In this lab we cover an Introduction about Bluetooth security, its main transports (BC, BLE), procedures (discovery, connect) and logical entities (Host, Controller, HCI). Then we look at Bluetooth security architecture and the specific BC/BLE algorithms and protocols. We conclude by talking about state of the art attacks that we developed against this protocols including KNOB, BIAS, and BLUR.
To discover the protocol, you will build your own BLE-enabled device using an ESP32 System-on-Chip and Apache NimBLE, an open-source Bluetooth 5.1 stack. Then, you will explore how to interact with your devices using BlueZ command-line tools and monitor traffic with Wireshark. Finally, we will dive deeper into BLE security by reproducing KNOB attack setup, a critical attack exploiting a severe vulnerability in the Bluetooth specification.