Introduction to BLE hacking
2023-10-14 , Hochschule München - R0.009

Bluetooth is a ubiquitous protocol nowadays, embedded in almost every modern cell phone and generally used for low-power embedded devices and IoT. In this workshop we will learn the basics of the protocol and how to automate reconnaissance of devices, services and characteristics. The workshop is based on an open source CTF.


Prerequisites:

  • Laptop, ideally running Linux, with support for BLE and/or an external BLE dongle. (We have a couple of Raspberry Pis you can borrow for the duration of the workshop, subject to availability.)
  • VS Code or any modern text editor (to code C and Python)
  • Basic Python understanding (any general programming understanding is enough)
  • [OPTIONAL] ESP32 to flash your own target device (This is not required as we will provide targets)

Contents

Introduction to BLE protocol

  • What is BLE?
  • Short differentiation between Bluetooth Classic and BLE
  • GAP, GATT, ATT, SMP
  • Explain protocols on actual Wireshark traces (?)

Using BLEAK - https://github.com/hbldh/bleak

  • What is bleak?
  • What is a GATT client?
  • Installation
  • Flashing the target device - ESP32 + esptool.py
  • Exercise 0x01: Using Bleak to identify BLE devices
  • Exercise 0x02: Listing BLE services
  • Exercise 0x03: Walking the BLE service tree. GATT
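The following script is an added example written for this outline; it is not the workshop's own exercise code. The advertisement parser decodes the raw GAP advertising payload (the [length][type][data] structures that carry flags, local name, 16-bit service UUIDs and manufacturer data) and runs offline on a constructed payload. The two async helpers cover the Exercise 0x01 to 0x03 steps with bleak (scan, connect, walk services, characteristics and descriptors) and assume the `bleak` package is installed and a working BLE adapter is present; the device name, UUID list and company id in the sample are made up.

```python
"""Added example: GAP advertisement parsing plus a bleak GATT walk (not workshop code)."""
import asyncio
from typing import Any, Dict, List

# AD types from the Bluetooth assigned numbers (Core Specification Supplement)
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE = 0x02
AD_UUID16_COMPLETE = 0x03
AD_NAME_SHORT = 0x08
AD_NAME_COMPLETE = 0x09
AD_MANUFACTURER = 0xFF


def parse_ad_structures(payload: bytes) -> Dict[str, Any]:
    """Decode a raw advertising payload: a run of [len][type][data] structures.

    `len` counts the type byte plus the data. A structure whose declared length
    runs past the end of the payload is reported as truncated and parsing stops,
    which is the safe behaviour when the bytes come from a sniffer.
    """
    result: Dict[str, Any] = {
        "flags": None, "local_name": None, "service_uuids": [],
        "manufacturer_data": None, "truncated": False,
    }
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:              # zero-length structure is padding: skip it
            i += 1
            continue
        start, end = i + 1, i + 1 + length
        if end > len(payload):       # malformed: declared length exceeds payload
            result["truncated"] = True
            break
        ad_type, data = payload[start], payload[start + 1:end]
        if ad_type == AD_FLAGS and data:
            result["flags"] = data[0]
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            for j in range(0, len(data) - 1, 2):   # 16-bit UUIDs are little-endian
                result["service_uuids"].append("%04x" % int.from_bytes(data[j:j + 2], "little"))
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            result["local_name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            company = int.from_bytes(data[:2], "little")
            result["manufacturer_data"] = (company, bytes(data[2:]))
        i = end
    return result


# Constructed sample payload (not captured from a real device):
#   02 01 06            flags: LE General Discoverable, BR/EDR not supported
#   03 03 0F 18         complete list of 16-bit UUIDs: 0x180F (Battery Service)
#   08 09 "ESP-CTF"     complete local name (hypothetical)
#   05 FF 34 12 AA BB   manufacturer data, company id 0x1234 (placeholder)
SAMPLE_ADV = bytes.fromhex("020106" "03030f18" "0809") + b"ESP-CTF" + bytes.fromhex("05ff3412aabb")


async def discover_devices(timeout: float = 5.0) -> List[str]:
    """Exercise 0x01 style scan: one line per advertiser seen (needs bleak + adapter)."""
    from bleak import BleakScanner       # imported lazily so the parser works without bleak
    found = await BleakScanner.discover(timeout=timeout, return_adv=True)
    return [f"{dev.address} {adv.local_name or '<no name>'} rssi={adv.rssi}"
            for dev, adv in found.values()]


async def walk_gatt_tree(address: str) -> List[str]:
    """Exercises 0x02/0x03: connect and list services, characteristics and descriptors."""
    from bleak import BleakClient
    lines: List[str] = []
    async with BleakClient(address) as client:
        for service in client.services:
            lines.append(f"[service] {service.uuid} {service.description}")
            for char in service.characteristics:
                lines.append(f"  [char] {char.uuid} ({','.join(char.properties)}) {char.description}")
                for desc in char.descriptors:
                    lines.append(f"    [desc] {desc.uuid}")
    return lines


if __name__ == "__main__":
    import sys
    print(parse_ad_structures(SAMPLE_ADV))
    if len(sys.argv) > 1:            # python recon.py AA:BB:CC:DD:EE:FF walks that device
        print("\n".join(asyncio.run(walk_gatt_tree(sys.argv[1]))))
    else:
        print("\n".join(asyncio.run(discover_devices())))
```

Run it without arguments to scan, or pass a device address to walk its GATT tree. The parser is what you reach for when a sniffer hands you raw advertising bytes; bleak already exposes the same fields on its `AdvertisementData` object when scanning through a local adapter.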

Bluetooth Attacks / Sniffing

  • Sniffing on your device: Android HCI snoop logs (Wireshark)
  • Sniffing without access to any of the devices: Sniffle (Demo works, but probably no hands-on activity for the participants?)
  • (Maybe MITM attacks with active injection such as with mirage. But there was a BSides talk last year already)
  • BLE encryption - https://github.com/mikeryan/crackle
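As an added example for the "Sniffing on your device" item (not the workshop's code), here is a small reader for the Android HCI snoop log. It assumes the btsnoop v1 layout (8-byte magic, version and datalink fields, then 24-byte big-endian record headers) with the HCI H4 datalink that Android writes, and goes one step further than dumping records: it pulls ATT requests out of ACL packets so the GATT reads and writes of the GAP/GATT/ATT section can be seen without Wireshark. It runs on a constructed log built in the file; the connection handle, attribute handle and command bytes are made up for the sample.

```python
"""Added example: decode an Android HCI snoop (btsnoop v1, H4) log; not workshop code."""
import struct
from typing import Iterable, Iterator, List, NamedTuple, Optional, Tuple

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_HCI_H4 = 1002                         # HCI UART (H4) datalink id
H4_TYPES = {0x01: "CMD", 0x02: "ACL", 0x03: "SCO", 0x04: "EVT"}
L2CAP_CID_ATT = 0x0004
# A few ATT opcodes; the bool says whether an attribute handle follows the opcode
ATT_OPCODES = {
    0x0A: ("Read Request", True), 0x0B: ("Read Response", False),
    0x12: ("Write Request", True), 0x13: ("Write Response", False),
    0x52: ("Write Command", True), 0x1B: ("Handle Value Notification", True),
}


class SnoopRecord(NamedTuple):
    direction: str       # "host->ctrl" (flag bit 0 clear) or "ctrl->host" (bit 0 set)
    h4_type: str
    timestamp_us: int    # btsnoop epoch (microseconds since 1 Jan 0000), kept raw
    payload: bytes       # packet bytes after the H4 indicator byte


def iter_btsnoop(data: bytes) -> Iterator[SnoopRecord]:
    """Yield records from a btsnoop v1 / H4 blob; stops at a truncated record."""
    if not data.startswith(BTSNOOP_MAGIC):
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack_from(">II", data, 8)
    if version != 1 or datalink != DATALINK_HCI_H4:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    off = 16
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, ts = struct.unpack_from(">IIIIq", data, off)
        off += 24
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:                # file cut short: never emit a partial packet
            break
        off += incl_len
        if pkt:
            direction = "ctrl->host" if flags & 0x01 else "host->ctrl"
            yield SnoopRecord(direction, H4_TYPES.get(pkt[0], f"0x{pkt[0]:02x}"), ts, pkt[1:])


def att_summary(records: Iterable[SnoopRecord]) -> List[Tuple[str, str, Optional[int]]]:
    """(direction, ATT opcode name, handle) for each ACL packet on the ATT channel."""
    out: List[Tuple[str, str, Optional[int]]] = []
    for rec in records:
        p = rec.payload
        # ACL: handle/flags(2) len(2) | L2CAP: len(2) cid(2) | ATT: opcode(1) [handle(2)] ...
        if rec.h4_type != "ACL" or len(p) < 9:
            continue
        if int.from_bytes(p[6:8], "little") != L2CAP_CID_ATT:
            continue
        name, has_handle = ATT_OPCODES.get(p[8], (f"opcode 0x{p[8]:02x}", False))
        handle = int.from_bytes(p[9:11], "little") if has_handle and len(p) >= 11 else None
        out.append((rec.direction, name, handle))
    return out


def _record(flags: int, pkt: bytes, ts: int) -> bytes:
    """Encode one btsnoop record; only used to build the constructed sample below."""
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts) + pkt


# Constructed sample log: an HCI LE Set Scan Enable command (flag bit 1 = command),
# then an ATT Write Request of value b"A" to handle 0x0025 on connection handle 0x0040.
_ATT = bytes([0x12, 0x25, 0x00, 0x41])
_L2CAP = struct.pack("<HH", len(_ATT), L2CAP_CID_ATT) + _ATT
_ACL = bytes([0x02]) + struct.pack("<HH", 0x0040, len(_L2CAP)) + _L2CAP
_CMD = bytes([0x01, 0x0C, 0x20, 0x02, 0x01, 0x00])
SAMPLE_LOG = (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_HCI_H4)
              + _record(0x02, _CMD, 1_000) + _record(0x00, _ACL, 2_000))

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = list(iter_btsnoop(blob))
    print(f"{len(recs)} records")
    for entry in att_summary(recs):
        print(entry)
```

Pass the `btsnoop_hci.log` pulled from the phone as the first argument; with no argument it decodes the built-in sample. Only ATT over ACL is summarised here; LE connection events and SMP pairing packets are still visible as raw records.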

Using Bless - https://github.com/kevincar/bless

  • Recap: What is a GATT server?
  • Implementing advertising
  • Emulating iBeacon:
    • AirTags

Optional section: Creating firmware


Which keywords describe your submission?:

BLE, wireless, IOT

N00b learning to hack.

Daniel Schwendner is a DevOps Engineer with a strong passion for Cyber Security. With a background in mobile application security and hardware security, he participates in bug bounty hunting and shares his security knowledge online.