Bluetooth Secure Simple Pairing (SSP) using QR code as Out of Band (OOB) channel

I have a Windows 7 application, which uses Stollmann SDK to successfully bond PC with Android. The bidirectional exchange of Bluetooth MAC address, hash and randomizer is carried out out of band via NFC:

(screenshot: the Windows application displaying a QR code)

The source code of the Windows application unfortunately cannot be shared here. On the Android side no app is needed and the Secure Simple Pairing is performed by the operating system (by HandoverManager?) once an NDEF message with application/vnd.bluetooth.ep.oob is received.

Now I am trying to create an Android app, which would use unidirectional authentication to perform OOB pairing via scanned QR code (instead of NFC).

A custom QR code would be shown at PC screen (generated by ZXing.Net) and contain Bluetooth MAC address, hash and randomizer.

However, OOB bonding seems not to be implemented yet in Android:

BluetoothAdapter.java:

/**
 * Read the local Out of Band Pairing Data
 * <p>Requires {@link android.Manifest.permission#BLUETOOTH}
 *
 * @return Pair<byte[], byte[]> of Hash and Randomizer
 *
 * @hide
 */
public Pair<byte[], byte[]> readOutOfBandData() {
    if (getState() != STATE_ON) return null;
    //TODO(BT
    /*
    try {
        byte[] hash;
        byte[] randomizer;

        byte[] ret = mService.readOutOfBandData();

        if (ret  == null || ret.length != 32) return null;

        hash = Arrays.copyOfRange(ret, 0, 16);
        randomizer = Arrays.copyOfRange(ret, 16, 32);

        if (DBG) {
            Log.d(TAG, "readOutOfBandData:" + Arrays.toString(hash) +
              ":" + Arrays.toString(randomizer));
        }
        return new Pair<byte[], byte[]>(hash, randomizer);

    } catch (RemoteException e) {Log.e(TAG, "", e);}*/
    return null;
}

BluetoothDevice.java:

/**
 * Start the bonding (pairing) process with the remote device using the
 * Out Of Band mechanism.
 *
 * <p>This is an asynchronous call, it will return immediately. Register
 * for {@link #ACTION_BOND_STATE_CHANGED} intents to be notified when
 * the bonding process completes, and its result.
 *
 * <p>Android system services will handle the necessary user interactions
 * to confirm and complete the bonding process.
 *
 * <p>Requires {@link android.Manifest.permission#BLUETOOTH_ADMIN}.
 *
 * @param hash - Simple Secure pairing hash
 * @param randomizer - The random key obtained using OOB
 * @return false on immediate error, true if bonding will begin
 *
 * @hide
 */
public boolean createBondOutOfBand(byte[] hash, byte[] randomizer) {
    //TODO(BT)
    /*
    try {
        return sService.createBondOutOfBand(this, hash, randomizer);
    } catch (RemoteException e) {Log.e(TAG, "", e);}*/
    return false;
}

/**
 * Set the Out Of Band data for a remote device to be used later
 * in the pairing mechanism. Users can obtain this data through other
 * trusted channels
 *
 * <p>Requires {@link android.Manifest.permission#BLUETOOTH_ADMIN}.
 *
 * @param hash Simple Secure pairing hash
 * @param randomizer The random key obtained using OOB
 * @return false on error; true otherwise
 *
 * @hide
 */
public boolean setDeviceOutOfBandData(byte[] hash, byte[] randomizer) {
  //TODO(BT)
  /*
  try {
    return sService.setDeviceOutOfBandData(this, hash, randomizer);
  } catch (RemoteException e) {Log.e(TAG, "", e);} */
  return false;
}

My question:

Since OOB Bluetooth pairing works well over NFC on Android - do you think there is a (hackish) way to do the same via QR code?

Maybe (crazy idea) by feeding HandoverManager with a fake NDEF message?

Alexander Farber asked Jun 24 '15 13:06

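For reference, this is what "Bluetooth MAC address, hash and randomizer" look like once serialised. The block below is an added example written for this page; it is not the asker's code, the Stollmann SDK, or anything from Android. It builds and strictly parses the BR/EDR SSP out-of-band data block (the same bytes an application/vnd.bluetooth.ep.oob NDEF record carries, and what a QR code would have to transport), and checks the OOB commitment. Assumptions: the block layout and EIR type codes (LE16 total length, BD_ADDR least-significant octet first, 0x0E = Simple Pairing Hash C-192, 0x0F = Simple Pairing Randomizer R-192) follow the Bluetooth SIG "Secure Simple Pairing Using NFC" application document as I read it; f1 and C = f1(PKx, PKx, r, 0) are my reading of Core Spec Vol 2 Part H. The sample MAC, C, R and public-key X coordinate are constructed, not real test vectors.

```python
"""Build, parse and verify a Bluetooth BR/EDR SSP OOB data block.

Added example for the question above, not code from the asker, the
Stollmann SDK or Android.  Layout and type codes are assumed to follow
the Bluetooth "Secure Simple Pairing Using NFC" document; f1 is assumed
to follow Core Spec Vol 2 Part H (HMAC-SHA-256, top 128 bits).
"""
import hashlib
import hmac
import struct

EIR_COMPLETE_LOCAL_NAME = 0x09
EIR_SSP_HASH_C192 = 0x0E        # Simple Pairing Hash C (P-192 key)
EIR_SSP_RANDOMIZER_R192 = 0x0F  # Simple Pairing Randomizer R (P-192 key)


def mac_to_bdaddr_le(mac: str) -> bytes:
    """'00:1A:7D:DA:71:13' -> 6 octets, least-significant octet first."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("BD_ADDR must be 6 octets")
    return octets[::-1]


def bdaddr_le_to_mac(bdaddr: bytes) -> str:
    return ":".join(f"{b:02X}" for b in bdaddr[::-1])


def eir_struct(eir_type: int, data: bytes) -> bytes:
    """One EIR structure: length octet (counts type + data), type octet, data."""
    if len(data) > 254:
        raise ValueError("EIR data too long")
    return bytes([len(data) + 1, eir_type]) + data


def build_oob_block(mac: str, hash_c: bytes, rand_r: bytes, name: str = "") -> bytes:
    """Serialise what the PC side would publish over NFC (or in a QR code)."""
    if len(hash_c) != 16 or len(rand_r) != 16:
        raise ValueError("C and R are 128-bit values")
    body = mac_to_bdaddr_le(mac)
    body += eir_struct(EIR_SSP_HASH_C192, hash_c)
    body += eir_struct(EIR_SSP_RANDOMIZER_R192, rand_r)
    if name:
        body += eir_struct(EIR_COMPLETE_LOCAL_NAME, name.encode("utf-8"))
    return struct.pack("<H", 2 + len(body)) + body


def parse_oob_block(block: bytes) -> dict:
    """Parse a received block; every length is checked before it is trusted."""
    if len(block) < 8:
        raise ValueError("block shorter than length field + BD_ADDR")
    (total,) = struct.unpack_from("<H", block, 0)
    if total != len(block):
        raise ValueError(f"length field {total} != actual length {len(block)}")
    result = {"mac": bdaddr_le_to_mac(block[2:8]), "eir": {}}
    pos = 8
    while pos < len(block):
        length = block[pos]
        if length == 0:
            raise ValueError("zero-length EIR structure")
        if pos + 1 + length > len(block):
            raise ValueError("EIR structure overruns block")
        result["eir"][block[pos + 1]] = bytes(block[pos + 2:pos + 1 + length])
        pos += 1 + length
    for t in (EIR_SSP_HASH_C192, EIR_SSP_RANDOMIZER_R192):
        if len(result["eir"].get(t, b"")) != 16:
            raise ValueError(f"EIR type 0x{t:02X} missing or not 16 octets")
    result["hash_c"] = result["eir"][EIR_SSP_HASH_C192]
    result["rand_r"] = result["eir"][EIR_SSP_RANDOMIZER_R192]
    return result


def f1(u: bytes, v: bytes, x: bytes, z: int) -> bytes:
    """SSP f1: HMAC-SHA-256 keyed with X over U || V || Z, most significant 128 bits (assumed)."""
    return hmac.new(x, u + v + bytes([z]), hashlib.sha256).digest()[:16]


def oob_commitment(pk_x: bytes, rand_r: bytes) -> bytes:
    """C = f1(PKx, PKx, r, 0): the hash commits the sender to its public key X coordinate."""
    return f1(pk_x, pk_x, rand_r, 0)


def verify_oob_commitment(pk_x: bytes, rand_r: bytes, hash_c: bytes) -> bool:
    """What the scanning side checks once the peer's public key arrives over the air."""
    return hmac.compare_digest(oob_commitment(pk_x, rand_r), hash_c)


if __name__ == "__main__":
    # Constructed sample values, not real pairing material.
    pk_x = bytes(range(24))          # 192-bit X coordinate of the PC's P-192 key
    rand_r = bytes(range(16, 32))    # the PC's randomizer
    hash_c = oob_commitment(pk_x, rand_r)
    block = build_oob_block("00:1A:7D:DA:71:13", hash_c, rand_r, "PC")
    print(block.hex())               # bytes to encode into the QR code
    parsed = parse_oob_block(block)
    print(parsed["mac"], verify_oob_commitment(pk_x, parsed["rand_r"], parsed["hash_c"]))
```

C and R are not secrets; once displayed they are public. What the scanning side gains is that it obtained the PC's commitment from the screen rather than over the air, so a radio attacker cannot substitute its own public key during pairing. With a one-sided QR exchange the phone learns the PC's C and R, but the PC learns nothing about the phone out of band, which is why the asker calls this unidirectional authentication.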

1 Answer

You cannot fake the NFC broadcast, which is actually posted by the NFC service app when it detects an NFC tag. Since this is a protected broadcast, non-system apps cannot broadcast the intent.

siva answered Sep 30 '22 13:09