5,216 research outputs found
MagicPairing: Apple's Take on Securing Bluetooth Peripherals
Device pairing in large Internet of Things (IoT) deployments is a challenge
for device manufacturers and users. Bluetooth offers a comparably smooth trust
on first use pairing experience. Bluetooth, though, is well-known for security
flaws in the pairing process. In this paper, we analyze how Apple improves the
security of Bluetooth pairing while still maintaining its usability and
specification compliance. The proprietary protocol that resides on top of
Bluetooth is called MagicPairing. It enables the user to pair a device once
with Apple's ecosystem and then seamlessly use it with all their other Apple
devices. We analyze both, the security properties provided by this protocol, as
well as its implementations. In general, MagicPairing could be adapted by other
IoT vendors to improve Bluetooth security. Even though the overall protocol is
well-designed, we identified multiple vulnerabilities within Apple's
implementations with over-the-air and in-process fuzzing
Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices
Bluetooth is among the dominant standards for wireless short-range
communication with multi-billion Bluetooth devices shipped each year. Basic
Bluetooth analysis inside consumer hardware such as smartphones can be
accomplished observing the Host Controller Interface (HCI) between the
operating system's driver and the Bluetooth chip. However, the HCI does not
provide insights to tasks running inside a Bluetooth chip or Link Layer (LL)
packets exchanged over the air. As of today, consumer hardware internal
behavior can only be observed with external, and often expensive tools, that
need to be present during initial device pairing. In this paper, we leverage
standard smartphones for on-device Bluetooth analysis and reverse engineer a
diagnostic protocol that resides inside Broadcom chips. Diagnostic features
include sniffing lower layers such as LL for Classic Bluetooth and Bluetooth
Low Energy (BLE), transmission and reception statistics, test mode, and memory
peek and poke
- …