KNOB attack Lab

KNOB attack on Bluetooth Low Energy

Welcome to this lab, developed by Daniele Antonioli, Romain Cayre, Aurélien Hernandez, Marco Casagrande and Tommaso Sacchetti. In this lab, you will discover Bluetooth Low Energy security in practice!

Build your own vulnerable BLE device!

In this lab we start with an introduction to Bluetooth security: its main transports (BC, BLE), its procedures (discovery, connection) and its logical entities (Host, Controller, HCI). Then we look at the Bluetooth security architecture and the specific BC/BLE algorithms and protocols. We conclude by discussing state-of-the-art attacks that we developed against these protocols, including KNOB, BIAS, and BLUR.

To discover the protocol, you will build your own BLE-enabled device using an ESP32 System-on-Chip and Apache NimBLE, an open-source Bluetooth 5.1 stack. Then, you will explore how to interact with your device using the BlueZ command-line tools and monitor its traffic with Wireshark. Finally, we will dive deeper into BLE security by reproducing the KNOB attack setup, a critical attack exploiting a severe vulnerability in the Bluetooth specification.

1. Getting started

In this first part, we introduce the hardware used in this lab and configure the software environment.

2. Create a BLE Peripheral

In this part, we describe how to use the Espressif SDK to build a NimBLE example that spawns a BLE peripheral.

3. Bluetooth traffic analysis

In this part, we introduce how to interact with your ESP32 over the Bluetooth Low Energy protocol and how to monitor the traffic using Wireshark.

4. Create a BLE KNOB Attack Tester

In this part, we cover how to modify the NimBLE framework to simulate the KNOB attack.