Can the nRF52840 dongle be used to sniff/record BLE communications even if the recorded packets cannot be decrypted, or can it only record packets when decryption is possible (have the required TK and pairing method)?
It's only really able to record packets when decryption is possible. The main reason is that the link will very likely change the connection parameters or hopping sequence, and without decryption the sniffer will not be able to receive the change.
Kenneth
Thanks Kenneth.
At DEFCON 27, Damien Cauquil demonstrated a method of inferring the channel hopping counter used. This enabled him to determine the sequence of channel hops, thus allowing him to sniff the BLE session. Sure, it wouldn't work if there were continuous changes made to the connection parameters, but other than that, there wasn't much of an issue. This was implemented in his BTLEJack.
Has Nordic not yet been able to implement this or a similar technique to sniff a connection, or have I misunderstood something?
Honestly speaking, I don't see that as very useful. The nRF sniffer is used to sniff a connection during development; typically you will then use a bonding method that can be decrypted, or provide debug keys to decrypt the connection on the fly.
Kenneth
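To illustrate Kenneth's point about why a passive sniffer loses the link once the connection parameters change, here is an added example (not from this thread or from Nordic) that walks the BLE Channel Selection Algorithm #1 and shows where the channel sequence diverges when one side applies a channel-map update the sniffer never received (the update travels in an LL control PDU, which is encrypted once the link is). The hop increment and channel maps are constructed values.

```python
# BLE Channel Selection Algorithm #1 (Bluetooth Core Spec Vol 6, Part B, 4.5.8.2).
# 37 data channels (0..36); the hop increment is a connection parameter in 5..16.
# Added illustration: it is not the nRF Sniffer's or BTLEJack's code.

NUM_DATA_CHANNELS = 37


def csa1_next(last_unmapped: int, hop_increment: int, channel_map: list) -> tuple:
    """Return (next_unmapped, next_used) for one connection event.

    The unmapped counter always advances, even when the unmapped channel is
    disabled and gets remapped onto one of the enabled channels.
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement must be in 5..16")
    unmapped = (last_unmapped + hop_increment) % NUM_DATA_CHANNELS
    if channel_map[unmapped]:
        return unmapped, unmapped
    used = [ch for ch in range(NUM_DATA_CHANNELS) if channel_map[ch]]
    # Remapping: index into the table of enabled channels.
    return unmapped, used[unmapped % len(used)]


def hop_sequence(hop_increment: int, channel_map: list,
                 first_unmapped: int = 0, events: int = 20) -> list:
    """Channels used by the next `events` connection events."""
    seq, last = [], first_unmapped
    for _ in range(events):
        last, ch = csa1_next(last, hop_increment, channel_map)
        seq.append(ch)
    return seq


def first_divergence(seq_a: list, seq_b: list):
    """Index of the first connection event where two sequences differ, or None."""
    for i, (a, b) in enumerate(zip(seq_a, seq_b)):
        if a != b:
            return i
    return None


if __name__ == "__main__":
    hop = 7                                            # constructed hopIncrement
    sniffer_map = [True] * NUM_DATA_CHANNELS           # map the sniffer last saw
    peer_map = [ch >= 5 for ch in range(NUM_DATA_CHANNELS)]  # peers dropped 0..4
    sniffer_seq = hop_sequence(hop, sniffer_map)
    peer_seq = hop_sequence(hop, peer_map)
    i = first_divergence(sniffer_seq, peer_seq)
    print("sniffer:", sniffer_seq)
    print("peers:  ", peer_seq)
    print(f"sniffer is on the wrong channel from event {i} onwards")
```

With the constructed values the two sequences agree for ten events and then split at event 10 (channel 3 versus remapped channel 8), after which the sniffer hears nothing of the connection.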