We located the pistol on the air, with the gun off, from across the room, in under two minutes — using a $15 USB dongle and free software. Anyone can do the same to find who is carrying an LNK9, from tens of meters away, passively and undetectably.
Rated High on the engagement’s CPS / physical-safety severity model. A standard CVSS base score lands in the Medium range (passive, confidentiality-only, no effect on the firing path); we elevate it to High because the disclosed attribute is the carrier’s armed status and location — a personal-safety exposure, not ordinary data leakage. It is not Critical: the weapon’s command channel itself is properly protected (see “The good news”, below).
Every time the LNK9 is powered, its Bluetooth radio advertises a three-layer fingerprint that uniquely and permanently identifies the device as a Lodestar LNK9 — readable by any passive receiver in range, with no pairing or authentication:

| Fingerprint layer | Observed value | Why it identifies the gun |
|---|---|---|
| Static public MAC | 00:80:E1:27:12:28 | Public, IEEE-assigned, never rotates. OUI 00:80:E1 = STMicroelectronics; the address is derived from the chip’s silicon serial and is fixed for the life of the firearm. |
| Vendor service UUID | 36b438e5-…-776b281227e1 | A custom 128-bit UUID unique to the LNK9 product line. Even if the MAC were randomized, this alone re-identifies any LNK9. Its b438e5 base matches the GATT profile recovered from the companion app. |
| Manufacturer company ID | 0x0F47 (3911) | Carried in the advertisement’s manufacturer data. The Bluetooth SIG company-identifier registry assigns 0x0F47 to Lodestar Technology Inc. — a third, independent tell. |

Any one of these three is enough to detect an LNK9. Together they are an unmistakable, zero-false-positive signature. The device address type is public (most-significant bits 00), so the Bluetooth privacy feature (rotating addresses) is not in effect.
We did not take the company ID on trust. The mapping 0x0F47 → Lodestar Technology Inc. was confirmed on 2026-06-12 against the authoritative Bluetooth SIG company-identifier registry — the SIG’s own published company_identifiers.yaml — and independently corroborated by our own capture:

| Source consulted | Result |
|---|---|
| Bluetooth SIG · company_identifiers.yaml official assigned-numbers registry (source of truth) | `value: 0x0F47 name: 'Lodestar Technology Inc.'` |
| Our own RF capture · 2,438 ADV_IND PDUs, decoded with tshark | The confirmed LNK9 broadcasts 0x0F47 in its manufacturer data — an independent, on-air match to the registry. |

The widely-mirrored Nordic bluetooth-numbers-database does not yet list 3911 — consistent with a recent SIG assignment. The SIG registry is authoritative and confirms it. This means the attribution is a public record: any party can map 0x0F47 to the manufacturer without ever touching the device.
An adversary places a passive BLE scanner — a phone running nRF Connect, or a headless $15 dongle — at a choke point: a doorway, a parking garage, a checkpoint, a rival’s lobby. It does nothing but listen, filtering for company ID 0x0F47 or service UUID 36b438e5-….

The attack is entirely passive (receive-only), undetectable, requires no pairing or connection, and — because it is merely receiving unencrypted 2.4 GHz broadcasts — is legal in most jurisdictions. It scales: a handful of sensors can map LNK9 carriers across a building, a campus, or a city.

We ran a “baseline-and-hunt”: opened a live BLE air monitor with the gun off and across the room, locked a baseline of 35 ambient devices, then powered the gun and brought it close. It stood out instantly as the only new device carrying the LNK9 signature.

| Evidence | Detail |
|---|---|
| Identifying packets captured | 2,438 advertising PDUs from the target (decoded with Wireshark/TShark), advertising every ~106 ms, over a 3-minute passive capture |
| Signal | RSSI −54 to −70 dBm (≈ arm’s length to across-room) — strong, steady, persistent |
| Independent confirmation | Connected once and read the attribute table: the live GATT profile exactly matches the 16/26/36 b438e5-…-b841-… characteristics recovered from the companion app — identification is absolute |
| Likely silicon | Fingerprint is consistent with an STMicroelectronics STM32WB-class BLE SoC (public address auto-derived from the chip UID). Inference — to be confirmed by Lodestar/teardown. |
| Chain of custody | Session ATK-260612-061030 · timestamped log + passive .pcap, SHA-256 hashed at capture |

| Dimension | Assessment |
|---|---|
| Attack cost | Low — ~$15 dongle + free software; no transmission, no auth, no connection |
| Detection of the attack | None — purely passive reception; the carrier cannot know they were scanned |
| Persistence | Lifetime of the firearm — the public MAC is fixed in silicon and cannot be changed on current hardware without a firmware-level privacy scheme |
| Re-identification | Unique, zero false positives — the three-layer signature is unambiguous |
| Scalability | High — a sensor mesh tracks carriers at building / campus / city scale |
| Consequence | Physical safety — discloses who is armed, where, and when they are vulnerable |

The firmware advertises using the chip’s static public address and includes a unique service UUID and the manufacturer company ID in the advertising packet. The Bluetooth privacy feature (Resolvable Private Addresses) is not in effect. All three channels must be addressed — rotating the MAC alone is useless while the unique UUID or company ID still betrays the device.

This is a privacy/OPSEC exposure at the advertising layer — it is not a break of the weapon’s command path. In the same assessment we connected to the gun and confirmed that every proprietary command and telemetry characteristic rejected unauthenticated reads with “Insufficient Encryption.” The command channel is encryption-gated — a control working exactly as it should. That is why this finding is High and not Critical: an attacker can find the gun, but the GATT layer does not let them read or drive it without an authenticated, encrypted session. The next phase examines that pairing/bonding step directly.

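A check the vendor can run against its own advertising payload before shipping the fix, as an added example that is not part of this assessment or of Lodestar’s code: it parses a raw ADV_IND PDU and reports every stable identifier (fixed address, manufacturer company ID, vendor 128-bit service UUID) that the remediation paragraph says must go, then shows a hardened payload passing. The sample PDUs, addresses, company ID and UUID are constructed placeholders, not the LNK9’s values.

```python
# Added example (not from the assessment or Lodestar's firmware): a pre-ship privacy
# lint for an LE advertising PDU that reports the three stable identity channels the
# finding names. Addresses, company ID and UUID in the samples are constructed placeholders.
import uuid

AD_FLAGS, AD_UUID128_INC, AD_UUID128_CMP, AD_MFR = 0x01, 0x06, 0x07, 0xFF

def parse_adv_pdu(pdu):
    # Returns (tx_add, adv_a, [(ad_type, data), ...]) from a raw advertising PDU.
    tx_add = (pdu[0] >> 6) & 1                 # header TxAdd: 0 = public, 1 = random
    payload = pdu[2:2 + pdu[1]]
    adv_a, ads, i = payload[:6][::-1], [], 6   # AdvA is little-endian on air
    while i < len(payload) and payload[i]:
        n = payload[i]                         # AD length covers type byte + data
        ads.append((payload[i + 1], payload[i + 2:i + 1 + n]))
        i += 1 + n
    return tx_add, adv_a, ads

def address_kind(tx_add, adv_a):
    if tx_add == 0:
        return "public"
    kinds = {0b11: "static random", 0b01: "resolvable private", 0b00: "non-resolvable private"}
    return kinds.get(adv_a[0] >> 6, "reserved")  # two MSBs classify a random address

def privacy_findings(pdu):
    # Lists identifiers a passive observer could key on; an empty list means clean.
    tx_add, adv_a, ads = parse_adv_pdu(pdu)
    kind = address_kind(tx_add, adv_a)
    out = [f"fixed {kind} address {adv_a.hex(':')}"] if kind in ("public", "static random") else []
    for ad_type, data in ads:
        if ad_type == AD_MFR and len(data) >= 2:
            out.append(f"manufacturer company ID 0x{int.from_bytes(data[:2], 'little'):04X}")
        elif ad_type in (AD_UUID128_INC, AD_UUID128_CMP):
            for j in range(0, len(data) - 15, 16):   # UUIDs are little-endian on air
                out.append(f"vendor service UUID {uuid.UUID(bytes=data[j:j + 16][::-1])}")
    return out

def build_adv_ind(addr, ads, random_addr):
    # Assembles an ADV_IND PDU (PDU type 0, TxAdd in header bit 6) for the samples.
    payload = bytes.fromhex(addr.replace(":", ""))[::-1]
    for ad_type, data in ads:
        payload += bytes([len(data) + 1, ad_type]) + data
    return bytes([0x40 if random_addr else 0x00, len(payload)]) + payload

# Constructed "as found": public address, company ID and a vendor 128-bit UUID on air.
LEAKY = build_adv_ind("00:11:22:33:44:55", [(AD_FLAGS, b"\x06"),
    (AD_MFR, (0x1234).to_bytes(2, "little") + b"\x01"),
    (AD_UUID128_CMP, uuid.UUID("12345678-0000-1000-8000-00805f9b34fb").bytes[::-1])], False)
# Constructed "after remediation": resolvable private address (top bits 01), flags only.
HARDENED = build_adv_ind("4A:11:22:33:44:55", [(AD_FLAGS, b"\x06")], True)
```

`privacy_findings(LEAKY)` lists all three channels, while `privacy_findings(HARDENED)` returns an empty list; the vendor identifiers in the hardened layout would be exposed only after an encrypted connection, not in the broadcast.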
| Standard | Reference |
|---|---|
| NIST SP 800-121 Rev. 2 | §4.2.1 — use Resolvable Private Addresses where identity protection is required; public addresses should not be used |
| Bluetooth Core Spec v5.4 | Vol 6, Part B §6.11 (LE Privacy feature) — device does not employ RPA |
| CWE-200 / CWE-359 | Exposure of device identity / private information to an unauthorized actor over RF |
| CAPEC-612 | Static-MAC tracking (Wi-Fi/BLE) → persistent passive geolocation |
| OWASP IoT Top 10 | I2 — insecure network services / broadcast of device identity without authentication |