by tranv94 3644 days ago
Maybe I'm living in the past and haven't been informed, but is Bluetooth still insecure?
3 comments

Bluetooth 4.0 and 4.1 had a broken key exchange that was vulnerable to both passive and active attacks [1]. This could be remedied by a custom in-band or out-of-band key exchange, but I think it was rare for device manufacturers to go to those lengths.

The key exchange vulnerability was addressed in Bluetooth 4.2, which implements ECDH and is at least theoretically secure. [2]

[1] https://www.usenix.org/conference/woot13/workshop-program/pr...

[2] http://blog.bluetooth.com/everything-you-always-wanted-to-kn...

Except... that pairing in Bluetooth 4.2 is still broken. And they apparently even used an algorithm from Bluetooth 2 that was known to be broken.

https://pomcor.com/2015/06/03/has-bluetooth-become-secure/

Basically Passkey Entry is broken so eavesdroppers can trivially learn the PIN. You must use a dynamic PIN (not always possible).

Oh and if you're thinking you can implement your own pairing method that is actually secure, via the Out-of-Band method, think again! Neither Android nor iOS support it.

>Neither Android nor iOS support [pairing ... via the Out-of-Band method].

I'm not sure this is actually true (unless you're talking about bugs in individual manufacturers' implementations on Android?). Both iOS and Android support SSP with OOB key exchange via NFC.

There are lots of products that have been available that use this for pairing/connecting, e.g.: https://www.bose.com/en_us/support/article/pairing-a-device-...

Android supports OOB via NFC, but only as a special case. You should just be able to call `createBondOutOfBand()` but the method is hidden:

https://android.googlesource.com/platform/frameworks/base.gi...

I'm pretty sure iOS doesn't support pairing via NFC.

https://www.linkedin.com/pulse/nfc-speakers-from-apple-you-c...

http://www.informationweek.com/mobile/mobile-business/iphone...

So, no, they don't support OOB (except in one limited case on Android).

If the attacker has an Ubertooth, and is present when the key exchange happens.

Yes, it still is, especially since 4.0, and this new update does not seem to do anything to improve it. BT sux.

Care to elaborate?