
Add notice about security concerns

Open J4nsen opened this issue 2 years ago • 7 comments

Hi,

I have some security concerns regarding the JK-BMS.

Am I right that the pins one needs to use in the official app are somewhat snake oil? I assume that they are sent in the messages to the app and only verified inside the app, but not by the BMS itself?

Do you know if a constant connection from an ESP via BT-LE to the BMS prevents attackers from exploiting this behaviour?

J4nsen avatar Jul 10 '22 14:07 J4nsen

Your assumption is correct. This is my assumption (never verified): If you connect to the BMS and request the device info, the BMS returns a frame containing the name of the BMS and the current password. If you change a restricted setting in the Android app, the entered/required password is compared to the value from the device info frame (locally). No real security here. ;-)

TL&DR: No password required to control the BMS.

Do you know if a constant connection from an ESP via BT-LE to the BMS prevents attackers from exploiting this behaviour?

I don't have much knowledge about possible attacks of BLE connections. The ESP connection to the BMS isn't rock solid. An attacker could connect to the BMS on every "connection reset".

syssi avatar Jul 10 '22 16:07 syssi

The advantage of a permanent BLE connection: The BLE module doesn't advertise the BMS if a connection is active. Your neighbor won't see the device permanently anymore in the list of nearby Bluetooth devices. ;-)

syssi avatar Jul 11 '22 06:07 syssi

Thanks for your answer. This BLE connection thingy without any real authentication/authorization makes me somewhat uncomfortable.

Do you know a way to disable Bluetooth in the BMS, or is there a way to make it read-only?

I like the idea of "hiding" the device with a permanent connection by the ESP, even if it is more security through obscurity...

EDIT: Perhaps this security enhancement of your project could also be mentioned on the front page :)

J4nsen avatar Jul 11 '22 10:07 J4nsen

If you open the BMS you could pull the RST pin of the Bluetooth module to GND to disable the module permanently. Did you see the issue about wired communication with the BMS using the serial lines of the BLE module? This is possible but not implemented yet: https://github.com/syssi/esphome-jk-bms/issues/108

syssi avatar Jul 11 '22 12:07 syssi

Oh nice, didn't know about that issue. Would love to see that implemented :)

Right now I'm using the RS485 port for dbus-serialbattery. It would be awesome to hijack the RX/TX lines and use them with esphome-jk-bms.

Thank you very much! I got all the answers I needed.

J4nsen avatar Jul 11 '22 12:07 J4nsen

I re-open the issue as a reminder to extend the docs.

syssi avatar Jul 12 '22 06:07 syssi

How to occupy the BLE module to stop advertising the BMS using BLE: https://github.com/syssi/esphome-jk-bms/blob/main/yaml-snippets/esp32-ble-block-traffic.yaml

syssi avatar Apr 14 '23 07:04 syssi
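For readers who want to see the "occupy the BLE module" mitigation in concrete form, here is an added ESPHome configuration. It is not the project's own yaml-snippets file linked above and was not posted by anyone in this thread; it uses ESPHome's standard `esp32_ble_tracker` and `ble_client` components to hold a connection to the BMS so that it stops advertising, and logs every disconnect so that the "connection reset" windows syssi mentions become visible in the ESPHome log. The MAC address, device name and board are placeholders that must be replaced with your own values.

```yaml
# Added example configuration (not from the esphome-jk-bms repository).
# Keeps an ESP32 permanently connected to the JK-BMS BLE module so the
# BMS no longer shows up in nearby-device scans, and logs each
# disconnect so gaps in the "occupation" are visible.

esphome:
  name: jk-bms-guard          # placeholder device name

esp32:
  board: esp32dev             # placeholder, use your actual board
  framework:
    type: arduino

logger:

# The tracker is required by ble_client; no scan results are consumed here.
esp32_ble_tracker:

ble_client:
  - mac_address: "AA:BB:CC:DD:EE:FF"   # placeholder, MAC of the BMS BLE module
    id: jk_bms_ble
    on_connect:
      then:
        - logger.log: "Connected to BMS; it should stop advertising now"
    on_disconnect:
      then:
        - logger.log:
            format: "Lost BLE connection to BMS; it advertises again until we reconnect"
            level: WARN
```

ESPHome reconnects a `ble_client` automatically after a drop, so the warning line above marks exactly the interval during which the BMS is reachable by any other nearby device. Counting these warnings in your log is a simple way to judge how "rock solid" the connection is in your environment; the configuration does not add authentication to the BMS itself, which remains unauthenticated as described in this thread.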