
Unknown BLE signal packet analysis



Hey guys, I'm not sure if this has been posted before but I have a rather concerning topic to ask about. This is one of those rare and very smart and informed groups that could really help out here. 

I've enabled the phone setting that allows me to see Bluetooth addresses without names and have been doing scans all over my area for a long time now. There are so many MAC-address-only BLE signals around and I don't think it's coming from devices or cars or anything commercial. All of these MAC addresses emitted by devices are registered to a vendor right? Just google a BT vendor address searcher and it returns "Samsung" or something like that for any commercial device MAC address entered. Not these ones though, no known vendor.

I captured some in a bug report and brought the data over to Wireshark and I can't really find much more info except the power level. 

A strong BT signal from a device emits at about -50 dBm (decibel-milliwatts) and a weak signal would be -100 dBm, and that's the point of signal loss pretty much. These addresses emit at 12 dBm which is a lot of energy.

I'm not that experienced with BT packet/signal analysis but is there any further digging to be dug here? I need someone with a bit more experience. 

I work in software development, and have watched a lot of Hak5 over the years, so thank you for all the info you put out; it's really great and has helped me a tonne, as well as sparking so much curiosity.


12 hours ago, VowelMovement said:

All of these MAC addresses emitted by devices are registered to a vendor right?

I wouldn't be so sure about that. BLE uses MAC address randomization just like WiFi does (at least in some implementations) and will probably end up in a "non-vendor" result (just like you do when searching for WiFi related MAC addresses that are randomized).

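The two points raised above (the OP's vendor lookups returning nothing, and the reply about address randomisation) both come down to how a scanner should interpret what it captures. The Bluetooth Core Specification defines a random address by the top two bits of its most significant octet (11 = static, 01 = resolvable private, 00 = non-resolvable private), and only a public address carries an IEEE-assigned OUI that a vendor lookup can match. Separately, an advertiser may include a TX Power Level AD structure (type 0x0A), a signed byte giving the transmit power in dBm, which is distinct from the negative RSSI the receiver measures. The following Python is an added example written for this thread, not code from either poster or from Hak5; the advertising payload, the addresses and the company ID 0x1234 are constructed for illustration.

```python
"""Classify BLE advertiser addresses and decode advertising data (AD) structures.

Added example for this thread; sample bytes and addresses are constructed.
"""
from __future__ import annotations

# AD type codes from the Bluetooth Assigned Numbers (only these four are decoded)
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_TX_POWER_LEVEL = 0x0A
AD_MANUFACTURER_SPECIFIC = 0xFF


def classify_address(addr: str, random_addr: bool) -> str:
    """Classify a 48-bit BLE address.

    random_addr is the TxAdd bit from the advertising PDU header (True = random
    address). The address string is in the usual displayed order, most
    significant octet first, so the type bits live in the first octet.
    """
    octets = [int(x, 16) for x in addr.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"bad address: {addr}")
    if not random_addr:
        # Public address: first three octets are an IEEE OUI, so a vendor lookup works.
        return "public"
    top_bits = octets[0] >> 6
    return {
        0b11: "random static",
        0b01: "resolvable private",
        0b00: "non-resolvable private",
        0b10: "reserved",
    }[top_bits]


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    Each structure is: length (1 byte, covers type + data), type (1 byte), data.
    A zero length byte marks early termination; anything after it is padding.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        ad_type = payload[i + 1]
        structures.append((ad_type, bytes(payload[i + 2 : i + 1 + length])))
        i += 1 + length
    return structures


def decode_advertisement(payload: bytes) -> dict:
    """Pull the fields a scanner usually shows out of the AD structures."""
    info: dict = {}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_FLAGS and data:
            info["flags"] = data[0]
        elif ad_type == AD_COMPLETE_LOCAL_NAME:
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_TX_POWER_LEVEL and data:
            # Signed 8-bit value in dBm, advertised by the transmitter itself
            info["tx_power_dbm"] = int.from_bytes(data[:1], "little", signed=True)
        elif ad_type == AD_MANUFACTURER_SPECIFIC and len(data) >= 2:
            # First two bytes are the little-endian company identifier
            info["company_id"] = int.from_bytes(data[:2], "little")
            info["manufacturer_data"] = data[2:]
    return info


def estimated_path_loss_db(tx_power_dbm: int, rssi_dbm: int) -> int:
    """Rough path loss: advertised TX power minus measured RSSI (both in dBm)."""
    return tx_power_dbm - rssi_dbm


# Constructed payload: Flags (0x06), TX Power +12 dBm, name "test",
# manufacturer data with company ID 0x1234, then a terminating zero byte.
SAMPLE_ADV = bytes([
    0x02, 0x01, 0x06,
    0x02, 0x0A, 0x0C,
    0x05, 0x09, 0x74, 0x65, 0x73, 0x74,
    0x05, 0xFF, 0x34, 0x12, 0xAA, 0xBB,
    0x00,
])

if __name__ == "__main__":
    for addr, rnd in [("C0:11:22:33:44:55", True), ("40:11:22:33:44:55", True),
                      ("3F:11:22:33:44:55", True), ("A4:11:22:33:44:55", False)]:
        print(addr, "->", classify_address(addr, rnd))
    fields = decode_advertisement(SAMPLE_ADV)
    print(fields)
    print("path loss at RSSI -70 dBm:", estimated_path_loss_db(fields["tx_power_dbm"], -70), "dB")
```

Feeding a resolvable or non-resolvable private address to an OUI database will never return a vendor, because those octets are not an OUI at all; only the "public" case is worth looking up. The TX Power Level field is also a good sanity check when a scanner reports a positive dBm figure for a device: that value is what the advertiser claims to transmit at, and combining it with the measured RSSI gives a crude distance proxy.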

@dark_pyrro I would recommend enabling this setting for yourself and scanning around. You'll soon see what I mean and it takes a bit of deduction to guess where they are coming from. It's not just where I am in Europe either, I've tried this when travelling in different countries and it's much the same.

To my understanding, MAC address randomisation can be set up for specific implementations, but for most commercial devices they would be trackable. Even if part of the address was changed, the vendor-assigned part would still track back to a vendor. It's a standard that was set up a good while back. For example, Hyundai was fined millions for releasing cars with non-vendor-trackable MAC addresses. That helped to solidify that commercial standard.

