
In the movie Blackhat, the Bad Guy communicated "anonymously" with his cronies by setting up (I think) a Bluetooth hot spot in an open mall.

They all virtually crossed paths at some specific spot, where there was a radio and computer hidden in a bush.

The premise is these folks have never met, and assuming that the cronies aren't familiar with the tech and told to "go to this bench, do this workflow, enter in these codes". Rather they were told to download an app to their phone, go to this area and "start chatting", or maybe they connected to the bush server, and exchanged messages without ever having to be in the same place at the same time.

Can a modern phone contact a BT device without being manually paired (assuming it has cooperating software on the phone)? A non-hacked phone? Could they have been using just raw BLE for this?

What kind of range does BT and BLE have?



> The premise is these folks have never met, and assuming that the cronies aren't familiar with the tech and told to "go to this bench, do this workflow, enter in these codes". Rather they were told to download an app to their phone, go to this area and "start chatting", or maybe they connected to the bush server, and exchanged messages without ever having to be in the same place at the same time.

I'm pretty sure walkie-talkies can be purchased at any street-corner and replicate this.

Even toy walkie-talkies in the USA follow the FRS standard and have roughly ~1 mile or so of range (3 to 5 miles for more expensive walkie-talkies). Meaning you can have an untrackable "virtual meetup" with strangers as long as you all coordinate a time, place, and channel to talk.

------------

If you want more smarts, you'll want to:

1. Use LoRa -- 900MHz (800ish in Europe) is superior for range. Bluetooth is 2.4GHz and attenuates too quickly, and is therefore short-range only (a few hundred meters reliably).

2. LoRa modules are cheap. Arduinos, ESP32, Beaglebone ConnectPlay, etc. etc. A ton of different microcontrollers and microprocessors exist. Slap a solar panel + lead-acid battery on a BeagleBone Play or something and now you've got 24-hour always-on servers with 3 to 5 miles of communication range. Add on TLS1.3 and now it's encrypted to the latest and greatest specifications of encryption available.


Walkie-talkies are still unconventional technical items. Everyone has a phone - homeless people have phones. Phones are ubiquitous, and someone having one is not unusual.

They might be lower-tech, but it is odd if someone has a walkie-talkie - also easy to monitor (range == eavesdroppers have range too) and it is in fact illegal to use encryption over the available frequencies or to send digital data (so all things you could do, but which would draw attention).

The problem with committing crimes is that efforts to cover up the crime themselves are likely to create evidence of it.


> which would draw attention

Unless you're disrupting military / police / aviation frequencies, there is virtually no enforcement. The FCC does not routinely police the airwaves - they can be asked to investigate egregious disturbances, but if they do choose to respond (which is rare), that response will not start for weeks or months. Nobody is going to show up with guns drawn for an encrypted LoRa connection.


> and it is in fact illegal to use encryption over the available frequencies or to send digital data

Send it in encrypted Morse code.

Probably illegal but Morse code is itself legal and who out there would even know if some doo-dah-dahs were in fact encrypted anyway?

But LoRa is the more legitimate long-range module for homemade digital comms (encrypted) in any case. And should be easier to do.


LoRa is very neat, been playing with Meshtastic lately a bit - only downside is how fucking chatty it is, which makes it very easy to perform direction finding / trilateration using something like a KrakenSDR (or just a normal SDR and a directional antenna).

At some point I'd like to mess with trying to do "burst" comms over LoRa, maybe Meshtastic can be fiddled with to act in this manner - where it only actually sends RF traffic when it has something to say.


I just double-checked and I got my initial spelling (LoRA) wrong. It's actually spelled (LoRa) (lower-case a, not an upper-case). I've edited my earlier message to correct my mistake.

LoRA is the LLM / deep learning stuff. LoRa is the radio. Hurrah, overloaded terms!


You can configure the spreading factor and bandwidth to make the bursts very short, at the cost of robustness to interference etc. And transmit at sparse intervals if you want.
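An added example (mine, not any commenter's) that puts numbers on that trade-off: it implements the Semtech SX127x datasheet time-on-air formula so you can see how spreading factor and bandwidth change how long each burst stays on the air (longer bursts are easier to direction-find and eat more of a regional duty-cycle budget). It assumes the SX127x formula, an 8-symbol preamble, explicit header and CRC enabled; the 1% duty cycle used below is the EU 868 MHz band figure, treated here as an assumption.

```python
import math


def lora_time_on_air_ms(payload_bytes: int, sf: int, bw_hz: int, cr: int = 1,
                        preamble_symbols: int = 8, explicit_header: bool = True,
                        crc: bool = True) -> float:
    """Time on air (ms) of one LoRa packet, per the Semtech SX127x datasheet formula.

    sf: spreading factor 7..12; bw_hz: 125000/250000/500000;
    cr: 1..4 for coding rate 4/5 .. 4/8.
    """
    if not 7 <= sf <= 12:
        raise ValueError("spreading factor must be 7..12")
    if cr not in (1, 2, 3, 4):
        raise ValueError("coding rate index must be 1..4")
    t_sym = (2 ** sf) / bw_hz * 1000.0                 # one symbol, in ms
    t_preamble = (preamble_symbols + 4.25) * t_sym     # preamble + sync word
    # Low data rate optimisation (DE) is required when a symbol is longer than 16 ms
    de = 1 if t_sym > 16.0 else 0
    ih = 0 if explicit_header else 1
    numerator = 8 * payload_bytes - 4 * sf + 28 + 16 * (1 if crc else 0) - 20 * ih
    denominator = 4 * (sf - 2 * de)
    n_payload = 8 + max(math.ceil(numerator / denominator) * (cr + 4), 0)
    return t_preamble + n_payload * t_sym


def max_packets_per_hour(toa_ms: float, duty_cycle: float = 0.01) -> int:
    """How many bursts of this length fit in an hour under a duty-cycle limit
    (0.01 = the 1% figure assumed for EU 868 MHz sub-bands)."""
    return int(3600 * 1000 * duty_cycle // toa_ms)


def burst_table(payload_bytes: int) -> dict:
    """Time on air for a few SF/BW combinations, keyed by (sf, bw_hz)."""
    return {(sf, bw): round(lora_time_on_air_ms(payload_bytes, sf, bw), 3)
            for sf in (7, 9, 12) for bw in (125_000, 250_000, 500_000)}


if __name__ == "__main__":
    for (sf, bw), toa in burst_table(20).items():
        print(f"SF{sf:2d} BW{bw // 1000:3d}kHz: {toa:9.3f} ms on air, "
              f"{max_packets_per_hour(toa):5d} pkts/hour at 1% duty cycle")
```

SF7 at 125 kHz keeps a 20-byte packet on the air for about 57 ms, while SF12 at the same bandwidth holds it for about 1.3 s, which is the "robustness versus burst length" knob the comment describes.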


Yup, BLE can transmit data without pairing. That's how AirTags and the like work.

Basically, BLE is designed for lightweight sensors that periodically wake up and blindly transmit their data. It doesn't know or care if anyone receives.

The amount of data is small and necessarily unencrypted. Throughput is also very low.

For bidirectional communication, you might be able to do the reverse: have your device transmit these blind BLE packets, but I don't know offhand if that's supported in Android. There may be other ways, like packing some data into an advertisement query or something.

Again I'm not sure how well it's supported in Android, but under Windows you can silently establish a connection with an unsecured BLE device without user interaction. You don't actually pair to BLE devices most of the time, it's a different mechanism. And again this comes without encryption, but there are ways around that.


Android has a BLE scanner app that can passively read info. I don't know enough about the protocol to know if that is the same thing you are referring to.


Android allows you to initiate scanning and receive advertisements without user interaction (assuming the app has the permissions to run in the background and use Bluetooth). Advertisements are "broadcasts" or "beacons".


Do you know which app you are talking about?


"Pairing" in BLE-speak is a key exchange procedure so devices can establish a secure connection without performing authentication again.

BLE communication can happen inside of a "connection", or outside of a connection.

A typical device "advertises" its presence with beacons which are broadcast on 3 channels. These beacons are user-defined, so you can use them like UDP packets. Sensor wakes up and broadcasts the current temperature.

Your smartphone can receive advertisements while scanning. Check out the insane number of beacons present in an American apartment complex.

Note: BLE connections may be encrypted, or not. That's up to you. You do not need to "pair" (exchange keys) to communicate with a connection. There are 4 "modes" to authenticate. Without an out-of-band communication mode, all are vulnerable to MITM.

The latest BLE standard improves range with a half-data rate PHY. Range is determined by transmit power and attenuation. Most BLE radios are designed for short-range communication. I've never seen one consuming more than mW, but that does not mean you couldn't make an amplifier that transmits BLE much further.


At least for BLE one could use advertising packets to transmit the data, sensor beacons tend to do this with e.g. a temperature. There is also the scan-response mode, initiated by the device scanning for others. And you can use plain GATT without any authentication, but that would be fully unencrypted iirc.

Rangewise it might be possible to reach 100m in an open field under very good conditions, especially when utilizing coded PHY, but not with default power levels I think.

There is a lot more to know, one place to start is 'Intro to Bluetooth low energy' by Mohammed Afaneh.
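The two comments above describe advertising beacons as user-defined, connectionless payloads. As an added example (mine, not any commenter's), here is what a scanner app does with such a packet: it splits raw AdvData into AD structures (each laid out as length, type, data), decodes the common fields, and flags a malformed length rather than reading past the buffer. The 19-byte sample is constructed; its manufacturer-specific block uses company ID 0xFFFF, which the Bluetooth SIG reserves for testing.

```python
from dataclasses import dataclass

# AD types from the Bluetooth Assigned Numbers (only the ones decoded here)
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_TX_POWER_LEVEL = 0x0A
AD_MANUFACTURER_SPECIFIC = 0xFF


@dataclass
class AdStructure:
    ad_type: int
    data: bytes


def parse_ad_structures(adv: bytes) -> list:
    """Split AdvData into AD structures: [len][type][data...], where len counts
    the type byte. A zero-length structure means the rest is padding."""
    if len(adv) > 31:
        raise ValueError("legacy AdvData is at most 31 bytes")
    structures, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(adv):   # a hostile or corrupt length field; refuse to over-read
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        structures.append(AdStructure(adv[i + 1], bytes(adv[i + 2:end])))
        i = end
    return structures


def is_well_formed(adv: bytes) -> bool:
    try:
        parse_ad_structures(adv)
        return True
    except ValueError:
        return False


def decode_advertisement(adv: bytes) -> dict:
    """Pull out the fields a beacon inventory or scanner log would record."""
    info = {}
    for s in parse_ad_structures(adv):
        if s.ad_type == AD_FLAGS and s.data:
            info["flags"] = s.data[0]
        elif s.ad_type == AD_COMPLETE_LOCAL_NAME:
            info["name"] = s.data.decode("utf-8", errors="replace")
        elif s.ad_type == AD_TX_POWER_LEVEL and s.data:
            info["tx_power_dbm"] = int.from_bytes(s.data[:1], "little", signed=True)
        elif s.ad_type == AD_MANUFACTURER_SPECIFIC and len(s.data) >= 2:
            info["company_id"] = int.from_bytes(s.data[:2], "little")  # LE uint16
            info["payload"] = s.data[2:]   # the free-form, "UDP-like" part
    return info


# Constructed sample: flags 0x06, name "Bush", tx power -10 dBm, then
# manufacturer-specific data "hi!" under the reserved test company ID 0xFFFF.
SAMPLE_ADV = bytes.fromhex("020106" "050942757368" "020af6" "06ffffff686921")

if __name__ == "__main__":
    print(decode_advertisement(SAMPLE_ADV))
```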


https://en.wikipedia.org/wiki/Dead_drop#Modern_techniques

depending on how good of a line-of-sight you have to the transmitter, you can receive over 50+m using a well-tuned antenna

if the transmitter is hidden, range largely depends on what it's hidden inside, but even a phone at the bottom of a backpack can receive from a similarly hidden flipper zero broadcasting from another backpack at about 5-10m


> Can a modern phone contact a BT device without being manually paired (assuming it has cooperating software on the phone)?

Yes. I manage IoT apps for Android and iOS that do exactly this. You can write/read data to any Bluetooth device around you that is advertising as connectable and has a GATT characteristic that supports it.


Someday vendors will provide L2CAP support and we can all stop using GATT for bi-directional data transfer.



