Add BLE pairing and bonding for security #237

Open
goffi-contrib opened this issue Aug 12, 2021 · 4 comments

@goffi-contrib

Hi,

First, thanks for this project: it's really neat to have a micropython watch, and indeed the easy developer onboarding seems to have been reached.

At the moment, the security in wasp-os is a concern though: because there is no authentication, any app which can do BT and reach the watch can have full access to the python console. Furthermore, the MAC address can probably be spoofed, and notifications can then be read (with potentially really sensitive ones, like authentication codes, or normally encrypted messages).

I'm not a BLE expert, but I think that adding pairing/bonding would be a good start to make the whole thing more secure. Would it be possible to implement it?

Thanks

@goffi-contrib goffi-contrib changed the title Add bluetooth pairing for security Add BLE pairing and bonding for security Aug 12, 2021
@Pittconnect

Pittconnect commented Aug 17, 2021

@goffi-contrib It's not clear to me what you are trying to pair the wasp-os with? And which hardware watch are you using?
Now, as far as authentication goes, one can use HMAC: https://github.com/brschdr/python-hmac/blob/master/hmac.py
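
The HMAC suggestion above, sketched as a challenge-response check. This is an added example, not code from this thread or from wasp-os; it uses CPython's standard `hmac` module, and the class and function names and the pre-shared key are assumptions. It authenticates the peer only and does not encrypt the link the way BLE pairing does, so notifications would still cross the air unencrypted.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes of randomness per challenge (assumed size)

class WatchAuthenticator:
    """Watch side (hypothetical): issues one-time challenges, verifies replies."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = None  # outstanding challenge, if any

    def new_challenge(self) -> bytes:
        # A fresh random nonce per connection defeats replay of old responses.
        self._pending = secrets.token_bytes(NONCE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        # compare_digest avoids leaking the match position through timing.
        return hmac.compare_digest(expected, response)

def client_response(shared_key: bytes, challenge: bytes) -> bytes:
    """Companion-app side: prove knowledge of the key without sending it."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key, provisioned out of band
    watch = WatchAuthenticator(key)
    c1 = watch.new_challenge()
    good = client_response(key, c1)
    results = {"correct_key": watch.verify(good)}
    # The same response must fail once the challenge has been consumed.
    results["replayed"] = watch.verify(good)
    # A captured response is useless against the next connection's challenge.
    watch.new_challenge()
    results["stale_response"] = watch.verify(good)
    # A peer without the key cannot answer.
    c3 = watch.new_challenge()
    results["wrong_key"] = watch.verify(client_response(b"\x00" * 32, c3))
    return results

if __name__ == "__main__":
    print(demo())
```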

@goffi-contrib
Author

Hello @Pittconnect, thanks for the feedback.

I'm using a PineTime.

My concern is that currently any application accessing bluetooth can have a full micropython shell on my watch without any way to notice (but the bluetooth icon). What I would like is that the shell is not accessible without a pairing (e.g. with a number appearing on the watch that must be entered on the requesting application, so one knows that an application tries to access the watch, and it can't do it without user input).

I'm not a specialist of BLE, but I think there are a couple of built-in options (see https://www.kynetics.com/docs/2018/BLE_Pairing_and_bonding/ for instance).

@daniel-thompson
Collaborator

> Would it be possible to implement it?

It would be great to have somebody implement this but I don't think it will be easy, if only because this is often discussed in the upstream micropython project and progress has been very slow.

Starting point is going to be here: https://github.com/micropython/micropython/blob/master/ports/nrf/drivers/bluetooth/ble_drv.c#L1013 but you would need to read a lot of the Softdevice example code to formulate any kind of strategy on how to tackle this work.

@plan5

plan5 commented Apr 7, 2022

Would it be difficult to vibrate when a new device connects?

Then at least it wouldn't go unnoticed and one could turn off bluetooth temporarily.
