[jwtorres]

For BT, it's not a matter of transmitting first (for Wifi it would be), but rather transmitting in the exact time slot that the two devices are expecting each other to transmit. This is tightly timed in BT devices (tens of microseconds)--they are only listening on tiny intervals and only expected to transmit on tiny intervals. It would sound like periodic chirping if you were able to hear it with your ears.

Meanwhile, the two BT devices are going to be transmitting in their normal time slots, so you would need to prevent them from being heard by the peer-- otherwise, the combined transmission (of the attacker and original BT device) will look like noise to the receiver and the attack would fail.

The attack is certainly doable, but in a practical setting would be extremely difficult.

[Tuna-Fish]

You are not thinking like an attacker.

The attacker has to hit the precisely correct time slot. However, there is no penalty for hitting the wrong time slots, so the easy solution is to just sync the timeslot boundaries by listening once and then retransmit on every timeslot.

The attacker has to somehow prevent the listener from hearing the original transmission. If the attacker retransmits at a similar power, as BT devices usually do, the combined transmission will look like noise. However, the attacker doesn't need to care about things like FCC rules or BT standards, and can simply transmit at a power few order of magnitudes greater, so that what the receiver hears is pretty much just the attacker.

[jwtorres]

There certainly is a penalty for missing time slots (especially if you're trying to overpower the other transmitter). There are two reasons for this: (1) the victim device will have hit the time slot and the pairing process will move into the next stage and (2) packet counters will prevent you from using the same packet in the wrong slot.

Trying to overpower the transmission of the BT peer is certainly the technique to take (although I was hoping not to broadcast that publicly in my original post). You will still have a tough time, however, because you're probably trying to overpower the transmission of two collocated devices (e.g. keyboard+computer) while you are 5-50feet away. In many cases you'll probably end up saturating the receiving antenna. It will be largely a trial-and-error technique, but it will work eventually.

[jsjohnst]

> packet counters will prevent you from using the same packet in the wrong slot.

Source to back up that claim? I am not an expert, but have enough experience on the topic to feel justified in feeling that’s wrong.

[timerol]

The way you're describing this makes it sound like an extremely difficult process. In some ways, it is. However, every BT device that exists is currently capable of doing this frequency tracking and tight timing. It's merely a matter of starting to transmit slightly earlier and significantly louder than a normal BT transmit after sniffing the start of the connection.

This attack should be possible from any software-defined radio that's capable of sniffing on and forming BT connections.

[jwtorres]

Quoting my response to Tuna-Fish: "Trying to overpower the transmission of the BT peer is certainly the technique to take (although I was hoping not to broadcast that publicly in my original post). You will still have a tough time, however, because you're probably trying to overpower the transmission of two collocated devices (e.g. keyboard+computer) while you are 5-50feet away. In many cases you'll probably end up saturating the receiving antenna. It will be largely a trial-and-error technique, but it will work eventually."