3-Day Training: Blue Oceans – Advanced Attacks Against BLE, NFC, HCE and more (Amsterdam, Netherlands – May 6-8, 2019) – ResearchAndMarkets.com

The “Training: Blue Oceans: Advanced Attacks Against BLE, NFC, HCE and more” training has been added to ResearchAndMarkets.com’s

Bluetooth Low Energy is one of the fastest-growing IoT technologies. BLE
devices surround us more and more – not only as wearables, toothbrushes
and sex toys, but also as smart locks, medical devices and banking tokens.

Alarming vulnerabilities in these devices have been exposed repeatedly in
recent years – and yet knowledge of how to comprehensively assess their
security remains rare, not to mention best-practice guidelines, which are
practically absent.

This is probably the most exhaustive and up-to-date training on BLE
security – for both pentesters and developers. It compresses years of
painful debugging and reverse engineering into practical, usable
checklists, and is based on hands-on exercises on real devices (including
multiple smart locks) as well as a deliberately vulnerable training
device, Hackmelock.

NFC, on the other hand, has been around for quite a long time. However,
the vulnerabilities pointed out years ago probably won’t be resolved in
the near future. It is still surprisingly easy to clone most access
control cards used in buildings today. Among other practical exercises
performed on real installations, attendees will reverse-engineer an
example hotel access system, and as a result will be able to open all
the doors in the facility. A list of several hundred hotels affected

With the prevalence of NFC smartphones, a new implementation of this
technology has recently been gaining attention: mobile contactless
payments and access control, known on Android as Host Card Emulation
(HCE). Using a combination of cloud services and mobile security, it is
now possible to embed a credit card (or the NFC key to a lock) in your
phone. Is the technology as robust as advertised? How do you check its
security, and how do you implement it correctly? Find out during
practical exercises, including a step-by-step guide on how to bypass
security mechanisms and clone a contactless payment card.

Key Learning Objectives

  • In-depth knowledge of Bluetooth Low Energy, common implementation
    pitfalls, device assessment process and best practices for
  • Ability to identify vulnerable access control systems, clone cards and
    reverse-engineer data stored on card
  • Understanding mobile contactless payments technology, possible
    attacks, risks and countermeasures

Prerequisite Knowledge

  • Basic familiarity with the Linux command line and Kali
  • Scripting skills, pentesting experience and an Android mobile
    application security background will be an advantage, but are not
    crucial

Hardware / Software Requirements

  • Contemporary laptop capable of running Kali Linux in virtual machine,
    and at least one USB port
  • You can bring your own BLE device or access control card to check its

Each student will receive:

  • Course materials in PDFs (several hundred pages)
  • All required additional files: source code, documentation,
    installation binaries, virtual machine images on a pendrive

Take-away hardware pack of 300 EUR value for hands-on exercises,
consisting of:

  • Rooted NFC- and BLE-capable Android smartphone with all the required
    applications; root-hiding and device characteristics spoofing
    frameworks configured
  • Proxmark3 with latest firmware
  • Multiple RFID/NFC tags for cracking and cloning, including Chinese
    magic UID, T5577, Ultralight, HID Prox, iClass, EV1, Mifare Classic
    with various content (bus ticket, hotel, e-wallet)
  • NFC PN532 board (libnfc)
  • Raspberry Pi 3 (+microSD card and 3 A power adapter), with assessment
    tools and Hackmelock installed for further hacking at home
  • Bluetooth Smart hardware sniffer (nRF, BtleJack) and development kit
    based on nrf51822 module
  • ST-Link V2 SWD debugger for programming nRF boards
  • 2 x Bluetooth Low Energy USB dongles

Each attendee will receive a hardware pack that includes, among other
items, a Proxmark3, a rooted Android smartphone and a Raspberry Pi
(detailed in the list above). The hardware allows for BLE analysis
(sniffing, intercepting), cloning and cracking multiple kinds of
proximity cards, analysing BLE or NFC mobile applications, and
practising most of the training exercises later at home.


Time: 9.00am – 6.00pm

Day 1

  • Bluetooth Smart (Low Energy)
  • Based on, among others, about 10 different smart locks, beacons, a
    mobile PoS, a banking token and numerous other devices, as well as
    tools developed by the trainer: the GATTacker BLE MITM proxy and the
    deliberately vulnerable Hackmelock (consisting of an Android mobile
    application and a lock device simulated on a Raspberry Pi).
  • Theory introduction
  • BLE beacons
  • Other BLE advertisements
  • Sniffing BLE connections using RF layer hardware
  • HCI dump (Linux, Android) – setup, analysis, difference from RF-layer
    sniffing, replay/fuzzing possibilities
  • Attacking services exposed by devices
  • Device spoofing, active MITM interception
  • Replay attacks
  • Mobile application analysis, attacks on proprietary authentication and
  • Relay attacks – abusing automatic proximity features (e.g. smart lock

Day 2

  • Advanced BLE MITM topics
  • Remote access share functions and their weaknesses – how to bypass
    timing restrictions.
  • Device DFU firmware update OTA services.
  • How to create your own, independent server-side API for a device –
    based on a real smart lock vendor which disappeared and shut down its
    servers, effectively rendering the device e-waste.
  • Bluetooth link-layer encrypted connections
  • Web Bluetooth – interfacing with nearby devices from JavaScript.
  • Bluetooth Mesh, Bluetooth 5.0 – what these technologies change and
    what not in terms of BLE security.
  • BLE Hackmelock – open-source software emulated device with multiple
    challenges to practice at home.
  • BLE best practices and security checklist – for security
    professionals, pentesters, vendors and developers.
  • NFC
  • Comprising hands-on exercises on real access control installations, a
    hotel system and mobile payment applications. Every time a student
    succeeds in bypassing an access control system (e.g. by cloning a
    card), a specially prepared box will automatically unlock and allow
    them to collect a delicious prize.
  • Short introduction
  • UID-based access control – practical exercises on example reader +
    door lock
  • Wiegand – wired access control transmission standard
  • Mifare Ultralight

Day 3

  • Mifare Classic & its weaknesses – practical exercises based on hotel
    door lock system, ski lift card, bus ticket
  • Reverse-engineering data stored on card – based on a real hotel system
  • ISO15693/iCode SLIX
  • Intercepting card data from distance – building antenna, possibilities
    and limits.
  • Other cards: Mifare Plus, DESFire, Ultralight C, EV1, EV2, HID
    iClass/iClass SE – known attacks, cloning possibilities, default &
    leaked keys, security best practices.
  • EMV
  • Mobile contactless payments & more

For more information about this training visit https://www.researchandmarkets.com/research/kxptlz/3day_training?w=4


Laura Wood, Senior Press Manager
E.S.T Office Hours Call 1-917-300-0470
For U.S./CAN Toll Free Call
For GMT Office Hours Call +353-1-416-8900
Topics: Professional Development and Training, Near Field Communication
