BT issues

[mato]

Iain Hibbert wrote:
> On Mon, 31 Mar 2008, mato wrote:
>
>   
>> However, Windows can manage this as it asks for PIN key when connection
>> initiation fails.  While I don't expect FreeBSD asking for a PIN, it might be
>> quite useful if it could automatically (upon a connection establishing
>> failure) throw away its stored link key and recreate it from PIN as Windows
>> does.
>>     
>
> btw That would be the wrong thing to do. The stored link key is the
> 'password' for the remote BDADDR to connect to your services and it is
> possible on many devices to change the bluetooth device address (BDADDR)
>
> You don't want to make it so that a remote attacker can just cause a
> 'password' reset by pretending to be an authorised device, and this is the
> reason PINs should not be permanently stored..
>
> iain
>   

Well, I haven't thought of this and you've got a point.
On the other hand, stored link key doesn't have to be reset.  I can 
imagine that if the link key didn't work FreeBSD could fall back to PIN 
as it does in the beginning and only if PINs matched new link key would 
be stored.  Thus attacker would need to know the PIN which is normally 
not likely.  Also, PIN can and should be longer and even composed of 
alphanumerals.
Well, at least this is what Windows do AFAIK -- when link key was 
changed they pop up dialogue asking for (new) PIN.
The only problem I see now is with devices with predefined or, worse, 
set-in-stone PINs. :-/

Regards,

Martin