Bluetooth pairing without user confirmation

Question

Can I pair two devices over Bluetooth without a need to confirm this in user interface  accept to pair this devices  Can I exchange some extra data over  for example NFC  and then safely pair those two devices over Bluetooth without any extra user action

User · Answer

If you are asking if you can pair two devices without the user EVER approving the pairing, no it cannot be done, it is a security feature. If you are paired over Bluetooth there is no need to exchange data over NFC, just exchange data over the Bluetooth link.

I don't think you can circumvent Bluetooth security by passing an authentication packet over NFC, but I could be wrong.

User · Answer

Short answer  When I send files between devices with OBEX I am almost never prompted to pair  so it is certainly possible   1  An application and the device itself can each be set to need not-need authentication modes  so often there was no requirement for pairing   For instance most OBEX  OPP  servers don t need any authentication at all so there is not need for pairing bonding   Presumably  Wireless Designs  s answer was covering that case   2  Then if pairing was required by the device app   2 1  Prior to v2 1 for pairing then the two devices needed to have matching passphrase PINs   So this either needed user involvement  to enter the PINs  or knowledge in the softwareto know the PIN  either defined in the app if pin callback send pin  1234   or smarts in the OS like BlueZ and Win7  see Slide 20 at my Bluetooth in Windows 7 doc  which has logic like  if remotedevice headset  then expectedPin   0000    Don t know what Android does  2 2  In v2 1 Secure Simple Pairing  SSP  was added   Which changes pairing to    if  either is pre-v2 1  then    Legacy else if  Out-Of-Band channel  then    OutOfBand else if  neither have  Man-in-the-Middle Protection Required   then     i e  both have  Man-in-the-Middle Protection  Not  Required      Just-Works else    Depending on the two devices   IO Capabilities   either NumericComparison or Passkey     Passkey is used when one device has KeyboardOnly -- and the peer device  isn t  NoInputNoOutput  endif    From 32feet NET s BluetoothWin32Authentication user guide  see also the SSP sections in  1   So to have pairing be unprompted needs either  JustWorks  or  Out-of-Band  eg your NFC suggestion   Hope that helps

User · Answer

Well  this should really be broken into 2 parts    Can you pair 2 Bluetooth devices without going through a Bluetooth pairing handshake  No  you can t  That s baked into the protocol so there is no way around this  Can you perform the handshake without a user interface  Yes  you can  that s just code    I m not sure how you do it in Windows land  but in  nix land there are functions buried in the Bluez stack that let you receive notifications about when a new device appears  and send it the pairing code  clearly there have to be these functions  those are what the user interface use   Given sufficient time and experience I m sure you could figure out how to write your own version of the Bluetooth Settings app that somehow    Detected a new device had arrived Looked at the name bluetooth mac address and checked some internal database for the pairing code to use  Sent the pairing code and completed the operation   All without having to pop up a user interface   If you go ahead and write the code I d LOVE to get my hands on it

User · Answer

Yes it is possible in theory as defined by the specification  However there is no practical implementation as yet that would allow this   Refer  NFC Forum Connection Handover Technical Specification http   www nfc-forum org specs spec list   Quoting from the specification regarding the security -   The Handover Protocol requires transmission of network access data and credentials  the carrier configuration data  to allow one device to connect to a wireless network provided by another device  Because of the close proximity needed for communication between NFC Devices and Tags  eavesdropping of carrier configuration data is difficult  but not impossible  without recognition by the legitimate owner of the devices  Transmission of carrier configuration data to devices that can be brought to close proximity is deemed legitimate within the scope of this specification

User · Answer

This need is exactly why createInsecureRfcommSocketToServiceRecord   was added to BluetoothDevice starting in Android 2 3 3  API Level 10   SDK Docs    before that there was no SDK support for this   It was designed to allow Android to connect to devices without user interfaces for entering a PIN code  like an embedded device   but it just as usable for setting up a connection between two devices without user PIN entry   The corollary method listenUsingInsecureRfcommWithServiceRecord   in BluetoothAdapter is used to accept these types of connections   It s not a security breach because the methods must be used as a pair   You cannot use this to simply attempt to pair with any old Bluetooth device   You can also do short range communications over NFC  but that hardware is less prominent on Android devices   Definitely pick one  and don t try to create a solution that uses both   Hope that Helps   P S  There are also ways to do this on many devices prior to 2 3 using reflection  because the code did exist   but I wouldn t necessarily recommend this for mass-distributed production applications   See this StackOverflow

User · Answer

BT version 2 0 or less - You should be able to pair bond using a standard PIN code  entered programmatically e g  1234 or 0000  This is not very secure but many BT devices do this   BT version 2 1 or greater - Mode 4 Secure Simple Pairing  just works  model can be used  It uses elliptical encryption  whatever that is  and is very secure but is open to Man In The Middle attacks  Compared to the old  0000  pin code approach it is light years ahead  This doesn t require any user input   This is according to the Bluetooth specs but what you can use depends on what verson of the Bluetooth standard your stack supports and what API you have

[android] Bluetooth pairing without user confirmation

Examples related to android

Examples related to bluetooth

Examples related to nfc