Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level1 20 points
When I run a System Report in OSX, under Bluetooth it lists an incoming serial port. I'm aware that this serial port is for sending/receiving raw data via a terminal, but I have no idea what service or app installed it. Given that it is an incoming port and it does not require authentication, this leaves me a little worried that it might be a security risk, a way that someone could connect to my Mac and execute commands.
Incoming Serial Ports:
Bluetooth-Incoming-Port:
RFCOMM Channel: 3
Requires Authentication: No
I could just be paranoid, but I'd rather be safe and remove the serial port. I'm running Sierra, and it seems that you can't remove serial ports the way you used to through Sys Pref / Networking.
My question is, what is the correct way to remove or disable this serial port?
Can I simply delete /dev/tty.Bluetooth-Incoming-Port, or is this needed by the system to create new serial ports in the future for legit purposes?
I've checked 2 Macs and they both have the same incoming Port/Channel listed, so I'm not sure if this is a system serial connection, or if it has been installed by something common like hotspotting from your mobile phone?
Cheers all 🙂
MacBook Air, iOS 10.1.1
Posted on Jan 9, 2017 3:54 AM
13 replies
Loading page content
Page content loaded
User profile for user: John Galt
John Galt
User level: Level10 142,292 points
Jan 17, 2017 9:44 AM in response to PoeticKinetics
I don't think you're being paranoid at all. I'd like to try those apps myself so that I can determine what they're capable of.
https://itunes.apple.com/us/app/lightblue/id557428110
Do you have a link to the other one?
Link
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level1 20 points
Jan 16, 2017 11:00 PM in response to PoeticKinetics
Thank you. My concern arose since I used a couple of iOS apps TPSerialMon and LightBlue Explorer, which were able to easily connect to my Mac Air, without bluetooth being in discovery mode and without prompting to enter a pin code or displaying any warning on the laptop, other than the BT icon in the menu extra bar changing to connected. It only connects temporarily, and you are able to scan the list of services available on the laptop. TPSerialMon looks like it can even send data to the device/laptop. I'm concerned that an app or BLE device could connect to my laptop in a similar manner to issue commands without me being able to prevent it?
I'm prob just being paranoid, but I would like to lock my system down from any vulnerable aspects.
Link
User profile for user: John Galt
Jan 18, 2017 6:56 AM in response to PoeticKinetics
Thanks.
I can't get too excited about the ability of those apps to accomplish very much, since all they do is discover and communicate with available BTLE devices in much the same way as a Wi-Fi enabled device might be capable of. That communication is limited to the services granted by the host device. In terms of device security, they can be used to discover BT devices within range, but that's all. The host device (macOS in this case) passes connection requests according to its configuration. If its user (you in this case) were to permit that connection and establish a service, that enables the two-way communications that make BT useful.
Securing macOS as well as all other information on your Mac depends upon additional protections separate from those already incorporated in the BTLE specification. You can, for example, use Bluetooth to send and receive files to and from other Bluetooth devices, but you must first establish a trusted connection between your Mac and that device. Each of its users must agree to that connection before it can occur, and before any meaningful data transfer can take place.
For these apps to be able to connect to the laptop without having even previously paired with it seems like it could be a security risk to me.
Yes, it could be, but the devices have to be found before they can be paired. The only way to prevent that is to turn BT "off"... and you can certainly do that on the MBA.
Although the nature of wireless devices makes them inherently less secure than devices that would otherwise exist in total isolation — able to connect to one another only with physical cables — device security has been a fundamental aspect of the Mac's operating system since its inception. I certainly would not be any more concerned about BT's ability to "discover" your MacBook Air than any other means of determining its existence for the purpose of exploiting its vulnerabilities... and there are far easier ways of doing that.
The full BT specification is here: Core Version 5.0
Link
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level1 20 points
Jan 21, 2017 12:34 PM in response to PoeticKinetics
Hi John,
Thank you so much for your detailed reply, I appreciate it 🙂
That all makes sense to me. So even though the phone/app can connect and pair with the laptop without a pincode or prompt, it is only paired temporarily in a restricted operational mode which allows for service discovery only, with no potential additional communication(?)
I would have initially thought that the app could initiate a scan of the publicly listed services of a device just by scanning it rather than actually connecting to it? Kind of like with Wifi you can scan and see a public or BSSID of a router and probably other IP/Port Scans without having to actually know the PWD for the Wifi network and also without actually connecting to the network at all? Or is it that a form of connection Is actually made to the router directly, but that nothing comes up in the Wifi menu as a connected network?
I was under the impression that discovery mode is activated either clicking on the BT icon in the menu extra bar to display the menu, or alternatively opening Sys Pref / Bluetooth.
However TPSerialMon can discover and connect to a device which is not operating in 'discovery mode' at all.
It would be nice to be able to disable device discovery of Bluetooth in OSX, while still keeping BT enabled for existing paired devices. Or does the BT spec stipulate that devices need to be in a constant connectible / discovery mode?
Thanks again for your input, you're a great contributor to this forum.
~ Gethen
Link
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level1 20 points
Jan 21, 2017 12:50 PM in response to PoeticKinetics
Also would you have any idea what these manufacturer specified custom services are?
I can't seem to find any reference to them online. As they are custom UUID's, they aren't listed in the BT Services / Characteristics lists. https://www.bluetooth.com/specifications/gatt/services https://www.bluetooth.com/specifications/gatt/characteristics
Service 1:
9FA480E0-4967-4542-9390-D343DC5D04AE
AF0BADB1-5B99-43CD-917A-A77BC549E3CC
Write / Notify
Service 2:
D0611E78-BBB4-4591-A5F8-487910AE4366
8667556C-9A37-4C91-84ED-54EE27D90049
Write / Notify
My discovery apps don't give me any useful service descriptions 😟
Link
User profile for user: John Galt
John Galt
User level: Level10 142,292 points
Jan 23, 2017 10:19 AM in response to PoeticKinetics
It's not possible to determine exactly what those services are. Given the broad capabilities of BT services though I don't think it really matters. I understand you are concerned about breaching its security protocols to exploit BT-enabled devices in general, and a Mac in particular.
I'm still using that app to determine the extent to which I can potentially use BT to exploit Macs as well as other devices, and I admit I haven't had much time to do that.
Link
User profile for user: CodeJingle
CodeJingle
User level: Level1 8 points
Apr 10, 2017 7:56 PM in response to PoeticKinetics
Pairing is a legacy concept dating back to before Bluetooth 4.0 and Bluetooth Low Energy (BLE). It is fundamental to the BLE specification to be able to connect to other BLE devices without having to formally pair. The concept of 'pairing' is replaced with 'connecting'. Bluetooth 5.0 expands this further to the point that two devices can communicate with each other without even needing a connection. Pairing is only required in specific circ*mstances. Most of the functionality for two-way communication will be enabled without requiring a legacy pairing. This is baked into the Bluetooth standard.
An ill-formed BLE device has no hope of retrieving important data from your computer, as your computer does not expose Bluetooth services for access to sensitive information. You would have to be a Bluetooth developer, and design & implement a BLE Gatt Server that contained those services, then run that Gatt Server on your machine to voluntarily expose access to sensitive information for consumption by physically nearby BLE client peripherals. Outside of this scenario I don't understand your security concern?
Link
User profile for user: John Galt
John Galt
User level: Level10 142,292 points
Jan 9, 2017 5:08 AM in response to PoeticKinetics
That is a normal Bluetooth port required by macOS. Make no attempt to remove it.
Link
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level1 20 points
Jan 16, 2017 2:10 AM in response to PoeticKinetics
Thanks for that. Do you have further details on the purpose of it?
Cheers.
Link
User profile for user: John Galt
John Galt
User level: Level10 142,292 points
Jan 16, 2017 9:03 AM in response to PoeticKinetics
Sure, it's part of the Bluetooth transport layer. It provides a way to adapt legacy serial port communication protocols for BT devices.
Link
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level1 20 points
Jan 17, 2017 9:05 PM in response to John Galt
Hi John, that's the correct link for LightBlue, and here is the other link;
BLE Serial Monitor for TelePower by TelePower
Link
User profile for user: PoeticKinetics
PoeticKinetics Author
User level: Level1 20 points
Jan 17, 2017 10:47 PM in response to PoeticKinetics
For these apps to be able to connect to the laptop without having even previously paired with it seems like it could be a security risk to me.
Link
User profile for user: dmg15
dmg15
User level: Level1 4 points
Nov 16, 2017 5:47 AM in response to CodeJingle
Literally a month after this conversation the BlueBorne malware started making headlines... which one of you was it?
Link
Remove Incoming Bluetooth Serial Port
