
Examine the following situation:

  1. I have two RFCOMM programs (slave and master) which use libbluetooth (BlueZ) and set the following link-mode flags, respectively:

    /* Slave: flags passed as the RFCOMM_LM socket option (RFCOMM_LM itself is the option name, not a flag) */
    int opt = 0;
    opt |= RFCOMM_LM_AUTH;
    opt |= RFCOMM_LM_ENCRYPT;
    opt |= RFCOMM_LM_SECURE;
    setsockopt(sock, SOL_RFCOMM, RFCOMM_LM, &opt, sizeof(opt));
    
    /* Master: same, plus the master role */
    int opt = 0;
    opt |= RFCOMM_LM_MASTER;
    opt |= RFCOMM_LM_AUTH;
    opt |= RFCOMM_LM_ENCRYPT;
    opt |= RFCOMM_LM_SECURE;
    setsockopt(sock, SOL_RFCOMM, RFCOMM_LM, &opt, sizeof(opt));
    
    
  2. hciconfig reports that both adapters have encryption and auth enabled:

    dev@ackbar:$ hciconfig hci0
    hci0:   Type: BR/EDR  Bus: USB
            BD Address: 01:1A:07:00:47:0C  ACL MTU: 310:10  SCO MTU: 64:8
            UP RUNNING PSCAN AUTH ENCRYPT
            RX bytes:10187160 acl:66879 sco:0 events:180556 errors:0
            TX bytes:1012442 acl:57039 sco:0 commands:6787 errors:0

    dev@ackbar:$ hciconfig hci1
    hci1:   Type: BR/EDR  Bus: USB
            BD Address: 01:1A:07:00:47:0D  ACL MTU: 310:10  SCO MTU: 64:8
            UP RUNNING PSCAN AUTH ENCRYPT
            RX bytes:2174821 acl:6303221 sco:0 events:100 errors:0
            TX bytes:51000 acl:54982 sco:0 commands:3458 errors:0

  3. Wireshark and hcidump both report that the communication between the two adapters is in cleartext. I was hoping that the security would be evident as encrypted/scrambled payloads, similar to looking at SSL/TLS traffic in Wireshark.

    Recv: 11111111 Should be: 348djwfoisdfg78sdfsdifods2#@$%^&*ifgyuh

As per hcidump in raw mode (ASCII column; non-printable bytes are shown as dots):

    > . E   . . . . @ . . . . . 1 1 1 1 1 1 1
      1 1 1 1 1 1 1 1 . . . . . . . . . . . .
      . . . . . . . . . . . . . . . . . . . .
      (remaining rows: all non-printable bytes, shown as dots)

This begs the question:

Is confidentiality even being applied with these options set? Or is the kernel/OS sending reassembled data in cleartext via a (later) hook after decryption?

Is there a better way to verify this - clearly the traditional approach using tools is insufficient (and I do not have access to a hardware sniffer)? (PINs are being checked, at least with bt-agent.)

mcdoomington

1 Answer


According to this answer on Stack Overflow (Does Bluetooth encrypt data?), I believe that the data is decrypted and hcidump sees it in cleartext after that operation has occurred.

The only way to verify this would be with expensive and restricted tools (or maaaybe software-defined radios such as Ubertooth).

Community
mcdoomington
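BR/EDR link encryption is performed by the controller's baseband, so the HCI traffic that hcidump and Wireshark capture between host and controller is plaintext by design; the host-side evidence that a link is protected is the HCI Encryption Change event for that connection handle (the same fact `hcitool con` shows as the ENCRYPT flag from the kernel's link_mode). The following is an added example, not code from the question, the answer, or BlueZ: it decodes the Connection Complete, Authentication Complete and Encryption Change events from raw hcidump-style packets and tracks per-handle authentication and encryption state. The event codes and parameter layouts are the HCI ones from the Bluetooth Core Specification, defined locally so it builds without libbluetooth headers; the packet bytes are constructed (the peer address is the hci1 address above), and the struct and function names are my own.

```c
/* Added example, not from the question or BlueZ: track, from raw HCI event
 * packets, whether a BR/EDR ACL link has been authenticated and encrypted.
 * Event codes/layouts follow the HCI section of the Bluetooth Core Spec. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HCI_EVENT_PKT      0x04 /* H4 / hcidump packet indicator: HCI event */
#define EVT_CONN_COMPLETE  0x03 /* status, handle(2), bdaddr(6), link_type, enc */
#define EVT_AUTH_COMPLETE  0x06 /* status, handle(2) */
#define EVT_ENCRYPT_CHANGE 0x08 /* status, handle(2), encryption_enabled */
#define MAX_LINKS 8

struct link_state {
    uint16_t handle;
    uint8_t  bdaddr[6];     /* wire order: least significant byte first */
    int      authenticated; /* 1 after a successful Authentication Complete */
    int      encrypted;     /* Encryption_Enabled: 0 off, 1 E0, 2 AES-CCM (BR/EDR) */
};

struct link_table { struct link_state links[MAX_LINKS]; size_t count; };

static struct link_state *find_link(struct link_table *t, uint16_t handle) {
    for (size_t i = 0; i < t->count; i++)
        if (t->links[i].handle == handle)
            return &t->links[i];
    return NULL;
}

static struct link_state *find_or_add(struct link_table *t, uint16_t handle) {
    struct link_state *ls = find_link(t, handle);
    if (ls || t->count == MAX_LINKS)
        return ls;
    ls = &t->links[t->count++];
    memset(ls, 0, sizeof *ls);
    ls->handle = handle;
    return ls;
}

/* Feed one raw HCI packet (as hcidump -R shows it). Returns 1 when it changed a
 * link's state, 0 when ignored: not an event, truncated, an untracked event, or
 * an operation whose Status byte is non-zero (it failed: security unchanged). */
int hci_track_event(struct link_table *t, const uint8_t *pkt, size_t len) {
    if (len < 3 || pkt[0] != HCI_EVENT_PKT)
        return 0;
    uint8_t evt = pkt[1], plen = pkt[2];
    if (len < (size_t)3 + plen)
        return 0;
    const uint8_t *p = pkt + 3;
    size_t need = evt == EVT_CONN_COMPLETE ? 11 : evt == EVT_ENCRYPT_CHANGE ? 4
                : evt == EVT_AUTH_COMPLETE ? 3 : 0;
    if (need == 0 || plen < need || p[0] != 0x00)
        return 0;
    /* Connection_Handle: 12 bits, little-endian, directly after Status */
    struct link_state *ls = find_or_add(t, (uint16_t)((p[1] | (p[2] << 8)) & 0x0fff));
    if (!ls)
        return 0;
    if (evt == EVT_CONN_COMPLETE) {
        memcpy(ls->bdaddr, p + 3, 6);
        ls->encrypted = p[10]; /* normally 0x00 at connect time */
    } else if (evt == EVT_AUTH_COMPLETE) {
        ls->authenticated = 1;
    } else {
        ls->encrypted = p[3];
    }
    return 1;
}

/* -1 when the handle is unknown, otherwise the current Encryption_Enabled value. */
int link_is_encrypted(struct link_table *t, uint16_t handle) {
    struct link_state *ls = find_link(t, handle);
    return ls ? ls->encrypted : -1;
}

int link_is_authenticated(struct link_table *t, uint16_t handle) {
    struct link_state *ls = find_link(t, handle);
    return ls ? ls->authenticated : -1;
}

/* Constructed sample capture (not a real trace): the events a controller reports
 * for an ACL link to 01:1A:07:00:47:0D on handle 0x002A when authentication and
 * encryption succeed. A failed Encryption Change (Status 0x05, Authentication
 * Failure) is included and must not flip the state. Returns events applied. */
int feed_constructed_capture(struct link_table *t) {
    static const uint8_t conn_complete[] = {0x04, 0x03, 0x0b, 0x00, 0x2a, 0x00,
        0x0d, 0x47, 0x00, 0x07, 0x1a, 0x01, 0x01, 0x00};
    static const uint8_t auth_complete[] = {0x04, 0x06, 0x03, 0x00, 0x2a, 0x00};
    static const uint8_t enc_failed[]    = {0x04, 0x08, 0x04, 0x05, 0x2a, 0x00, 0x01};
    static const uint8_t enc_change[]    = {0x04, 0x08, 0x04, 0x00, 0x2a, 0x00, 0x01};
    int applied = 0;
    applied += hci_track_event(t, conn_complete, sizeof conn_complete);
    applied += hci_track_event(t, auth_complete, sizeof auth_complete);
    applied += hci_track_event(t, enc_failed, sizeof enc_failed); /* ignored */
    applied += hci_track_event(t, enc_change, sizeof enc_change);
    return applied; /* 3: the failed Encryption Change does not count */
}
```

In practice, run `hcidump -R` (or btmon) while the two programs connect and look for an Encryption Change event with Status 0x00 and Encryption_Enabled 0x01 on the connection's handle before any RFCOMM data frames appear; if it never arrives, or arrives with a non-zero status, the RFCOMM_LM flags were not honoured, even though the ACL payloads in the dump look the same either way.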