Sources & References
This page lists all sources used, further reading, and useful resources.
Official Specifications
Bluetooth SIG
| Document | Version | Link |
|---|---|---|
| Bluetooth Core Specification | 5.4 | bluetooth.com/specifications |
| GATT Specification | - | bluetooth.com/specifications |
| Assigned Numbers | - | bluetooth.com/specifications/assigned-numbers |
| Security Manager Specification | - | Part of the Core Spec |
Citation format
@techreport{bluetooth_core_5_4,
title = {Bluetooth Core Specification},
version = {5.4},
year = {2023},
institution = {Bluetooth SIG},
url = {https://www.bluetooth.com/specifications/specs/core-specification-5-4/}
}
Security Standards & Frameworks
OWASP
| Document | Description | Link |
|---|---|---|
| OWASP ISTG v1.0 | IoT Security Testing Guide | owasp.org/istg |
| OWASP IoT Top 10 | Most common IoT vulnerabilities | owasp.org/iot-top-10 |
| OWASP Mobile Security | Mobile App Testing | owasp.org/mastg |
@techreport{owasp_istg,
title = {OWASP IoT Security Testing Guide},
version = {1.0},
year = {2024},
institution = {OWASP Foundation},
url = {https://owasp.org/www-project-iot-security-testing-guide/}
}
NIST
| Document | Description | Link |
|---|---|---|
| NIST SP 800-213 | IoT Device Cybersecurity | nist.gov |
| NIST SP 800-183 | Networks of Things | nist.gov |
| NISTIR 8259 | IoT Device Manufacturers | nist.gov |
@techreport{nist_sp800_213,
title = {IoT Device Cybersecurity Guidance for the Federal Government},
number = {SP 800-213},
year = {2021},
institution = {NIST},
url = {https://csrc.nist.gov/publications/detail/sp/800-213/final}
}
BSI
| Document | Description | Link |
|---|---|---|
| BSI TR-03148 | Secure Broadband Router | bsi.bund.de |
| BSI-Grundschutz | IT-Grundschutz Compendium | bsi.bund.de |
EU/ETSI
| Document | Description | Link |
|---|---|---|
| ETSI EN 303 645 | Cyber Security for Consumer IoT | etsi.org |
| EU CRA 2024/2847 | Cyber Resilience Act | eur-lex.europa.eu |
@techreport{etsi_en_303645,
title = {Cyber Security for Consumer Internet of Things: Baseline Requirements},
number = {ETSI EN 303 645},
version = {2.1.1},
year = {2020},
institution = {ETSI},
url = {https://www.etsi.org/deliver/etsi_en/303600_303699/303645/}
}
Scientific Publications
BLE Security Research
| Title | Authors | Year | Conference/Journal |
|---|---|---|---|
| Breaking BLE Beacons for Fun but Mostly Profit | Zuo et al. | 2019 | WiSec |
| SweynTooth: Unleashing Mayhem over Bluetooth Low Energy | Garbelini et al. | 2020 | USENIX Security |
| KNOB Attack | Antonioli et al. | 2019 | USENIX Security |
| BLESA: Spoofing Attacks against Reconnections in BLE | Wu et al. | 2020 | WOOT |
| Method Confusion Attack on Bluetooth Pairing | von Tschirschnitz et al. | 2021 | IEEE S&P |
@inproceedings{sweyntooth2020,
title = {SweynTooth: Unleashing Mayhem over Bluetooth Low Energy},
author = {Garbelini, Matheus E. and others},
booktitle = {USENIX Security Symposium},
year = {2020}
}
@inproceedings{knob2019,
title = {The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation of Bluetooth BR/EDR},
author = {Antonioli, Daniele and Tippenhauer, Nils Ole and Rasmussen, Kasper},
booktitle = {USENIX Security Symposium},
year = {2019}
}
@inproceedings{blesa2020,
title = {BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy},
author = {Wu, Jianliang and others},
booktitle = {WOOT},
year = {2020}
}
IoT Security
| Title | Authors | Year | Conference/Journal |
|---|---|---|---|
| Internet of Things Security: A Survey | Alaba et al. | 2017 | IJCSI |
| IoT Security: Review, Blockchain Solutions, and Open Challenges | Khan & Salah | 2018 | Future Generation Computer Systems |
Books
BLE Development
| Title | Author | Year | ISBN |
|---|---|---|---|
| Getting Started with Bluetooth Low Energy | Townsend et al. | 2014 | 978-1491949511 |
| Bluetooth Low Energy: The Developer's Handbook | Heydon | 2012 | 978-0132888363 |
| Inside Bluetooth Low Energy | Gupta | 2016 | 978-1630810894 |
@book{townsend2014ble,
title = {Getting Started with Bluetooth Low Energy},
author = {Townsend, Kevin and Cufí, Carles and Davidson, Robert},
year = {2014},
publisher = {O'Reilly Media},
isbn = {978-1491949511}
}
Security & Reverse Engineering
| Title | Author | Year | ISBN |
|---|---|---|---|
| The IoT Hacker's Handbook | Gupta | 2019 | 978-1484242995 |
| Practical IoT Hacking | Chantzis et al. | 2021 | 978-1718500907 |
| Android Security Internals | Elenkov | 2014 | 978-1593275815 |
| Practical Reverse Engineering | Dang et al. | 2014 | 978-1118787311 |
@book{practical_iot_hacking,
title = {Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things},
author = {Chantzis, Fotios and others},
year = {2021},
publisher = {No Starch Press},
isbn = {978-1718500907}
}
Tools & Documentation
BLE Analysis
| Tool | Description | Link |
|---|---|---|
| blatann | Python BLE library for nRF52 | blatann.readthedocs.io |
| Wireshark | Network protocol analysis | wireshark.org |
| nRF Sniffer | BLE Packet Sniffer | nordicsemi.com |
| BlueZ | Linux Bluetooth Stack | bluez.org |
| Ubertooth | Open-Source BLE Sniffer | greatscottgadgets.com |
Reverse Engineering
| Tool | Description | Link |
|---|---|---|
| JADX | Android APK Decompiler | github.com/skylot/jadx |
| Ghidra | NSA Reverse Engineering Suite | ghidra-sre.org |
| Frida | Dynamic Instrumentation | frida.re |
| APKTool | APK Unpacker | apktool.org |
| Radare2 | Reverse Engineering Framework | radare.org |
Vulnerability Databases
| Resource | Description | Link |
|---|---|---|
| CVE | Common Vulnerabilities and Exposures | cve.mitre.org |
| NVD | National Vulnerability Database | nvd.nist.gov |
| FIRST CVSS | CVSS Calculator | first.org/cvss |
| CWE | Common Weakness Enumeration | cwe.mitre.org |
| CAPEC | Attack Pattern Enumeration | capec.mitre.org |
Legal Basis
Germany
| Law | Description | Link |
|---|---|---|
| StGB §202a | Data espionage | gesetze-im-internet.de |
| StGB §202b | Interception of data | gesetze-im-internet.de |
| StGB §202c | Preparation of data espionage | gesetze-im-internet.de |
| DSGVO | General Data Protection Regulation | eur-lex.europa.eu |
| BDSG | Federal Data Protection Act | gesetze-im-internet.de |
Draft bill on modernization
| Document | Date | Link |
|---|---|---|
| RefE Modernisierung Computerstrafrecht | Nov 2024 | bmj.de |
Disclosure & Coordination
| Organization | Description | Contact |
|---|---|---|
| BSI | Coordinated vulnerability disclosure | [email protected] |
| CERT/CC | US-CERT Coordination Center | [email protected] |
| FIRST | Forum of Incident Response Teams | first.org |
| ZDI | Zero Day Initiative | zerodayinitiative.com |
Online Resources
Tutorials & Blogs
| Resource | Description | Link |
|---|---|---|
| Bluetooth SIG Blog | Official news | bluetooth.com/blog |
| Nordic DevZone | nRF Development | devzone.nordicsemi.com |
| Adafruit BLE Guide | Beginner tutorial | learn.adafruit.com |
| Reverse Engineering BLE | Blog series | Various |
CTF & Challenges
| Resource | Description | Link |
|---|---|---|
| HackTheBox | Security Challenges | hackthebox.com |
| DVID | Damn Vulnerable IoT Device | github.com/Vulcainreo/DVID |
Hardware Sources
| Vendor | Product | Price | Link |
|---|---|---|---|
| Mouser | nRF52840 Dongle | ~10€ | mouser.de |
| DigiKey | nRF52840 Dongle | ~10€ | digikey.de |
| Nordic | Direct | ~10€ | nordicsemi.com |
Note
All links were last checked in November 2025. Please open an issue for dead links.