Lars Friedrichs - 2007-08-14

Hi users,

thanks for trying/using my software. I'd like to add a security note on the usage of BlueProximity.

After developing the program I looked for testers in IRC where I actually found someone helping me. He noted that he has once written a shell script doing similar stuff and gave m a link. I searched a bit and it seems the idea must be right because there are several scripts out there. But since the standard is not only locking but also automatic unlocking I believe its better to drop some notes on that.
In a security sensitive environment you should rethink the idea of automatic unlocking. I don't see a good attack if proper values are selected and configured but I advise you to select these. Mainly this includes selecting a good channel to connect to. Channels can be seen as port numbers within TCP - you can have several services behind one machine that are differentiated by the channel number. Sadly these are not as "well-known" (read: static) as in TCP/IP. That's why bluetooth also includes a service discovery protocol (SDP). Please, if you try a certain service, take one that
a) doesn't automatically disconnect you after few seconds of inactivity. (It wouldn't be a problem to code some activity but I want to keep the battery drain as low as possible!) BlueProximity will reconnect anyway but reaction times will be much slower then.
b) does absolutely require a pairing initiated by the pc. This cannot be stressed to much. If you select a non-pairing service like VCARD/OBEX service anyone can fake your phone by setting his MAC address to the one your phone uses - and since it is unencrypted and no pairing is needed, BlueProximity must think it is your phone and accepts it and even unlocks the screen. You don't want this to happen, right? Audio Gateway is a nice service, be sure to select one that does not appear as headphones or you might have problems hearing/speaking to people on the phone or not even hear they are calling.

Please do keep this in mind.
Lars Friedrichs