RE: Re-bonding issue with Android and S110

michael — Fri, 25 Aug 2017 14:11:32 GMT

Thank you. Toggling Bluetooth on and off won't help. In the meantime we tried IOS and it seems that IOS can rebond without problems. I think I understand now why this is a security issue even when using whitelisting and it makes sense to have to delete the bond on both devices. It is a bit of a problem to delete a single specific bond if the device only has a single button and allows to bond with up to 8 smartphones. The only viable option in this case is to delete all bonds at once. But then all other 7 smartphones need to delete their bonds and rebond again, too. That is quite painfull for many users.

RE: Re-bonding issue with Android and S110

run_ar — Fri, 25 Aug 2017 12:53:17 GMT

I don't know why Android tries to encrypt using the previous exchanged keys, if you have actually deleted them. Did you try to toggle bluetooth off/on on Android to see if that helps?

Regardless. An existing previous bond should only be authenticated based on the Long term key, so if this is deleted on the peer it is no way for a device to know if this is indeed the bonded device reconnecting or an attacker. This is why you have to delete the bond on both peers. Note that the old sdk has a //bond/key refresh feature (which is actually a security issue), that would allow the android device to create a new bond, overwriting the existing one if it only tried to do so.