Bluetooth packet capture on Android - android

I use the technique described here to capture the Bluetooth packets exchanged between my Android phone and a device (a very simple device).
I can capture a lot of scanning and the pairing between the two devices, but I can't see any of the later exchanges, only the scanning.
Moreover, just after the pairing there is a huge gap in the time, and other gaps later when I think data are exchanged between the devices.
For example, the timeline is in this form:
0-8s: scanning (LE Set Scan)
8-15s: pairing
80-120s: scanning
180-200s: scanning
I'm sure that the gaps correspond with data exchanges, but I don't know why I can't see the packets.
I've tried simple file exchange between the phone and a computer, and I've been able to see the packets containing the file.

I assume you are using BLE and you are sniffing the air log. According to your description, you can see the advertisement (and scan) and the pairing procedure (I assume after the pairing you can see nothing).
Did you enter the LTK (long term key)? It is just something like the link key in classic Bluetooth; without this you cannot decrypt the encrypted packets. The best way to observe the log would be to check the btsnoop.log.
You said you can see the packets between the PC and your mobile phone; you are probably using classic Bluetooth actually? Or you did not pair?
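The answer above points at btsnoop.log, which Android records between the host stack and the controller, so it still shows plaintext after the link is encrypted; an over-the-air sniffer without the LTK does not. The following added example (not part of the original thread) parses the btsnoop file format, rebuilds a timeline like the one in the question, and reports the HCI Encryption Change events that mark the point after which air captures go dark. The sample log is constructed inline and is not a real capture.

```python
"""Parse a btsnoop HCI log (H4 datalink) and locate where link encryption was enabled.
Added example, not code from the original post; SAMPLE_LOG is constructed, not real."""
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002  # HCI UART (H4): first byte of each record is the packet type

# H4 packet type indicators
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04

# Opcodes / event codes relevant to the question (Core spec Vol 4 Part E)
OPCODE_LE_SET_SCAN_ENABLE = 0x200C  # OGF 0x08 (LE Controller), OCF 0x000C
EVT_ENCRYPTION_CHANGE = 0x08
EVT_LE_META = 0x3E


def parse_btsnoop(data: bytes):
    """Yield (seconds since first record, packet bytes) for each btsnoop record."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    offset, t0 = 16, None
    while offset + 24 <= len(data):
        # record header: orig len, incl len, flags, cumulative drops, timestamp (us, big-endian)
        _orig_len, incl_len, _flags, _drops, ts_us = struct.unpack(">IIIIq", data[offset:offset + 24])
        offset += 24
        pkt = data[offset:offset + incl_len]
        offset += incl_len
        if t0 is None:
            t0 = ts_us
        yield (ts_us - t0) / 1e6, pkt


def describe(pkt: bytes) -> str:
    """One-line description of an H4 packet, enough to rebuild a scan/pair/data timeline."""
    kind, body = pkt[0], pkt[1:]
    if kind == H4_COMMAND:
        opcode, plen = struct.unpack("<HB", body[:3])
        params = body[3:3 + plen]
        if opcode == OPCODE_LE_SET_SCAN_ENABLE:
            return f"LE Set Scan Enable (enable={params[0]})"
        return f"HCI command opcode=0x{opcode:04x}"
    if kind == H4_EVENT:
        code, plen = body[0], body[1]
        params = body[2:2 + plen]
        if code == EVT_ENCRYPTION_CHANGE:
            status, handle, enabled = struct.unpack("<BHB", params[:4])
            return f"Encryption Change handle=0x{handle:04x} enabled={enabled} status={status}"
        if code == EVT_LE_META:
            return f"LE Meta event subevent=0x{params[0]:02x}"
        return f"HCI event 0x{code:02x}"
    if kind == H4_ACL:
        handle_flags, length = struct.unpack("<HH", body[:4])
        return f"ACL data handle=0x{handle_flags & 0x0FFF:04x} len={length}"
    return f"H4 type 0x{kind:02x}"


def timeline(data: bytes):
    return [(round(t, 3), describe(pkt)) for t, pkt in parse_btsnoop(data)]


def encryption_enabled_at(data: bytes):
    """[(seconds, handle)] for each successful Encryption Change that turned encryption on.
    ACL traffic on that handle after this point is ciphertext on the air (needs the LTK),
    while btsnoop keeps showing it in clear because it sits above the controller."""
    out = []
    for t, pkt in parse_btsnoop(data):
        if pkt[0] == H4_EVENT and pkt[1] == EVT_ENCRYPTION_CHANGE:
            status, handle, enabled = struct.unpack("<BHB", pkt[3:7])
            if status == 0 and enabled:
                out.append((t, handle))
    return out


def _record(ts_us: int, pkt: bytes) -> bytes:
    return struct.pack(">IIIIq", len(pkt), len(pkt), 0, 0, ts_us) + pkt


# Constructed sample: scan on at 0s, scan off at 8s, link encrypted at 14s, ATT data at 19s
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
    + _record(1_000_000, bytes([H4_COMMAND]) + struct.pack("<HB", OPCODE_LE_SET_SCAN_ENABLE, 2) + b"\x01\x00")
    + _record(9_000_000, bytes([H4_COMMAND]) + struct.pack("<HB", OPCODE_LE_SET_SCAN_ENABLE, 2) + b"\x00\x00")
    + _record(15_000_000, bytes([H4_EVENT, EVT_ENCRYPTION_CHANGE, 4]) + struct.pack("<BHB", 0, 0x0040, 1))
    + _record(20_000_000, bytes([H4_ACL]) + struct.pack("<HH", 0x2040, 5) + b"\x01\x00\x04\x00\x0a")
)

if __name__ == "__main__":
    for t, text in timeline(SAMPLE_LOG):
        print(f"{t:8.3f}s  {text}")
    for t, handle in encryption_enabled_at(SAMPLE_LOG):
        print(f"encryption on at {t}s for handle 0x{handle:04x}; air capture needs the LTK from here")
```

To use it on a phone log, read `btsnoop_hci.log` into `data` and call `timeline(data)`; if `encryption_enabled_at` returns a point that lines up with the start of the first gap, the missing packets are encrypted rather than absent.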

Related

Can I have an encrypted BLE connection without bonding? / Pairing BLE devices without bonding

So far I am able to do things two different ways.
I can advertise a service on the Pi, connect from an Android app, and read/write characteristics. From my understanding, this communication is not encrypted.
I have been able to do the same thing adding pairing and bonding to the mix. I advertise a service on the Pi with an agent, connect from an Android app, and as soon as I try to read/write a characteristic I get a prompt on my phone asking to pair. From my understanding, after pairing is successful the communication is encrypted.
That last part is great. However, I am looking to pair without bonding, mainly because I don't want to end up with a huge list of devices on my bluetooth settings. Android seems to use this term interchangeably, which just makes everything more confusing.
I know it's possible to do it as per this video. I just haven't figured out how to actually do it myself.
Any help is appreciated.
This is totally possible according to the Bluetooth protocol specification. If at least one device sets "bonding flags" to "no bonding" in the AuthReq field of the Pairing Request or Pairing Response, no bonding information shall be permanently stored.
If you're using BlueZ, I'm not sure if it allows you to configure this though.
For Android, people report that Android does not respect this flag and creates a bond anyway (Why does Android bond even when asked not to bond?).
Technically speaking, pairing is the process of exchanging the keys with a remote device, while bonding is the process of storing these keys. Some devices use the terminology "pairing" to indicate that the keys are exchanged and the connection is encrypted, but the keys will not be stored for future use. On Android this is not possible as far as I'm aware, and you always need to store the keys. This can be seen in the link below (see the section Bonding with a BLE Device):-
The Ultimate Guide to Android BLE
Some other useful links:-
Android BluetoothDevice API
Should One Create a Bond with a BLE Device
BLE Pairing and Bonding

Can I connect to a Bluetooth device by scanning a QR code?

I would have to build two apps (Android and iOS) and control some equipment via Bluetooth. For clarification, I cannot just use OS device discovery to connect to the equipment because there's hundreds of them and their position is very important (as well as the user's position when issuing commands), thus it's less of a hassle for operators to just point the phone's camera at a QR code and connect than having to go through a long list of devices with mangled names.
I haven't found many details about specifically using a QR code for Bluetooth connections, but I figured that people experienced with this kind of communication will be able to say if it can be done. Please correct me if I'm wrong, but my understanding is that a Bluetooth socket is not that different from a TCP one and a connection could be established by knowing the server's credentials.
Can I use a QR code to store device credentials that I can use to establish a connection? It doesn't really matter how much information needs storing, the QR code can contain any sensitive information.
Is there anything more, apart from the UUID, that would need storing on the QR code?
Is it simpler to configure the device as a server and the phone as a client for this specific request? There will be multiple operators that will need to work with these devices.
This is specific to Android and iOS, but if the points above were possible, would I get an OS pop-up window for each connection? Would skipping the discovery step save the operator the hassle of having to confirm the connection to the OS?
If the target device is configured as a server, each with its UUID as the QR code, can I scan that code and open a socket to that very device without manually connecting to it from the phone's menu?

Android Bluetooth Low Energy Pairing

I'm a little bit confused with BLE. I read that the BLE pairing process has three options and the one I'm interested in is the Passkey Entry.
My goal is to have a sensor on the field and the Android App will scan and find this sensor then it will request to pair with the sensor before they can exchange data. The user app is either running on a cell phone or tablet.
Is the BLE pairing the same as Bluetooth Classic? I mean is the Android API BluetoothDevice.setPin used for both BLE and Classic and the driver will do the rest under the hood?
I'm confused because I read somewhere that for BLE I can set a PIN or a Passphrase but BT Classic only accepts a 4 digit PIN.
Pairing in BLE is just a way of setting up an encrypted link. The devices need to agree on an encryption key and they do this either by just works (which sets the key to all zeroes), passkey entry (up to six digits) or out of band (keys distributed over NFC or some other channel).
If you use passkey that means a "snooper" cannot pair with your sensor unless he can see the pass key on the device. (Either printed or on a display)
You can also combine a pairing with bonding where the devices distribute keys after encrypting the link, making it possible to reconnect with the same device without having to re-enter a key.
You then want to set up your database on the sensor to only allow reading the sensor data over an encrypted link. (You don't want your snooper to simply connect to the device and read out the data himself.)
The one problem with this approach is that the passkey entry only uses 6 digits. That is not enough entropy to really protect you against someone eavesdropping. The key generated after a passkey entry can be brute forced in milliseconds and all the commercial Bluetooth sniffers do this as part of their normal operation. They do however have to sniff the pairing procedure to do this, so if nobody was eavesdropping when the devices were bonded you're usually good.
Also using out of band data is safe, since you cannot easily brute force a random 128 bit AES key.
A PIN type of passkey is not used in BTLE as far as I understand the specification. Legacy Bluetooth devices used a fixed PIN passkey that was hardcoded into the device or entered by the application. This method of pairing was replaced by SSP (Secure Simple Pairing) in the next round of Bluetooth. BTLE came later and uses only SSP. The passkeys in SSP (when man-in-the-middle protection is enabled) are generated randomly by the Bluetooth software usually at pretty low levels. One SSP option is 'just works' and the entire passkey generation is internal. Great for the user but it is possible for Man-In-The-Middle (MITM) attacks. So in the end, for your Bluetooth LE application you will never use the 4-digit PIN.
So pairing with BTLE devices on the Android can be done in exactly the same way as one pairs standard Bluetooth devices. If the BTLE device is using an SSP option beyond 'just works', you will get a popup menu asking for you to either
verify a number displayed on the device and/or provide a number that you must verify on the device (yes-no and display-only combos)
require that you enter a number that it displayed on the device and/or display a number that you must enter on the device (keyboard)
The built-in pairing feature works for both BTLE and BT devices in spite of the fact under the hood the mechanisms are very different. BTLE devices transmit advertisements that client devices scan for (BTLE 'discovery') whereas BT devices scan for transmissions from the client (BT discovery) when it is looking for devices.
Alternatively one can use the BluetoothAdapter.startLeScan(LeScanCallback callback) method to scan for BTLE-only devices. This method will give you a list of BTLE devices that one can then select and attempt to connect to. In this scenario, your application will need to take care of pairing when it is required. Usually pairing is not required on BTLE devices until one attempts to enable notifications or indications. Service discovery, reading the Device Information Service and other tidbits often do not require pairing and if memory serves me right one can never require pairing for service discovery.
So to make life easier for my application I link to the standard Android provided tool for the discovery/pairing of any device that requires pairing and for those BTLE devices that do not require pairing (and there are a number of such devices) I use the startLeScan() APIs and do a BluetoothDevice.connectGatt() to one of the 'discovered' devices. If I use this approach and the device actually requires pairing I will get a security error. In theory I should be able to use the pairing APIs provided by Android to then pair with the device. Unfortunately my inept programming skills have led to the fact that I have yet to succeed in implementing it correctly.

How to send Bluetooth data to an unknown device?

I'm asking because I've been facing that issue for weeks.
I need to develop an Android application that can be able to perform a Bluetooth connection and send data to a piece of Bluetooth hardware.
Ok, so here's the point:
is it possible to perform a RFCOMM connection to an 'unknown' device?
I mean, is it possible to do this without having any information about the hardware code?
Because I'm only able to modify the AndroidDevice (cellphone) code, for SENDING purposes.
I want to send a byte and make sure it was received, but there's only a sending code.
Could we have some more details? Is the other device accessible by you, as in can the other device know information about the Android device? And what do you mean by a "sending code"?
The Android device can pick up any active Bluetooth device in its range, and know the name and address of those devices. So, if the Android device doesn't know anything about the Bluetooth device it wants to connect to, you can always sort through the list of devices in range, and get its hardware code through that.
See the documentation about Bluetooth, specifically the Finding Devices section:
http://developer.android.com/guide/topics/connectivity/bluetooth.html
I've done a fair amount of Bluetooth work with Android devices and Arduinos, and the Bluetooth library might be a bit of a pain to work with, but it is powerful.
With Bluetooth the two devices have a UUID. If you are writing a program that runs on both devices you have them listen for that UUID. When they connect as a client or a server you have a dataInputStream and a dataOutputStream. Then you can push and pull bytes out of those.

Is there a way for automatic/programmatic pairing of 2 Bluetooth devices in Android?

I am developing an application which connects devices over Bluetooth and exchanges messages. It works fine for paired devices, but I would also like it to automatically pair devices that are not paired. Like for example it could store and use the same PIN for pairing requests, I just don't know how to manage this request programmatically in my application, how to automatically set and send the PIN when you get a pairing request and how to initiate such a request with the predefined PIN code.
Any snippets or thoughts would be highly appreciated! :)
EDIT:
I know it's risky, I am developing this app for emergency situations only where no other means but Bluetooth is available. Also is there maybe a way of premature pairing with devices without even connecting to them? Like let's say there is a list of MAC addresses of those devices and I can use them to generate a bond with those devices so that they appear paired on my device?
You can't do this. To do what you want to do would create a huge security risk. Think about it, my device just comes anywhere in bluetooth range of yours and now I can send you anything I want without you knowing? You can't really do this and I highly recommend not trying to subvert it.
Reflecting the setPin method allowed me to send the PIN automatically to the other device. I had to implement it in a broadcast receiver that is listening for pairing requests. Although I can't get rid of the dialog; it just sticks there on the screen and I don't know how to close it (programmatically) and continue the bonding procedure since this dialog is called from inside connect() which is a blocking method. I am not giving up on it yet though :)
With Bluetooth version 2.1 and above there is a method of pairing called the 'just works' association model. This is the lowest security method of pairing and has no protection against man-in-the-middle attacks.
However, this will provide a secure, encrypted link without the need to exchange pin numbers or verify device ID.
The API on different platforms may differ but the underlying HCI messages require that you indicate that your device (or one of the devices) has the following IO capabilities:
No Keyboard, No Display.
As you might have guessed, this is a mode for very simple devices that use Bluetooth, such as a speaker or headphones.
If you can find the API to configure that, then the 'just works' association mode of Secure Simple Pairing will be used for pairing.
The next step is to store the link keys e.g. bonding. Many devices e.g. mobile phones, will still create a dialogue box to the user to ask if they want to 'remember this device', as user authorisation is specified by the BT specifications... but that's another problem.
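Three of the answers on this page turn on the same two bytes of the SMP Pairing Request / Pairing Response: the IO Capability field (No Keyboard, No Display giving 'just works', a display or keyboard giving passkey entry) and the AuthReq field (the bonding flags that decide whether keys are stored, plus the MITM and Secure Connections bits). The following added example (mine, not code from any of the posts or from Android/BlueZ) decodes both PDUs, says whether the exchange will bond, and derives the pairing method from the IO capability mapping as I read it in Core spec Vol 3 Part H (Table 2.8, with the LE Secure Connections numeric comparison cases). The sample PDUs are constructed, not captured.

```python
"""Decode SMP Pairing Request / Response and derive bonding and pairing method.
Added example; the PDU byte strings below are constructed, not real captures."""
import struct
from dataclasses import dataclass

SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE = 0x01, 0x02

IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}

# AuthReq bit layout: bits 0-1 bonding flags (0b01 = Bonding), bit 2 MITM, bit 3 SC
AUTHREQ_BONDING_MASK, AUTHREQ_MITM, AUTHREQ_SC = 0x03, 0x04, 0x08


@dataclass
class PairingPdu:
    code: int
    io_capability: str
    oob_present: bool
    bonding: bool
    mitm: bool
    secure_connections: bool
    max_key_size: int


def parse_pairing_pdu(raw: bytes) -> PairingPdu:
    """Layout: code, IO cap, OOB flag, AuthReq, max key size, init key dist, resp key dist."""
    code, io_cap, oob, authreq, key_size, _ikd, _rkd = struct.unpack("<7B", raw[:7])
    if code not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError(f"not a Pairing Request/Response: code 0x{code:02x}")
    return PairingPdu(code, IO_CAPS[io_cap], oob == 0x01,
                      (authreq & AUTHREQ_BONDING_MASK) == 0x01,
                      bool(authreq & AUTHREQ_MITM), bool(authreq & AUTHREQ_SC), key_size)


def will_bond(req: PairingPdu, rsp: PairingPdu) -> bool:
    """Keys are stored only when both sides set the Bonding flag."""
    return req.bonding and rsp.bonding


# Legacy pairing entries that are not Just Works, keyed (initiator IO, responder IO).
_DISP_IN = "Passkey Entry (initiator displays, responder inputs)"
_IN_DISP = "Passkey Entry (initiator inputs, responder displays)"
_LEGACY = {
    ("DisplayOnly", "KeyboardOnly"): _DISP_IN, ("DisplayOnly", "KeyboardDisplay"): _DISP_IN,
    ("DisplayYesNo", "KeyboardOnly"): _DISP_IN, ("DisplayYesNo", "KeyboardDisplay"): _DISP_IN,
    ("KeyboardOnly", "DisplayOnly"): _IN_DISP, ("KeyboardOnly", "DisplayYesNo"): _IN_DISP,
    ("KeyboardOnly", "KeyboardOnly"): "Passkey Entry (both input)",
    ("KeyboardOnly", "KeyboardDisplay"): _IN_DISP,
    ("KeyboardDisplay", "DisplayOnly"): _IN_DISP, ("KeyboardDisplay", "DisplayYesNo"): _IN_DISP,
    ("KeyboardDisplay", "KeyboardOnly"): _DISP_IN, ("KeyboardDisplay", "KeyboardDisplay"): _DISP_IN,
}
# With LE Secure Connections these combinations use Numeric Comparison instead.
_NUMERIC_COMPARISON = {("DisplayYesNo", "DisplayYesNo"), ("DisplayYesNo", "KeyboardDisplay"),
                       ("KeyboardDisplay", "DisplayYesNo"), ("KeyboardDisplay", "KeyboardDisplay")}


def pairing_method(req: PairingPdu, rsp: PairingPdu) -> str:
    sc = req.secure_connections and rsp.secure_connections
    # OOB: legacy needs OOB data on both sides, Secure Connections on either side
    if (req.oob_present and rsp.oob_present) or (sc and (req.oob_present or rsp.oob_present)):
        return "Out of Band"
    if not (req.mitm or rsp.mitm):
        return "Just Works"
    key = (req.io_capability, rsp.io_capability)
    if sc and key in _NUMERIC_COMPARISON:
        return "Numeric Comparison"
    return _LEGACY.get(key, "Just Works")


# Constructed PDUs: a phone (KeyboardDisplay, bonding+MITM+SC) pairing with...
REQ_PHONE = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x07, 0x07])
# ...a Pi that has no IO and sets "No Bonding": Just Works, nothing stored
RSP_PI_NO_BOND = bytes([0x02, 0x03, 0x00, 0x00, 0x10, 0x07, 0x07])
# ...a sensor with a display that wants bonding and MITM: the user types its 6 digits
RSP_SENSOR_DISPLAY = bytes([0x02, 0x00, 0x00, 0x05, 0x10, 0x07, 0x07])

if __name__ == "__main__":
    req = parse_pairing_pdu(REQ_PHONE)
    for raw in (RSP_PI_NO_BOND, RSP_SENSOR_DISPLAY):
        rsp = parse_pairing_pdu(raw)
        print(f"{req.io_capability} <-> {rsp.io_capability}: {pairing_method(req, rsp)},"
              f" bond={will_bond(req, rsp)}, key size={min(req.max_key_size, rsp.max_key_size)}")
```

Run against the SMP PDUs from a btsnoop log, this tells you whether a given pairing actually had MITM protection and whether the peer asked for bonding, which is the check to make before blaming the phone for the extra entry in its device list.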
