You are reading a single comment by @tom.gidden and its replies.
  • IIRC, the BLE exploit is to do with a particularly weak pairing procedure: if paired in a secure environment -- you do all have a Faraday cage at home, right? -- I assume it's moderately secure... 128-bit AES, I think.

    Security on BLE is designed so the host (a.k.a. client, i.e. the smartphone) does the vast majority of the work, and the peripheral (a.k.a. server, i.e. the widget) just has to do very basic symmetric ciphering. This is to reduce power consumption, offloading all CPU work to the (presumably) more powerful host.

    Saying that, I would agree with Gordon's assessment in terms of risk. Most BLE usage seems to be predominantly read-only with most of the security features ignored. Saying that, many do have a DFU mode for OTA updates, and there's little to stop NSA/GCHQ/[A-Z56]{3,} using that to surreptitiously turn your fitness band into a rudimentary espionage device.

    Anyway, I apologise for taking this thread so far off-topic!
