Disable Bluetooth by default to minimize attack vectors #1856

Closed
rspeed opened this issue Dec 19, 2023 · 7 comments
rspeed commented Dec 19, 2023

Description

Bluetooth is enabled by default, which presents a potential attack vector due to the lack of authentication. Potential attacks range from pranks like setting a low temperature to an attacker potentially causing an unattended iron to start a fire.

Steps to Reproduce

  1. Reset all settings.
  2. Pair with the soldering iron via Bluetooth.
  3. Change settings without physical access.

Expected Behavior

Bluetooth would either be disabled by default, or an authentication step would occur during pairing.

Device Details

  • Pinecil v2
  • IronOS 2.22
Ralim (Owner) commented Dec 19, 2023

We can default the Bluetooth interface off; however, it then caused confusion for people when apps didn't work 😢.
It's probably the only viable solution here though, so I will plan that for the next release.

rspeed (Author) commented Dec 19, 2023

Wouldn't that simply mean telling people to enable it?

Ralim (Owner) commented Dec 19, 2023

Yeah, it would, but if there is something we have learned, it is that the average user doesn't read half the time and instead prefers to just rant on review sites >_<.

But I do agree, even though the risk is super minimal; it is safer to default off.

ia (Collaborator) commented Dec 19, 2023

I got this ;)

ia (Collaborator) commented Dec 19, 2023

> Wouldn't that simply mean telling people to enable it?

> the average user doesn't read half the time and instead prefers to just rant on review sites >_<.

I'm not an Android app developer myself, but from the point of view of a better user experience it would probably be nice if in PineSAM (is that how it's called?) there were a flow like this:

  • user opens the app and scans for a Pinecil;
  • if there is no connection, then show a notification, something like: "Please make sure that the BLE function is on on your Pinecil";
  • or show this warning to the user right before the scanning/pairing attempt.

Ralim closed this as completed Dec 19, 2023

doubletaco commented

Hello

I'm a blind user and really enjoy the integrations offered by the BLE functionality in the Pinecil. Community tools like Pinesam and Pine Tool allow me to set and monitor my tip temperatures, as well as change device settings that I otherwise could not perceive.

Is there a documented set of button presses to re-enable BLE after this update? E.g., starting from power on, how do I get to and enable BLE? And can this setting persist across reboots?

I understand the need to disable the feature by default as a security measure. For those that rely on it, though, we should document how to re-enable it as it offers some fantastic accessibility options.

ia (Collaborator) commented Jan 24, 2025

Hello, @doubletaco .

First of all, thank you for this feedback, and I'm sorry for any inconvenience that may have been caused by disabling Bluetooth by default.

> Is there a documented set of button presses to re-enable BLE after this update? E.g., starting from power on, how do I get to and enable BLE?

This is a very good hint about documenting it, since even @Ralim noticed that a lot of people may be confused by not being able to make a Bluetooth pairing.

> And can this setting persist across reboots?

Yes, of course! So please don't worry! Every time you change any setting in the menu, it will be saved on exit from the menu. On top of that, your custom settings should persist even between flash updates (unless there was a really big rework of the settings routines in the code). So the fact that Bluetooth is now disabled by default doesn't mean that the next time you flash/update your Pinecil with the next stable build, your Bluetooth setting will be off. If you have Bluetooth enabled now, this setting should survive not only reboots/turn-offs, but also the flash update to the next stable version.

> we should document how to re-enable it as it offers some fantastic accessibility options.

Could you please participate in the review, then? I'm not sure how to address getting into the Settings menu in step 1, since it depends on which state the iron is in (soldering mode vs. sleeping/hibernating/cooling-off mode). But what do you think if the instruction sounded something like this:

To enable Bluetooth back:

  • go to Settings menu;
  • press -/B button four times to scroll the menu for Advanced settings;
  • press +/A button to open submenu;
  • press +/A button to toggle/enable Bluetooth feature;
  • press -/B and hold it for just over 5 seconds to exit the Settings menu.
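The persistence behaviour described in the comment above (a stored user choice survives a firmware update; the new "off" default only applies on a settings reset, on erased flash, or when the stored block fails validation) is the usual versioned-settings pattern for a secure-default rollout. The following C program is an added illustration of that pattern written for this page; it is not IronOS code, and the field layout, the `SETTINGS_MAGIC`/`SETTINGS_LAYOUT` values, the simulated flash page and the checksum are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical values for this example only (not IronOS constants). */
#define SETTINGS_MAGIC  0x5E771A6Cu  /* marks a settings block that was ever written */
#define SETTINGS_LAYOUT 1u           /* bumps only on a real rework of the struct layout */
#define FLASH_BYTES     32           /* size of the simulated settings page */

typedef struct {
    uint32_t magic;
    uint16_t layout;
    uint8_t  ble_enabled;   /* 0 = off (the new default), 1 = on */
    uint8_t  sleep_temp_c;  /* an unrelated setting, to show it persists too */
    uint16_t checksum;      /* byte sum of everything above */
} Settings;

/* Sum of every byte before the checksum field. Detects an erased, corrupted
 * or half-written block; it is not a MAC and gives no protection against
 * someone who can rewrite the flash directly. */
static uint16_t settings_checksum(const Settings *s) {
    const uint8_t *p = (const uint8_t *)s;
    uint16_t sum = 0;
    for (size_t i = 0; i < offsetof(Settings, checksum); i++) sum += p[i];
    return sum;
}

/* "Reset all settings": secure defaults, radio off until the user turns it on. */
void settings_reset_defaults(Settings *s) {
    memset(s, 0, sizeof *s);
    s->magic = SETTINGS_MAGIC;
    s->layout = SETTINGS_LAYOUT;
    s->ble_enabled = 0;
    s->sleep_temp_c = 150;
}

/* Called on every exit from the settings menu: seal the block and write it. */
void settings_save(Settings *s, uint8_t *flash) {
    s->magic = SETTINGS_MAGIC;
    s->layout = SETTINGS_LAYOUT;
    s->checksum = settings_checksum(s);
    memcpy(flash, s, sizeof *s);
}

/* Called at boot. Returns 1 if the stored block was accepted (user choices kept),
 * 0 if defaults were applied (erased flash, corruption, or a layout rework). */
int settings_load(const uint8_t *flash, Settings *out) {
    Settings stored;
    memcpy(&stored, flash, sizeof stored);
    if (stored.magic != SETTINGS_MAGIC || stored.layout != SETTINGS_LAYOUT ||
        stored.checksum != settings_checksum(&stored)) {
        settings_reset_defaults(out);
        return 0;
    }
    *out = stored;
    return 1;
}

/* Scenario: first boot on an erased page (NOR flash reads as 0xFF) -> BLE off. */
int ble_state_on_erased_flash(void) {
    uint8_t flash[FLASH_BYTES];
    Settings s;
    memset(flash, 0xFF, sizeof flash);
    settings_load(flash, &s);
    return s.ble_enabled;
}

/* Scenario: user enabled BLE, then flashed a build that defaults it off.
 * Same layout, so the stored block is accepted and the choice survives. */
int ble_state_after_update(void) {
    uint8_t flash[FLASH_BYTES];
    Settings s;
    settings_reset_defaults(&s);
    s.ble_enabled = 1;
    settings_save(&s, flash);
    settings_load(flash, &s);   /* boot of the new build */
    return s.ble_enabled;
}

/* Scenario: a corrupted block (constructed by flipping the stored checksum)
 * must fail closed to the radio-off default rather than keep BLE on. */
int ble_state_after_corruption(void) {
    uint8_t flash[FLASH_BYTES];
    Settings s;
    settings_reset_defaults(&s);
    s.ble_enabled = 1;
    settings_save(&s, flash);
    flash[offsetof(Settings, checksum)] ^= 0xFF;
    settings_load(flash, &s);
    return s.ble_enabled;
}

int main(void) {
    printf("erased flash:      ble=%d\n", ble_state_on_erased_flash());
    printf("after update:      ble=%d\n", ble_state_after_update());
    printf("corrupted block:   ble=%d\n", ble_state_after_corruption());
    return 0;
}
```

The point the example makes is that "off by default" and "the user's choice persists" are compatible as long as the stored block is validated and the default is only applied when validation fails or the user explicitly resets; bumping `SETTINGS_LAYOUT` is the one event that deliberately discards stored values.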

4 participants