Pairing without user interaction
In Bluetooth, two devices must establish a shared link key before their communications can be encrypted. The pairing procedure “introduces” the devices to each other and establishes that key. Several methods exist to establish it, and some of them implement no security control to verify the identity of the devices involved.
The Just Works method pairs without any user interaction and gives the user no way to verify that the peer is the intended device, so it provides no protection against a man-in-the-middle (MITM) regardless of the pairing mode. With LE legacy pairing the situation is worse: Just Works uses a temporary key of zero and the rest of the key-agreement material is exchanged over the air in the clear, so a passive sniffer that captures the pairing can derive the key and impersonate the device. With Secure Simple Pairing (Bluetooth Classic) or LE Secure Connections the key is not exposed to a passive sniffer, but an active attacker can still insert itself during a Just Works pairing because nothing authenticates the exchange.
The following two elements must be checked to verify that the control is satisfied:
- The “Authentication Requirements” field of the “IO Capability Response” message must carry a value that requires MITM protection (0x01, 0x03 or 0x05; bit 0 set).
- The device shall reject any pairing attempt that results in the “Just Works” method.
The “IO Capability Response” message, which contains the “Authentication Requirements” field, can be captured during a pairing initiated with an ordinary user tool (for example the operating system’s Bluetooth settings) or by using Scapy to simulate a partial pairing.
To verify that pairing with “Just Works” is not possible, first check which IO capabilities the audited device reports, then configure a local controller with IO capabilities that force the method selection down to “Just Works” (NoInputNoOutput does so against any peer) and attempt to pair.
The control is only fulfilled when the “Authentication Requirements” value includes MITM protection and the “Just Works” pairing attempt is rejected.
To check this control, the following resources may be useful:
- Bluetooth connections sniffing
- Capture of a Bluetooth connection
- Sending and receiving HCI messages
- Changing the attributes of a controller
We will use Wireshark with BTVS (btvs.exe -Mode wireshark) to capture and analyze the packets.
The Bluetooth device configuration tool of the laptop’s operating system is used to initiate the connection. In Bluetooth Classic, Secure Simple Pairing starts with the IO Capability Request event, which the local host answers with an IO Capability Request Reply command carrying its own capabilities and authentication requirements.
The capabilities of the headphones arrive in the IO Capability Response event with IO Capability 0x03 (NoInputNoOutput). A NoInputNoOutput peer always leads to the Just Works method, which allows pairing without user intervention.
Pairing is confirmed a few messages later by the Simple Pairing Complete event.
The input/output capabilities of the headphones have allowed pairing without user confirmation or notification.
The control check FAILS when a device can be paired without user intervention.
The Just Works pairing method should be avoided. In this case the headphones have buttons on both earpieces that could serve as Yes/No buttons, providing a means of confirming the pairing.
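The two checks above and the capture walkthrough can be automated with a small decoder. The following is an added example and is not code from the original guide: it parses an HCI IO Capability Response event (H4 framing, event code 0x32), decodes the IO Capability and Authentication Requirements fields, reproduces the Secure Simple Pairing rule that maps both sides’ capabilities to the authentication stage 1 method, lists the local IO capabilities a tester should configure to reach Just Works against the audited device, and returns the control verdict once the outcome of that pairing attempt is known. The event bytes and the address 11:22:33:44:55:66 are constructed for illustration, not taken from the capture described on this page.

```python
# Added example (not part of the original guide): decode an HCI IO Capability
# Response event and evaluate the two checks of the "pairing without user
# interaction" control. Sample bytes below are constructed, not captured.
import struct
from dataclasses import dataclass

# HCI IO_Capability values (Bluetooth Core Vol 4, Part E)
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo",
           0x02: "KeyboardOnly", 0x03: "NoInputNoOutput"}
# Authentication_Requirements values; bit 0 set means "MITM Protection Required"
AUTH_REQ = {0x00: "MITM Not Required - No Bonding",
            0x01: "MITM Required - No Bonding",
            0x02: "MITM Not Required - Dedicated Bonding",
            0x03: "MITM Required - Dedicated Bonding",
            0x04: "MITM Not Required - General Bonding",
            0x05: "MITM Required - General Bonding"}
HCI_EVT_IO_CAPABILITY_RESPONSE = 0x32   # event code; 9 parameter bytes


@dataclass
class IoCapabilityResponse:
    bd_addr: str
    io_capability: int
    oob_data_present: int
    auth_requirements: int

    @property
    def mitm_required(self) -> bool:
        return bool(self.auth_requirements & 0x01)


def parse_io_capability_response(pkt: bytes) -> IoCapabilityResponse:
    """Parse an H4-framed HCI event: 0x04 | event code | param length | params."""
    if len(pkt) < 3 or pkt[0] != 0x04:
        raise ValueError("not an H4 HCI event packet")
    event_code, plen = pkt[1], pkt[2]
    params = pkt[3:3 + plen]
    if event_code != HCI_EVT_IO_CAPABILITY_RESPONSE or len(params) != 9:
        raise ValueError("not an IO Capability Response event")
    addr_le, io_cap, oob, auth = struct.unpack("<6sBBB", params)
    # BD_ADDR is carried least-significant byte first; render it MSB first
    bd_addr = ":".join(f"{b:02X}" for b in reversed(addr_le))
    return IoCapabilityResponse(bd_addr, io_cap, oob, auth)


def ssp_auth_stage1_method(init_io, resp_io, init_mitm, resp_mitm, oob=False):
    """Authentication stage 1 method that Secure Simple Pairing selects from
    the IO capabilities and authentication requirements of both devices."""
    if oob:
        return "Out of Band"
    if not (init_mitm or resp_mitm):
        # Neither side requires MITM protection: both behave as DisplayOnly
        return "Just Works"
    if 0x03 in (init_io, resp_io):        # NoInputNoOutput on either side
        return "Just Works"
    if 0x02 in (init_io, resp_io):        # KeyboardOnly on either side
        return "Passkey Entry"
    if init_io == 0x01 and resp_io == 0x01:
        return "Numeric Comparison"
    return "Just Works"                   # a DisplayOnly side cannot confirm


def just_works_downgrade_caps(remote_io, remote_mitm):
    """Local IO capabilities to configure on the tester's controller (with
    MITM required on our side) so that SSP selects Just Works against the target."""
    return [IO_CAPS[c] for c in IO_CAPS
            if ssp_auth_stage1_method(c, remote_io, True, remote_mitm) == "Just Works"]


def evaluate_control(resp, just_works_pairing_accepted):
    """Apply both checks of the control. just_works_pairing_accepted is the
    observed outcome of the pairing attempt made with a downgraded local capability."""
    findings = []
    if not resp.mitm_required:
        findings.append(f"Authentication_Requirements 0x{resp.auth_requirements:02X} "
                        f"({AUTH_REQ.get(resp.auth_requirements, 'reserved')}) "
                        "has no MITM protection")
    if just_works_pairing_accepted:
        findings.append("device accepted a Just Works pairing")
    return (not findings), findings


# Constructed sample event (hypothetical address 11:22:33:44:55:66):
# IO Capability NoInputNoOutput, no OOB data, MITM not required / dedicated bonding.
SAMPLE_EVENT = bytes.fromhex("04 32 09 665544332211 03 00 02")

if __name__ == "__main__":
    r = parse_io_capability_response(SAMPLE_EVENT)
    print(r.bd_addr, IO_CAPS[r.io_capability], AUTH_REQ[r.auth_requirements])
    print("local IO capabilities that reach Just Works:",
          just_works_downgrade_caps(r.io_capability, r.mitm_required))
    print(evaluate_control(r, just_works_pairing_accepted=True))
```

Feed the decoder the raw H4 bytes of the IO Capability Response event from the capture (Wireshark can export a frame as a hex stream); the list it returns is what to set as the local controller’s IO capability before the downgrade attempt, and the final verdict still depends on observing whether the device completes or rejects that pairing.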
- Bluetooth Core V5.3, Vol. 3, Part C, Section 18.104.22.168 - IO capabilities
- Bluetooth Core V5.3, Vol. 3, Part C, Section 22.214.171.124 - Mapping of input / output capabilities to IO capability
- Bluetooth Core V5.3, Vol. 3, Part C, Section 126.96.36.199 - IO and OOB capability mapping to authentication stage 1 method
- Bluetooth Core V5.3, Vol. 3, Part H, Section 2.3.2 - IO capabilities
- Bluetooth Core V5.3, Vol. 3, Part H, Section 188.8.131.52 - Selecting key generation method
- Bluetooth Core V5.3, Vol. 3, Part H, Section 2.3.1 - Pairing Methods
- Bluetooth Core V5.3, Vol. 3, Part H, Section 184.108.40.206 - LE Legacy pairing - Just Works
- Bluetooth Core V5.3, Vol. 3, Part H, Section 220.127.116.11 - Out Of Band
- Bluetooth Core V5.3, Vol. 3, Part H, Section 18.104.22.168.2 - Authentication Stage 1 - Just Works or Numeric Comparison