BTLE Keyfobs

There are these little Bluetooth Low Energy things which attach to key fobs. When you lose your keys, you can make them beep remotely with your iPad. They also have a little button on them which you can use to take a photo.

This project exploits the fact that these devices perform no authentication (like regular Bluetooth Pairing), and my be set off by any client which can connect and issue the command used to make them beep.

Specifically, Service fff0, characteristic fff2, using this command written as 5 unsigned 8-bit integers:

• byte 0: 0xAA
• byte 1: 0x03
• byte 2: n
• byte 3: on_ms
• byte 4: off_ms

Where n is the number of beeps, on_ms is the on-time in milliseconds and off_ms is the off time in milliseconds.

Other commands may be possible but I'venot gotten around to fuzzing the thing to see what it can do.

Pre-requisites

• Python (2.7 and 3.4 tested and working)
• bluepy (sudo pip install bluepy)
• bluepy.btle (comes with bluepy)

beepmonster.py

This program will continuously scan for new BTLE devices, and if it detects that one is a compatible device, it will start it beeping in morse code, the phrase "hi mouse" every 15 seconds.

NOTE: Needs to be executed as root on most Linux distros (BTLE scanning is a privileged opreation).

Known Issues

Exceptions

When a BeepMaker thread experiences any sort of exception (e.g. BTLE stack reports a failure to connect), that thread is then useless, and the device in question will not be added again, and so will remain silent until the program is re-started.

Dropped messages

It seems the BTLE message writing isn't super reliable, and you sometimes get parts of your message dropped. Deal.

Acknowledgements

Found this page super-helpful: http://guru.multimedia.cx/bluetooth-tracking-devicestagskey-finders/