Paper 2021/083

The Bluetooth CYBORG: Analysis of the Full Human-Machine Passkey Entry AKE Protocol

Michael Troncoso and Britta Hale


In this paper, we computationally analyze Passkey Entry in its entirety as a cryptographic authenticated key exchange (AKE) - including user-protocol interactions that are typically ignored as out-of-band. To achieve this, we model the user-to-device channels, as well as the typical device-to-device channel, and adversarial control scenarios in both cases. In particular, we separately capture adversarial control of device displays on the initiating and responding devices as well as adversarial control of user input mechanisms using what we call a CYBORG model. The CYBORG model enables realistic real-world security analysis in light of published attacks on user-mediated protocols such as Bluetooth that leverage malware and device displays. In light of this, we show that all versions of Passkey Entry fail to provide security in our model. Finally, we demonstrate how slight modications to the protocol would allow it to achieve stronger security guarantees for all current variants of passkey generation, as well as a newly proposed twofold mode of generation we term Dual Passkey Entry. These proof-of-concept modications point to improved design approaches for user-mediated protocols. Finally, this work points to categories of vulnerabilities, based on compromise type, that could be exploited in Bluetooth Passkey Entry.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. MINOR revision.NDSS 2021
BluetoothAuthenticated Key Exchange (AKE)Secure ConnectionsSecure Simple PairingPasskey EntryUser Interface
Contact author(s)
michael troncoso @ nps edu
britta hale @ nps edu
2021-02-08: last of 2 revisions
2021-01-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michael Troncoso and Britta Hale},
      title = {The Bluetooth CYBORG: Analysis of the Full Human-Machine Passkey Entry AKE Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2021/083},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.