Relay Attack #85
Comments
The methodology is described in this talk: https://hardwear.io/netherlands-2022/presentation/bluetooth-LE-link-layer-relay-attacks.pdf

I hope to release the code for that functionality eventually, though at the time of publication of that research, there was reluctance in our company to release it due to concerns about possible misuse. With that said, you can implement the relay attack functionality as described in the talk with the public Sniffle firmware if you write the host-side "glue" code yourself.
Yes, that’s what I meant by host side glue.
It’s mostly just forwarding packets from one side to another, though you do need to keep track of the connection event counter on both sides. If they’re too far out of sync, there will be issues with connection parameter changes. For unencrypted connections, you can change the instant value in connection parameter change requests to avoid issues. For encrypted connections, you need to keep the connection event counters roughly in sync.
Hi, great product. I have bought some TI dev boards to play around with.
Have you documented the relay attack methodology anywhere? I'm looking to give it a go and didn't know whether there were some documented instructions somewhere? Or if you could give us a point in the right direction.
Thanks!