ORSHIN Attack Defense Framework

PIN pairing impersonation attack

Description

PIN pairing impersonation attack

Risk Assessment: 5.4

CWE

863

CVE

26555

Attack Surfaces

Controller Implementation (MITRE EMB3D PID-11)

Legacy pairing

Key agreement

Attack Vectors

Authentication challenge reflection (MITRE EMB3D TID-221)

Defenses

Do not allow legacy pairing, Enable Secure Simple Pairing and disable PIN-code pairing, Enforce Secure Connections Only Mode

Restrict accepted public keys, Do not accept/initiate connections with remote devices claiming the same BT address, Do not accept/initiate connections with remote devices with a null key