OBEX Security

Object Exchange Protocol (OBEX) has the following potential security risk:

  • OBEX supports plug-in services from third-party vendors. If these extensions do not use proper security and authentication procedures, they could compromise the security of a device or local network.

OBEX is a session layer protocol that allows devices to exchange data in a simple and spontaneous manner. The protocol can be supported over a variety of transports. In Microsoft® Windows® CE .NET, the supported transports are over IrDA and Bluetooth transmission technologies. OBEX provides security support by incorporating an authentication mechanism that uses a challenge and response scheme. Any connection attempts that do not pass the authentication procedure are disallowed.

Best Practices

Turn on authentication in OBEX by default

Although authentication is an option for OBEX, Microsoft recommends that you turn authentication on by default to allow only authorized individuals to make connections and exchange data with the server.

Turn on Bluetooth encryption when running OBEX over Bluetooth

Sensitive information can be encrypted prior to being sent over the network. This prevents unauthorized users from viewing data in transmitted packets.

Use Bluetooth authentication as appropriate when transferring sensitive data

The server can ask for authentication in response to a connection request. Once a connection is established, authentication can be challenged for various requests. Both Kerberos and Secure Sockets Layer (SSL) authentication mechanisms are supported.

Default Registry Settings

You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.

For OBEX registry information, see OBEX Registry Settings.

Ports

No specific ports are used for OBEX.

See Also

Object Exchange Protocol

 Last updated on Friday, April 09, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.