COMMSEC: The Tragedy of Bluetooth Low Energy


August 25, 2023




CommSec Track

Bluetooth Low Energy (BLE) has become an integral component of billions of smart devices worldwide, but it is also exposed to a wide range of attacks.

In this talk, I will show examples of how wireless bit streams can escape the radio and affect the physical world, covering security risks from shallow to deep across the protocol layers of BLE products and discussing the attack surface unique to the BLE protocol.

The first topic is “Money Thief”. I will talk about a vulnerability in QR code payments that not only lets an attacker redirect the user’s funds to themselves during payment, leaving the merchant unpaid, but also lets the attacker modify the amount encoded in the QR code. Both the merchant and the user suffer losses while the attacker invisibly takes the money.

The second topic is “Unlock Everything”. Unlocking is an impulse carved into the hacker’s DNA. Starting from analyzing smart devices that build private protocols on top of the Generic Attribute Profile (GATT) layer, I will demonstrate how to restore the validity of expired unlock commands in order to override locks, and how to bypass laptop lock screens. Then, I will introduce design flaws in the BLE Controller and use them to demonstrate movie-level hacker behaviour, such as opening and driving away a car from several miles away. A white paper covering the technical details of the BLE Controller layer will be submitted separately. This demonstration will show similar issues in three car models and blur the boundary between the virtual and the physical.

Lastly, I will introduce a BLE security testing tool that can reproduce the attacks in our cases, giving security researchers a platform for research and sharing, and giving manufacturers a way to test the security of their BLE products. Let us make our intelligent lives more secure!

Security Engineer


Linfeng Xiao (肖临风) is a security engineer at Xiaomi. His research focuses on binary security and radio security, and he is mainly responsible for security research, day-to-day testing, and improving automation capability for Xiaomi IoT products, ensuring their security across the entire product lifecycle and responding to related security incidents. His current research is focused on automotive security. He is skilled in vulnerability discovery and has submitted valid vulnerabilities to companies including Tencent, Baidu, NetEase, Huawei, OPPO, and D-Link. He has successfully hacked products at the Tianfu Cup and the Bughunter Cup, and won second prize in the first CAVD Cup automotive information security challenge.

Security Engineer


He is a security engineer at Xiaomi. After careful career planning he changed careers: he previously worked as a hardware engineer at Tianyu Mobile and at Qualcomm CE, among others. In 2018 he entered the network security industry, and before joining Xiaomi he spent more than three years at 360 as an IoT security researcher, specializing in hardware and firmware security, radio security, communication protocol security, and Linux and RTOS system security. He has submitted valid vulnerabilities to the SRCs of Ali, 360, Xiaomi, and other vendors.