Sometimes it seems to me that BLE is like an old friend who always does everything wrong…
July 12, 2025 at 8:01 PM • Max Knyazev is typing… • Telegram mirror
Sometimes it seems to me that BLE is like an old friend who always gets everything wrong at first, but then abruptly corrects himself and surprises you by still being alive. If you read the chronicle of all Bluetooth vulnerabilities over the past 10 years, a logical question arises: how did it even survive to this day? But let's take everything in order
🧐
I recently came across a great article, "From BlueBorne to LE Secure: How Bluetooth Survived Its Biggest Holes." It collects all the pain of developers and researchers. The funny thing is that at some point BT/BLE resembled not a protocol but one continuous CTF
😉
But still, BLE is not “bare” Bluetooth, but a huge ecosystem in PIoT, smart locks and other things that make our lives a little more convenient... and sometimes a little less safe
😏
In short, BLE has been hopelessly buggy for a long time. Classic PIN? Hello sniffer. "Just Works"? Great for MITM. Devices are too trusting, manufacturers update firmware too rarely, and users are generally unaware that their fitness bracelet could be a Trojan horse on a corporate network (shadow IoT, all business)
🤌
But there is also good news. The new BLE 5.4 really does a lot: it encrypts packets, prevents the security level from being lowered, and adds control over the minimum key length. Hardware implementations of protection are appearing on chips like the nRF52, and all of this is really moving the industry forward
👍
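One way to check a pairing for the weaknesses named above ("Just Works", a short key), as an added example that is not part of the original post. It decodes the SMP Pairing Request and Pairing Response and goes a step beyond the text by deriving the association model from both sides' IO capabilities. The function names, the constructed sample bytes and the 16-byte minimum key policy are assumptions.

```python
# Added example (not from the original post): audit a BLE SMP feature exchange.
NO_IO, DISPLAY_YES_NO, KEYBOARD_DISPLAY = 0x03, 0x01, 0x04
KEYBOARD = {0x02, 0x04}  # KeyboardOnly, KeyboardDisplay

def parse(pdu: bytes) -> dict:
    """Decode a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response")
    io, oob, auth, key_size = pdu[1], pdu[2], pdu[3], pdu[4]
    if io > 0x04 or not 7 <= key_size <= 16:
        raise ValueError("reserved IO capability or key size outside 7..16")
    return {"io": io, "oob": oob == 0x01, "mitm": bool(auth & 0x04),
            "sc": bool(auth & 0x08), "key_size": key_size}

def audit(req_pdu: bytes, rsp_pdu: bytes, min_key_size: int = 16) -> dict:
    """Derive the negotiated pairing properties and list policy findings."""
    req, rsp = parse(req_pdu), parse(rsp_pdu)
    ios = {req["io"], rsp["io"]}
    sc = req["sc"] and rsp["sc"]          # Secure Connections needs both sides
    # OOB is used if either side has OOB data (SC) or only if both do (legacy).
    oob = (req["oob"] or rsp["oob"]) if sc else (req["oob"] and rsp["oob"])
    if oob:
        model = "Out of Band"
    elif not (req["mitm"] or rsp["mitm"]) or NO_IO in ios:
        model = "Just Works"
    elif sc and ios <= {DISPLAY_YES_NO, KEYBOARD_DISPLAY}:
        model = "Numeric Comparison"
    elif ios & KEYBOARD:
        model = "Passkey Entry"
    else:
        model = "Just Works"              # display-only peers cannot authenticate
    key_size = min(req["key_size"], rsp["key_size"])
    findings = []
    if model == "Just Works":
        findings.append("unauthenticated pairing: no MITM protection")
    if not sc:
        findings.append("LE legacy pairing: Secure Connections not negotiated")
    if key_size < min_key_size:
        findings.append(f"key size {key_size} below required {min_key_size}")
    return {"model": model, "secure_connections": sc,
            "key_size": key_size, "findings": findings}

# Constructed sample PDUs (not captured from a real device).
WEAK_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x07, 0x01, 0x01])
WEAK_RSP = bytes([0x02, 0x04, 0x00, 0x0D, 0x10, 0x01, 0x01])
GOOD_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x03, 0x03])
GOOD_RSP = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x03, 0x03])

if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_REQ, WEAK_RSP)), ("good", (GOOD_REQ, GOOD_RSP))):
        print(name, audit(*pair))
```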
Although, of course, if your thermometer from 2016 cannot be updated over the air, no new standard will save it. Here again we come up against the main axiom of IoT security:
Without regular updates, even the most beautiful standard will not save you from trouble
💀
Bluetooth, no matter how much we laugh at it, remains the main connection for most smart devices. But its security is not only about cryptography, but about everything at once: from hardware to firmware, from UX to update policies. And so far, strange as it may sound, it is holding on, sometimes even more confidently than Wi-Fi
🙂
Do you think BLE can be trusted in serious projects today? (Let's imagine that you have a choice)
🧐
#information_security
#internet_things