u-blox / ubxlib

Portable C libraries which provide APIs to build applications with u-blox products and services. Delivered as add-on to existing microcontroller and RTOS SDKs.
Apache License 2.0

C2C seems not to have a session counter #220

Closed abattistello-secpat closed 3 months ago

abattistello-secpat commented 3 months ago

Up to tag v1.2.0, the example code provided for the chip 2 chip security does not mention a session counter, or alternatively some random nonce used to differentiate one session from another. It thus seems possible to replay previous messages exchanged during a legitimate session, to reissue the same commands.

RobMeades commented 3 months ago

Thanks for the interest, but the chip-to-chip security feature was removed back in commit 26392366cd9723826b915506e28c5a8c046d63ab, mid 2023.

RobMeades commented 3 months ago

I will close this: please feel free to re-open if there is more to discuss.
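
The replay concern raised in this issue, shown as an added example that is not part of the thread and is neither ubxlib code nor the removed C2C protocol: a receiver that binds every frame to a per-session random nonce and a strictly increasing counter, both covered by the MAC. The frame layout (16-byte nonce, 32-bit counter, payload, HMAC-SHA256 tag), the pre-shared key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key: bytes, nonce: bytes, counter: int, payload: bytes) -> bytes:
    """Sender: bind the payload to this session's nonce and a frame counter."""
    header = nonce + struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts each authenticated frame at most once per session."""

    def __init__(self, key: bytes):
        self.key = key
        self.new_session()

    def new_session(self) -> bytes:
        # Fresh random nonce per session, sent to the peer during the handshake.
        self.nonce = os.urandom(16)
        self.last_counter = 0
        return self.nonce

    def open(self, frame: bytes):
        """Return the payload, or None if the frame is forged, stale or replayed."""
        if len(frame) < 20 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted
        nonce, (counter,) = body[:16], struct.unpack(">I", body[16:20])
        if not hmac.compare_digest(nonce, self.nonce):
            return None  # frame recorded in an earlier session
        if counter <= self.last_counter:
            return None  # frame already seen in this session
        self.last_counter = counter
        return body[20:]
```

A frame captured on the link is rejected by the counter check when replayed within the same session, and by the nonce check once `new_session()` has been called, even though its MAC is still valid.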