Cool! I have been using a Nordic BLE sniffer for reverse engineering fitness bands, which is awful because it's only half duplex. Can't wait to try this out.
Imagine it connects to your phone and reports temperature, tilt, humidity, its location, works as a compass (Why not use the phone directly? Well maybe I need to monitor the trailer I am trying to get level as I adjust the front wheel?)
Haha, looks like Victorinox did actually propose a "Presentation Pro" which was to include a bluetooth remote for powerpoint presentations. Doesn't seem to be for sale on the Victorinox website though.
This attack has zero effect on connections established using mitm-protected paring method. This attack is a non-event to any device that follows proper security design as per BT spec
> BLE 4.2 adds 'Secure Connections'. This is apparently also broken and what's more it was broken in 2008 when the same pairing method was used in Bluetooth 2.1!! It doesn't totally break pairing - only the passkey entry method - and you only learn the passkey, not the LTK. But it does allow an attacker to perform a MitM attack if the passkey isn't changed for every pairing attempt.
Are you talking about the pairing protection that came in with 4.2 - released as a standard 2014-12?
I'd have to check versions of my LE BT gear, but I'd expect most of it is more than 4 years old. Earlier versions had some security on the handshake, but AFAIK just how secure that was depends on how cautious/competent the vendor was.
Happy to get more insightful information from you.
I’ve only used Ubertooth [0] to sniff BLE. I was not very impressed with its ability to follow connections (it would frequently miss the connection exchange due to channel hopping).
Can using multiple micro:bits at once with BTLEJack increase the success rate?
Most BLE diagnostic equipment that guarantees capture of all traffic costs over $10k.
I've used a professional wideband BLE analyser before (I can't remember which one unfortunately) and while it was a few thousand pounds, I don't think it cost as much as $10k.
Also I've used Nordic's sniffer program before and it worked well and is free (plus a very small amount for the hardware). Windows only though.
25 comments
[ 3.3 ms ] story [ 62.5 ms ] threadI was very excited to find out how and why anybody would put BLE into a literal multi tool!
> Person 2: Take a look.
"Your Swiss-Army Knife is now connected"
> Person 1: Nice.
> Person 2: Nice.
https://www.engadget.com/2009/01/09/victorinox-presentation-...
(like all the larger Swiss Army knives, it's a gimmick.)
I thought exact same thing and realized what my (actual physical) Swiss Army Knife is missing.
Disappointed
But I gather a third party can force a handshake refresh at will, which may be what they're doing here. Code's available. : )
This attack has zero effect on connections established using mitm-protected paring method. This attack is a non-event to any device that follows proper security design as per BT spec
Fixed with the BT LE Secure Connections key exchange, but many devices don't implement that
(Heading: Pairing Methods for LE Secure Connections (4.2 devices only))
https://devzone.nordicsemi.com/f/nordic-q-a/14481/secure-ble...
I'd have to check versions of my LE BT gear, but I'd expect most of it is more than 4 years old. Earlier versions had some security on the handshake, but AFAIK just how secure that was depends on how cautious/competent the vendor was.
Happy to get more insightful information from you.
1. See a BLE connection in place.
2. Get address information.
3. Jam connection.
4. Watch re-authentication.
5. Use observed authentication.
Can using multiple micro:bits at once with BTLEJack increase the success rate?
Most BLE diagnostic equipment that guarantees capture of all traffic costs over $10k.
[0] - https://github.com/greatscottgadgets/ubertooth
Also I've used Nordic's sniffer program before and it worked well and is free (plus a very small amount for the hardware). Windows only though.
https://www.tesla.com/support/model-3#phone-key