Pairable mode by default

BR/EDR

BLE

Pairing is the initial step in Bluetooth communication, where trust is established to enable future connections. A device may operate in either a pairable or non‑pairable state, and only when it is in the pairable state will it process incoming pairing requests. If the device is set to the non‑pairable state, it ignores such requests, preventing unintended or unauthorized pairing attempts.

Devices that automatically respond to pairing requests without user intervention may expose excessive device information, increasing the risk of impersonation and expanding the attack surface. Pairing should therefore be restricted to situations where it is strictly necessary, and the device should require physical user interaction such as pressing a button to initiate pairing.

Description

It must be proven that it is only possible to pair with the device after its status has been changed to pairable. Changing the mode to pairable must require user intervention. Pairable mode must remain enabled only for a limited time, until a pairing is performed, or until the user manually deactivates it.

To check if the device is pairable, a pairing process can be initiated with user tools or by using libraries such as Scapy. From the resources section, the following may be useful:

ID           Description
BSAM-RES-04  Bluetooth connections sniffing
BSAM-RES-05  Capture of a Bluetooth connection
BSAM-RES-06  Enabling debug mode on a Bluetooth controller
BSAM-RES-07  Sending and receiving HCI messages

Example case

A Bluetooth headset is discoverable and pairable after it is turned on. During that time, another unpaired device can obtain information about the headset through pairing requests without the user being notified.

We will use Wireshark with BTVS (btvs.exe -Mode wireshark) to capture packets for analysis.

We pair the headphones with the laptop. The laptop initiates a new connection by requesting the input/output capabilities (‘IO Capability’) with the IO Capability Request command:

Wireshark IO Caps Request

The headphones, at that moment, allow the connection as they respond with ‘IO Capability’ using the IO Capability Request Reply command:

Wireshark IO Caps Request Reply

The procedure culminates with the establishment of the connection, notified by the Simple Pairing Complete command:

Wireshark Simple Pairing

The control check FAILS because the device is pairable by default.
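The three HCI events shown in the capture above are what a tester looks for to decide this control. As an added example (not part of BSAM or its tooling), the following script parses a small H4-framed HCI event trace, extracts the IO capability and address the remote device reveals in its IO Capability Response, and marks the control FAIL when a Simple Pairing Complete with status 0x00 appears although the user never enabled pairing. The sample trace is constructed for the example; the event codes and field layouts follow the Bluetooth Core specification (Vol 4, Part E).

```python
# HCI event codes (Bluetooth Core spec, Vol 4, Part E, section 7.7)
EVT_IO_CAPABILITY_REQUEST = 0x31
EVT_IO_CAPABILITY_RESPONSE = 0x32
EVT_SIMPLE_PAIRING_COMPLETE = 0x36
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly", 3: "NoInputNoOutput"}

def bdaddr(raw):
    # HCI carries BD_ADDR little-endian; render it in the usual printed order
    return ":".join(f"{b:02X}" for b in reversed(raw))

def parse_h4_events(data):
    """Yield (event_code, params) for each H4-framed HCI event packet in data."""
    i = 0
    while i < len(data):
        if data[i] != 0x04:                       # 0x04 = HCI event packet
            raise ValueError(f"unsupported H4 packet type 0x{data[i]:02x} at offset {i}")
        code, plen = data[i + 1], data[i + 2]
        yield code, data[i + 3:i + 3 + plen]
        i += 3 + plen

def evaluate_pairable_by_default(data, user_enabled_pairing=False):
    """Decide the 'pairable mode by default' control from an HCI event trace."""
    findings = {"remote": None, "io_capability": None, "auth_req": None,
                "pairing_complete": False}
    for code, p in parse_h4_events(data):
        if code == EVT_IO_CAPABILITY_RESPONSE:   # remote reveals address and IO capability
            findings["remote"] = bdaddr(p[0:6])
            findings["io_capability"] = IO_CAPS.get(p[6], f"reserved(0x{p[6]:02x})")
            findings["auth_req"] = p[8]          # Authentication_Requirements field
        elif code == EVT_SIMPLE_PAIRING_COMPLETE and p[0] == 0x00:
            findings["pairing_complete"] = True  # status 0x00 = pairing succeeded
    # Pairing that succeeds without the user having enabled pairable mode fails the control
    unexpected = findings["pairing_complete"] and not user_enabled_pairing
    findings["verdict"] = "FAIL" if unexpected else "PASS"
    return findings

# Constructed sample trace (not a real capture): IO Capability Request event,
# IO Capability Response event from the remote, Simple Pairing Complete (status 0x00)
REMOTE = bytes.fromhex("665544332211")          # BD_ADDR 11:22:33:44:55:66, little-endian
SAMPLE_TRACE = (
    bytes([0x04, EVT_IO_CAPABILITY_REQUEST, 6]) + REMOTE
    + bytes([0x04, EVT_IO_CAPABILITY_RESPONSE, 9]) + REMOTE + bytes([0x03, 0x00, 0x00])
    + bytes([0x04, EVT_SIMPLE_PAIRING_COMPLETE, 7, 0x00]) + REMOTE
)

if __name__ == "__main__":
    print(evaluate_pairable_by_default(SAMPLE_TRACE))
```

Feed it the event packets exported from a BTVS/Wireshark capture of the device under test, and pass user_enabled_pairing=True only for a run in which pairable mode was switched on by hand.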