25 comments

[ 3.3 ms ] story [ 62.5 ms ] thread
Cool! I have been using a Nordic BLE sniffer for reverse engineering fitness bands, which is awful because it's only half duplex. Can't wait to try this out.
Using Hacker News as a mechanical engineer with not much interest in software sometimes leads to cases where I misinterpret article titles.

I was very excited to find out how and why anybody would put BLE into a literal multi tool!

> Person 1: BLE in a Swiss-Army Knife.. what can you do with that?

> Person 2: Take a look.

"Your Swiss-Army Knife is now connected"

> Person 1: Nice.

> Person 2: Nice.

Oh look, it's downloading a software update!
Imagine it connects to your phone and reports temperature, tilt, humidity, its location, works as a compass (Why not use the phone directly? Well maybe I need to monitor the trailer I am trying to get level as I adjust the front wheel?)
Electrical engineer here: and I also read the title, wondering who would 'put BLE into a literal multi tool!' :-)
This.

I thought exact same thing and realized what my (actual physical) Swiss Army Knife is missing.

Disappointed

Are ble connections neither encrypted nor authenticated? How on Earth does the connection hijacking work so simplistically?
My understanding is the initial handshake is not terribly secure, and sniffers watching that can obtain the long term key used by the pair forever.

But I gather a third party can force a handshake refresh at will, which may be what they're doing here. Code's available. : )

False, basically on every count.

This attack has zero effect on connections established using mitm-protected paring method. This attack is a non-event to any device that follows proper security design as per BT spec

There are vulnerabilities in the "standard" LE pairing, even with MITM, that make these things possible.

Fixed with the BT LE Secure Connections key exchange, but many devices don't implement that

> BLE 4.2 adds 'Secure Connections'. This is apparently also broken and what's more it was broken in 2008 when the same pairing method was used in Bluetooth 2.1!! It doesn't totally break pairing - only the passkey entry method - and you only learn the passkey, not the LTK. But it does allow an attacker to perform a MitM attack if the passkey isn't changed for every pairing attempt.

https://devzone.nordicsemi.com/f/nordic-q-a/14481/secure-ble...

Are you talking about the pairing protection that came in with 4.2 - released as a standard 2014-12?

I'd have to check versions of my LE BT gear, but I'd expect most of it is more than 4 years old. Earlier versions had some security on the handshake, but AFAIK just how secure that was depends on how cautious/competent the vendor was.

Happy to get more insightful information from you.

Not even looking at the code:

1. See a BLE connection in place.

2. Get address information.

3. Jam connection.

4. Watch re-authentication.

5. Use observed authentication.

They are both, if either side requests it. If you do not, you deserve what you get.
Ok that makes sense. I'm resisting to urge to hack my Vivosmart.
I’ve only used Ubertooth [0] to sniff BLE. I was not very impressed with its ability to follow connections (it would frequently miss the connection exchange due to channel hopping).

Can using multiple micro:bits at once with BTLEJack increase the success rate?

Most BLE diagnostic equipment that guarantees capture of all traffic costs over $10k.

[0] - https://github.com/greatscottgadgets/ubertooth

I've used a professional wideband BLE analyser before (I can't remember which one unfortunately) and while it was a few thousand pounds, I don't think it cost as much as $10k.

Also I've used Nordic's sniffer program before and it worked well and is free (plus a very small amount for the hardware). Windows only though.