-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Paired property is not reset after Authentication Failure (when only remote clears pairing data) #433
Comments
@bojanpotocnik afaik there isn't a clear text on the spec regarding how to treat half-paired cases since there is a chance a rogue device could be impersonating another dropping the pairing shall be a user initiated action, we could however ask the pairing agent what to do which can then popup a dialog asking if the user wants to repair, etc, but I wouldn't drop keys automatically like that. |
how do completely headless devices like Bluetooth speakers handle the half-paired situation? my speaker can unpair and then SSP pair again, while my Raspberry Pi cannot |
I guess that is up to the pairing agent to decide, if it really don't have a user to ask about then it can just remove the device automatically, anyway with headless devices there is probably no way to do man in the middle protection so the pairing is never secure so I assume that us fine, anyway the agent in this case is already a bit special since it is probably needs to be aware it is running on a headless session. |
Quoting #424 (comment)
So maybe some related change is to be considered. Reading above, the issue is that someone could spoof the MAC address of paired device and then reject the pairing, effectively maliciously erasing the pairing data on the central. My initial idea was to somehow provide the information that device disconnected because |
to help understand why we don't care if anyone spoofs a MAC address: We ship a robot with a controller running the BlueZ stack and a permanent, dedicated pair to an Android tablet. We are not creating a civilian app that pairs promiscuously. Our main requirement is that the pair never drops in the field, and if it does, we don't need to get inside the robot to erase its half of the pair. The tablet should just request a pair, and the robot accept it, no questions asked. |
Consider the following use case (using kernel
5.4.0-131-generic
and bluez 5.66):Paired
property of the device is set toTrue
Remote User Terminated Connection
, whilePaired
property staysTrue
. It does not try to pair becausePaired
is alreadyTrue
, but if it does callPair
, the process is stuck.If devices are not paired (1) and wrong passkey is provided or pairing is cancelled, then
org.bluez.Device1.Pair
will fail withorg.bluez.Error.AuthenticationFailed
ororg.bluez.Error.AuthenticationCanceled
.But if the connection fails with
Connection terminated due to authentication failure
, pairing status should also be cleared or the disconnect reason at least propagated higher, instead of device just disconnecting because ofRemote User Terminated Connection
.I am not attaching the logs of successful initial connection (1, 2), because that is normal/usual behaviour. Here is the
btmon --mgmt
output of 4:together with
journalctl -o short-precise -fu bluetooth
(bluetooth.service is started with--experimental -d
)The problem is solved by applying the following patch to
bluez/src/device.c
Lines 6040 to 6052 in 9f50368
but I'm not sure if this is the correct way/place to do it. I found a patch device: Fix pairing has failed due to the error of Already Paired (0x13) which solved a similar problem of removing bonding data, but for a different case.
The text was updated successfully, but these errors were encountered: