetooth Physical Layer
  • Bluetooth Channels and Principles of Frequency Hopping
  • Classic Bluetooth Protocol stack
  • Asynchronous Connection-Less (ACL)
  • Synchronous Connection-Oriented (SCO)
  • Active Slave Broadcast (ASB)
  • Parked Slave Broadcast (PSB)
  • Link control protocol (LC)
  • Link manager protocol (LMP)
  • Low-energy link layer (LELL)
  • Host controller interface (HCI)
  • Classic Bluetooth Host stack
  • Logical link control and adaptation protocol (L2CAP)
  • Bluetooth network encapsulation protocol (BNEP)
  • Radio frequency communication (RFCOMM)
  • Service discovery protocol (SDP)
  • Telephony Control Protocol Specification (TCS)
  • Audio/video control transport protocol (AVCTP)
  • Audio/video distribution transport protocol (AVDTP)
  • Object exchange (OBEX)
  • Bluetooth Low Energy (BLE) Physical Layer
  • BLE Protocol stack
  • Low Energy Attribute Protocol (ATT)
  • BLE Profiles and Services
  • Bluetooth Low Energy (BLE) Controller and Host stack
  • Generic Access Profile (GAP)
  • Generic Attribute Profile (GATT)

Bluetooth Classic and BLE Operations

  • Bluetooth packet structure and connection procedures
  • Device Discoverability and Connectability
  • Masters and Slaves
  • Device Addressing
  • Pairing and Bonding
  • Security Modes and Levels
  • Pairing Modes
  • Pairing Phases
  • Pairing Procedures
  • STK generation methods
  • Just Works
  • Passkey Entry
  • Out of Band (OOB)
  • Numeric Comparison

Overview of Bluetooth Security Features  

  • Connecting to Secure Bluetooth Networks
  • Security Features of Bluetooth BR/EDR/HS
  • Security Features of Bluetooth Low Energy (BLE)
  • Pairing and Link Key Generation
  • Authentication
  • Confidentiality
  • Bluetooth Trust Levels, Service Security Levels, Modes and Authorization
  • Bluetooth Low Energy (BLE) Security
  • BLE Security Modes and Levels
  • BLE Pairing Methods
  • Legacy Low Energy Key Generation and Distribution
  • BLE Secure Connection Key Generation
  • BLE Confidentiality, Authentication and Integrity
  • BLE Short Term Key (STK) and Long Term Key (LTK)
  • LTK Derivation from Bluetooth Link Key
  • Bluetooth Link Key Derivation from Low Energy Long Term Key

Bluetooth Application and Service Attacks

  • Bluetooth Cryptographic Attacks
  • Bluetooth Classic and BLE Threat Actors
  • Bluetooth Classic and BLE Vulnerabilities, Threats, and Countermeasures
  • Bluetooth Classic and BLE Risk Mitigation and Countermeasures
  • Bluetooth Classic and BLE Security Checklist and Mitigation Roadmaps
  • Overview of Open Source Tools
