Re: How hacker will hack/impact my BLE device, when ...??


Marcio Montenegro
 

Hi all,
Maybe you can use a crypto device in your product.


You also need to develop an application to configure the crypto device chip.
Then after configuration each device is unique.
For inspiration see:

Note that these devices have no Bluetooth.
Best,
Marcio


On Wed, Mar 21, 2018 at 2:08 AM, Vakul Garg <vakul.garg@...> wrote:

Hi Vikrant

 

I am curious to understand about your security implementation.

I work in the area of TLS security and I am not a Bluetooth security expert.

 

In your case, does the app need to differentiate between a genuine or fake device?

Will it be able to create a shared secret with the device even if it is a clone of a genuine device and purposely programmed to leak the common encryption key?

 

Regards

 

Vakul

 

From: zephyr-devel-bounces@lists.zephyrproject.org [mailto:zephyr-devel-bounces@lists.zephyrproject.org] On Behalf Of Vikrant More
Sent: Tuesday, March 20, 2018 11:28 PM
To: zephyr-devel@lists.zephyrproject.org; zephyr-users@lists.zephyrproject.org
Subject: [Zephyr-devel] How hacker will hack/impact my BLE device, when ...??

 

Hi,

 

In my current project, I haven't implemented OOB pairing (BLE-based smart lights).

 

Using Zephyr's built-in ECDH library, a shared secret (using the secp256r1 curve) gets created on the Device as well as on the APP side, which will act as the encryption key for further communication.

 

On that encrypted link, the APP sends an encryption key which is common to all devices associated with it.

 

All this happens when the DEVICE is in factory reset mode.

 

Thereafter the communication link is encrypted using the newly assigned common key.

 

........................................................................................................................

 

This will create a security risk only if the device is not authenticated by the user & it could transfer the security key (which is common to many devices) to an unauthorized device.

 

To solve this, the APP will automatically trigger the DEVICE's LEDs to blink & ask the user "do you see the blinking LED?"

 

If the user clicks on "YES", then & only then will the ECDH process initiate & the common key get shared with the new DEVICE.

 

------------------------------------------------------------------------------------------------------------------------

 

Besides this I didn't find any security flaw in this implementation. So I need help from a Bluetooth security expert. Is there anyone who can help me to find out flaws & security risks in my current implementation?

 

Thanks,

vikrant8051
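The provisioning flow quoted above, modelled as an added example that is not code from the original thread, from Zephyr, or from either poster. It implements P-256 ECDH in plain Python (Zephyr's own ECDH implementation is not used), derives the link key with HKDF-SHA256, and uses a one-time XOR under the fresh 32-byte link key as a stand-in for the BLE link cipher. The names Party, provision, COMMON_KEY and the user_saw_led flag are assumptions made for the example, as is the constructed common key. It makes Vakul's question concrete: the ECDH exchange completes identically for a genuine light and for a clone of it, because nothing in the exchange identifies the device; the only step that decides whether a device receives the common key is the user's answer to the LED prompt.

```python
"""Model of the provisioning flow from the post: unauthenticated ECDH on
secp256r1 (P-256), then the APP sends its common key over the derived link.
Constructed example in pure Python; nothing here is Zephyr code."""
import hashlib
import hmac
import secrets

# secp256r1 / NIST P-256 domain parameters (affine coordinates).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 - 3x + b (mod p). None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add k*pt (not constant-time: fine for a model, not for firmware)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hkdf_sha256(ikm, info, length=32):
    """RFC 5869 HKDF (zero salt) turning the ECDH x-coordinate into a link key."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """Either the APP or a DEVICE (hypothetical name). Holds only an ephemeral ECDH
    key pair: there is no long-term identity, so a clone looks like the genuine unit."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(N - 1) + 1
        self.pub = scalar_mult(self.priv, G)

    def link_key(self, peer_pub):
        if peer_pub is None or not on_curve(peer_pub):
            raise ValueError("peer public key is not on P-256")  # invalid-curve check
        x, _ = scalar_mult(self.priv, peer_pub)
        return hkdf_sha256(x.to_bytes(32, "big"), b"ble-smart-light-link")


# The APP's common key, shared by every light it has provisioned (constructed value).
COMMON_KEY = secrets.token_bytes(32)


def provision(app, device, user_saw_led):
    """The post's factory-reset flow. Returns the key the device ends up holding,
    or None if the user did not confirm the blinking LED."""
    if not user_saw_led:
        return None
    app_key = app.link_key(device.pub)   # public keys are exchanged in the clear
    dev_key = device.link_key(app.pub)
    # One-time XOR under the fresh 32-byte link key stands in for the BLE link cipher.
    wire = xor(COMMON_KEY, app_key)      # APP sends the common key
    return xor(wire, dev_key)            # DEVICE recovers it


if __name__ == "__main__":
    app = Party("APP")
    for light in (Party("genuine light"), Party("clone of that light")):
        got = provision(app, light, user_saw_led=True)
        print(f"{light.name}: received common key = {got == COMMON_KEY}")
    print("user clicked NO:", provision(app, Party("stranger"), user_saw_led=False))
```

Running it prints True for both the genuine light and the clone: the ECDH shared secret is identical because the exchange binds nothing about which device is speaking, and only the user's answer to the LED prompt decides who gets the key. Whether that prompt is a sufficient authentication step, given that the public keys travel over the air without any out-of-band protection, is the question the thread is asking.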


_______________________________________________
Zephyr-devel mailing list
Zephyr-devel@lists.zephyrproject.org
https://lists.zephyrproject.org/mailman/listinfo/zephyr-devel

