I've just watched all your videos and have to say they're awesome!
Thanks! Looking forward to making more :)
This is a very cool series. Please make more of it. I did something similar with these Chinese fitness trackers and it was really cool to see how easy it is to sniff BLE data. Now I am planning to reverse engineer the BLE stack of a Xiaomi fitness tracker and your series will help a lot.
Thank you for this amazing video series.
Great series of videos. Used this as a foundation for a BLE hacking workshop I'm attending at DEFCON this year.
Great part 3, nice work dude! Wish I had gone to CornCon!
Thanks! I'm hoping to go next year!
@mattbrwn ever go to DEFCON or Cyphercon?
will be at defcon in the IoT village!
speaking at cyphercon :D
cyphercon.com/presentation/weighing-in-on-smart-health-device-security-hacking-a-smart-scale/
Keep up the good work, I love these.
Incredible content, thank you so much!
It's interesting that we all try to avoid being tracked, yet we radio tag ourselves with all these BT devices advertising our MAC addresses. With a little directional antenna I can find someone without reverse engineering anything; stick that on a drone and yikes.
Best explanation I've seen. Ty
Excellent series Matt, really found it useful! Can data captured by the Bluefruit LE Sniffer be passed to a Kali Linux VM, or should I install Kali natively on my machine? I'm attempting to pen test (complete beginner) a few smart bulbs. I do have the nRF52840 but I'm dreading configuring it after having completed the configuration of the Bluefruit LE Sniffer!
Amazing content!
Thank you!
Nice tutorial, but I think a BLE dongle with an SMA connector would be much better because you can put a Yagi antenna on it. That way you can reach devices much further away, or be much closer to close ones ;)
Any idea which would be suitable for this?
This is great. Thank you! What if the value returned by the BLE device is non-legible? Would this mean that the value may be custom encrypted?
I have a question more related to what you said in part 2: you mentioned being connected to the 3 channels for a connection. Can one force a disconnect to force a reconnect of the target using some type of jamming, maybe?
Awesome videos. Love from China!
Which smart watch or heart rate monitor are you using?
Great info. Any links on how to reverse engineer an app? I've got 6 recliners that the kids leave open. I just wanna hit one button and close all of them. lol
I am working on interfacing with a medical device that measures blood pressure, heart rate, etc. This device uses custom services and characteristics. In the past, its now unsupported companion application would authenticate with the device by sending a code to one of the characteristics during the binding process.
I've observed that the smartphone sends an encoded authentication code to the device (the user must enter this code). I captured the encoded message with the Android log and have seen it in Wireshark. However, I'm not sure how to reproduce this encoded value for my own application, which I am developing in Python.
Can you help me understand how I can reproduce the same result?
Thank you!
I have a question. I have 3 nRF52840s, but I can only clone the BLE device and could not clone the mobile device. Could you please help?
I am genuinely convinced that my neighbor has a similar system set up to yours. Would you have any recommendations for exposing or locating this device?
Man nice
How could I get a sample of a MitM attack with your tool?
With what is shown in these videos you can't do a true MitM attack. BLE MitM attacks are HARD to pull off.
The best you can do is to program a BLE peripheral device to have all the same services and clone the MAC address of the device you want to act as. Then you can program it to act as the real device and could potentially have it relay everything to the real device after connecting to it. This would take A LOT of work.
@mattbrwn is there any document about the steps?
@mattbrwn also, another question: is it possible to clone the smartphone as well?
How can I find any vulnerabilities in BLE?
which BLE device are you targeting?
Have you heard of car hacking with Bluetooth?