Abusing the Internet of Things


Every BLE packet carries a 32-bit access address (AA) that identifies the link the packet belongs to.
Every advertising packet uses the fixed AA 0x8e89bed6 (as shown in Figure 2-5); each
connection uses its own AA, chosen when the connection is set up, so that a receiver can tell
connections apart and discard packets that are not meant for it.
It is possible to mimic BLE devices by using the LightBlue iOS app on an iPhone, as
shown in Figure 2-6. This is useful to test Ubertooth One functionality and make sure the
capture tools are working. Notice that the advertising virtual device named Blood Pressure
shown in Figure 2-6 is the one captured in the Wireshark analysis shown in Figure 2-5.


FIGURE 2-5. BLE advertising packet analysis in Wireshark


In his whitepaper “Bluetooth: With Low Energy Comes Low Security”, researcher Mike
Ryan describes how to capture BLE connections. Advertising happens on three channels
(37, 38, and 39); once a connection is established, the two devices hop across the 37 data
channels (0 through 36) reserved for connection traffic, moving a fixed hopIncrement
channels per connection event. A sniffer that has not seen the connection request therefore
has to recover hopIncrement (and the hop interval) before it can follow the connection. The
nextChannel value is calculated as follows:


nextChannel ≡ channel + hopIncrement (mod 37)
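The hopping arithmetic above, worked through in code. This is an added example written for this page, not code from the book or from Mike Ryan's tooling. It generates the channel sequence from the formula (and, going beyond the formula in the text, applies the channel-map remapping that Bluetooth 4.x Channel Selection Algorithm #1 specifies for channels the connection does not use), then shows how a sniffer parked on one channel can recover hopIncrement: if it takes k hops for the connection to go from data channel 0 to data channel 1, then k * hopIncrement ≡ 1 (mod 37), so hopIncrement is the modular inverse of k. The frame layout assumed by `access_address` (1-byte preamble, then the little-endian AA) and the sample bytes are constructed for the example.

```python
"""BLE link-layer arithmetic: access address check and data-channel hopping.

Added example for this page; not the book's own code. Frame layout and sample
timings below are constructed for illustration.
"""

ADV_ACCESS_ADDRESS = 0x8E89BED6   # fixed AA carried by every advertising packet
DATA_CHANNELS = 37                # data channels 0..36 (37, 38, 39 are advertising)


def access_address(frame: bytes) -> int:
    """Extract the 32-bit AA from a raw air frame.

    Assumption (example layout): byte 0 is the preamble, bytes 1..4 are the
    access address, transmitted least-significant byte first.
    """
    return int.from_bytes(frame[1:5], "little")


def is_advertising(frame: bytes) -> bool:
    """True if the frame uses the fixed advertising AA rather than a connection AA."""
    return access_address(frame) == ADV_ACCESS_ADDRESS


def next_channel(channel: int, hop_increment: int) -> int:
    """nextChannel = (channel + hopIncrement) mod 37, exactly as in the text."""
    return (channel + hop_increment) % DATA_CHANNELS


def hop_sequence(start: int, hop_increment: int, n: int, used=None) -> list:
    """Return the next n data channels visited by a connection.

    Goes beyond the page's formula: Channel Selection Algorithm #1 (Core Spec
    4.x, Vol 6 Part B, 4.5.8.2) first computes the 'unmapped' channel with the
    formula above; if that channel is disabled in the connection's channel map,
    it is remapped to used[unmapped % len(used)] where 'used' is the sorted
    list of enabled channels.
    """
    used = sorted(used) if used is not None else list(range(DATA_CHANNELS))
    seq, unmapped = [], start
    for _ in range(n):
        unmapped = next_channel(unmapped, hop_increment)
        seq.append(unmapped if unmapped in used else used[unmapped % len(used)])
    return seq


def hop_interval_from_channel0(delta_us: float) -> float:
    """Hop interval from the time between two consecutive packets on channel 0.

    With all 37 channels in use and hopIncrement coprime to 37 (37 is prime, so
    any 1..36 is), a given channel is revisited every 37 hops. Caveat: with a
    reduced channel map the remapping breaks this simple relation.
    """
    return delta_us / DATA_CHANNELS


def hops_between(t_first_us: float, t_second_us: float, hop_interval_us: float) -> int:
    """Number of connection events between two observed packets."""
    return round((t_second_us - t_first_us) / hop_interval_us)


def recover_hop_increment(hops_ch0_to_ch1: int) -> int:
    """k hops took the connection from channel 0 to channel 1, so
    k * hopIncrement ≡ 1 (mod 37) and hopIncrement = k^-1 mod 37."""
    if not 1 <= hops_ch0_to_ch1 < DATA_CHANNELS:
        raise ValueError("hop count must be in 1..36")
    return pow(hops_ch0_to_ch1, -1, DATA_CHANNELS)


if __name__ == "__main__":
    # Constructed advertising frame: preamble 0xAA, then AA 0x8e89bed6 little-endian.
    adv = bytes([0xAA, 0xD6, 0xBE, 0x89, 0x8E, 0x40, 0x06])
    print("advertising:", is_advertising(adv), hex(access_address(adv)))

    # Constructed connection: hopIncrement 7, all channels in use.
    print("first hops:", hop_sequence(0, 7, 5))

    # Constructed sniffer timings: channel 0 seen at 0 and 37*7500 us later,
    # channel 1 seen 16 hops after the first channel-0 packet.
    interval = hop_interval_from_channel0(37 * 7500)
    k = hops_between(0, 16 * 7500, interval)
    print("recovered hopIncrement:", recover_hop_increment(k))
```

The channel map matters in practice: a connection that has blacklisted noisy channels will not revisit channel 0 every 37 events, so the interval estimate from channel 0 alone must be treated as an assumption that later packets either confirm or refute.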

CHAPTER 2: ELECTRONIC LOCK PICKING—ABUSING DOOR LOCKS TO COMPROMISE PHYSICAL SECURITY