WARNING JBD password false sense of security PSA

[BradCagle]

Just wanted to give you guys a heads up. If you have a JBD BMS, and have a passcode set because you're concerned someone might connect to your battery, and change settings.

This is a total false sense of security, as the BMS responds to a clearpass command, and when received fully removes the pass code protection, even over bluetooth.

I have written a script that does this over bluetooth. It's in my Victron dbus-btbattery repo here: https://github.com/bradcagle/dbus-btbattery

 

[time2roll]

True security is just an illusion.

 

[TorC]

@time2roll True, but there's a big difference between "there are always holes" and something that accepts a command from a known untrustable source that bypasses security.

This is like the difference between a password reset link that can be used on any account that works from anywhere on the internet, or the same that works only if it is issued from a local console. The latter would be if the BMS would only reset the PW if requested by UART or another hardware interface.

Locks may only keep honest people honest, but there comes a point when it's too easy for the marginally honest to bypass it.

 

[BradCagle]

Yeah I just want to raise awareness. So if you really need to secure it, you'll need to either unplug the BT module, or possibly install a switch on the power, or data lines.

Or keep something connected 24/7 since they only allow a single connection.