
ZeroPair: Bluetooth RFCOMM Authentication Bypass in Thermal Printers

🔴 Critical Vulnerability Disclosure

CVE Status: Pending Assignment
CVSS v3.1 (Estimated): 8.1 HIGH
Disclosure Date: January 25, 2026
Discovered by: CBKB (DeadlyData, Metal->Bit)


📋 Executive Summary

ZeroPair is a critical authentication bypass vulnerability affecting Bluetooth-enabled thermal printers from multiple vendors. Affected devices accept unauthenticated RFCOMM (SPP) connections, allowing nearby attackers to access printer command interfaces without pairing, authentication, or user interaction.

The vulnerability exists entirely in device firmware, is invisible to standard Bluetooth management tools, and cannot be remediated by end users.


🎯 Vulnerability Description (Pending CVE)

Bluetooth thermal printers using affected firmware improperly accept RFCOMM connections without authentication due to an insecure trust model implemented outside standard Bluetooth pairing controls. An attacker within Bluetooth range can connect to the device and inject arbitrary printer commands without prior pairing, authentication, or user interaction, leading to information disclosure and output tampering.


📊 Affected Industries

Industry       Use Case             Impact Severity   Risk Level
Healthcare     Prescription labels  🔴 CRITICAL       🔴 CRITICAL
Retail         POS receipts         🔴 HIGH           🔴 HIGH
Food Service   Order tickets        🟡 MEDIUM         🟡 MEDIUM
Logistics      Shipping labels      🟡 MEDIUM         🟡 MEDIUM
Enterprise     Badges, documents    🔴 HIGH           🔴 HIGH

🔬 Technical Analysis

Root Cause

The vulnerability stems from a persistent and implicit trust mechanism implemented at the firmware / protocol layer that operates independently from standard Bluetooth user-space management.

Affected devices expose an RFCOMM service that accepts inbound connections without enforcing authentication at connection time, regardless of the pairing state shown to the user.

┌─────────────────────────────────────────────────────┐
│  User Space (What users can see/control)            │
│  ┌───────────────────────────────────────────────┐   │
│  │ bluetoothctl / system settings               │   │
│  │ Shows: "Not paired" / "Not connected"        │   │
│  └───────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────┘
                         ▲
                         │ User believes device is secure
                         │
┌─────────────────────────────────────────────────────┐
│  Firmware / Protocol Layer (Hidden from users)      │
│  ┌───────────────────────────────────────────────┐   │
│  │ RFCOMM service accepts connections           │   │
│  │ No authentication enforced                   │   │
│  │ No re-authentication required                │   │
│  └───────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────┘

In some firmware implementations, this behavior is further amplified by a hidden or implicit trust state that persists independently of user-visible pairing controls. However, explicit pairing is not required for exploitation.
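For contrast with the trust model just described, the following is an added example written for this edit; it is not code from the advisory, from the zeropair.py proof of concept, or from any vendor's firmware. It shows what enforcing authentication at connection time looks like for an RFCOMM/SPP service on Linux/BlueZ, where the kernel owns the link-security decision: setting BT_SECURITY on the listening socket makes the kernel require a paired, encrypted link before accept() ever returns (at BT_SECURITY_HIGH an authenticated link key, so a Just Works pairing is not enough). That is the check the affected printers' firmware does not perform. Assumptions are marked in comments: the numeric socket constants, RFCOMM channel 1, and that an unconfigured socket sits at BT_SECURITY_LOW. The printers themselves run vendor SoC firmware, so this illustrates the missing control rather than patching those devices.

```python
"""Added example (not from the advisory or any vendor firmware): an RFCOMM/SPP
listener on Linux/BlueZ that makes the kernel require a paired, encrypted link
before accept() returns, i.e. the connection-time check the advisory found
missing in the affected printers."""
import socket
import struct

# Linux values from <bluetooth/bluetooth.h>; the numbers are used when this
# Python build does not export the names (assumed: SOL_BLUETOOTH=274, BT_SECURITY=4).
SOL_BLUETOOTH = getattr(socket, "SOL_BLUETOOTH", 274)
BT_SECURITY = getattr(socket, "BT_SECURITY", 4)
BT_SECURITY_SDP, BT_SECURITY_LOW, BT_SECURITY_MEDIUM, BT_SECURITY_HIGH, BT_SECURITY_FIPS = range(5)
LEVEL_NAMES = {
    BT_SECURITY_SDP: "BT_SECURITY_SDP",        # SDP only, no requirement
    BT_SECURITY_LOW: "BT_SECURITY_LOW",        # no authentication or encryption required
    BT_SECURITY_MEDIUM: "BT_SECURITY_MEDIUM",  # encrypted; unauthenticated (Just Works) key accepted
    BT_SECURITY_HIGH: "BT_SECURITY_HIGH",      # encrypted with an authenticated key (PIN/passkey)
    BT_SECURITY_FIPS: "BT_SECURITY_FIPS",      # HIGH plus Secure Connections (P-256, AES-CCM)
}


def bt_security_option(level: int, key_size: int = 0) -> bytes:
    """Encode struct bt_security { __u8 level; __u8 key_size; } for setsockopt().
    key_size 0 leaves the minimum encryption key size at the kernel default."""
    if level not in LEVEL_NAMES:
        raise ValueError(f"unknown BT_SECURITY level {level}")
    if not 0 <= key_size <= 16:
        raise ValueError("key_size must be between 0 and 16 bytes")
    return struct.pack("BB", level, key_size)


def decode_security_option(raw: bytes) -> tuple[str, int]:
    """Inverse of bt_security_option, e.g. for the value getsockopt() returns."""
    level, key_size = struct.unpack("BB", raw[:2])
    return LEVEL_NAMES[level], key_size


def link_satisfies(level: int, authenticated: bool, encrypted: bool) -> bool:
    """BR/EDR policy the kernel applies for a socket at `level` before the
    connection is handed to user space (FIPS' key-type requirement omitted)."""
    if level <= BT_SECURITY_LOW:
        return True
    if level == BT_SECURITY_MEDIUM:
        return encrypted
    return authenticated and encrypted


def open_spp_listener(channel: int = 1, level: int = BT_SECURITY_HIGH) -> socket.socket:
    """Listen on an RFCOMM channel (1 assumed; the SDP record is registered
    separately). Without the setsockopt the socket stays at BT_SECURITY_LOW
    (assumed kernel default), the permissive shape the advisory describes.
    Sockets returned by accept() inherit the listener's level."""
    srv = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_STREAM, socket.BTPROTO_RFCOMM)
    srv.setsockopt(SOL_BLUETOOTH, BT_SECURITY, bt_security_option(level))
    srv.bind((socket.BDADDR_ANY, channel))
    srv.listen(1)
    return srv


def serve_one_job(channel: int = 1) -> int:
    """Accept a single session and count the bytes received. By the time
    accept() returns, the kernel has already enforced the configured level,
    so an unpaired peer never reaches this code."""
    with open_spp_listener(channel) as srv:
        conn, (peer, _) = srv.accept()
        with conn:
            total = 0
            while chunk := conn.recv(4096):
                total += len(chunk)
            print(f"session from {peer}: {total} bytes of printer commands")
            return total


if __name__ == "__main__":
    serve_one_job()
```

The policy helper mirrors what the kernel checks so the effect of each level can be reasoned about offline: MEDIUM is satisfied by any encrypted link, including one keyed by a Just Works pairing, while HIGH additionally demands an authenticated key, which for the PIN-based printers in this advisory means the user actually entered the PIN.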


The Four-Layer Validation

The authentication bypass was validated through four independent verification methods:

  1. bluetoothctl
    Device is reported as not paired.

  2. /var/lib/bluetooth/
    No pairing keys or cached trust material are present.

  3. hcitool con
    No active Bluetooth connections are shown.

  4. RFCOMM binding / communication
    RFCOMM communication succeeds and allows bidirectional data exchange.

This confirms that the trust decision allowing access occurs outside standard Bluetooth management layers.
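The four checks above can be run as a single consistency test against a device you administer. The script below is an added example written for this edit, not the zeropair.py proof of concept: it parses constructed sample output of `bluetoothctl info` and `hcitool con` (line formats assumed from BlueZ 5.x), lists stored key material under a BlueZ state directory, and combines those with the operator's recorded result of the fourth check, the RFCOMM session test, supplied as a boolean because the script opens no Bluetooth connections itself. The report flags the advisory's condition: RFCOMM data exchange succeeded while every management-layer view reports the peer as unknown. The sample address, device name and outputs are constructed placeholders.

```python
"""Pairing-state consistency audit (added example, not the advisory's PoC).

Parses the three user-space views from the four-layer validation above
(bluetoothctl, the BlueZ pairing store, hcitool con) and cross-checks them
against the recorded result of the RFCOMM session test, which the operator
runs separately against a device they administer."""
import re
from dataclasses import dataclass
from pathlib import Path

BDADDR = r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"


@dataclass
class PeerState:
    address: str
    paired: bool
    trusted: bool
    connected: bool


def parse_bluetoothctl_info(text: str) -> PeerState:
    """`bluetoothctl info <addr>`: a 'Device <addr> (...)' header followed by
    indented 'Key: value' lines (BlueZ 5.x layout, assumed)."""
    address, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(rf"^Device ({BDADDR})", line)
        if header:
            address = header.group(1)
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if address is None:
        raise ValueError("no 'Device <addr>' header in bluetoothctl output")

    def flag(key: str) -> bool:
        return fields.get(key, "no").lower() == "yes"

    return PeerState(address, flag("Paired"), flag("Trusted"), flag("Connected"))


def stored_link_keys(bluez_root: Path) -> set[str]:
    """Peers with stored key material: <root>/<adapter>/<peer>/info."""
    return {p.parent.name.upper() for p in bluez_root.glob("*/*/info")
            if re.fullmatch(BDADDR, p.parent.name.upper())}


def parse_hcitool_con(text: str) -> set[str]:
    """Peer addresses in `hcitool con` output, lines like
    '> ACL AA:BB:CC:DD:EE:99 handle 11 state 1 lm MASTER' (format assumed)."""
    return set(re.findall(rf"\b(?:ACL|SCO) ({BDADDR})", text))


def audit(peer: PeerState, stored: set[str], active: set[str],
          rfcomm_succeeded: bool) -> dict:
    """'trust_outside_management' is the advisory's condition: RFCOMM data
    exchange worked although no management layer knows the peer."""
    known_to_stack = (peer.paired or peer.trusted or peer.connected
                      or peer.address in stored or peer.address in active)
    return {
        "address": peer.address,
        "layer1_bluetoothctl_paired": peer.paired,
        "layer2_link_key_stored": peer.address in stored,
        "layer3_hci_connection": peer.address in active,
        "layer4_rfcomm_succeeded": rfcomm_succeeded,
        "trust_outside_management": rfcomm_succeeded and not known_to_stack,
    }


# Constructed sample output; the address is a placeholder, not a real device.
SAMPLE_BLUETOOTHCTL = """\
Device AA:BB:CC:DD:EE:01 (public)
\tName: D450-BT
\tClass: 0x00000680
\tPaired: no
\tTrusted: no
\tConnected: no
\tUUID: Serial Port               (00001101-0000-1000-8000-00805f9b34fb)
"""
# Constructed: an unrelated peer has an ACL link, the printer does not.
SAMPLE_HCITOOL = """\
Connections:
\t> ACL AA:BB:CC:DD:EE:99 handle 11 state 1 lm MASTER AUTH ENCRYPT
"""


def run_sample_audit(rfcomm_succeeded: bool = True) -> dict:
    """Sample run; on a live host feed subprocess output of the two tools
    and stored_link_keys(Path('/var/lib/bluetooth')) instead."""
    peer = parse_bluetoothctl_info(SAMPLE_BLUETOOTHCTL)
    return audit(peer, set(), parse_hcitool_con(SAMPLE_HCITOOL), rfcomm_succeeded)


if __name__ == "__main__":
    for key, value in run_sample_audit().items():
        print(f"{key:28} {value}")
```

A peer that is paired, has a stored key, or holds an HCI link is reported as known to the stack and is not flagged even when RFCOMM succeeds; only the combination the advisory describes (all three views negative, session positive) sets `trust_outside_management`.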


CWE Classifications

  • CWE-287: Improper Authentication
  • CWE-306: Missing Authentication for Critical Function
  • CWE-798: Use of Hard-coded Credentials
  • CWE-1284: Improper Validation of Security State

💥 Affected Products

Confirmed Vulnerable (Tested)

Vendor                     Product   Chipset   Protocol   Deployment
Zhuhai Jieli Technology    M58-L     Jieli     ESC/POS    Retail POS
Barrot Technology          D450      Barrot    TSPL       Healthcare

Potentially Affected

Printers using similar Bluetooth firmware or RFCOMM/SPP implementations are likely affected.
Deployment spans retail, healthcare, logistics, food service, and enterprise environments, with an installed base estimated at hundreds of thousands of devices.


🧪 Tested Device Information

Device 1 — Retail POS Printer

Model:              M58-L Bluetooth Thermal Printer
Vendor:             Zhuhai Jieli Technology
Chipset:            Jieli Bluetooth SoC
Bluetooth:          Classic Bluetooth + RFCOMM
Protocol:           ESC/POS
Default PIN:        1234 (not used during testing)
Firmware:           Production firmware (January 2026)
Pairing Performed:  NO

Device 2 — Healthcare Label Printer

Model:              D450 Bluetooth Label Printer
Vendor:             Barrot Technology
Chipset:            Barrot Bluetooth SoC
Bluetooth:          Classic Bluetooth (RFCOMM/SPP)
Protocol:           TSPL
Default PIN:        0000 (not used during testing)
Firmware:           Production firmware (January 2026)
Pairing Performed:  NO

🖥️ Test Environment

Operating System:   Kali Linux 2025.x
Bluetooth Stack:    BlueZ 5.x
Adapter:            Standard laptop Bluetooth adapter
Attack Range:       Bluetooth proximity (10–100m typical)
User Interaction:   None

🚨 Real-World Attack Scenarios

Scenario 1: Healthcare - Prescription Label Tampering

Environment: Hospital pharmacy using D450 label printers
Attack Surface: Printers within Bluetooth range of public areas
Attacker Profile: Malicious actor targeting medication safety

Attack Sequence:

Phase 1: Reconnaissance
───────────────────────────────────────────────────────────────────────────
1. Attacker positions within Bluetooth range of pharmacy
   • Hospital parking lot (50-100m from pharmacy)
   • Public waiting area near pharmacy

2. Execute reconnaissance:
   $ sudo python3 zeropair.py --scan --verbose

3. Discover vulnerable D450 printer:
   [*] Found: 10:23:81:79:E6:43 (D450-BT)
   [*] Manufacturer: Barrot (2279)
   [*] Protocol: TSPL
   [!] VULNERABLE

Phase 2: Passive Monitoring
───────────────────────────────────────────────────────────────────────────
4. Monitor prescription labels:
   $ sudo python3 zeropair.py --monitor 10:23:81:79:E6:43

5. Intercept label data:
   ╔════════════════════════════════════════════════════╗
   ║ Patient: Jane Doe         MRN: 987654              ║
   ║ Medication: Warfarin      NDC: 00093-1074-01       ║
   ║ Dosage: 5mg               Qty: 30                  ║
   ║ Instructions: Take 1 tablet daily                  ║
   ║ Prescriber: Dr. Smith     RPh: Jones               ║
   ╚════════════════════════════════════════════════════╝

Phase 3: Active Attack
───────────────────────────────────────────────────────────────────────────
6. Intercept and modify label in real-time:
   $ sudo python3 zeropair.py --inject 10:23:81:79:E6:43
   [*] Modifying: Warfarin 5mg → 10mg

7. Modified label prints:
   ╔════════════════════════════════════════════════════╗
   ║ Patient: Jane Doe         MRN: 987654              ║
   ║ Medication: Warfarin      NDC: 00093-1074-01       ║
   ║ Dosage: 10mg ← DOUBLED   Qty: 30                   ║
   ║ Instructions: Take 1 tablet daily                  ║
   ║ Prescriber: Dr. Smith     RPh: Jones               ║
   ╚════════════════════════════════════════════════════╝

8. Pharmacist applies tampered label - no indication of modification
9. Patient receives DOUBLED dosage prescription

Impact Assessment:

Category         Impact                              Severity
Patient Safety   Medication overdose/underdose       🔴 CRITICAL
Regulatory       HIPAA violation (PHI access)        🔴 CRITICAL
Legal            Hospital liability for med errors   🔴 CRITICAL
Detection        Zero - no audit trail               🔴 HIGH

Real-World Consequences:

  • Warfarin overdose → life-threatening bleeding
  • Underdose → stroke or blood clot risk
  • Attack completely undetectable in pharmacy workflow


Scenario 2: Retail POS - Receipt Fraud & Transaction Theft

Environment: Retail store using M58-L thermal printers at point-of-sale
Attack Surface: POS printers within Bluetooth range of store entrance
Attacker Profile: Organized retail crime, fraudulent return operations

Attack Sequence:

Phase 1: Receipt Harvesting
───────────────────────────────────────────────────────────────────────────
1. Attacker parks near store entrance (within Bluetooth range)

2. Scan for POS printers:
   $ sudo python3 zeropair.py --scan --filter "thermal"

3. Discover M58-L POS printers:
   [*] Register 1: 66:32:9E:2E:FD:94 (M58-L)
   [*] Register 2: 66:32:9E:2E:FD:95 (M58-L)
   [*] Register 3: 66:32:9E:2E:FD:96 (M58-L)

Phase 2: Transaction Monitoring
───────────────────────────────────────────────────────────────────────────
4. Monitor all registers simultaneously:
   $ sudo python3 zeropair.py --monitor-multiple \
     66:32:9E:2E:FD:94,95,96

5. Capture legitimate transaction:
   ════════════════════════════════════════════
              EXAMPLE RETAIL STORE
                123 Main Street
   ────────────────────────────────────────────
   Date: 01/25/2026 14:32    Trans: 789012
   Cashier: #4523            Register: 1

   Samsung Galaxy S24         $1,199.99
   Wireless Charger           $29.99
                              ─────────
   Subtotal:                  $1,229.98
   Tax (8.5%):                $104.55
   TOTAL:                     $1,334.53

   CREDIT CARD ****1234
   Auth: 123456

   Return Policy: 30 days with receipt
   ════════════════════════════════════════════

Phase 3: Fraudulent Receipt Generation
───────────────────────────────────────────────────────────────────────────
6. Create counterfeit receipt using captured format:
   $ sudo python3 zeropair.py --clone-receipt \
     --template captured.txt \
     --modify "Trans: 789099"

7. Print fake receipt on STORE'S OWN PRINTER:
   $ sudo python3 zeropair.py --print 66:32:9E:2E:FD:94 \
     --file fake_receipt.escp

8. Receipt prints using store's receipt paper
   • Matches store format exactly
   • Printed on legitimate paper
   • Indistinguishable from real receipt

Phase 4: Fraudulent Return
───────────────────────────────────────────────────────────────────────────
9. Attacker enters store with:
   • Fake receipt (printed on store's printer)
   • Stolen/purchased item

10. Employee processes return:
    • Receipt looks 100% legitimate (it IS from their printer!)
    • Transaction number may/may not be in system
    • Store issues refund to avoid confrontation

Impact Assessment:

Category         Impact                                     Severity
Financial Loss   Fraudulent returns, inventory shrink       🔴 HIGH
Customer Data    Credit card info exposure                  🔴 HIGH
Operational      Sales disruption if printer DoS'd          🟡 MEDIUM
Detection        Extremely difficult - receipts authentic   🔴 HIGH

Scale Potential:

  • Organized retail crime can automate at scale
  • Multiple stores targeted simultaneously
  • High-value items specifically targeted
  • Receipt paper is authentic = hard to detect



🛠️ Proof of Concept: zeropair.py (Summary)

A proof-of-concept framework was developed solely to validate and demonstrate impact.

Capabilities Demonstrated:

  • Bluetooth device discovery
  • Vendor / protocol fingerprinting
  • Unauthenticated RFCOMM access
  • Output monitoring and injection
  • Multi-device targeting

Observed Results:

Device   Time to Access   Success Rate
M58-L    ~8 seconds       100%
D450     ~10 seconds      100%

The PoC does not perform pairing and does not define CVE scope.

⚙️ Exploitation Difficulty

Factor                 Assessment
Technical Skill        Low
Equipment Required     Standard Bluetooth-capable system
Time to Impact         Seconds
User Awareness         None
Detection Likelihood   Very Low
Reliability            High

📅 Disclosure Timeline

Date                Event
January 20, 2026    Vulnerability discovered and validated
January 25, 2026    Vendors notified
January 25, 2026    CVE requested from MITRE
January 25, 2026    CERT/CC coordination initiated
January 25, 2026    Public disclosure

🧭 Disclosure Rationale

Immediate public disclosure was deemed appropriate due to:

  • Absence of user-accessible remediation
  • Safety-critical healthcare deployment
  • Large-scale retail exposure
  • Demonstrated authentication bypass without pairing
  • Same-day good-faith vendor notification

This disclosure is provided for defensive security research and risk awareness purposes only.

Do not:

  • Test devices you do not own
  • Access systems without authorization
  • Use this information maliciously


Responsible security research by CBKB (DeadlyData, Metal->Bit)

END OF DISCLOSURE