Reply to post: Re: Party Like It's 1993!

Impersonating users of 'protest' app Bridgefy was as simple as sniffing Bluetooth handshakes for identifiers

Anonymous Coward
Anonymous Coward

Re: Party Like It's 1993!

"the encoding method utilized (PKCS#1) by the app was introduced in 1993 and deprecated in 1998"

As an explanation rather than an excuse, this likely a combination of library defaults (it looks like the MessagePack serializer defaults to PKCS#1) and compatibility (based on experience supporting BYOD deployments in HK/India, supporting older mobile OS's was likely considered a high priority). While it can be decrypted (via Bleichenbacher’s attack), its still requires a significant number of messages to be sent (~1 million) before that is possible.

The reality is that this isn't even the key issue as message decryption is only an issue if you aren't already in the groups - anonymizing user information (my assumption is device information is mandatory for BLE comms) by authenticating to groups and using group key rotation would likely be sufficient to make decryption difficult in real-time/near real-time and prevent users being identified directly other than by their device identifier.

Which then leads to the device identifier showing you were present unless you use disposable phones or utils to alter the Bluetooth MAC - which is likely to be practical for organisers at least.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021