Abusing the Internet of Things

(Rick Simeone) #1

FIGURE 2-6. Simulating a BLE device with the LightBlue iOS app


The master and the slave both apply this formula to calculate the next channel and hop to it at the same time. On each channel the master transmits a packet and the slave answers. If neither side has data to send, each still sends a packet with an empty payload, so the connection keeps its timing. This is why, to sniff BLE connections, the ubertooth-btle tool follows the same channel sequence when the -f flag is specified.
In his paper, Ryan discloses a critical security issue in BLE that is important to understand: the key-exchange protocol used by BLE is vulnerable to brute-force attacks.
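The formula the text refers to is the Link Layer channel selection algorithm (algorithm #1 in the Bluetooth 4.x Core Specification): the next unmapped channel is (lastUnmappedChannel + hopIncrement) mod 37, and if that data channel is excluded by the connection's channel map, the index (unmappedChannel mod numUsedChannels) selects a channel from the list of used ones. The following Python is an added illustration, not code from the book or from the Ubertooth project. It implements that algorithm so both ends of a link, or a third party that knows the same two parameters, compute the identical sequence; the hopIncrement and channel-map values below are constructed samples (in a real link they are carried in the CONNECT_REQ PDU).

```python
"""BLE Link Layer channel selection, algorithm #1 (Bluetooth Core Spec 4.x).

Added example, not the book's code. hop_increment and channel_map values
used in the demo are constructed; real links take them from CONNECT_REQ.
"""

NUM_DATA_CHANNELS = 37  # data channels 0..36 (37, 38, 39 are advertising channels)


def used_channels(channel_map: int) -> list:
    """Expand a 37-bit channel map (bit n set => data channel n is in use)."""
    return [ch for ch in range(NUM_DATA_CHANNELS) if channel_map >> ch & 1]


def next_channel(last_unmapped: int, hop_increment: int, channel_map: int) -> tuple:
    """One step of algorithm #1.

    Returns (new_unmapped_channel, channel_actually_used). The unmapped
    channel is always advanced, even when it is remapped, so that both
    sides keep the same internal state.
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement must be in the range 5..16")
    used = used_channels(channel_map)
    if len(used) < 2:
        raise ValueError("channel map must keep at least two data channels")

    unmapped = (last_unmapped + hop_increment) % NUM_DATA_CHANNELS
    if channel_map >> unmapped & 1:
        # Channel is in the map: use it directly.
        return unmapped, unmapped
    # Channel is excluded: remap into the list of used channels.
    remapping_index = unmapped % len(used)
    return unmapped, used[remapping_index]


def hop_sequence(hop_increment: int, channel_map: int, count: int) -> list:
    """Channels visited over `count` connection events from the start of a link.

    lastUnmappedChannel starts at 0, so the first event lands on
    hop_increment mod 37 (or its remapped equivalent).
    """
    seq = []
    unmapped = 0
    for _ in range(count):
        unmapped, ch = next_channel(unmapped, hop_increment, channel_map)
        seq.append(ch)
    return seq


ALL_CHANNELS = (1 << NUM_DATA_CHANNELS) - 1          # every data channel usable
WITHOUT_14 = ALL_CHANNELS & ~(1 << 14)               # constructed: channel 14 excluded

if __name__ == "__main__":
    # Master and slave (and anyone holding the same parameters) agree step for step.
    master = hop_sequence(7, WITHOUT_14, 10)
    slave = hop_sequence(7, WITHOUT_14, 10)
    print("sequence:", master)
    print("in sync:", master == slave)
```

The point to take from the example is that the hop sequence carries no secret: the only inputs are hopIncrement and the channel map, both sent in the clear when the connection is set up. Frequency hopping in BLE therefore provides interference resilience, not confidentiality; protection of the data depends on the link-layer encryption discussed next.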
The master and the slave device can use encryption to secure the data being transmitted.
In order to do this, they must establish a shared secret known as the long-term key (LTK). In
most cases, the master and the slave reuse the LTK for subsequent connections. The key-


BLUETOOTH LOW ENERGY AND UNLOCKING VIA MOBILE APPS 49