Bluetooth keyboard security checklist

This list of tests can be used to characterize the security of a Bluetooth keyboard. For more information, see http://ossmann.com/shmoo-2010/

The tests are to be done without the link key except where noted. The tests are to be done while the device and host are "virtually cabled." Each unit (both devices and hosts/dongles) should be tested. If a dongle or other host adapter supports USB emulation mode, it should be tested in both modes (see hid2hci).

discoverability

1. While the unit's partner is powered off, is the unit discoverable with the General Inquiry Access Code (hcitool inq --iac=giac) immediately after being powered on?
2. While the unit's partner is powered off, is the unit discoverable with the Limited Inquiry Access Code (hcitool inq --iac=liac) immediately after being powered on?
3. While the unit's partner is powered off, is the unit discoverable with the General Inquiry Access Code (hcitool inq --iac=giac) more than three minutes after being powered on?
4. While the unit's partner is powered off, is the unit discoverable with the Limited Inquiry Access Code (hcitool inq --iac=liac) more than three minutes after being powered on?
5. Is the unit discoverable with the General Inquiry Access Code (hcitool inq --iac=giac) while the unit is actively connected to its partner?
6. Is the unit discoverable with the Limited Inquiry Access Code (hcitool inq --iac=liac) while the unit is actively connected to its partner?

connectability

7. While the unit's partner is powered off, is the unit connectable (hcitool name ) from any source address immediately after being powered on?
8. While the unit's partner is powered off, is the unit connectable (hcitool name ) from any source address more than three minutes after being powered on?
9. While the unit's partner is powered off, is the unit connectable (hcitool name ) from the partner's source address immediately after being powered on?
10. While the unit's partner is powered off, is the unit connectable (hcitool name ) from the partner's source address more than three minutes after being powered on?
11. Is the unit connectable (hcitool name ) from any source address while the unit is actively connected to its partner?
12. Is the unit connectable (hcitool name ) from the partner's source address while the unit is actively connected to its partner?

HID channel availability

13. While the unit's partner is powered off, is the unit's HID Control channel available (psm_scan -c -s 17 -e 17 ) from any source address immediately after being powered on?
14. While the unit's partner is powered off, is the unit's HID Control channel available (psm_scan -c -s 17 -e 17 ) from any source address more than three minutes after being powered on?
15. While the unit's partner is powered off, is the unit's HID Control channel available (psm_scan -c -s 17 -e 17 ) from the partner's source address immediately after being powered on?
16. While the unit's partner is powered off, is the unit's HID Control channel available (psm_scan -c -s 17 -e 17 ) from the partner's source address more than three minutes after being powered on?
17. Is the unit's HID Control channel available (psm_scan -c -s 17 -e 17 ) from any source address while the unit is actively connected to its partner?
18. Is the unit's HID Control channel available (psm_scan -c -s 17 -e 17 ) from the partner's source address while the unit is actively connected to its partner?

The following tests may require spoofing the unit's partner with link key or initiating a new pairing from the test platform.

encryption

19. Does the unit support encryption (hcitool info )?
20. When opening an HID Control channel to the unit (psm_scan -c -s 17 -e 17 ), does the unit initiate encryption (hcidump -V)?

superfluous PSMs

21. While connected to the unit such that the HID Control channel is available, are any PSMs accessible other than 1 (SDP), 17 (HID Control), and 19 (HID Interrupt) (psm_scan -c )?
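An added shell harness (not part of the original checklist or the shmoo-2010 material) that records the answers to tests 1-4 and 7-8 for one unit whose partner is powered off, using the BlueZ hcitool commands named above; the TARGET, HCITOOL, REPORT and WAIT_SECS variables are this script's own assumptions, and the answers it records are from the test adapter's own (non-partner) source address.

```shell
#!/bin/sh
# Automates the "partner powered off" discoverability (tests 1-4) and
# connectability (tests 7-8) questions for the unit at TARGET (its BD_ADDR).
# HCITOOL lets the hcitool binary be replaced by a stub for a dry run.
HCITOOL="${HCITOOL:-hcitool}"
REPORT="${REPORT:-bt_checklist_report.txt}"
WAIT_SECS="${WAIT_SECS:-180}"   # "more than three minutes after being powered on"

# Returns 0 if TARGET appears in an inquiry with the given IAC (giac or liac).
inquiry_hit() {
    iac="$1"; target="$2"
    "$HCITOOL" inq --iac="$iac" 2>/dev/null | grep -qiF "$target"
}

# Returns 0 if a baseband connection from this adapter's address succeeds:
# hcitool name only prints a name when the remote name request completed.
connect_hit() {
    name=$("$HCITOOL" name "$1" 2>/dev/null) && [ -n "$name" ]
}

# Runs a check and turns its exit status into the checklist's yes/no answer.
answer() { if "$@"; then echo yes; else echo no; fi; }

# Appends "test<TAB>window<TAB>answer" to the report.
record() { printf '%s\t%s\t%s\n' "$1" "$2" "$3" >> "$REPORT"; }

# Answers the three questions for one time window ("immediate" or "after-3min").
run_window() {
    window="$1"; target="$2"
    record discoverable-giac "$window" "$(answer inquiry_hit giac "$target")"
    record discoverable-liac "$window" "$(answer inquiry_hit liac "$target")"
    record connectable-from-test-adapter "$window" "$(answer connect_hit "$target")"
}

main() {
    : > "$REPORT"
    echo "Power the unit on now (partner off), then press Enter."; read -r dummy
    run_window immediate "$1"
    sleep "$WAIT_SECS"
    run_window after-3min "$1"
    cat "$REPORT"
}

# Only run the interactive session when a target address was supplied.
if [ -n "${TARGET:-}" ]; then main "$TARGET"; fi
```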