Default PIN is a security issue

Bug #52422 reported by Daniel Estévez Sánchez
Affects: bluez-utils (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Bluetooth
Milestone: none

Bug Description

Binary package hint: bluez-utils

/etc/bluetooth/hcid.conf comes with a default PIN 1234, so any attacker can pair a device using that PIN if bluetooth is enabled, a thing which ubuntu does by default. The user won't even be notified and then the attacker may access restricted services such as bemused. The solution is to change hcid.conf line 15 from "security auto;" to "security user;".
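The weak and corrected settings described in the report, side by side, as an added example that is not part of the bug report or of the bluez-utils package. The two config bodies are constructed samples in the hcid.conf syntax of BlueZ 3.x (assumed layout), and the audit function is a hypothetical helper that flags a file which still pairs automatically against a static passkey:

```shell
#!/bin/sh
# Constructed sample of an hcid.conf "options" block with the weak defaults
# the report describes: automatic pairing against a well-known static PIN.
WEAK_CONF='options {
    autoinit yes;
    security auto;
    pairing multi;
    passkey "1234";
}'

# Constructed sample of the corrected block: "security user" hands every
# pairing request to a user-space passkey agent, and no static passkey is
# kept in the file. With no agent registered, pairing attempts are rejected.
FIXED_CONF='options {
    autoinit yes;
    security user;
    pairing multi;
}'

# audit_hcid_conf: read an hcid.conf body on stdin, print one line per
# weak setting found, and return 1 if any was found, 0 otherwise.
# Hypothetical helper written for this example.
audit_hcid_conf() {
    conf=$(cat)
    rc=0
    # "security auto;" means hcid answers PIN requests itself, so whoever
    # knows the configured passkey can pair without the user noticing.
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*security[[:space:]]+auto[[:space:]]*;'; then
        echo "WEAK: 'security auto' pairs automatically with the configured passkey"
        rc=1
    fi
    # Any static passkey in the file is a shared secret printed in a
    # package default; a per-pairing random PIN from the agent replaces it.
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*passkey[[:space:]]+"[^"]*"'; then
        echo "WEAK: a static passkey is configured; any peer that knows it can pair"
        rc=1
    fi
    return $rc
}

# Stand-alone demonstration on the two constructed samples.
if printf '%s\n' "$WEAK_CONF" | audit_hcid_conf; then
    echo "weak sample: no findings (unexpected)"
else
    echo "weak sample: findings above"
fi
if printf '%s\n' "$FIXED_CONF" | audit_hcid_conf; then
    echo "fixed sample: no findings"
fi
```

To check a real system the same function can be fed the installed file with `audit_hcid_conf < /etc/bluetooth/hcid.conf`; a non-zero exit status is the signal that the host still carries the pre-3.7 defaults.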

Changed in bluez-utils:
status: Unconfirmed → Confirmed
Onkar Shinde (onkarshinde) wrote :

This is fixed in Edgy with following line in hcid.conf:

# Default PIN code for incoming connections
passkey "BlueZ"

Please note that pin BlueZ can not be entered from any device.

This should be marked as 'Fix Released' once Edgy is released.

Changed in bluez-utils:
assignee: nobody → bluetooth
Daniel Estévez Sánchez (genghis-khan) wrote :

It does not matter whether the new pin can be entered from all devices, because as it can be entered from _a_ device it is a security flaw. Default PINs are always bad, because an attacker can use them.

In the bluez stack default PINs are no use, because when using "security user" a userspace app will generate a random PIN for that connection, which is much safer than using default PINs.

I don't know about the gnome app for this, but the kde app works very well. It just generates a random PIN (or you can enter one) and then you enter this pin in the connecting device or tell it to the connecting person if the device is not yours.

Onkar Shinde (onkarshinde) wrote :

This has been fixed in latest bluez-utils upload.

Changed in bluez-utils:
status: Confirmed → Fix Released
Marcel Holtmann (holtmann) wrote :

Starting with bluez-utils-3.7 it defaults to "security user" and this means that if no passkey agent has been registered all pairing attempts will be rejected.

This report contains Public Security information. Everyone can see this security related information.
