Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming

Conference: DEF CON 27



Bluetooth Low Energy (BLE) protocol and its security vulnerabilities
  • BLE protocol provides encryption and authentication during pairing phase
  • Three types of attacks on BLE: eavesdropping, jamming, and hijacking
  • Hardware required for performing attacks on BLE devices
  • Improvements in BLE version 5 include better range, throughput, and coexistence
  • New channel selection algorithm introduced in BLE version 5
The speaker mentioned a tool called BtleJack, which is like a 'fisherman's knife' for performing attacks on BLE devices. This tool is compatible with the micro:bit, a tiny device originally designed to teach UK students how to code. The speaker also mentioned that the Texas Instruments (TI) development board is more powerful but more expensive than the micro:bit.


Bluetooth Low Energy version 5 was published in late 2016, but we still have no sniffer supporting this specific version (and not that many compatible devices either). The problem is that this new version introduces a new channel hopping algorithm that renders previous sniffing tools useless: devices can no longer be attacked and connections can no longer be analyzed. This new algorithm is based on a brand new pseudo-random number generator (PRNG) that provides better collision avoidance while kicking out all of our good old sniffing tools. Unless some random hacker manages to break this not-that-strong PRNG and upgrades his BLE sniffing tool to support this algorithm ;). In this talk, we will explain why this PRNG is vulnerable and how it can be easily defeated to sniff and jam communications between two BLE 5 devices. A new version of BtleJack will be released during this talk, providing our fellow IoT hacker family with an efficient way to sniff BLE 5 connections.
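The algorithm the abstract refers to is BLE 5's Channel Selection Algorithm #2 (Bluetooth Core 5.0, Vol 6, Part B, section 4.5.8.3). The reimplementation below is an added example, not code from the talk or from BtleJack; it shows that the hop sequence is a function of the access address, the channel map and the 16-bit connection event counter only, with no secret input, which is why the hopping provides coexistence but no confidentiality. The advertising access address 0x8E89BED6 is the spec's own sample input.

```python
# Bluetooth Core 5.0, Vol 6, Part B, 4.5.8.3: Channel Selection Algorithm #2.
# Educational reimplementation of the published spec (not BtleJack code).

def perm(v: int) -> int:
    """Reverse the bit order inside each of the two bytes of a 16-bit value."""
    rev = lambda b: int(f"{b:08b}"[::-1], 2)
    return (rev((v >> 8) & 0xFF) << 8) | rev(v & 0xFF)

def mam(a: int, b: int) -> int:
    """Multiply-Add-Modulo step of the spec: (a * 17 + b) mod 2^16."""
    return (a * 17 + b) & 0xFFFF

def channel_identifier(access_address: int) -> int:
    """channelIdentifier = AA[31:16] XOR AA[15:0]; the access address is sent in clear."""
    return ((access_address >> 16) ^ (access_address & 0xFFFF)) & 0xFFFF

def csa2_prn_e(counter: int, chan_id: int) -> int:
    """16-bit pseudo-random value for one connection event (three perm/MAM rounds)."""
    e = perm((counter & 0xFFFF) ^ chan_id)
    e = mam(e, chan_id)
    e = perm(e)
    e = mam(e, chan_id)
    e = perm(e)
    e = mam(e, chan_id)
    return e ^ chan_id

def csa2_channel(counter: int, access_address: int, used_channels) -> int:
    """Data channel (0-36) used for connection event number `counter`."""
    prn_e = csa2_prn_e(counter, channel_identifier(access_address))
    unmapped = prn_e % 37
    remap = sorted(used_channels)          # remappingTable: used channels, ascending
    if unmapped in remap:
        return unmapped
    # Unused channel: remappingIndex = floor(N * prn_e / 2^16)
    return remap[(len(remap) * prn_e) >> 16]

def channel_sequence(access_address: int, used_channels, first_counter: int, count: int):
    """Hop sequence for `count` consecutive events. Every input here is public."""
    return [csa2_channel(first_counter + i, access_address, used_channels)
            for i in range(count)]

ADV_ACCESS_ADDRESS = 0x8E89BED6   # advertising access address, spec sample input
ALL_CHANNELS = range(37)

if __name__ == "__main__":
    print(channel_sequence(ADV_ACCESS_ADDRESS, ALL_CHANNELS, 1, 3))   # [20, 6, 21]
    print(csa2_channel(6, ADV_ACCESS_ADDRESS, range(9, 18)))           # 10 (remapped from 23)
```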