Saturday 15 March 2014

Security options

Here's some information about security options available for InputStick:

1) Protocol encryption. 

Even though Bluetooth connection between smartphone and InputStick is already encrypted, it is possible to use AES-128 encryption on InputStick protocol level. I started working on this some time ago, but to make it efficient and reliable I had to make some changes to InputStick protocol. Using encryption adds additional 0.5ms latency, so if latency is a top priority (like in case of game controllers), you should carefully think if encryption is really necessary.

2) Access control.

If you leave InputStick plugged into USB port, there is a possibility that someone may try to connect to it and as a result gain access to USB host using InputStick as a keyboard and mouse. To solve this problem I've introduced additional option: "Force encryption". If set, remote device must prove that it knows encryption key before InputStick will accept any USB data.

3) Password recovery. 

Just like with any other password protected system it is necessary to take into account situation when someone simply forgets the password. In this case it would permanently lock InputStick device, so I decided that there must be a way for user to remove password protection:
  1. Plug InputStick into USB host which comes with a keyboard (preferably PC).
  2. Use smartphone to connect to InputStick and initiate restore procedure.
  3. Once every 6 minutes you will be asked to set a certain state of NumLock, CapsLock and ScrollLock. This step will be repeated 10 times.
  4. Password protection is now removed, however before you can use InputStick again you must physically unplug it form the USB port and then plug it again.
As you can see, this requires you to have physical access to USB host, USB port and InputStick for at least an hour. During such period of time one may do many more potentially dangerous things than just resetting InputStick password protection.

4) Utility application.

Opening device details screen allows to choose new security-related options:

Here you can set encryption password and choose if it must be used before sending any other data. If you choose this option, it is necessary to enter this password on any Android device that is paired with this particular InputStick device.

This activity will guide you through restoring process:


  1. Quite ingenious, I like it. Also, you're clearly working too late in the night... ;)

    1. Well I'm clearly a night-person type :) But enough is enough, going to sleep now, there is still a lot of work waiting for me during this weekend