I'm deeply concerned that currently any device can connect to the OpenXC VI without authentication of any kind. I see in the source that there is some stuff around enabling PIN authentication, but I can't find any way to actually set a PIN, or documentation of this feature.
Hey Mitchell, there is no custom PIN support implemented at the moment. To be clear, it does use Bluetooth authentication and encryption, but using the simple pairing protocol (or a default PIN as is common with Bluetooth). The data channel is encrypted. However, as you point out, if the VI is powered on and your device is not connected, another device could connect and pair.
Given the fact that this is a research and development platform not intended for production use, and the attack window is fairly limited in time and space, I don't judge this to be a high risk. I think it's more likely a rogue app on your own phone could take over the Bluetooth connection and try to read or write to the stream.
Security has not been a priority here because again this is for R&D only - this is the primary reason why raw CAN reads and writes are disabled by default.