Input and output capabilities

BR/EDR

BLE

At the start of pairing, both devices exchange the information required to establish a shared key for secure future connections. Among the exchanged data are the input and output capabilities (IO capabilities), which indicate whether a device can show information on a screen, accept simple button presses, or allow the user to enter a code through a keypad. These capabilities help determine the safest and most suitable authentication method for the pairing process, depending on what each device can actually do.

Devices with greater input and output capabilities should use them to enable more secure pairing modes, since part of the security relies on user interaction to verify that the devices being paired are the intended ones. This verification, commonly through PIN confirmation, provides protection against MitM attacks.

Devices with limited IO capabilities cannot perform this verification and may be restricted to insecure methods such as “Just Works”, which requires no user interaction and does not protect against MitM attacks. Therefore, devices should declare the highest IO capabilities available and avoid declaring none.

Description

Information about supported input and output capabilities is exchanged between the devices when pairing, so this information must be captured during this process.

This can be done by initiating a pairing with a user tool, such as bluetoothctl, and capturing the connection with Wireshark. Another method is to use a Bluetooth packet sending library to simulate the initiation of a pairing and terminate the connection when the IO Capabilities Response message, which contains the necessary information, is received.

The message contains the IO Capability field with one of the following values:

Value  Name             Description
0x00   DisplayOnly      It is capable of displaying information on a screen but cannot receive inputs.
0x01   DisplayYesNo     It can display information and/or yes/no questions, allowing for limited interaction.
0x02   KeyboardOnly     It can receive input through a keyboard (e.g., entering a PIN during pairing).
0x03   NoInputNoOutput  It has no means to display information or receive input from, for example, keyboards or buttons.
0x04   KeyboardDisplay  It can receive input through a keyboard and it is capable of displaying information.

These values determine which pairing method will be used with the device, so the declared value should be the one with the highest possible capabilities. Therefore, it should be checked that the capabilities set in software are the highest that the device hardware allows.

To discover the IO Capability and related values of a device, a pairing can be forced, and the results captured using the following resources:

ID           Description
BSAM-RES-04  Bluetooth connections sniffing
BSAM-RES-05  Capture of a Bluetooth connection
BSAM-RES-06  Enabling debug mode on a Bluetooth controller
BSAM-RES-07  Sending and receiving HCI messages

Example case

We will use Wireshark with BTVS (btvs.exe -Mode Wireshark) to capture packets for the analysis of pairing between a laptop and the Samsung Galaxy Buds 2 Bluetooth Classic headphones and the Sony SP-WI600N BLE headphones.

For Bluetooth Classic, the IO Capability field can be found in the IO Capability Request and IO Capability Response commands. The provided example illustrates an IO Capability Response command with an IO Capability field value of 0x03 (NoInputNoOutput).

[Figure: Wireshark Pairing IO Capabilities Classic]

For Bluetooth Low Energy, the IO Capability field can be found in the Pairing Request and Pairing Response commands. The given example displays a Pairing Request command with an IO Capability field value of 0x03 (NoInputNoOutput).

[Figure: Wireshark Pairing IO Capabilities BLE]

The control result is FAIL when a device does not have the value 0x04 (KeyboardDisplay).

The auditor must ensure that the declared features match those present in the physical device.
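The check above applied to raw bytes exported from a capture, as an added example that is not part of the original page or of BSAM's own tooling. The sample bytes are constructed, and the inputs are assumed to be an SMP PDU with the L2CAP header removed (BLE) and an HCI event without the H4 packet-type byte (BR/EDR).

```python
# IO Capability values, as listed in the table above.
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
SMP_CODES = {0x01: "Pairing Request", 0x02: "Pairing Response"}
HCI_EVT_IO_CAPABILITY_RESPONSE = 0x32


def io_cap_from_smp(pdu: bytes):
    """BLE: return (message name, IO Capability) from an SMP pairing PDU."""
    # Layout: Code, IO Capability, OOB flag, AuthReq, Max Key Size,
    # Initiator Key Distribution, Responder Key Distribution (7 bytes).
    if len(pdu) != 7 or pdu[0] not in SMP_CODES:
        raise ValueError("not an SMP Pairing Request/Response PDU")
    return SMP_CODES[pdu[0]], pdu[1]


def io_cap_from_hci_event(evt: bytes):
    """BR/EDR: return (message name, IO Capability) from an HCI event."""
    # Layout: Event Code, Parameter Length (9), BD_ADDR (6 bytes),
    # IO_Capability, OOB_Data_Present, Authentication_Requirements.
    if len(evt) != 11 or evt[0] != HCI_EVT_IO_CAPABILITY_RESPONSE or evt[1] != 9:
        raise ValueError("not an HCI IO Capability Response event")
    return "IO Capability Response", evt[8]


def audit(io_cap: int) -> str:
    """Apply the page's criterion: FAIL unless the value is 0x04."""
    # A PASS here still has to be compared with the physical device by the auditor.
    name = IO_CAPS.get(io_cap, "Reserved")
    verdict = "PASS" if io_cap == 0x04 else "FAIL"
    return f"{verdict}: 0x{io_cap:02x} ({name})"


# Constructed sample messages (not taken from the captures on this page).
SMP_PAIRING_REQUEST = bytes.fromhex("01030001100303")
SMP_PAIRING_RESPONSE = bytes.fromhex("02040009100303")
HCI_IO_CAP_RESPONSE = bytes.fromhex("3209" "665544332211" "03" "00" "02")

if __name__ == "__main__":
    for parser, raw in ((io_cap_from_smp, SMP_PAIRING_REQUEST),
                        (io_cap_from_smp, SMP_PAIRING_RESPONSE),
                        (io_cap_from_hci_event, HCI_IO_CAP_RESPONSE)):
        message, io_cap = parser(raw)
        print(f"{message}: {audit(io_cap)}")
```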

External references

  • Bluetooth Core V5.3, Vol. 3, Part C, Section 5.2.2.4 - IO capabilities
  • Bluetooth Core V5.3, Vol. 3, Part C, Section 5.2.2.5 - Mapping of input / output capabilities to IO capability
  • Bluetooth Core V5.3, Vol. 3, Part C, Section 5.2.2.6 - IO and OOB capability mapping to authentication stage 1 method
  • Bluetooth Core V5.3, Vol. 3, Part H, Section 2.3.2 - IO capabilities
  • Bluetooth Core V5.3, Vol. 3, Part H, Section 2.3.5.1 - Selecting key generation method