Skip to main content

Insufficient data authenticity validation - Device Binding

Description

Insecure device pairing results in an insecure communication between two physical devices. Device-pairing protocols configured are vulnerable to the misbinding attacks, it arises from the lack of verifiable identifiers.

Impact

  • Spoof, intercept and modify messages in the network in arbitrary ways.
  • Allow malicious behavior by one of the intended communication endpoints.

Recommendation

  • Establish a shared cryptographic key between two or more communication endpoints to use the shared key for protecting communication integrity and confidentiality.
  • Specify security properties as correspondence assertions in addition to basic authentication properties, it can help to detect subtle flaws that might otherwise go unnoticed.

Threat

Attacker may impersonate one of the device communication endpoints or set itself as a man in the middle (MitM) between them.

Expected Remediation Time

โŒš 300 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 6.5
    • Temporal: 6.5
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The bluetooth connections are validated before being authorized in these case

private val mmServerSocket: BluetoothServerSocket? by lazy(LazyThreadSafetyMode.NONE) {
bluetoothAdapter?.listenUsingInsecureRfcommWithServiceRecord(NAME, MY_UUID)
}

override connectDevice run(){
establish_ssh_connection_key();
var shouldLoop = true
while (shouldLoop) {
val socket: BluetoothSocket? = try {

mmServerSocket?.accept();
} catch (e: IOException) {
...
}
socket?.also {
manageMyConnectedSocket(it);
mmServerSocket?.close();
shouldLoop = false;
}
}
}

Non compliant code

The application allow sconnection to bluetooth device without any authentication

private val mmServerSocket: BluetoothServerSocket? by lazy(LazyThreadSafetyMode.NONE) {
bluetoothAdapter?.listenUsingInsecureRfcommWithServiceRecord(NAME, MY_UUID)
}

override connectDevice run(){
var shouldLoop = true
while (shouldLoop) {
val socket: BluetoothSocket? = try {
mmServerSocket?.accept();
} catch (e: IOException) {
...
}
socket?.also {
manageMyConnectedSocket(it);
...
}
}
}

Details

https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering#owasp-masvs

Requirements