Äike BLE authentication bypass default BLE private key allow...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.nns.ee/2026/01/06/aike-ble/
• Blog Title: Äike BLE authentication bypass: default BLE private key allows unlocking any nearby scooter
• Suggested Section: Mobile Pentesting -> Android Applications Pentesting (Frida) and/or a new IoT/BLE subsection under Generic Hacking / Hardware-Physical Access (e.g., "BLE/GATT Pentesting: Frida sniffing + challenge-response auth bypass via default keys")

🎯 Content Summary

The post reverse-engineers the Äike electric scooter Android app (React Native compiled to Hermes bytecode) and identifies a critical BLE authentication design/implementation flaw: the scooter fleet uses a shared default BLE “private key” (20 bytes of 0xFF), so any attacker within BLE range can authenticate to and control any nearby scooter (e.g., unlock/lock, open battery tray, change settings).

1) Reverse engineering setup (why dynamic analysis was needed)
The app is React ...

🔧 Technical Details

Reversing React Native apps compiled to Hermes: When RN JavaScript is compiled into Hermes bytecode, static decompilation is often noisy/unreliable. A practical workflow is to (1) decompile native Java/Kotlin bridge code (e.g., with Vineflower) to locate OS/API boundaries, and (2) use dynamic instrumentation (Frida) to observe inputs/outputs and reconstruct protocol logic without fully recovering JS source. Hermes-focused tools (hermes_rs, hermes-dec, hasmer, hbctool) can supplement but runtime logging often yields faster protocol recovery.

BLE protocol extraction by hooking Android GATT APIs: Hook android.bluetooth.BluetoothGatt and android.bluetooth.BluetoothGattCallback methods for characteristic reads/writes/notifications to dump UUIDs and raw payloads (hex/ASCII). This reveals proprietary BLE authentication steps and command formats, and can support replay/modification of messages once framing is understood.

Crypto identifi...

🤖 Agent Actions

Summary:

• Added a Hermes-friendly dynamic analysis section showing how to hook BluetoothGatt/BluetoothGattCallback and MessageDigest with Frida to reconstruct BLE challenge-response flows when RN JS is compiled to Hermes.
• Documented the discovered BLE authentication pattern (SHA1(challenge||key)), the risk of default/shared keys, command/notification characteristics, and frame layout for post-auth control.
• Included an expandable bleak-based PoC for computing the response and issuing commands, and updated references with the Äike BLE auth-bypass write-up.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.nns.ee/2026/01/06/aike-ble/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (Frida) and/or a new IoT/BLE subsection under Generic Hacking / Hardware-Physical Access (e.g., "BLE/GATT Pentesting: Frida sniffing + challenge-response auth bypass via default keys")".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0