As someone who finally recently escaped bluetooth firmware development: yes, Bluetooth is leaking secrets and it doesn't even require any silly RF shenanigans. Almost nothing actually implements LESC. Apple refuses to implement OOB pairing, so no peripherals can force you to use it, so everything is subject to MITM attacks. The entire ecosystem is a mess of consultants and underpaid devs copy-pasting Nordic sample code, with no time or financial incentive to do more than the bare minumum. Never trust any product that moves sensitive data through Bluetooth.
Do you have an opinion on the keyboard firmware ZMK? They seem to use LESC but MITM during pairing is still a concern: https://zmk.dev/docs/features/bluetooth
Apple claims to have implemented an entire second security level for their Bluetooth apps based on iMessage, but I trust it not at all.
(To be clear, I trust the iMessage protocol with reasonable confidence. I judge the probability that Apple has applied this extra layer of security uniformly to all sensitive data to be about 8%.)
They're on an proprietary extension of Bluetooth, standard compatible but closed to their devices. They usually don't talk much about it, Phil Schiller was the most explicit I think (it was about the airpod's W1 but it's the same deal)
The short answer is yes, it's proprietary shenanigans. Apple likes security for Apple peripherals connected to Apple iPhones, and they consciously undermine security of anything else.
I really think we need a modern replacement to bluetooth, something that doesn't have weird behaviour with headphones, is more secure and doesn't have weird connection issues all the time, and is as ubiquitous as bluetooth is now. I know it will never happen, but I can only hope
Well what's interesting to me is that Logitech has their wireless dongle and wireless gaming headphones (which need lower latency) have theirs. These have existed for how many decades? Surely there's a way to just standardize this. And it shouldn't need to be long range. Just a few meters to the tv or something.
I guess that's where Bluetooth LE and LE Audio should come in, but it's coming along very slowly or not at all in Apples case. Or maybe it is, they don't talk about it
If I am reading this [1] correctly, regular Bluetooth >5.0 offers transfer speeds of 50Mbits/sec, while Bluetooth LE offers 2Mbits/sec. Does Bluetooth LE even solve fundamental problems like high quality bidirectional audio?
It's been so terribly bad since it came out. You know it's bad when there's even an xkcd about it: this one is from 5 years ago, joking about 10 years before that. https://xkcd.com/2055/
It still leaks when you turn bluetooth off in "control center". Last time i checked you're broadcasting an unchanging uuid that only changes every 12 hours or so. It's gross.
Rotating keys frequently would probably help. But the best thing to do is use implementations that are less leaky in the first place (which is easier said than done).
On the other hand, I’d argue that it’s close enough to trivial to be considered trivial. How many embedded devices transmit sensitive information?
Now, I know that pretty much every Bluetooth based credit card reading device explicitly defends against a channel such as this, but there are tons of access control solutions, and medical devices that don’t
Would you notice a raspberry pi tucked into the mess of wires beneath the security guard guards desk?
As someone who finally recently escaped bluetooth firmware development: yes, Bluetooth is leaking secrets and it doesn't even require any silly RF shenanigans. Almost nothing actually implements LESC. Apple refuses to implement OOB pairing, so no peripherals can force you to use it, so everything is subject to MITM attacks. The entire ecosystem is a mess of consultants and underpaid devs copy-pasting Nordic sample code, with no time or financial incentive to do more than the bare minumum. Never trust any product that moves sensitive data through Bluetooth.
Do you have an opinion on the keyboard firmware ZMK? They seem to use LESC but MITM during pairing is still a concern: https://zmk.dev/docs/features/bluetooth
It's a keyboard, I wouldn't fret about it. The idea that someone is going to steal your keystrokes to get your passwords is pretty moustache-twirly.
I'm more concerned about card readers, medical devices, etc.
5 replies →
Apple claims to have implemented an entire second security level for their Bluetooth apps based on iMessage, but I trust it not at all.
(To be clear, I trust the iMessage protocol with reasonable confidence. I judge the probability that Apple has applied this extra layer of security uniformly to all sensitive data to be about 8%.)
8.75% surely? you need at least two digits of specious precision on that non-random number.
1 reply →
Text written with a non-apple Bluetooth keyboard is green?
> Apple claims to have implemented an entire second security level for their Bluetooth apps based on iMessage,
iMessage... the golden standard for 1click RCE. /s
Just curious if it that insecure how does Magic Keyboard with Touch ID works? Does it use some apple proprietary "magic"?
> "magic"
They're on an proprietary extension of Bluetooth, standard compatible but closed to their devices. They usually don't talk much about it, Phil Schiller was the most explicit I think (it was about the airpod's W1 but it's the same deal)
https://www.theverge.com/2016/9/7/12829190/apple-w1-chip-iph...
> Apple’s Phil Schiller described Apple’s move to a new wireless chip as “fixing the challenges” of wireless audio
The short answer is yes, it's proprietary shenanigans. Apple likes security for Apple peripherals connected to Apple iPhones, and they consciously undermine security of anything else.
I really think we need a modern replacement to bluetooth, something that doesn't have weird behaviour with headphones, is more secure and doesn't have weird connection issues all the time, and is as ubiquitous as bluetooth is now. I know it will never happen, but I can only hope
Well what's interesting to me is that Logitech has their wireless dongle and wireless gaming headphones (which need lower latency) have theirs. These have existed for how many decades? Surely there's a way to just standardize this. And it shouldn't need to be long range. Just a few meters to the tv or something.
I guess that's where Bluetooth LE and LE Audio should come in, but it's coming along very slowly or not at all in Apples case. Or maybe it is, they don't talk about it
If I am reading this [1] correctly, regular Bluetooth >5.0 offers transfer speeds of 50Mbits/sec, while Bluetooth LE offers 2Mbits/sec. Does Bluetooth LE even solve fundamental problems like high quality bidirectional audio?
[1] https://en.wikipedia.org/wiki/Bluetooth#Specifications_and_f...
1 reply →
Yes please, immediately.
It's been so terribly bad since it came out. You know it's bad when there's even an xkcd about it: this one is from 5 years ago, joking about 10 years before that. https://xkcd.com/2055/
It still leaks when you turn bluetooth off in "control center". Last time i checked you're broadcasting an unchanging uuid that only changes every 12 hours or so. It's gross.
Time for everyone to implement some variation of https://www.bluetooth.com/specifications/specs/authorization... ?
I read the abstract, while not familiar with the topic, how would we go about limiting the inpact?
Rotating keys frequently would probably help. But the best thing to do is use implementations that are less leaky in the first place (which is easier said than done).
A side channel attack revealing AES key from just 90,000 traces.
Sigh, side channel attacks seem to be everywhere now.
That 90,000 traces did take 225 hours to capture so it is truly a huge amount of data and not a trivial attack.
On the other hand, I’d argue that it’s close enough to trivial to be considered trivial. How many embedded devices transmit sensitive information?
Now, I know that pretty much every Bluetooth based credit card reading device explicitly defends against a channel such as this, but there are tons of access control solutions, and medical devices that don’t
Would you notice a raspberry pi tucked into the mess of wires beneath the security guard guards desk?
1 reply →
That's less than two weeks.
2 replies →
people are finally aware everything leaks, it's just a matter of how closely you look
Everything leaks if you stare at it long enough
3 replies →