Pairable mode by default
BR/EDR
BLE
Pairing is the initial step in Bluetooth communication, where trust is established to enable future connections. A device may operate in either a pairable or non‑pairable state. Only when it is in a pairable state will it process incoming pairing requests. If the device is set to a non‑pairable state, it will ignore such requests, preventing unintended or unauthorized pairing attempts.
Devices that automatically respond to pairing requests without user intervention may expose excessive device information, increasing the risk of impersonation and expanding the attack surface. Pairing should therefore be restricted to situations where it is strictly necessary, and the device should require physical user interaction such as pressing a button to initiate pairing.
Description
It must be proven that pairing with the device is possible only after its status has been changed to pairable. Switching to pairable mode must require user intervention. Pairable mode must remain enabled only for a limited time, until a pairing is performed, or until the user manually deactivates it.
Related resources
To check if the device is pairable, a pairing process can be initiated with user tools or by using libraries such as Scapy. From the resources section, the following may be useful:
| ID | Description |
|---|---|
| BSAM-RES-04 | Bluetooth connections sniffing |
| BSAM-RES-05 | Capture of a Bluetooth connection |
| BSAM-RES-06 | Enabling debug mode on a Bluetooth controller |
| BSAM-RES-07 | Sending and receiving HCI messages |
Example case
A Bluetooth headset is discoverable and pairable after it is turned on. During that time, another unpaired device can access information about the headset through pairing requests without the user being notified.
We will use Wireshark with BTVS (btvs.exe -Mode wireshark) to capture packets for analysis.
We are pairing headphones with the laptop, which initiates a new connection by requesting the input/output capabilities, ‘IO Capability,’ with the IO Capability Request command:
The headphones, at that moment, allow the connection as they respond with ‘IO Capability’ using the IO Capability Request Reply command:
The procedure culminates with the establishment of the connection, notified by the Simple Pairing Complete command:
The control check result is FAIL because the device is pairable by default.
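The same verdict can be derived from the capture itself. The following is an added example, not part of the original page or of BSAM tooling: it assumes the HCI traffic has been exported as raw H4-framed bytes, treats an IO Capability Response or a successful Simple Pairing Complete event as evidence that the remote device processed the pairing request, and uses hypothetical function names and a constructed sample capture and address.

```python
import struct

# Event codes from the Bluetooth Core Specification (HCI, Secure Simple Pairing).
EVT_IO_CAP_RESPONSE = 0x32          # params: BD_ADDR(6) + IO cap + OOB + auth req
EVT_SIMPLE_PAIRING_COMPLETE = 0x36  # params: status(1) + BD_ADDR(6)
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly", 3: "NoInputNoOutput"}
# H4 packet type -> (header layout after the type byte, header size, label)
H4 = {0x01: ("<HB", 4, "cmd"), 0x02: ("<HH", 5, "acl"), 0x04: ("<BB", 3, "evt")}

def fmt_addr(raw):
    """BD_ADDR travels little-endian; return it in the usual printed order."""
    return ":".join(f"{b:02X}" for b in reversed(raw))

def parse_h4(stream):
    """Split H4-framed bytes into (kind, code_or_handle, payload) tuples."""
    out, i = [], 0
    while i < len(stream):
        if stream[i] not in H4:
            raise ValueError(f"unsupported H4 packet type 0x{stream[i]:02x} at offset {i}")
        fmt, hdr, kind = H4[stream[i]]
        if i + hdr > len(stream):
            raise ValueError(f"truncated header at offset {i}")
        code, plen = struct.unpack_from(fmt, stream, i + 1)
        payload = stream[i + hdr:i + hdr + plen]
        if len(payload) != plen:
            raise ValueError(f"truncated packet at offset {i}")
        out.append((kind, code, payload))
        i += hdr + plen
    return out

def assess(stream, user_enabled_pairing):
    """FAIL when the remote device took part in pairing without user action."""
    res = {"remote_io_cap": None, "paired_with": None, "verdict": "PASS"}
    for kind, code, p in parse_h4(stream):
        if kind == "evt" and code == EVT_IO_CAP_RESPONSE and len(p) >= 9:
            res["remote_io_cap"] = IO_CAPS.get(p[6], "reserved")
        elif kind == "evt" and code == EVT_SIMPLE_PAIRING_COMPLETE and len(p) >= 7 and p[0] == 0:
            res["paired_with"] = fmt_addr(p[1:7])
    if (res["remote_io_cap"] or res["paired_with"]) and not user_enabled_pairing:
        res["verdict"] = "FAIL"
    return res

# Constructed sample: IO Capability Request event, IO Capability Request Reply
# command (opcode 0x042B), IO Capability Response event, Simple Pairing Complete.
ADDR = bytes.fromhex("665544332211")  # constructed address 11:22:33:44:55:66
SAMPLE = (b"\x04\x31\x06" + ADDR + b"\x01\x2b\x04\x09" + ADDR + b"\x01\x00\x05"
          + b"\x04\x32\x09" + ADDR + b"\x03\x00\x04" + b"\x04\x36\x07\x00" + ADDR)

if __name__ == "__main__":
    print(assess(SAMPLE, user_enabled_pairing=False))
```

Set `user_enabled_pairing` to whether the tester physically placed the device in pairing mode before the capture was taken.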