VESC safety issues → no PW?

So I was thinking… If you get near to someone with a board, you can theoretically just connect with the VESC tool app and just completely mess up their settings, without them even realizing it until its too late, right? That seems really dangerous, even my 20$ smart BMS lets you set a password you have to enter before you can change any settings.


That’s what the pairing is for.

You can log your own hardware UUID from VESC Tool and then if you “pair it” you won’t be able to connect wirelessly with any other device except your phone or computer, without entering the UUID as the password.

1 Like

In general, until / unless VESC hacking becomes a thing, it seems more a problem than a solution, as I’ve accidentally locked myself out by not knowing my UUIDs before and nobody knows to log that stuff ahead of time.


damn I didn’t even think of that, time to write my UUIDs down.

You can still connect via wire (USB for example) if the pairing flag is set and you use a foreign device.

I always thought that pairing_done flag in VESC Tool does not give any protection. If I remove following lines of code and compile VESC Tool, I can still connect and change settings, right?


It seems to give light protection against casual pranksters, but not any against dedicated bad actors.

Kind of like a lock on a chainlink fence gate that can be jumped over if desired. The drunk guy walking by on the sidewalk probably isn’t going open it and run inside. The guy whose wife you fucked last week will definitely be able to get inside.



I think asking for a PW and encrypting said PW isn’t too much work, is it?

I would love having to enter a password, even when connecting via USB.


No, that’s a lot of work.
A password alone is a little less work, but still not trivial.
Getting support for a new secure handshake, and exchange protocol in every Bluetooth client is even more work.

As a rule of thumb doing security right is always a lot of work.
Of course you can always take shortcuts, but then you’ve only achieved security theater.


I have been thinking about this for a while and finally decided to do some research. awesome question!:+1:

It’s really easy to capture a uuid and bypass this. Float control app for iphone makes it very easy. I would not rely on this at all.

If you’re paranoid, you can disconnect the bluetooth module or disable it. Now you need physical access to the USB port.

Alternatively, Metr modules have a required pairing code.

1 Like