Skip to content

feat.: add BLE security via 4-digit auth code#163

Open
Rampage270906 wants to merge 3 commits into
fossasia:masterfrom
Rampage270906:security-feature
Open

feat.: add BLE security via 4-digit auth code#163
Rampage270906 wants to merge 3 commits into
fossasia:masterfrom
Rampage270906:security-feature

Conversation

@Rampage270906

@Rampage270906 Rampage270906 commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Closes #72
The badge's BT-PAIRING mode accepted bitmap transfers from any nearby device i.e anyone running the app within BLE range could overwrite the display without the owner's knowledge or consent. Added an application-layer authentication gate on top of the existing BLE connection flow. When the badge enters BT-PAIRING mode, it generates a random 4-digit code and displays it on the LED matrix. Any device attempting to transfer data must first send the correct code before the badge will accept a 'wang' transfer and without it, all writes are rejected.

Reviewer's Guide:
fossasia/badgemagic-app#1783 (comment)
This feature is dependent on the app and requires the above PR to be merged in the badgmagic-app repo

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @Rampage270906, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@Rampage270906 Rampage270906 marked this pull request as ready for review June 29, 2026 19:23

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @Rampage270906, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@weberval weberval self-requested a review July 4, 2026 09:03

@weberval weberval left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a breaking change!
Not only the flutter app will be affected by this, but also the Rust, Go and Python libraries.

To lower the impact and enable other developers to incorporate the changes, I would like to see some documentation about the new protocol extension.

Also, to be backward compatible to the proprietary firmware, we would need a way to keep insecure pairing. Maybe by pressing a button in pairing mode?

@Rampage270906

Copy link
Copy Markdown
Contributor Author

Will look into this and add the following at the earliest.

  • protocol.md documenting the auth packet format and lifecycle
  • A KEY4 bypass in BT-PAIRING mode that allows legacy firmware users to connect without PIN
  • Security mode defaults to OFF so existing users/libraries are unaffected until they explicitly enable it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security option

2 participants