As you might have noticed, I'm working on a low-cost single device Bluetooth Low Energy proxy based on @NordicTweets nRF52840.

I'll take my time for this, but wanna share some (meaningless) curiosities/spec violations I saw on some test devices (kept addresses visible) ...

@NordicTweets 1) The Logitech "R500" clicker rejects reading protected characteristic values with "Insufficient Authentication" Error (not "Insufficient Encryption")

@NordicTweets ... but reading the value after UNAUTHENTICATED pairing is fine (mode: 1, level: 2 == encryption, unauthenticated)

I assume this is true for most devices with IO capabilities "NoInputNoOutput", as it seems to be the only way to make iOS initiate pairing automatically.

@NordicTweets 2) AwoX smart bulb places a "User Description Descriptor" on a BT SIG defined Characteristic (ASCII string 'DevName' for a characteristic called 'Device Name' per spec)

@NordicTweets ... the same AwoX bulb declares a characteristic with 'Notify' property set, but doesn't provide a 'Client Characteristic Configuration Descriptor' to store the notify state (enabled / disabled).

@NordicTweets 3) The "Samsung Gear S3" advertises with all possible flags enabled, claiming not to support BR/EDR, while being a BR/EDR Host AND Controller at the same time

@NordicTweets So yes, all of this is meaningless ... so why do I care?

Because I have hard times cloning such weird devices, with a firmware backed by @NordicTweets softdevice, which enforces specs in many cases.

@NordicTweets Why I think you should care ?

I tested none of those devices for security issues, not even a tiny bit of fuzzing. But products not even able to follow specs, occur a bit fishy security wise.

Just thinking loud 😉

Stay safe

@AwoX @SamsungMobile @Logitech

Comments/clarification appreciated