- marked as minor
- edited description
- changed title to [OpenID4VP over BLE] Active MITM can violate injective agreement
- marked as proposal
[OpenID4VP over BLE] Active MITM can violate injective agreement
Issue #1997
new
An active MITM can intercept a verification session as the VP is not bound to the BLE key. The attack works as follows:
- The MITM establishes a connection with a verifier (pretending to be a wallet).
- The MITM establishes a connection with a wallet (pretending to be a verifier).
- The MITM forwards the verifier’s signed request to the wallet. They can do that because the signed request is not bount to the BLE channel.
- The MITM forwards the wallet’s VP to the verifier.
- The verifier now believes the MITM holds a valid credential.
This attack can be mitigated by including a hash of the shared key in the signed request from the verifier. This should be easy to add, provided the app can access this key. Tom Jones pointed out via email that it might not be.
Comments (4)
-
reporter
-
- changed status to new
-
- changed component to BLE profile
-
This is a good finding. While the TLS has a similar issue it makes it tough to attack due to the trusted x509 certificate.
I think including the hash of the shared key is a good idea.
- Log in to comment
