It’s a story we’ve heard many times before: if you want to get your data from the Domyos EL500 elliptical trainer, you need to use a proprietary smartphone application that talks to the device over Bluetooth Low-Energy (BLE). To add insult to injury, the only way to the software will export your workout information is by producing a JPG image of a graph. This just won’t do, so [Juan Carlos Jiménez] gives us yet another extensive write-up, which provides an excellent introduction to practical BLE hacking.
He walks us through BLE GATT (Generic Attribute Profile), the most common way such devices work, different stages of the connection process, and the tools you can use for sniffing an active connection. Then [Juan] shows us a few captured messages, how to figure out packet types, and moves into the tastiest part — using an ESP32 to man-in-the-middle (MITM) the connection.
Bluetooth Low Energy (BLE) is everywhere these days. If you fire up a scanner on your phone and walk around the neighborhood, we’d be willing to bet you’d pick up dozens if not hundreds of devices. By extension, from fitness bands to light bulbs, it’s equally likely that you’re going to want to talk to some of these BLE gadgets at some point. But how?
Well, watching this three part video series from [Stuart Patterson] would be a good start. He covers how to get a cheap nRF52480 BLE dongle configured for sniffing, pulling the packets out of the air with Wireshark, and perhaps most crucially, how to duplicate the commands coming from a device’s companion application on the ESP32.
Testing out the sniffed commands.
The first video in the series is focused on getting a Windows box setup for BLE sniffing, so readers who aren’t currently living under Microsoft’s boot heel may want to skip ahead to the second installment. That’s where things really start heating up, as [Stuart] demonstrates how you can intercept commands being sent to the target device.
It’s worth noting that little attempt is made to actually decode what the commands mean. In this particular application, it’s enough to simply replay the commands using the ESP32’s BLE hardware, which is explained in the third video. Obviously this technique might not work on more advanced devices, but it should still give you a solid base to work from.
In the end, [Stuart] takes an LED lamp that could only be controlled with a smartphone application and turns it into something he can talk to on his own terms. Once the ESP32 can send commands to the lamp, it only takes a bit more code to spin up a web interface or REST API so you can control the device from your computer or other gadget on the network. While naturally the finer points will differ, this same overall workflow should allow you to get control of whatever BLE gizmo you’ve got your eye on.
Remember when it was laser pointers? Well, now it’s drones.
[Thinkerer] sent us this link to what’s essentially a press release for a company called Sensofusion that makes a UAV detector and (they claim) smart jammer, and apparently one is being installed at Denver International airport.
We buy that the “Airfence” system will be able to detect known systems by signature, and possibly even take them over. We’ve seen two exploits of quadcopter radio protocols (one a timing attack and the other a controller ID spoof) that would allow them to do just that. But is that the problem? Don’t most of the major manufacturers fence off airports in software these days anyway? And are drones really the droids that you’re looking for?
They also make some claims about being able to detect and stop DIY copters, but we don’t see how. Imagine that your copter ran encrypted on 2.4 GHz. How is this different from any other WiFi signal? Or imagine that it sends and receives infrequent data in the congested pager bands? And short of jamming, we don’t see how they’re going to take down anything that they don’t already understand.
So, commenteers, how would you do it? Detect and even take over an arbitrary drone? Possible or snakeoil?
