
I'm thinking about creating a physical lock, where the keys would simply be paired Bluetooth devices, but I'm concerned about the potential (in)security. I would like to have a Bluetooth 2.1 module constantly scan for paired devices and, when one is found and successfully connected to (by the module), open the lock. Neither the 'lock' module nor the 'key' device will broadcast its Bluetooth address (since the module should already know the key's address from pairing), hopefully keeping their existence unknown to any 'bystanders'.

So my question is: using a long pairing PIN (e.g. 20 digits) and assuming the pairing process isn't intercepted, would it still be possible to 'spoof' a paired device and therefore allow the module to connect to it?

IAmHello
  • A quick Google search turned this up: http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html – schroeder Oct 15 '16 at 20:45
  • All of those locks still use a password, so does that mean that just checking for a paired device is inherently insecure? – IAmHello Oct 16 '16 at 21:39

1 Answer


It has been in the past with various devices. It entirely depends on the BT version and implementation on the device. Modern versions of BT (4.x) have good feature sets to prevent these things from happening but most implementations will downgrade to an insecure setting to facilitate connection with an older device.

There are also implementation errors that lead to a new device leaking the pairing key that is supposed to secure the connection from spoofing.

READ THIS: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2.pdf

THEN READ THIS: https://null-byte.wonderhowto.com/how-to/hack-bluetooth-part-1-terms-technologies-security-0163977/

HackSlash
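The design in the question (open as soon as a paired device connects) and the spoofing concern the answer addresses, as an added example that is not part of either post: a toy Python model comparing two lock policies, an address-only check versus a challenge-response over the link key stored at pairing. It assumes HMAC-SHA256 as a stand-in for Bluetooth's E1 authentication function and uses constructed addresses and keys; it does not touch a real Bluetooth stack.

```python
import hashlib
import hmac
import secrets

# Toy model (assumption): HMAC-SHA256 stands in for the Bluetooth E1
# authentication function; no real radio or pairing exchange is involved.
class LockModule:
    def __init__(self):
        self.paired = {}  # address -> link key established at pairing

    def pair(self, addr, link_key):
        self.paired[addr] = link_key

    def address_only_check(self, addr):
        # Weak policy: "a known address connected" is taken as identity,
        # so anyone presenting that address passes without any key.
        return addr in self.paired

    def verify(self, addr, nonce, response):
        # Strong policy: the device must answer a fresh challenge with the link
        # key stored for the claimed address; a new nonce per attempt defeats replay.
        key = self.paired.get(addr)
        if key is None:
            return False
        expected = hmac.new(key, nonce + addr.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class KeyDevice:
    def __init__(self, addr, link_key):
        self.addr, self.link_key = addr, link_key

    def respond(self, nonce):
        return hmac.new(self.link_key, nonce + self.addr.encode(), hashlib.sha256).digest()

def should_open(lock, device):
    """A connection alone opens nothing; only a correct challenge response does."""
    nonce = secrets.token_bytes(16)
    return lock.verify(device.addr, nonce, device.respond(nonce))

def demo():
    lock = LockModule()
    genuine = KeyDevice("00:11:22:33:44:55", secrets.token_bytes(16))  # constructed
    lock.pair(genuine.addr, genuine.link_key)
    impostor = KeyDevice(genuine.addr, secrets.token_bytes(16))  # same addr, no link key
    return {
        "address_only_accepts_impostor": lock.address_only_check(impostor.addr),
        "challenge_accepts_genuine": should_open(lock, genuine),
        "challenge_accepts_impostor": should_open(lock, impostor),
    }
```

The point for the lock design: the module's "open" decision should depend on the authenticated, encrypted link the paired link key provides, never on the mere fact that a device with a remembered address connected.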