Re: [Zephyr-devel] How hacker will hack/impact my BLE device, when ...??

Vikrant More <vikrant8051@...>

Hi Vakul,

Thanks for the reply!!

No, the APP can't differentiate between a genuine and a fake device.

And yes, a user can by mistake connect with his neighbor's/attacker's device.

Solution:

1) The APP will check the RSSI signal strength of the device. Only if it is in the range of 1-2 meters does the APP proceed further.

2) The APP will pop up a BUTTON to force the user to blink the LED on the connected device, and ask the user "Have you seen the blinking LED?"
   Only if he/she clicks "YES" does the APP proceed further.

   Let's suppose:

   A = attacker's fake device
   B = the user's newly purchased device

   If the user by mistake connects with A, then the APP will blink A instead of B. Even after this, if the user clicks "Yes" in response to "Have you seen the blinking LED?",
   then it is the user's responsibility.

   Risk - In the above example, the user can connect with A while at the same time the attacker could connect with B.
   And when the user clicks the button to blink the LED, at the same time the attacker may blink the LED on B. Here, the user may feel that he is connected to B & will press "YES".


On Wed, Mar 21, 2018 at 10:38 AM, Vakul Garg <vakul.garg@...> wrote:

Hi Vikrant


I am curious to understand about your security implementation.

I work in the area of TLS security and I am not a Bluetooth security expert.


In your case, does the app need to differentiate between a genuine or fake device?

Will it be able to create a shared secret with the device even if it is a clone of the genuine device and purposely programmed to leak the common encryption key?

From: [] On Behalf Of Vikrant More
Sent: Tuesday, March 20, 2018 11:28 PM
Subject: [Zephyr-devel] How hacker will hack/impact my BLE device, when ...??

In my current project, I haven't implemented OOB pairing (BLE-based smart lights).


Using Zephyr's built-in ECDH library, a shared secret (using the secp256r1 curve) gets created on the Device as well as on the APP side, which will act as the encryption key for further communication.


On that encrypted link, the APP sends an encryption key which is common to all devices associated with it.


All this happens when the DEVICE is in factory reset mode.


Thereafter the communication link is encrypted using the newly assigned common key.




This will create a security risk only if the device is not authenticated by the user & it could transfer the security key (which is common to many devices) to an unauthorized device.


To solve this, the APP will automatically trigger the DEVICE's LEDs to blink & ask the user "do you see the blinking LED?"


If the user clicks "YES", then & only then will the ECDH process initiate & the common key get shared with the new DEVICE.




Besides this I didn't find any security flaw in this implementation, so I need help from a Bluetooth security expert. Is there anyone who can help me find flaws & security risks in my current implementation?
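As an added illustration of the pairing scheme described in this post (not Zephyr's ECDH code or anything from the project), the pure-Python secp256r1 sketch below shows that the APP derives a matching shared secret with whichever peer answers the connection, a look-alike included, because the key agreement itself carries no proof of which device sent the public key; the LED confirmation is the only step that binds the common key to the right hardware. The curve arithmetic is illustration only (affine, not constant-time); the APP, genuine and clone key pairs are constructed at random.

```python
import secrets
# NIST P-256 (secp256r1) domain parameters, the curve the post names
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keypair():  # fresh ECDH key pair: any party that speaks the protocol can make one
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def simulate_pairing(app_priv, peer_priv, peer_pub):
    """The APP derives its secret from whatever public key the connected peer sent;
    returns (APP's secret, peer's secret) as the x-coordinate of d*Q."""
    app_pub = mul(app_priv, G)
    return mul(app_priv, peer_pub)[0], mul(peer_priv, app_pub)[0]

if __name__ == "__main__":
    app_priv = keypair()[0]  # constructed APP key; "genuine" is B, "clone" is A
    for name, (d, q) in (("genuine", keypair()), ("clone", keypair())):
        print(name, "agree on secret:", len(set(simulate_pairing(app_priv, d, q))) == 1)
```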



