← Back to context

Comment by ryukoposting

6 days ago

As someone who finally recently escaped bluetooth firmware development: yes, Bluetooth is leaking secrets and it doesn't even require any silly RF shenanigans. Almost nothing actually implements LESC. Apple refuses to implement OOB pairing, so no peripherals can force you to use it, so everything is subject to MITM attacks. The entire ecosystem is a mess of consultants and underpaid devs copy-pasting Nordic sample code, with no time or financial incentive to do more than the bare minumum. Never trust any product that moves sensitive data through Bluetooth.

15 comments

ryukoposting

Reply
9029  5 days ago

Do you have an opinion on the keyboard firmware ZMK? They seem to use LESC but MITM during pairing is still a concern: https://zmk.dev/docs/features/bluetooth

  • ryukoposting  5 days ago

    It's a keyboard, I wouldn't fret about it. The idea that someone is going to steal your keystrokes to get your passwords is pretty moustache-twirly.

    I'm more concerned about card readers, medical devices, etc.

    • wongarsu  5 days ago

      I think we can safely assume that a device that does that for entire offices at once is in the NSA's current ANT catalog. And other state actors are probably not far behind

      The only thing making these kinds of attacks unattractive is that most companies are too stingy to buy anything better than a cheap wired Logitech keyboard

      1 reply →

    • imglorp  5 days ago

      Isn't this kind of thing a trinket at Defcon these days like the pineapple thing, or even a Flipper plugin? Ie not super hard to get and not so much mustache.

      1 reply →

matthewdgreen  6 days ago

Apple claims to have implemented an entire second security level for their Bluetooth apps based on iMessage, but I trust it not at all.

(To be clear, I trust the iMessage protocol with reasonable confidence. I judge the probability that Apple has applied this extra layer of security uniformly to all sensitive data to be about 8%.)

  • ggm  6 days ago

    8.75% surely? you need at least two digits of specious precision on that non-random number.

    • cozzyd  5 days ago

      More likely 8.333% I would think (1/12). The same probability of a broken clock yielding the correct hour.

  • hulitu  5 days ago

    > Apple claims to have implemented an entire second security level for their Bluetooth apps based on iMessage,

    iMessage... the golden standard for 1click RCE. /s

SXX  6 days ago

Just curious if it that insecure how does Magic Keyboard with Touch ID works? Does it use some apple proprietary "magic"?

  • makeitdouble  6 days ago

    > "magic"

    They're on an proprietary extension of Bluetooth, standard compatible but closed to their devices. They usually don't talk much about it, Phil Schiller was the most explicit I think (it was about the airpod's W1 but it's the same deal)

    https://www.theverge.com/2016/9/7/12829190/apple-w1-chip-iph...

    > Apple’s Phil Schiller described Apple’s move to a new wireless chip as “fixing the challenges” of wireless audio

  • ryukoposting  5 days ago

    The short answer is yes, it's proprietary shenanigans. Apple likes security for Apple peripherals connected to Apple iPhones, and they consciously undermine security of anything else.