Apple's MagicPairing for Bluetooth fails to enchant after mischief-making bugs found hiding in the stack

2020-05-18 20:48

In a paper [PDF] entitled "MagicPairing: Apple's Take on Securing Bluetooth Peripherals," Dennis Heinze, Jiska Classen, and Felix Rohrbach observe that Apple's MagicPairing protocol overcomes two shortcomings of Bluetooth device pairing: poor scalability and a security model that collapses if the permanent key - the Link Key or Long-Term Key - gets compromised.

The paper says that Apple's MagicPairing implementations in iOS and macOS contain a number of spelling mistakes in logging messages and, for macOS Bluetooth daemon bluetoothd, function names.

"Based on his findings I would assume that Apple did not fuzz large parts of their Bluetooth protocol stack," she said.

"Overall, we were surprised that Apple did not fix the rather simple bugs that could be fixed by adding a few checks. However, we are also a bit ahead of the originally planned timeline, as the WiSec conference is virtual this year and authors were asked to pre-publish their papers," she explained.

"Nonetheless, we informed Apple about the changed timeline and they did not disallow publication. And as even the oldest bugs are not fixed, this probably does not have to do anything with the changed timeline." .

News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/18/apples_bluetooth_flaws/

#apple #bluetooth

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Bluetooth		4	0	9	7	0	16