It’s actually possible to use the debugger on the NRF dev kits to flash/debug custom PCBs with NRF chips. So a separate (more expensive) JTAG debugger is in fact not required.
Yes, nRF dev boards have an on-board J-Link, and Nordic provides instructions on how to turn the board into a programmer. Their licensing with SEGGER explicitly allows this as long as you use it for other Nordic devices. Much cheaper than a standalone J-Link.
BLE has a privacy feature that enables MAC address rotation, but it isn't a requirement. Apple products and Android phones use the privacy feature, but other than that most products don't. The possibility of tracking someone via the MAC address of their Bluetooth devices is very real.
But you are correct that regular apps can't address the MAC address of connected Bluetooth devices, so the tracking vulnerability that OP is suggesting isn't really possible.
Apple devices all use a private resolvable Bluetooth address that changes every 15 minutes. That, along with a cryptographic payload, protects against this.
Aside from Apple products and Android phones, most other Bluetooth products do not use private resolvable addresses, and many have the issue that you describe. The name isn’t always so obvious, but sometimes there is identifiable data that can be read.
Not sure I agree here. Most Bluetooth Low Energy devices (aside from Apple devices and Android phones) don't make use of the privacy feature and therefore their device address can be linked to a specific product. Many Bluetooth products have user accounts attached to them (think fitness trackers and AirTag-like products), meaning that the device address can be tied to a specific user.
Now consider the vast number of “smart nodes” out there (e.g. street lights) that have multi-protocol connectivity built into them. Whoever controls these nodes can simply scan and log every BLE advertisement that is nearby.
I’m not saying that this is the only way that a person can be tracked or that this kind of tracking is definitely happening right now, but it’s a very real possibility.
There’s no actual Bluetooth connection that happens here. The AirTag or other FindMy-enabled device is purely transmitting. The packets being transmitted are Bluetooth Low Energy advertisements (sometimes referred to as “beacons”). Any Apple device can perform Bluetooth Low Energy scanning and can listen for these advertisements, and report what they’ve found to Apple’s servers.
Private resolvable addresses are a BLE thing, but very few devices (aside from Apple products and Android phones) actually use them. It’s a shame, really, because most embedded BLE stacks support the feature.
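As an added illustration (not code from this thread), this is the resolvable private address (RPA) mechanism the comment above and the earlier one on Apple's 15-minute rotation refer to, written in Go over the standard library's AES. The IRK and prand values are constructed for the example, addresses are held most-significant byte first, and ah is the Core Specification's address-hash function.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
)

type (
	IRK  [16]byte // 128-bit Identity Resolving Key, shared with a peer when bonding
	Addr [6]byte  // 48-bit BLE device address, most significant byte first
)

// ah is the address-hash function of the Core Specification (Vol 3, Part H):
// ah(k, r) = AES-128_k(0^104 || r) mod 2^24, where r is the 24-bit prand.
func ah(k IRK, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // cannot happen for a 16-byte key
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r occupies the least significant 24 bits
	block.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]} // mod 2^24: keep the low 24 bits
}

// NewRPA assembles prand || hash. A device draws a fresh prand from its RNG
// every rotation interval, so the address on the air changes while the IRK
// stays fixed; the top two bits of prand are forced to 01, the RPA type marker.
func NewRPA(k IRK, prand [3]byte) Addr {
	prand[0] = (prand[0] & 0x3F) | 0x40
	hash := ah(k, prand)
	var a Addr
	copy(a[:3], prand[:])
	copy(a[3:], hash[:])
	return a
}

// Resolve is what a bonded peer does per advertisement: recompute the hash
// under its stored IRK. Without the IRK, one rotation cannot be linked to the next.
func Resolve(k IRK, a Addr) bool {
	if a[0]&0xC0 != 0x40 {
		return false // public, static random or non-resolvable: not an RPA
	}
	prand := [3]byte{a[0], a[1], a[2]}
	hash := ah(k, prand)
	return subtle.ConstantTimeCompare(hash[:], a[3:]) == 1
}
```

A device that never uses this feature advertises the same address every time, which is exactly the linkability the comments describe.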
My company is working on a platform to make BLE product development much easier than it is today, and also to improve the quality of BLE products. We plan to make privacy a standard feature.
The Bluetooth Mesh standard actually is based on a Bluetooth 4.0 feature set (basic advertising and scanning), so really any BLE device can support it. The problem is that the software is complicated, so typically only newer devices have software support.
Many chip vendors have BT mesh implementations, including Nordic, TI, SiLabs, Cypress, Dialog, and ST.
It’s a little bit better than that, in that only some nodes rebroadcast everything while you can have lower-power nodes be primarily in transmit mode. But yes, I think the spec could use a lot of improvement.
It does seem like there’s a lot of momentum in the BT-SIG to grow the standard over a long period of time, and there also are a lot of active contributors, so I do expect it to mature in the future.
Easy to say, and I can’t know for sure exactly what factors impacted Broadcom’s decisions here, but I can tell you that chip manufacturers are under extreme pressure to keep costs down, which means that they may under-spec systems at times. Also, with the long design cycles involved in chip design, the patch capabilities may have been decided years in advance, before realizing how much would be needed.
In general I agree with your comment, though it’s a lot easier to say this in hindsight.
Bluetooth has the Secure Simple Pairing (SSP) feature, and Bluetooth Low Energy has the LE Secure Connections feature, which both use Elliptic Curve Diffie-Hellman key exchange and are therefore protected against passive eavesdropping. The standard also includes the ability to support authenticated pairing for protection against man-in-the-middle attacks; if you've ever had to see if a 6-digit number matches on the two devices that are being paired, then you are seeing the authenticated pairing taking place.
Even though the Bluetooth standard includes these features, many products don't actually use them and simply transmit data without any encryption or authentication procedure. This is particularly a problem with many Bluetooth LE products.
No, iOS devices enable Bluetooth Low Energy advertising pretty much the entire time that Bluetooth is on. This is used for features such as Handoff and AirDrop (and now for contact tracing, if enabled).