|
|
1. Table of Contents
|
|
|
[[_TOC_]]
|
|
|
|
|
|
# Introduction
|
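Review bot: `1. Table of Contents` uses a numbered-list marker as a heading while every other heading in the document uses `#` markdown (`# Introduction`, `##### Silent Pairing Fix`); either make it `## Table of Contents` or drop the label and let `[[_TOC_]]` stand alone, otherwise the rendered page shows a stray one-item list above the generated contents.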
... | ... | @@ -182,7 +183,9 @@ The attacker can also exploit the silently created pairing to act as a trusted p |
|
|
|
|
|
##### Silent Pairing Fix
|
|
|
|
|
|
As part of our BLE work on this project, we have put together a patch for the BLESSED library that we are using, which fixes this vulnerability by proxying GATT read and write values to remove the authentication flag which triggers automatic pairing. [TODO link the patch when we are eventually able to]
|
|
|
As part of our BLE work on this project, we have put together a patch for the BLESSED library that we are using, which fixes this vulnerability by proxying GATT read and write values to remove the authentication flag which triggers automatic pairing.
|
|
|
|
|
|
TODO: Link the patch when we are eventually able to.
|
|
|
|
|
|
Our fix is heavily based on work by the COVIDSafe Android application team. The current version of the fix uses Java's reflection API to extract a specific field in the active `BluetoothGatt` object, and replace it with a proxy object that runs an `InvocationHandler` checking for characteristic read and write invocations.
|
|
|
|
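Review bot: the new standalone paragraph `TODO: Link the patch when we are eventually able to.` leaves an unresolved TODO in reader-facing text; track it as an issue and leave a neutral placeholder such as `Patch: link pending publication.` The fix description above it should also spell out the consequence of "remove the authentication flag": characteristic reads and writes then proceed without the pairing that flag would have required, so the document should state which characteristics this applies to and why that is acceptable for this project. The unchanged context line describing reflection on "a specific field in the active `BluetoothGatt` object" documents a dependency on a private Android implementation detail that can change between releases; a sentence on which Android versions the fix was verified against, and what the code does when the field lookup fails, would help whoever maintains this.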
... | ... | @@ -398,13 +401,14 @@ During our research, the Nexus 5X, Pixel 3a, 4, and 5 all had the highest possib |
|
|
|
|
|
#### BluetoothCommunicator
|
|
|
|
|
|
BluetoothCommunicator is a BLE library built upon the core Android `BluetoothGATT` objects similar to BLESSED. However, unlike BLESSED, BluetoothCommunicator is geared more towards async messaging, and not a general-use library.
|
|
|
BluetoothCommunicator is a BLE library built upon the core Android `BluetoothGatt` objects, similar to BLESSED.
|
|
|
However, unlike BLESSED, BluetoothCommunicator is geared more towards async messaging, rather than being a general-purpose library.
|
|
|
|
|
|
<https://github.com/niedev/BluetoothCommunicator>
|
|
|
|
|
|
Because of the added flexibility working with BLESSED gives us, future development of BLE mesh networking tools will likely focus on our allocator characteristic framework. However it is useful to research the BluetoothCommunicator library because it gives us insight into how a higher-level messaging framework might be built upon the allocator characteristic system.
|
|
|
|
|
|
While the library has methods built to enable auto-peering, our attempt to enable auto-peering with this framework proved unsuccessful.
|
|
|
While the library has methods to enable auto-peering, our attempt to enable auto-peering with this framework proved unsuccessful.
|
|
|
|
|
|
### Bluetooth Mesh
|
|
|
|
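Review bot: `our attempt to enable auto-peering with this framework proved unsuccessful` gives a future reader nothing to act on; record what was tried (which library methods) and what was observed (symptom or error) so the result can be reproduced or revisited. Minor style point on `geared more towards async messaging, rather than being a general-purpose library`: "more towards ... rather than" doubles the comparison; `geared towards async messaging rather than general-purpose use` reads cleaner. The `BluetoothGATT` to `BluetoothGatt` correction matches the class name used in the Silent Pairing Fix section.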
... | ... | @@ -525,10 +529,10 @@ NSD (implemented by the Android platform) appears to get some kind of special tr |
|
|
|
|
|
### LAN Broadcast
|
|
|
|
|
|
KDE Connect uses LAN broadcast, rather than multicast, for discovering peers.
|
|
|
The KDE Connect app uses LAN broadcast, rather than multicast, for discovering peers.
|
|
|
We should investigate whether this could be used to work around the issues we've seen with LAN multicast on some devices and networks.
|
|
|
|
|
|
https://invent.kde.org/network/kdeconnect-android/-/blob/master/src/org/kde/kdeconnect/Backends/LanBackend/LanLinkProvider.java
|
|
|
<https://invent.kde.org/network/kdeconnect-android/-/blob/master/src/org/kde/kdeconnect/Backends/LanBackend/LanLinkProvider.java>
|
|
|
|
|
|
## Wi-Fi
|
|
|
|
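Review bot: the `LanLinkProvider.java` reference points at `master`, so the linked code can move or disappear; pin the URL to a commit SHA or tag so the reference stays valid. The added sentence proposing LAN broadcast as a workaround for the multicast problems should also note the point that matters for security: broadcast discovery reaches every host on the segment, so any peer found this way is unauthenticated until verified, exactly as with multicast, and the document should say how that verification is expected to happen before a discovered peer is trusted.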
... | ... | |