1
00:00:01,730 --> 00:00:08,780
Hi there, welcome back to this course. In this lesson I will talk about Bluetooth Low Energy security

2
00:00:08,780 --> 00:00:09,640
assessment.

3
00:00:10,280 --> 00:00:15,780
Let's first see an introduction to Bluetooth Low Energy. Bluetooth 4

4
00:00:15,800 --> 00:00:26,660
specifications allow devices to implement both BLE and classic Bluetooth, that is Bluetooth Basic

5
00:00:26,660 --> 00:00:37,910
Rate / Enhanced Data Rate. BLE uses the same frequencies as Bluetooth BR/EDR, which lie between

6
00:00:37,910 --> 00:00:43,040
2.4 gigahertz and 2.4835

7
00:00:43,040 --> 00:00:56,120
gigahertz. Operating systems that support BLE are iOS 5 and above, Android 4.3

8
00:00:56,120 --> 00:01:00,590
and above, Windows 8 and above, Linux 3.4 and above.

9
00:01:02,360 --> 00:01:11,290
Let's see some technical features of the BLE protocol: instead of the classic 79 1-megahertz

10
00:01:11,300 --> 00:01:20,390
Bluetooth channels, Bluetooth Low Energy has 40 2-megahertz channels. Within a channel, data

11
00:01:20,390 --> 00:01:23,840
is transmitted using Gaussian Frequency Shift

12
00:01:23,840 --> 00:01:32,360
Keying, similar to the classic Basic Rate of Bluetooth. The bitrate is 1 megabit per second and

13
00:01:32,360 --> 00:01:36,130
the maximum transmission power is 10 milliwatts.

14
00:01:39,970 --> 00:01:47,720
Bluetooth Low Energy uses frequency hopping to counteract narrow-band interference problems.

15
00:01:48,650 --> 00:01:55,730
And if you want further technical details, you can obtain them from the official specifications published

16
00:01:55,730 --> 00:01:58,390
by the Bluetooth SIG

17
00:01:58,490 --> 00:02:01,220
(Special Interest Group).

18
00:02:04,120 --> 00:02:11,980
The BLE protocol is used in numerous IoT devices to handle short-distance data transmissions.
19
00:02:12,400 --> 00:02:20,230
The slide provides a short list of such devices, for example smartwatches, wearables, smart locks,

20
00:02:20,230 --> 00:02:25,600
smart lighting, consumer electronics, fitness trackers, etc.

21
00:02:27,380 --> 00:02:32,240
Let's see a simple introduction to the BLE stack.

22
00:02:33,320 --> 00:02:39,620
First of all, the Generic Access Profile (GAP) controls the state of the device,

23
00:02:39,620 --> 00:02:50,120
which can be one of these: standby, advertising, scanning, initiating, connected. Advertisers transmit

24
00:02:50,120 --> 00:02:56,480
data without connecting, while scanners scan for advertisers.

25
00:02:56,990 --> 00:03:03,670
An initiator is a device that responds to an advertiser with a request to connect.

26
00:03:04,460 --> 00:03:13,460
If the advertiser accepts the connection request, both the advertiser and the initiator enter a connected

27
00:03:13,460 --> 00:03:14,120
state.

28
00:03:14,840 --> 00:03:23,810
When a device is connected, it connects as either master or slave. The device

29
00:03:23,810 --> 00:03:31,970
initiating the connection becomes the master and the device accepting the request becomes the slave.

30
00:03:33,320 --> 00:03:43,370
The HCI layer provides communication between the host and the controller through a standardised interface.

31
00:03:44,210 --> 00:03:50,150
The L2CAP layer provides data encapsulation services to the upper

32
00:03:50,150 --> 00:03:55,840
layers, allowing for logical end-to-end communication of data.

33
00:03:56,420 --> 00:04:06,080
The Security Manager layer defines the methods for pairing and key distribution, and provides functions

34
00:04:06,260 --> 00:04:14,480
for the other layers of the protocol stack to securely connect and exchange data with another device.
35
00:04:15,530 --> 00:04:25,640
The Generic Access Profile (GAP) layer directly interfaces with the application and the profiles, to

36
00:04:25,640 --> 00:04:31,310
handle device discovery and connection-related services for the device.

37
00:04:31,940 --> 00:04:36,350
GAP handles the initiation of security features.

38
00:04:37,220 --> 00:04:45,920
The ATT layer allows a device to expose certain pieces of data, or attributes, to another device.

39
00:04:46,760 --> 00:04:55,970
The Generic Attribute Profile (GATT) layer is a service framework that defines the sub-procedures for using

40
00:04:55,970 --> 00:04:58,070
ATT. Data

41
00:04:58,070 --> 00:05:05,180
communications that occur between two devices in a Bluetooth Low Energy connection are handled through

42
00:05:05,180 --> 00:05:06,980
GATT sub-procedures.

43
00:05:07,520 --> 00:05:13,330
The application and/or profile will directly use GATT.

44
00:05:16,750 --> 00:05:23,290
These graphics represent the state diagram of a BLE device.

45
00:05:26,180 --> 00:05:35,990
And this shows the structure of a typical BLE packet format, also showing the two detailed cases

46
00:05:35,990 --> 00:05:40,880
relating to a data packet and an advertisement packet.

47
00:05:44,330 --> 00:05:54,740
This graphic represents the data structure managed by a GATT server, which can be interrogated in read/write mode

48
00:05:54,920 --> 00:06:05,060
by GATT clients. GATT establishes a strict hierarchy to organize attributes, allowing the access and retrieval

49
00:06:05,090 --> 00:06:14,390
of information between client and server to follow a set of rules that together constitute the framework

50
00:06:14,690 --> 00:06:16,460
used by all

51
00:06:16,460 --> 00:06:18,620
GATT-based profiles.
52
00:06:21,510 --> 00:06:31,670
For connecting two devices (an advertiser and an initiator), BLE provides 4 pairing mechanisms:

53
00:06:32,550 --> 00:06:41,650
the first is "Just Works", one of the most common pairing modes, used by devices without a display, and

54
00:06:41,670 --> 00:06:45,690
that uses a pairing key of six zeros.

55
00:06:47,000 --> 00:06:58,130
"Passkey" uses a six-digit passkey; then "Numeric comparison" shows the same number on both devices, asking

56
00:06:58,130 --> 00:07:08,390
the user to confirm whether the numbers match. "Out-of-band" shares the PIN using an out-of-band channel

57
00:07:08,390 --> 00:07:11,960
such as NFC (Near Field Communication).

58
00:07:14,390 --> 00:07:21,930
Let's see some command-line tools useful for verifying the security of IoT devices.

59
00:07:22,610 --> 00:07:27,600
Let's consider an analysis environment with a Linux operating system.

60
00:07:28,310 --> 00:07:38,180
First of all, the BlueZ Linux kernel modules must be installed, if not already present; they are essential

61
00:07:38,180 --> 00:07:46,070
in order to use Bluetooth devices such as a Bluetooth USB dongle and the command-line tools that we

62
00:07:46,070 --> 00:07:46,610
will see.

63
00:07:47,700 --> 00:07:52,290
Next, the Bluetooth service must be started.

64
00:07:55,710 --> 00:08:03,850
hciconfig is used to configure Bluetooth devices. Without parameters

65
00:08:03,870 --> 00:08:14,130
it prints basic information on a device, that is, the interface type, the Bluetooth device address and

66
00:08:14,130 --> 00:08:19,110
other flags such as the state of the interface, up or down,

67
00:08:21,510 --> 00:08:29,960
whether it is enabled, the scan, authentication type, encryption, etc.
68
00:08:31,860 --> 00:08:41,800
Another tool that you can use is hcitool, which is used to configure Bluetooth connections and

69
00:08:41,830 --> 00:08:51,500
send some special commands to Bluetooth devices; for example, with the lescan command hcitool

70
00:08:51,550 --> 00:08:56,950
inquires remote BLE devices, and for each discovered device

71
00:08:58,450 --> 00:09:06,920
it prints the device name. In recent versions of Linux, the command may not work.

72
00:09:07,820 --> 00:09:17,020
Another useful tool is gatttool, which can be used to manipulate attributes with a Bluetooth

73
00:09:17,020 --> 00:09:19,120
Low Energy device.

74
00:09:20,880 --> 00:09:28,650
And as an alternative to using the hcitool and gatttool commands in recent versions of the Linux kernel,

75
00:09:29,070 --> 00:09:34,560
it is possible to use the utility bluetoothctl.

76
00:09:35,310 --> 00:09:44,670
It allows you to initiate a scan of BLE devices, connect to them, and perform attribute read and write

77
00:09:44,670 --> 00:09:48,260
operations, and many other operations.

78
00:09:50,670 --> 00:10:02,610
The slide shows the gatt menu of bluetoothctl, along with all the commands that you can use

79
00:10:02,610 --> 00:10:06,600
after a connection to a BLE device.

80
00:10:11,940 --> 00:10:20,490
Several security vulnerabilities have been discovered in system-on-a-chip devices from

81
00:10:20,490 --> 00:10:31,080
various manufacturers, in the BLE SDK implementation, collectively referred to as "SweynTooth".

82
00:10:31,800 --> 00:10:41,910
According to the researchers, hackers in close physical proximity to vulnerable devices can abuse these

83
00:10:41,910 --> 00:10:51,060
vulnerabilities to remotely trigger deadlocks, crashes, and even bypass security in BLE products,

84
00:10:51,590 --> 00:11:00,360
allowing them to arbitrarily access device read or write functions that would otherwise only be

85
00:11:00,360 --> 00:11:04,170
accessible to an authorised user.
86
00:11:06,230 --> 00:11:15,170
Countermeasures for BLE vulnerabilities are to always update device firmware with

87
00:11:15,170 --> 00:11:18,550
vendor-released security patches whenever possible.

88
00:11:21,310 --> 00:11:29,710
In order to check, in a vulnerability assessment of a BLE device, the mandatory presence of authentication

89
00:11:30,070 --> 00:11:39,340
(requests for an authentication key) during connection, and the presence of encryption on data transmission, it is

90
00:11:39,340 --> 00:11:43,310
possible to use packet sniffing and analysis tools.

91
00:11:43,970 --> 00:11:50,140
The slide shows a couple of hardware devices useful for Bluetooth sniffing.

92
00:11:52,290 --> 00:12:01,690
For example, with the Ubertooth One tool, it is possible to use the command ubertooth-btle,

93
00:12:02,220 --> 00:12:10,170
which can sniff BLE connections and save the data traffic in a file for subsequent inspection with

94
00:12:10,170 --> 00:12:13,080
a packet analyzer such as Wireshark.

95
00:12:15,500 --> 00:12:22,820
There are more advanced and better-performing tools on the market for the acquisition and analysis of BLE data traffic,

96
00:12:23,120 --> 00:12:30,620
such as the Ellisys Bluetooth Vanguard tool, which is a Bluetooth protocol analyzer.

97
00:12:32,940 --> 00:12:35,260
OK, the lesson ends here.

98
00:12:35,490 --> 00:12:38,040
Thank you for your attention, bye.
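Added example, not part of the lesson or its slides: a small Python checker for the authentication check the lecture describes, applied to the SMP Pairing Request and Pairing Response PDUs sniffed with a tool such as ubertooth-btle and exported from Wireshark. It tells which of the four pairing mechanisms (Just Works, Passkey, Numeric comparison, Out-of-band) the two devices will negotiate. The PDU layout and selection rules follow the Bluetooth Core Specification; the function names and the sample bytes are my own constructed assumptions.

```python
# Pairing Request (0x01) / Response (0x02) layout, per the Bluetooth Core Specification (Vol 3, Part H):
# opcode, IO capability, OOB flag, AuthReq, max key size, initiator key dist, responder key dist.
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}

def parse_smp_pairing(pdu: bytes) -> dict:
    """Decode the fields of a Pairing Request/Response that drive pairing-method selection."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not a 7-byte SMP Pairing Request/Response PDU")
    auth_req = pdu[3]
    return {
        "io": IO_CAPS.get(pdu[1], "Reserved"),
        "oob": pdu[2] == 0x01,           # 0x01: OOB authentication data present
        "mitm": bool(auth_req & 0x04),   # bit 2: MITM protection requested
        "sc": bool(auth_req & 0x08),     # bit 3: LE Secure Connections supported
        "key_size": pdu[4],              # 7..16; anything below 16 weakens the link key
    }

def pairing_method(request: bytes, response: bytes) -> dict:
    """Apply the spec's selection order: OOB data, then MITM flags, then IO capabilities."""
    i, r = parse_smp_pairing(request), parse_smp_pairing(response)
    sc = i["sc"] and r["sc"]                      # Secure Connections only if both sides support it
    ios = (i["io"], r["io"])
    oob = (i["oob"] or r["oob"]) if sc else (i["oob"] and r["oob"])
    if oob:
        method = "Out-of-band"
    elif not (i["mitm"] or r["mitm"]):
        method = "Just Works"                     # neither side asked for MITM: IO caps are ignored
    elif "NoInputNoOutput" in ios:
        method = "Just Works"                     # the lecture's "device without a display" case
    elif "KeyboardOnly" in ios:
        method = "Passkey"
    elif "DisplayOnly" in ios:
        method = "Passkey" if "KeyboardDisplay" in ios else "Just Works"
    elif sc:
        method = "Numeric comparison"             # DisplayYesNo / KeyboardDisplay pairs under SC
    else:
        method = "Just Works" if ios == ("DisplayYesNo", "DisplayYesNo") else "Passkey"
    return {"method": method, "secure_connections": sc,
            "authenticated": method != "Just Works",
            "min_key_size": min(i["key_size"], r["key_size"])}

# Constructed sample capture: a phone (KeyboardDisplay, bonding + MITM + SC, 16-byte key)
# pairing with a smart lock that has no display or keypad (NoInputNoOutput, bonding only).
SAMPLE_REQUEST = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x0F, 0x0F])
SAMPLE_RESPONSE = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x0F, 0x0F])

if __name__ == "__main__":
    print(pairing_method(SAMPLE_REQUEST, SAMPLE_RESPONSE))  # method: Just Works, authenticated: False
```

A result of "Just Works" with authenticated False is the finding the lecture's assessment step is looking for: the link is paired without any key request, so encryption alone cannot be relied on against a nearby attacker.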