Reversing and Attacking Google Nearby

[maciejkrolik]

Hello, I came across an article about reversing and attacking Google Nearby. Scripts used to attack Google Nearby are 5 years old. Has the issue already been addressed? Is it still a problem?
https://francozappa.github.io/project/rearby/
https://www.cs.ox.ac.uk/files/10367/ndss19-paper367.pdf

[Xlythe]

The attacks in the paper relied on clients ignoring the authentication tokens provided by Nearby Connections and blindly connecting to devices. To avoid man-in-the-middle attacks, it's important that both sides have an opportunity to verify the token (or to treat all data as unencrypted until the token is confirmed, if you accept first).

It's been a while since I read the paper, so I'll take some time to do a refresher to make sure I didn't miss anything.

[bkmgit]

@maciejkrolik Would there be interest in standardizing the protocol? For example through an IETF RFC. This would possibly:

• Enable industry wide adoption and possibly compatibility with AirDrop
• Enable use on other computing systems
• Enable open source developers to build on it, see for example https://github.com/grishka/NearDrop and https://github.com/vicr123/QNearbyShare
• Encourage others to perform a security audit