Security News > 2020 > August > Impersonating users of 'protest' app Bridgefy was as simple as sniffing Bluetooth handshakes for identifiers
As first reported by Ars Technica, Bridgefy was promoting itself earlier this year as the app of choice for protesters in Hong Kong and India to organise their activities without being easily spied upon by law enforcement agencies.
The app uses both the internet and Bluetooth Low Energy for passing messages between users, falling back to the latter as a mesh network if wider internet connectivity is unavailable.
Impersonating a Bridgefy user is as simple as sniffing a BLE handshake to gather the user ID and device address before spoofing the latter.
On the latter, they noted "Compressing a message of size 10MB containing a repeated single character results in a payload of size 10KB", which was enough to crash Bridgefy to the point where the only way to get it working again was to delete the app and reinstall it from scratch.
The Register has contacted Bridgefy for further comment.