I posted a post that expressed concerns about board settings data(beside chess settings there are WiFi Credentials and chess.com credentials) being shared to everyone over bluetooth connection(Anyone can connect to your board without passcode). I asked if the development team can add a button in the board setting to optionally turn off bluetooth(for users who like to be more secure in their environment)
That post was deleted from this forum! That action only increased concern for this issue!
Note: if you delete this post again, there are other places that we can write about this that are not under your control. Including writing to chess.com and telling them they are promoting a board that compromises everyone’s security
The post is not deleted - it is unlisted from the main forum view. I will also unlist this post soon.
There is no security issue with bluetooth and the info you provided is not accurate. I answered it and you can still view it.
Because the content is incorrect, we just unlist the post, but leave the answer for the original author to view.
You can see it here:
You are welcome to spread the news are far as you want. There is no security issue with allowing a device to connect via bluetooth without strong pairing. It is in fact supported by bluetooth governing body.
We unlist posts that are incorrect but still reply to the author.
We will not be changing anything about the bluetooth connection routine.
~~
With that said, I understand you are concerned. I assure you - there is no security issue with the bluetooth pairing. If you want to research bluetooth further, please see their website:
The app allows changing the board settings does it not?
What prevents my neighbor from changing my board settings? If he installs the ChessUp app the app will automatically connect to the nearest board(i tested it, it works up to 15 meters away from a different room)
So anyone in the vicinity can mess up the board settings and at the very least delete saved credentials and interrupt matches
They would need to be within 3~6 feet to connect, be aware that the board is powered on and is open for connections, and then - they can’t even really use the product in a way that interferes with you. They can only see their own accounts in their own app. The accounts on the board are only used via the board touchscreen. So the person would need possession of the board - and then the most harm they could do is play chess / use the product / sign you out.
Nothing related to credentials is readable. And beyond that it is also encrypted.
Our team thought of all this and I promise there is nothing at risk.
An ill intentioned person could theoretically launch a game, or dim the light level on the chessup - but the solution is just to ask the person in the room not to do that. And again, they would be doing so with their app and accounts.
The product is meant to be easy to use, so there is no strong password pairing - exactly because nothing is exposed and at risk.
And posts are removed that are disparaging and inaccurate. Your original post read “Vulnerability” and “needs to be addressed ASAP”. Which is false and disparaging. I know you did not intend it that way, so I answered the question, but I am still going to protect the truth and our reputation and unlist the post.
I used to retitle stuff to accurate titles and leave it up, but then the forum is full of incorrect proposals and theories - and it is supposed to be a resource for people to use the product better and more enjoyable. So now I just unlist but still respect the poster and reply to where they can read.
Welcome to the forum. Please understand it is a place for accurate and honest discussion with our team.
Thank you so much for this long reply and going into detail! much much appreciated! I apologize for my alarming title in the first post, it was partially miss leading I understand now.
Still I would like to leave a suggestion that a bluetooth off switch should be implemented. If nothing maybe for the scenarios when you are with the roommates who also bought the board, or if you bring one on a meetup or tournament
We may still implement it in a different way - as we also have to consider people who don’t realize they turned off bluetooth and report a broken board. We are always considering these tradeoffs.
How it works now is it is done by signal strength (proximity more or less) and also first to access. So you can start up the boards in sequence and once paired they stay paired until app or board is closed.
We also considered the ability to name your ChessUp.
Turning off bluetooth or a setting for stronger pairing is another approach.
I trust @Richard to take the suggestions in and also prioritize vs other work and weigh in.
We may also leave as is.
But yes suggestion is noted and the team will put it in the tracking list. Thanks
