syssi / esphome-jk-bms

ESPHome component to monitor and control a Jikong Battery Management System (JK-BMS) via UART-TTL or BLE
Apache License 2.0
450 stars 151 forks

Add notice about security concerns #139

Open J4nsen opened 2 years ago

J4nsen commented 2 years ago

Hi,

I have some security concerns regarding the JK-BMS.

Am I right that the PINs one needs to use in the official app are somewhat snake oil? I assume that they are sent in the messages to the app and only verified inside the app, but not by the BMS itself?

Do you know if a constant connection from an ESP via BLE to the BMS prevents attackers from exploiting this behaviour?

syssi commented 2 years ago

Your assumption is correct. This is my assumption (never verified): If you connect to the BMS and request the device info, the BMS returns a frame containing the name of the BMS and the current password. If you change a restricted setting in the Android app, the entered/required password is compared to the value from the device info frame (locally). No real security here. ;-)

TL;DR: No password required to control the BMS.

> Do you know if a constant connection from an ESP via BLE to the BMS prevents attackers from exploiting this behaviour?

I don't have much knowledge about possible attacks of BLE connections. The ESP connection to the BMS isn't rock solid. An attacker could connect to the BMS on every "connection reset".

syssi commented 2 years ago

The advantage of a permanent BLE connection: The BLE module doesn't advertise the BMS if a connection is active. Your neighbor won't see the device permanently anymore in the list of nearby Bluetooth devices. ;-)

J4nsen commented 2 years ago

Thanks for your answer. This BLE connection thingy without any real authentication/authorization makes me somewhat uncomfortable.

Do you know a way to disable Bluetooth in the BMS, or is there a way to make it read-only?

I like the idea of "hiding" the device with a permanent connection by the ESP, even if it is more security through obscurity...

EDIT: Perhaps this security enhancement of your project could also be mentioned on the front page :)

syssi commented 2 years ago

If you open the BMS you could pull the RST pin of the Bluetooth module to GND to disable the module permanently. Did you see the issue about wired communication with the BMS using the serial lines of the BLE module? This is possible but not implemented yet: https://github.com/syssi/esphome-jk-bms/issues/108

J4nsen commented 2 years ago

Oh nice, didn't know about that issue. Would love to see that implemented :)

Right now I'm using the RS485 port for dbus-serialbattery. It would be awesome to hijack the RX/TX lines and use them with esphome-jk-bms.

Thank you very much! I got all the answers I needed

syssi commented 2 years ago

I'm re-opening the issue as a reminder to extend the docs.

syssi commented 1 year ago

How to occupy the BLE module to stop advertising the BMS using BLE: https://github.com/syssi/esphome-jk-bms/blob/main/yaml-snippets/esp32-ble-block-traffic.yaml
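Added example (not the project's linked snippet and not code from the thread's participants) of what "occupying" the BLE module looks like as an ESPHome configuration: the ESP32 keeps a `ble_client` connection open to the BMS, so the BMS's BLE module stops advertising while the link is up. The MAC address and the `id` are placeholders; the `on_disconnect` log line is there because, as noted above, the link is not rock solid and every reconnect window is a moment in which the BMS advertises again and accepts an unauthenticated peer.

```yaml
# Added example, not the project's own yaml-snippet. Holds a persistent
# BLE connection from the ESP32 to the JK-BMS so the BMS's BLE module
# stops advertising while the connection is active.
#
# Assumptions / placeholders:
#   - C8:47:8C:00:00:00 stands in for your BMS's BLE MAC address
#     (take it from the esp32_ble_tracker log output).
#   - jk_bms_ble_hold is an arbitrary id.
esp32_ble_tracker:

ble_client:
  - mac_address: C8:47:8C:00:00:00
    id: jk_bms_ble_hold
    # auto_connect is the default; stated explicitly because reconnecting
    # quickly after a connection reset is the whole point here.
    auto_connect: true
    on_connect:
      then:
        - logger.log: "BMS link up: BLE module no longer advertising"
    on_disconnect:
      then:
        # Each of these is a window in which the BMS is visible again and
        # would accept any peer; no PIN is enforced by the BMS itself.
        - logger.log:
            format: "BMS link down: BMS is advertising until reconnect"
            level: WARN
```

This only hides the device while the link is up; it does not add authentication. The BMS still accepts commands from whoever connects during a reconnect window, which is why the thread's other answer (pulling the BLE module's RST pin to GND and using a wired link) is the option that actually removes the attack surface.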