[Security] Bluedroid ignore +6 PIN (IDFGH-3854) #5760
Comments
Hi dragahassan, I tried to reproduce the problem you mentioned, when I entered the wrong key or long sizes key, all of these will pair fail. In ESP-IDF, there is actually a check for smp passkey.
```c
#define BTM_MAX_PASSKEY_VAL (999999)
#define BTM_MIN_PASSKEY_VAL (0)

void SMP_PasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey)
{
    tSMP_CB *p_cb = &smp_cb;
    UINT8 failure = SMP_PASSKEY_ENTRY_FAIL;

    SMP_TRACE_EVENT ("SMP_PasskeyReply: Key: %d Result:%d", passkey, res);

    /* If timeout already expired or has been canceled, ignore the reply */
    if (p_cb->cb_evt != SMP_PASSKEY_REQ_EVT) {
        SMP_TRACE_WARNING ("SMP_PasskeyReply() - Wrong State: %d", p_cb->state);
        return;
    }

    if (memcmp (bd_addr, p_cb->pairing_bda, BD_ADDR_LEN) != 0) {
        SMP_TRACE_ERROR ("SMP_PasskeyReply() - Wrong BD Addr");
        return;
    }

    if (btm_find_dev (bd_addr) == NULL) {
        SMP_TRACE_ERROR ("SMP_PasskeyReply() - no dev CB");
        return;
    }

    /* Reject a value above 999999 or a failed entry reported by the host */
    if (passkey > BTM_MAX_PASSKEY_VAL || res != SMP_SUCCESS) {
        SMP_TRACE_WARNING ("SMP_PasskeyReply() - Wrong key len: %d or passkey entry fail", passkey);
        /* send pairing failure */
        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &failure);
    } else if (p_cb->selected_association_model == SMP_MODEL_SEC_CONN_PASSKEY_ENT) {
        /* LE Secure Connections passkey entry: hand the key to the SC state machine */
        smp_sm_event(&smp_cb, SMP_SC_KEY_READY_EVT, &passkey);
    } else {
        /* Legacy pairing: the passkey becomes the Temporary Key */
        smp_convert_string_to_tk(p_cb->tk, passkey);
    }

    return;
}
```
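As an added illustration (not Bluedroid code and not posted in this issue): the range check above only sees the passkey after it has already been converted to a UINT32, so whether an over-long entry like 123456999999 is caught depends entirely on how the digit string was parsed before the call. The first parser models the symptom reported here (only the first six digits are kept); the second is the strict form an entry path should use. All function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BTM_MAX_PASSKEY_VAL (999999)   /* same bound as in SMP_PasskeyReply */
#define SMP_PASSKEY_DIGITS  6
#define PASSKEY_INVALID     0xFFFFFFFFu /* never <= BTM_MAX_PASSKEY_VAL */

/* Models the symptom reported in this issue (assumed, not Bluedroid code):
 * only the first six characters are consumed, the rest is silently dropped,
 * so an over-long entry that starts with the displayed key still "matches". */
uint32_t passkey_parse_truncating(const char *s)
{
    uint32_t v = 0;
    for (int i = 0; i < SMP_PASSKEY_DIGITS && s[i] != '\0'; i++) {
        if (!isdigit((unsigned char)s[i])) return PASSKEY_INVALID;
        v = v * 10u + (uint32_t)(s[i] - '0');
    }
    return v;
}

/* Strict form: the entire string must be 1..6 decimal digits, and the
 * resulting value must satisfy the same BTM_MAX_PASSKEY_VAL bound that
 * SMP_PasskeyReply enforces. Anything else is rejected before a UINT32
 * ever reaches the stack, so it can be neither truncated nor overflowed. */
uint32_t passkey_strict_value(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > SMP_PASSKEY_DIGITS) return PASSKEY_INVALID;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return PASSKEY_INVALID;
        v = v * 10u + (uint32_t)(s[i] - '0');  /* at most 999999, no overflow */
    }
    return (v > (uint32_t)BTM_MAX_PASSKEY_VAL) ? PASSKEY_INVALID : v;
}

/* True only when the entry is a well-formed passkey equal to the displayed one. */
bool passkey_entry_matches(const char *entered, uint32_t displayed)
{
    uint32_t v = passkey_strict_value(entered);
    return v != PASSKEY_INVALID && v == displayed;
}
```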
I just started everything completely from scratch to be sure, and this security problem still exists. 0: I created a new Windows 10 VirtualBox VM (because my OS has multiple modified ESP-IDFs). 1: Set up ESP-IDF using esp-idf-tools-setup-2.3.exe (select new setup for Python & Git). In your Phone/Tablet search and pair for
Correct PIN is 123456, I set PIN 123456789012 from LG Phone (Android 10). pair status = success
Correct PIN is 123456, I set PIN 090909010203. pair status = fail
Just an idea: maybe the smartphone is truncating the passkey to only 6 digits?
@chegewara No, because the phone allows 12 digits; also the same thing on an Asus tablet, and the log
@chegewara On the other hand, maybe you are right: maybe ESP sets the max PIN length to 6, so the device truncates the PIN even if the user enters 12 digits!
Correct PIN is 123456, I set PIN 123456666666. SMP Verbose log:
Hi @dragahassan, is the actual application scenario that the ESP32 displays the passkey and the phone enters it? Could you provide the model of the mobile phone? I want to test the phone if I can find it.
@xiewenxiang I didn't find yet in the SMP components where the peer device PIN, however I tested with an LG G7 (Android 10), a Samsung A7, and an Asus tablet (old Android, maybe 7).
I just tested again with an iPhone 11 and a Samsung S20+, same results, with the unmodified gatt_security_server example. It's a bug and we need to figure out how to fix it in the SMP components.
@xiewenxiang please make sure when testing that you set the correct first digits, then add random numbers, like "123456111222".
@dragahassan I am very, very sorry that I cannot reproduce the issue you mentioned. Maybe there are some differences between our operations. I use the gatt_security_server with a little bit of modification; I reproduced the scenario you mentioned with several phones (itouch & iPhone 8). The pairing was not successful, but the connection was not disconnected. The connection was still in the clear-text transmission state. Do you hope that the connection will break when the pairing fails?
ESP32 displays the key: 123456
Strange! Thank you for this check; maybe we have a different kit or a different SDK? I'm using:
I just tested again with 2 other ESP32 boards of the same kit version (ESP32-WROOM-32D) and a Samsung S20+; pairing succeeded.
I tested completely in accordance with the conditions you described, but still failed to reproduce; all attempts were pair fail. Could you provide the bin file you generated? I want to test your firmware directly. The attachment is the bin I generated.
I tested it with your bin files, and it succeeds with 123456666666. I recorded a video (from VirtualBox); I'm sure this security issue still exists, but I can't figure out the exact cause yet. Windows_10_64-2020-08-25T12-44-25-927300900Z.zip If we use the same unmodified example, and the same SDK version and compiler, why do we get different sizes? My firmware bin file (sec_gatts_demo.bin) is 690K, while yours is 704K. I know enabling logs and other stuff in menuconfig can increase the size, but we agreed to use the unmodified example, except for enabling
Thanks for reporting, feel free to reopen.
The Bluedroid BLE stack takes only the first six digits of the PIN, and ignores the rest completely.
1: Use example: gatt_security_server
2: Build & Flash
3: In your Phone/Tablet search and pair with ESP
The PIN is 123456, but you can correctly pair with 123456999999; that's because the Bluedroid BLE stack takes only the first six digits.