I am using an HC-05 Bluetooth module. How can I stop someone from pairing with my device by brute-forcing the key? Failing that, and if someone does pair with my device, is there a way to authenticate the user? I was thinking of a salted hash with a shared secret key. Is there anything better?
-
Are you thinking that a device could repeatedly try and pair with you by submitting different keys over and over? I'm not sure about the spec of Bluetooth nor maximum allowable key size ... but I'm guessing that you can set a key to be at least 8 bytes in length ... which makes a brute force attack on your device no more or less likely than a brute force attack on any other password-protected environment. – Kolban Jun 09 '15 at 16:46
-
Why is your device always accepting pair requests? – Ignacio Vazquez-Abrams Jun 09 '15 at 17:07
-
@Kolban HC-05 does not take any more than 4 numbers. http://www.tec.reutlingen-university.de/uploads/media/DatenblattHC-05_BT-Modul.pdf – Lord Loh. Jun 09 '15 at 17:07
-
@IgnacioVazquez-Abrams It does not. But with just 10000 pins, it is not hard to brute force. Should I add an application layer security? Nonce / salting / hashing etc? – Lord Loh. Jun 09 '15 at 17:09
-
... But if you're not accepting pair requests then they could try 1000000000 pins and still not get in. Because you're not pairing. – Ignacio Vazquez-Abrams Jun 09 '15 at 17:52
-
@IgnacioVazquez-Abrams How do I disable pairing on an HC-05? – Lord Loh. Jun 09 '15 at 18:10
-
@LordLoh. What is your end application? Are you really sure that someone will/would want to hijack your device? If so, Bluetooth is probably not the most advisable protocol (because the hijacker can just leave the device paired and you won't be able to access it again). Anyway, you can't stop someone from connecting, but if there are security issues and you must use BT then encrypt the communication. – frarugi87 Apr 05 '16 at 08:31
2 Answers
Configure your Bluetooth module to AT Command Mode
Then use AT+PIN Command to change the default PAIRING PIN of the Bluetooth Module.
Visit this link for more information about how to configure bluetooth to AT Mode
-
The question was not how to change the PIN, but whether or not to trust the link layer security for my application. – Lord Loh. Jun 09 '15 at 17:05
In case someone else asks the same question in the future, here's the answer...
Technically speaking, the Arduino cannot be hacked for the simple reason that it doesn't have an operating system like other devices such as the Raspberry Pi, BeagleBone, Rock64, etc. So inasmuch as someone might be able to brute-force the HC-05 PIN and get access, there's pretty much nothing else they can do past that point, so my advice to you is: don't stress over it. However, I would suggest adding a few security measures to your HC-05 Bluetooth module:
- Change the default pin (0000 or 1234) to something else.
- Lock the module to connect only to a specific device via the MAC Address and the AT+BIND command.
Cheers!
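The application-layer check the question asks about (a shared secret plus a nonce, layered on top of the 4-digit pairing PIN) can be sketched as an HMAC challenge-response. This is an added example, not code from any poster on this page; it models the device side in Python rather than Arduino C++, and the key, the `Device` class and the lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
MAX_FAILURES = 5  # hypothetical threshold; a timed back-off would also work


def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without ever sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Device:
    """Models the microcontroller sitting behind the HC-05 serial link."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None
        self.failures = 0

    def challenge(self) -> bytes:
        # Fresh random nonce per attempt, so a sniffed response cannot be replayed.
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, response: bytes) -> bool:
        if self.failures >= MAX_FAILURES or self.nonce is None:
            return False  # locked out, or no outstanding challenge
        expected = respond(self.key, self.nonce)
        self.nonce = None  # each challenge is single use
        ok = hmac.compare_digest(expected, response)  # constant-time compare
        self.failures = 0 if ok else self.failures + 1
        return ok


def demo() -> dict:
    dev = Device(SHARED_KEY)
    good = respond(SHARED_KEY, dev.challenge())
    results = {"legit": dev.verify(good)}
    dev.challenge()
    results["replay"] = dev.verify(good)  # old response against a new nonce
    results["wrong_key"] = dev.verify(respond(b"guess", dev.challenge()))
    for _ in range(MAX_FAILURES):  # repeated guessing trips the lockout
        dev.challenge()
        dev.verify(b"\x00" * 32)
    results["after_lockout"] = dev.verify(respond(SHARED_KEY, dev.challenge()))
    return results


if __name__ == "__main__":
    print(demo())
```

This only authenticates the peer at connect time; commands sent afterwards are still readable and modifiable on the link unless each message is also authenticated or encrypted.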