Update On The BLUFFS Bluetooth Vulnerability

As we first reported in yesterday’s weekly security post, researchers at EURECOM have revealed the details (PDF, references) of a new man-in-the-middle (MITM) attack on Bluetooth 4.2 through 5.4, which has been assigned CVE-2023-24023. Like preceding CVEs, it concerns the session authentication between Bluetooth devices, where the attacker uses spoofed paired or bonded devices to force the use of a much shorter encryption key length.

The name of this newly discovered vulnerability is BLUFFS (Bluetooth Forward and Future Secrecy), where forward and future secrecy are important terms that refer to the protection of secure sessions against compromise in the past (forward, FoS) and future (FuS). The CVE presentation notes that the Bluetooth specification does not cover either FuS or FoS. In total, two new architectural vulnerabilities were discovered, both of which attack the security key.

The Bluetooth SIG has released a statement regarding this attack method. Although serious, it would seem that the core issue is that some implementations allow for encryption key lengths below 7 octets:

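A defender-side check that follows from the key-length point above, written for this post as an added example (it is not code from EURECOM, the Bluetooth SIG or Hackaday): after a link is encrypted, a host can issue HCI_Read_Encryption_Key_Size and refuse to trust any link whose negotiated key is shorter than 7 octets. The Command Complete layout follows the HCI specification; the two sample events are constructed, not captured.

```python
import struct

HCI_EVT_COMMAND_COMPLETE = 0x0E
# HCI_Read_Encryption_Key_Size: OGF 0x05 (Status Parameters), OCF 0x0008
OPCODE_READ_ENC_KEY_SIZE = (0x05 << 10) | 0x0008  # 0x1408
MIN_KEY_SIZE_OCTETS = 7  # lower bound implementations are advised to enforce


def parse_read_enc_key_size(event: bytes):
    """Parse a Command Complete event carrying the key size of a link.

    Layout: Event_Code(1) Param_Len(1) Num_HCI_Cmd_Pkts(1) Opcode(2 LE)
            Status(1) Connection_Handle(2 LE) Key_Size(1)
    Returns (connection_handle, key_size), or None when the event is not a
    successful reply to HCI_Read_Encryption_Key_Size.
    """
    if len(event) < 2 or event[0] != HCI_EVT_COMMAND_COMPLETE:
        return None
    param_len = event[1]
    params = event[2:2 + param_len]
    if len(params) != param_len or param_len < 7:
        return None
    _num_pkts, opcode, status, handle, key_size = struct.unpack("<BHBHB", params[:7])
    if opcode != OPCODE_READ_ENC_KEY_SIZE or status != 0x00:
        return None
    return handle & 0x0FFF, key_size  # upper 4 bits of the handle are reserved


def key_size_acceptable(event: bytes, minimum: int = MIN_KEY_SIZE_OCTETS) -> bool:
    """Policy decision: only a verified key size >= minimum keeps the link."""
    parsed = parse_read_enc_key_size(event)
    if parsed is None:
        return False  # fail closed: no verified key size, no trusted link
    _handle, key_size = parsed
    return key_size >= minimum


# Constructed sample events (not captured from a real controller):
# handle 0x0040, status 0x00; one 16-octet key, one 1-octet key.
EVT_KEY16 = bytes([0x0E, 0x07, 0x01, 0x08, 0x14, 0x00, 0x40, 0x00, 0x10])
EVT_KEY1 = bytes([0x0E, 0x07, 0x01, 0x08, 0x14, 0x00, 0x40, 0x00, 0x01])

if __name__ == "__main__":
    for name, evt in (("16-octet key", EVT_KEY16), ("1-octet key", EVT_KEY1)):
        print(name, "-> keep link" if key_size_acceptable(evt) else "-> drop link")
```

On a Linux host the same decision can be made in a BlueZ/HCI socket handler that issues the command on each encryption change event and disconnects when the check fails.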

Converting Bluetooth Sensors To Zigbee

With the increase in popularity of Internet of Things (IoT) devices and their need to communicate wirelessly, there’s been a corresponding explosion of wireless protocols to choose from. Of course there’s Wi-Fi and Bluetooth, but for more specialized applications there are some other options like Z-Wave, LoRa, Sigfox, and Thread. There’s a decent amount of overlap in their capabilities too, so when [SHS] was investigating some low-cost Xiaomi sensors it was discovered that it is possible to convert them from their general purpose Bluetooth protocol over to the more IoT-specialized Zigbee protocol instead.

These combination temperature and humidity sensors have already been explored by [Aaron Christophel] who found that it’s possible to flash these devices with custom firmware. With that background, converting them from Bluetooth to Zigbee is not a huge leap. All that’s needed is the Zigbee firmware from [Ivan Belokobylskiy] aka [devbis] and to follow the steps put together by [SHS] which include a process for flashing the firmware using an over-the-air update and another using UART if the wireless updates go awry. Then it’s just a short process to pair the new Zigbee device to the network and the sensor is back up and running.

Converting from one wireless protocol to another might not seem that necessary, but using Bluetooth as an IoT network often requires proxy nodes as support devices, whereas Zigbee can communicate directly from the sensor to a hub like Home Assistant. Other Zigbee devices themselves can also act as a mesh network of sorts without needing proxy nodes. The only downside of this upgrade is that once the Bluetooth firmware has been replaced, the devices no longer have any Bluetooth functionality.

Thanks to [RoganDawes] for the tip!

Bluetooth Device Visualizer Reveals Devices In Vicinity

Have you ever wondered how many Bluetooth devices are floating around you? You could use one of those creepy retail store Bluetooth tracking systems, or set your smartphone to scan. Alternatively, you could use the Bluetooth Devices Visualizer from [Jeremy Geppert].

The device was inspired by [Jeremy’s] trip to Hackaday Supercon 2022. Wanting to build something with LEDs that worked in a badge-like form factor, he set out on whipping up a device to scan and display a readout of Bluetooth devices in the immediate area.

The device is based on an ESP32 microcontroller, which provides the necessary Bluetooth hardware to scan for devices. It then displays the number of devices found using an 8 x 8 array of addressable LEDs. There is also a small OLED display on board for displaying relevant details to the device’s operation. The device neatly fits on a lanyard, and is more of an art project than anything else. It’s no wardriver, and details of devices found are not logged or stored in any way when the device is switched off.

With a variety of operational modes, it’s a fun way to get an idea of just how many Bluetooth devices are really out there these days. If you’ve got your own nifty Bluetooth hacks in the works, don’t hesitate to let us know!


Compact, Gesture-Based Remote Control Over Bluetooth

[AlexMiller11] shared a project for a DIY gesture-sensing remote control that acts like a Bluetooth keyboard, capable of controlling media and presentations on a computer with a high degree of accuracy.

The device recognizes eight different gestures and controls a host PC over Bluetooth.

The hardware is a Silicon Labs xG24 dev kit, a small IoT-focused board able to be powered by a CR2032 cell. Part of what makes it all work is the six-axis IMU sensor, but the rest is the software to interpret that data and figure out what motions the user is trying to do. That happens with a Neuton.AI model and SDK, a tiny but effective machine learning framework for small devices.

How does it actually work? The device acts as a Bluetooth HID, and gets connected to a PC in the same way as a regular Bluetooth keyboard. Once that’s done, recognized gestures are printed out the serial port as well as sent via Bluetooth to the host machine. Media can then be played, paused, volume adjusted, presentations controlled, and more. More details are on the project’s GitHub repository. There’s also a demo video that explains exactly what’s going on, embedded below the page break.

Machine learning is a way of using software to solve the kinds of problems humans are not very good at writing programs to solve, and accurate gesture recognition is a good example. Not all such applications require heaps of overheating GPUs, either. We’ve seen the concept of a neural network stripped down to its bare essentials running on an Arduino Uno, for those who would like to better appreciate the fundamentals.


Bluetooth Battery Monitors That Also Monitor Your Position, Without Asking

These days Bluetooth-based gadgets are everywhere, including for car and solar batteries. After connecting them up to the battery, you download the accompanying app on your smartphone, open it up and like magic you can keep tabs on your precious pile of chemistry that keeps things ticking along. Yet as [haxrob] discovered during an analysis, many of these devices will happily pass your location and other information along to remote servers.

The device in question is a Bluetooth 4.0 Battery Monitor that is resold under many brands, and which by itself would seem to do just what it is said to do, from monitoring a battery to running crank tests. Where things get unpleasant is with the Battery Monitor 2 (BM2) mobile app that accompanies the device. It integrates a library called AMap which is “a leading provider of digital map in China” and part of Alibaba. Although the app’s information page claims that no personal information is collected, the data intercepted with Wireshark would beg to differ.

In part 2 of this series, the BM2 app is reverse-engineered by decompiling its Java code. The personal information includes the latitude and longitude, as well as GPS, cell tower IDs and WiFi beacon data, which understandably has people rather upset. In addition to leaking your personal info, the BM2 app also seems to be good at running constantly in the background, which ironically drains your phone’s battery at an alarming rate.

Cases like these should be both a warning to not just install any app on your smartphone, as well as a wake-up call to Google and others to prevent such blatant privacy violations.

(Thanks to [Drew] for the tip)

Raspberry Pi Pico W Now Supports Bluetooth

What’s the best kind of upgrade a piece of consumer technology can get? A free one that doesn’t require you to do anything other than accept a new version of the software it’s running.

That’s precisely what every current (and future) owner of the Raspberry Pi Pico W just got with the addition of Bluetooth support to SDK 1.5.1. This is possible because the CYW43439 radio chipset used on the wireless version of the Pi Pico has always had Bluetooth capabilities, they just weren’t officially accessible from the C or MicroPython environments until now. In a corresponding blog post, [Eben Upton] explains that part of the delay was due to difficulties in getting both WiFi and Bluetooth connections to work simultaneously over the three-pin SPI bus that links the two chips on the board.

One thing that struck us as particularly interesting here is the use of BlueKitchen’s BTStack to provide support for both Bluetooth Classic and Low Energy profiles. This library is released under a modified version of the BSD 3-Clause license that otherwise specifically forbids commercial usage. That would be a problem for anyone who wanted to sell a gadget built around the Pico W, so Raspberry Pi Ltd negotiated — and presumably paid for — a special dispensation so commercial use is in the clear.

We should note that technically Bluetooth support was available in a beta state previously, albeit without this new license agreement made with BlueKitchen. Though anyone with a keen eye knew Bluetooth support was coming well before that, our own [Elliot Williams] called it when he first set eyes on the Pi Pico W back in 2022.

Hackaday Prize 2023: Bluetooth Spell To Speak

Have you ever known what you wanted to say but couldn’t figure out exactly how to say it? For some individuals, that’s all the time. The gap between intention and action can be a massive chasm. [Pedro Martin] is trying to help bridge that gap with a Bluetooth RPM letterboard.

[Soma Mukhopadhyay] developed Rapid Prompting Method (RPM) for teachers to work with students with autism. Gentle physical cues can help individuals complete motor movements, which can be used as a communication mechanism by pointing to a letterboard. Students can eventually move on to a tablet, but some students see the light as sensory noise or might associate it with playtime.

[Pedro] hopes that his letterboard will be able to provide tactile feedback for each letter to strengthen the connection the teacher is trying to establish. The letterboard is a 22 by 14 grid (308 total) of touch electrodes connected to three MPR121 12-channel capacitive touch sensors, which in turn connect to an ESP32 via I2C. Additionally, 60 LEDs controlled by two shift registers are interspersed between the touch electrodes. As only one LED will be on at a given time, [Pedro] can use the shift registers in a row/column setup since the current draw should be small. A piezo buzzer serves as additional feedback for the student. The ESP32 emulates a Bluetooth keyboard, so the teacher doesn’t have to keep track of what the student is spelling and can focus on RPM.

[Pedro] encountered the usual slew of debugging problems, such as ground bounce, capacitive noise, and Bluetooth wonkiness. The code, KiCad, and STL files are on the Hackaday.io project page. If you want more accessibility-focused keyboards, look at the RP2040-based Intellikeys we saw recently.
