Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Bluetooth pairing without user confirmation

Can I pair two devices over Bluetooth without a need to confirm this in user interface, accept to pair this devices. Can I exchange some extra data over, for example NFC, and then safely pair those two devices over Bluetooth without any extra user action?

like image 222
michael Avatar asked May 04 '11 14:05

michael


People also ask

Can someone pair with my Bluetooth without me knowing?

Can someone connect to my Bluetooth without me knowing? Theoretically, anyone can connect to your Bluetooth and gain unauthorized access to your device if the visibility of your Bluetooth device is on.

How do I confirm my Bluetooth connection?

Make sure Bluetooth is turned on. Touch and hold Bluetooth . In the list of paired devices, tap a paired but unconnected device. When your phone and the Bluetooth device are connected, the device shows as "Connected."

Can you force Bluetooth pairing?

Go to the Policies tab, you can either create a new policy or edit an already existing one. Navigate to Android–> Restrictions–> Allow Network Settings. Enable the 'Force Bluetooth' option to prevent the users from turning OFF the blue tooth and the 'Force Wi-Fi' option to prevent turning OFF the Wi-Fi.


3 Answers

This need is exactly why createInsecureRfcommSocketToServiceRecord() was added to BluetoothDevice starting in Android 2.3.3 (API Level 10) (SDK Docs)...before that there was no SDK support for this. It was designed to allow Android to connect to devices without user interfaces for entering a PIN code (like an embedded device), but it just as usable for setting up a connection between two devices without user PIN entry.

The corollary method listenUsingInsecureRfcommWithServiceRecord() in BluetoothAdapter is used to accept these types of connections. It's not a security breach because the methods must be used as a pair. You cannot use this to simply attempt to pair with any old Bluetooth device.

You can also do short range communications over NFC, but that hardware is less prominent on Android devices. Definitely pick one, and don't try to create a solution that uses both.

Hope that Helps!

P.S. There are also ways to do this on many devices prior to 2.3 using reflection, because the code did exist...but I wouldn't necessarily recommend this for mass-distributed production applications. See this StackOverflow.

like image 149
devunwired Avatar answered Oct 19 '22 05:10

devunwired


Well, this should really be broken into 2 parts:

  1. Can you pair 2 Bluetooth devices without going through a Bluetooth pairing handshake? No, you can't. That's baked into the protocol so there is no way around this.
  2. Can you perform the handshake without a user interface? Yes, you can: that's just code.

I'm not sure how you do it in Windows land, but in *nix land there are functions buried in the Bluez stack that let you receive notifications about when a new device appears, and send it the pairing code (clearly there have to be these functions: those are what the user interface use). Given sufficient time and experience I'm sure you could figure out how to write your own version of the Bluetooth Settings app that somehow:

  • Detected a new device had arrived
  • Looked at the name/bluetooth mac address and checked some internal database for the pairing code to use.
  • Sent the pairing code and completed the operation

All without having to pop up a user interface.

If you go ahead and write the code I'd LOVE to get my hands on it.

like image 6
Femi Avatar answered Oct 19 '22 07:10

Femi


Short answer: When I send files between devices with OBEX I am almost never prompted to pair, so it is certainly possible.

1) An application and the device itself can each be set to need/not-need authentication modes, so often there was no requirement for pairing. For instance most OBEX (OPP) servers don't need any authentication at all so there is not need for pairing/bonding.

Presumably "Wireless Designs"'s answer was covering that case.

2) Then if pairing was required by the device/app:

2.1) Prior to v2.1 for pairing then the two devices needed to have matching passphrase/PINs. So this either needed user involvement (to enter the PINs) or knowledge in the softwareto know the PIN: either defined in the app if pin callback send pin="1234", or smarts in the OS like BlueZ and Win7 (see Slide 20 at my Bluetooth in Windows 7 doc) which has logic like: if(remotedevice=headset) then expectedPin ="0000". Don't know what Android does

2.2) In v2.1 Secure Simple Pairing (SSP) was added. Which changes pairing to:

if (either is pre-v2.1) then
   Legacy
else if (Out-Of-Band channel) then
   OutOfBand
else if (neither have "Man-in-the-Middle Protection Required") then
   (i.e. both have "Man-in-the-Middle Protection _Not_ Required")
   Just-Works
else
   Depending on the two devices' "IO Capabilities", either NumericComparison or Passkey.
   Passkey is used when one device has KeyboardOnly -- and the peer device _isn't_ NoInputNoOutput.
endif

From 32feet.NET's BluetoothWin32Authentication user guide, see also the SSP sections in [1]

So to have pairing be unprompted needs either "JustWorks" or "Out-of-Band" eg your NFC suggestion.

Hope that helps...

like image 4
alanjmcf Avatar answered Oct 19 '22 06:10

alanjmcf