I am Ryan. I am going to be talking to you about a little project I did. I released it a couple of months ago. It's a CTF based on BLE. I'll tell you a little bit in depth about why I did it and some of the components of it and the makeup. So that's my Twitter handle, @hackgnar, if you want to send me anything.

So the de facto "who am I" slide before I get started. I work at Atlassian. I run the security intelligence team, which is our DFIR team globally and our red team. I'm an advisor for an endpoint security company named Ziften. It was kind of like a past life of mine when I worked there, but I'm happy at Atlassian now. I do a lot of Bluetooth stuff in my spare time. I'm an old-man skateboarder; I like to skateboard a lot. There's a picture of me trying to teach my kid to drop in on a quarter pipe. Anyone else here like to skateboard? If you do, there's a really cool skate park about 15 minutes from here that I went to the other day. It's called something like Roya Grand skate park. It's a really unique park that's all pump tracks. It killed my legs in about 20 minutes, but it was a lot of fun. And then I'm a regular member of AHA as well, which is an Austin thing: a bunch of security nerds that get together once a month.

Okay, so on with this, the important stuff. What is this thing? So the BLE CTF is a Bluetooth Low Energy CTF. It's built on an ESP32 chipset. So I did nothing with the hardware; I just wrote all the firmware for this thing that hosts the whole entire CTF. So there's my little disclaimer there that this chipset is not my creation, design or manufacture or anything like that. I just flashed the CTF to the firmware. You can even flash it on the DEF CON DarkNet badge this year because it's on an ESP32. So pretty cool; I was glad to get my hands on one of those. It's all written in C. I actually got the ESP32 because I heard you could do it in MicroPython. You can run MicroPython on it, and I was like, oh, that would be super quick, I can do this in like five minutes. But you can't run a MicroPython stack and keep the Bluetooth stack at the same time, so I just wrote it all in C.

The GATT server itself: basically the firmware creates a GATT server which hosts the CTF, and there are around 20 flags in total. And they're all meant to step you through iteratively, from beginning to more advanced steps in Bluetooth Low Energy.

So why did I create this thing? Right? I think throughout the years I've done a lot of Bluetooth talks and just a lot of Bluetooth research, and there wasn't a de facto standard way to educate people on Bluetooth Low Energy. Even in Bluetooth Classic it's the same problem. So I created the CTF, and it's really kind of an entry-level learning platform in order to get you ramped up to the skill set where you can start tinkering and hacking on Bluetooth Low Energy GATT servers. Low cost of entry, right? You can get these chips from China for about five dollars, so I didn't want to make anything that was super expensive. You need no prior Bluetooth experience if you want to get started with this. Don't think that you do; I've had my colleague Christian, who's in the audience, and he had no Bluetooth experience before. I used him as a guinea pig on the CTF to make sure that people could actually go through this thing from start to finish without knowing Bluetooth. And I wanted to get more people involved. I do a lot of Bluetooth talks, and a lot of times I just see people's eyes glaze over, like they have no idea what I'm talking about. So I just wanted more people involved in this. And I'd never written a GATT server before, so it was a challenge to myself.

All right. So what do you need to get started? As I mentioned, you'll need an ESP32 of any form, shape, whatever manufacturer. You can buy them on eBay for five dollars. You can buy them on Prime if you're impatient and get it the next day for ten dollars. Or if you don't want to flash it at all, I sell overpriced ones for either twenty dollars or a beer, and they're just pre-flashed with the CTF. And if you are getting one that's not pre-flashed, you'll need the source code, which is in my repo that I'll share later. Basically you just compile it up and then you flash it to the ESP32. And then I would recommend that you have a Linux box in order to do the CTF. A lot of people have contacted me and they're like, oh, I just did it on my phone with nRF Connect. You can. But I think you're better off with a Linux box, using standard Linux tools.

So from the software side, like I mentioned, if you're using a standard Linux box, you can really do the entire CTF with hcitool and gatttool. There are other tools that help, you know, evilsocket's tool, Bleah (if I'm pronouncing it wrong, let me know). It's really useful for visualizing a GATT server and seeing everything that's running on it. So really great tool for it. You don't need it; you can't actually do the whole CTF in Bleah, but it's really nice in order to just visualize what's going on. And then I provide a Vagrant script in the source repository as well that will just spin up a new box with all the tools that you need on it, if you're not running a Linux box and you're doing it on something like OS X.

Cool. What will you learn, right? If you do the CTF from start to finish, it teaches you all the basics of Bluetooth Low Energy, like interacting with a GATT server. So you'll learn how to do reads in many ways. You'll learn how to do writes in many ways. Notifications and notification tricks, indications and indication tricks. You'll learn to tinker with a lot of the client settings on a Bluetooth dongle in hcitool and things like that. And you'll learn a lot of the server structures that you will see in a GATT server. And there's a lot of other stuff in there, but these are the basics that you'll take away after you finish the CTF.

Cool. So I embedded a video demo. See if it even works. All right. So here's me. What's it? Cool. It's going over there, but not over here. This is just showing getting started, right? Like doing an hcitool scan and finding the CTF. So basically, after you plug in the ESP32 and it's live, you'll do a scan and you'll find the MAC address that you'll need in order to just poke around with it.

And the next one is flag one. This is not a spoiler. You can only get flag one by actually... sorry, the text is a little small there. I'll post these slides to my Git repo afterwards, though. Let's see if I can make it start. Yeah, screw this. Let's do it this way. So here I have the Git repo up and, oh God, it's not working over there. There you go. Demo. Okay.

So flag one is a gimme. You can only get it from reading the documentation, and the whole purpose of it is to actually just make sure that you know how to properly do a GATT read and a GATT write. So here on your left side, you'll see the repo. The repo hosts a hint for every single flag. None of the hints will actually give you a straight takeaway on how to actually get the flag, except for flag one, because flag one is just meant to be cut and paste: you swap out your MAC address and then you submit your flag value to the GATT server. So here in the bottom, I'm just going to read one characteristic handle. There's one handle inside of the GATT server that will basically tell you your score out of 20. So you have a zero out of 20 or you have a one out of 20, whatnot; it depends how many flags you've submitted. So the first thing we're going to do here is we're going to read that. We'll see that we have a zero out of 20 score. Then after that, we're going to take the value for flag one, which is given to you in the documentation, and we're going to do a gatttool write of that value. And you can do these GATT writes with either gatttool, or you can use Bleah, a really nice way to do it, especially for a lot of the ASCII values, because you can submit the ASCII straight and not have to convert the hex to ASCII. So it's a nice way to do it. And then after that, we're just going to go ahead and we're going to read the flag handle again, and we'll see that we have a score of one out of 20 instead of zero out of 20. And then just for clarity as well, we'll go ahead and we'll read the GATT server with Bleah in order to show all the values, which is a much nicer way to actually visualize the whole thing. So that's going to come up next. He's got cooler ASCII graphics than me too. But here you can see we now have a one out of 20. We submitted the first flag.

Cool. As for extras, there are some extras here. As I mentioned, you can do this whole CTF with just the basics using hcitool and gatttool. But I had a lot of people say, hey, you know, I wanted something that was more complex and I needed an Ubertooth or anything like that. I didn't make that a requirement because, as I mentioned before, I wanted this to be very entry level and cheap. But it is a great utility for learning to tinker with your Ubertooth or nRF Sniffer firmware. So as you do the whole entire CTF, you know the values that you're submitting from the client to the server. So sniffing the traffic with an Ubertooth or the Nordic Semiconductor sniffer firmware, you know what values you're looking for in the PCAP files. So it makes for a really nice tool. A lot of people have trouble when they first get into sniffing traffic with an Ubertooth or nRF Connect or the Nordic nRF Sniffer firmware, blah, blah, blah, because it's kind of fickle sometimes when you try to first sniff that initial connection in order to follow all the packets and dump your data into a PCAP. So this is a really nice way to learn how to hone your skills in those tools as well.

Another little Easter egg too: there are actually two LEDs on this version of the ESP32 development hardware that I'm using. So when you first fire it up, only the red light is on, and then any time anyone ever does a GATT read on any of your characteristics, the blue light turns on. So it's a really fun way to just walk around the conference and see if anyone's actually looking at your Bluetooth. I've actually had a couple of them running the whole entire time through, besides DEF CON and Black Hat, and I haven't had a blue light turn on once. So it gives you a little idea of how many people are actually just actively scanning all the Bluetooth devices out there.

And as I mentioned, I released this a few months ago and I've had really great feedback. A lot of people just saying that it's a great tool to learn Bluetooth from the ground up. I was actually impressed with all the feedback I've gotten. So if you have done the CTF and you've given me feedback, thank you very much, I appreciate it. But my favorite feedback is this one. There's an intern who I think lives in Minnesota, and that's his GitHub repo there. He forked the whole project into a fantasy RPG Bluetooth Low Energy CTF. So basically as you complete flags, you kill goblins and trolls and, you know, get cool swords and stuff. So I was like, dude, you're so amazing, that's a really cool project. So I don't know, but if you want to check out his stuff, it's there. I think his repo name is just btle_ctf_fun.

Cool. Future work. So I really love feedback. I love critical feedback as well. And I realize that a lot of people want more advanced versions of the CTF. So here's some of the future work that I'm working on and some of the timelines that I gave myself. So some of the stuff that I want to do for this version is to randomize all the flag values. So every time that you do make and make flash, you have randomized values in the actual GATT server. And then I submitted this to a couple of CTFs for upcoming conferences, and if I get accepted, then I want to write a CTFd harness for it. So the ESP32s are actually dual band; you can do Wi-Fi and Bluetooth on it. So it would actually be really easy to just hook up a networking harness to CTFd, so you can actually keep scores and have like 20 of these things spread out, and then everyone can actually do their own CTF and then you can see the scores in the competition. So those are the two things for version one I'm going to be adding.

And then I've started to work on V2. I hope to have it done by late September. And this one's just evil. I took every single evil GATT trick that I've learned and could think of, and I've started iterating it into POCs right now. And I'm going to just plug it all together and then have something in late September. For a lot of people, it's probably going to make you bang your head on the table and pull out all your hair, and you'll think that it's broken. But there's a lot of evil GATT stuff you can do that you just don't see in any device. But once you start using the APIs and coding it all in C and getting low level with it, there's a lot of really nasty stuff you can do. And then in late January, probably around ShmooCon time, I'm trying to get a V3 out, which would actually be two ESP32s. So that would actually have a requirement that you would need some type of sniffer hardware, whether it be Ubertooths or the Nordic Semiconductor sniffer firmware. So those are my rough deadlines, and I hope to get them done by then.

A couple of shout-outs. Thanks to everyone that's actually done it; I really appreciate the feedback. My friend Alec, who I was drinking beers with at ShmooCon and came up with this idea for the CTF. Christian, for making BTLE CTF stickers for me, because it's something I probably would have never done, and he was a good guinea pig. And then all my AHA people for listening to all my Bluetooth talks. And then here are the resources if you want to check out the project, the repos on the bottom, or you can just ping me, read my blog. I have a couple of write-ups on it as well. But yeah. That's it. Questions?

Brigids. Cool. And I got a bag full of these things too, if you want one, just come talk to me.

Oh, how did I get into attacking Bluetooth? I don't know. I started working on the Ubertooth firmware back when it was released. I did a DEF CON talk about it before Dominic did, so I have that one on him. He's not paying attention to me. But anyhoo. But that's how I got into it. I just started playing around with the Ubertooth and had a lot of fun with it and started just playing with Bluetooth.

Yeah, the question is what is the toolchain I'm using to flash the ESPs? It's just the... what is the manufacturer for them? Just the typical SDK for it, the Espressif software development kit. So that's it. For a couple of these you can actually use... I've never done it, but apparently you can flash a lot of the ESPs with Arduino and stuff like that. But I don't know if it'll work or not. I just use the Espressif SDK. Other questions? All right. That's it. Thank you for coming.
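The flag-one workflow above (read the score handle with gatttool, hex-encode the ASCII flag and write it, read the score again) is the part that trips up people new to gatttool, because the tool prints read values as space-separated hex and expects write values as a hex string. The helpers below are an added example written for this transcript; they are not code from the talk or from the BLE CTF repository. They build the gatttool command lines and decode its read output offline. The MAC address, the two handles, the flag text and the sample read line are all constructed placeholders; the real MAC comes from your hcitool scan and the real handles and flag values from the hints in the repo. The 20-byte limit is the ATT default MTU (23 bytes) minus the 3-byte Write Request header, which applies unless the client negotiates a larger MTU first.

```python
"""Offline helpers for the gatttool read/write steps of flag one.

Added example, not code from the talk or the BLE CTF repository. MAC,
handles, flag text and the sample read line are placeholders.
"""
import re
from typing import List, Tuple

# ATT default MTU is 23 bytes; a Write Request spends 3 on opcode + handle,
# so 20 bytes of value fit in one write unless a larger MTU was negotiated.
ATT_DEFAULT_WRITE_PAYLOAD = 20

# Constructed sample of the line `gatttool --char-read` prints for the
# ASCII value "1/20" (what the score handle might hold after one flag).
SAMPLE_READ_LINE = "Characteristic value/descriptor: 31 2f 32 30 "

_READ_RE = re.compile(r"Characteristic value/descriptor:\s*((?:[0-9a-fA-F]{2}\s*)+)")
_SCORE_RE = re.compile(r"(\d+)\s*/\s*(\d+)")


def decode_char_read(line: str) -> str:
    """Turn gatttool's space-separated hex dump back into text."""
    match = _READ_RE.search(line)
    if match is None:
        raise ValueError(f"not a gatttool read line: {line!r}")
    raw = bytes.fromhex("".join(match.group(1).split()))
    try:
        return raw.decode("ascii")   # flags and the score are ASCII strings
    except UnicodeDecodeError:
        return raw.hex()             # binary characteristic: report as hex


def parse_score(value: str) -> Tuple[int, int]:
    """Extract (solved, total) from a score string such as '1/20'."""
    match = _SCORE_RE.search(value)
    if match is None:
        raise ValueError(f"no score in {value!r}")
    return int(match.group(1)), int(match.group(2))


def fits_single_write(text: str, payload: int = ATT_DEFAULT_WRITE_PAYLOAD) -> bool:
    """True if the ASCII value fits one Write Request at the given payload size."""
    return len(text.encode("ascii")) <= payload


def encode_write_value(text: str) -> str:
    """Hex-encode an ASCII flag for gatttool's -n/--value argument."""
    if not fits_single_write(text):
        raise ValueError("value exceeds one ATT write at the default MTU; "
                         "negotiate a larger MTU or shorten the value")
    return text.encode("ascii").hex()


def read_cmd(mac: str, handle: int) -> List[str]:
    """argv for reading a characteristic by handle."""
    return ["gatttool", "-b", mac, "--char-read", "-a", f"0x{handle:04x}"]


def write_cmd(mac: str, handle: int, text: str) -> List[str]:
    """argv for a Write Request of an ASCII value to a handle."""
    return ["gatttool", "-b", mac, "--char-write-req",
            "-a", f"0x{handle:04x}", "-n", encode_write_value(text)]


if __name__ == "__main__":
    import shlex
    mac = "AA:BB:CC:DD:EE:FF"                    # placeholder; use the MAC from hcitool lescan
    score_handle, flag_handle = 0x002A, 0x002C   # placeholders; see the repo hints
    print(shlex.join(read_cmd(mac, score_handle)))
    print(shlex.join(write_cmd(mac, flag_handle, "flag-one-value")))   # placeholder flag text
    solved, total = parse_score(decode_char_read(SAMPLE_READ_LINE))
    print(f"sample read decodes to {solved}/{total}")
```

Running the script prints the two commands to paste into a shell and decodes the constructed sample line; the length check in `encode_write_value` is the caveat to keep in mind when a flag value is longer than 20 characters, since gatttool will not split it for you.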