authorConrad Meyer <cem@FreeBSD.org>2017-11-01 18:58:54 +0000
committerConrad Meyer <cem@FreeBSD.org>2017-11-01 18:58:54 +0000
commit648176e095097c5c2642a5627542423e277a5f8e (patch)
treee329d8894d1a6934f32eea28bd6a4ed9457c4c75 /etc
parent9c103b4675e715cf35dc8014888ad87f279d58e8 (diff)
bluetooth: Default to discoverable off
Try to not expose bluetooth devices to external devices unless the user explicitly configures it, like any other radio/network device. Bluetooth has a long history of security problems and it is probably best to keep it disabled if not needed. Users who do use the bluetooth device should enable "discoverable" in bluetooth.device.conf(5) after this change. Keep in mind that bluetooth addresses can be discovered by passive monitoring or whole address-space scans[0], so a safety conscious user should also disable "connectable" in bluetooth.device.conf(5). [0]: https://www.sans.edu/cyber-research/security-laboratory/article/bluetooth Reviewed by: emax, hselasky Security: maybe Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D12831
Notes
Notes: svn path=/head/; revision=325287
Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/bluetooth.device.conf2
-rwxr-xr-xetc/rc.d/bluetooth2
2 files changed, 2 insertions, 2 deletions
diff --git a/etc/defaults/bluetooth.device.conf b/etc/defaults/bluetooth.device.conf
index 6e6a9811bccf..330548f97bb5 100644
--- a/etc/defaults/bluetooth.device.conf
+++ b/etc/defaults/bluetooth.device.conf
@@ -65,7 +65,7 @@
# NO or 0 do not scan for inquiry requests;
# YES or 1 scan for inquiry requests (default).
-# discoverable="YES"
+# discoverable="NO"
# The encryption_mode parameter controls if the device requires encryption
# to the remote device at connection setup. At connection setup, only the
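Review bot: The option text just above the changed sample still reads `# YES or 1 scan for inquiry requests (default).`, which now contradicts the new `# discoverable="NO"` line and the default of 0 set in etc/rc.d/bluetooth. The marker should move to the other value, so the two lines read `# NO or 0 do not scan for inquiry requests (default);` and `# YES or 1 scan for inquiry requests.`. An administrator auditing radio exposure from this file alone would otherwise conclude the device answers inquiries unless told not to. The parameter's description starts above the hunk, so any other mention of the default there should be checked too.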
diff --git a/etc/rc.d/bluetooth b/etc/rc.d/bluetooth
index 5f5a8343408c..ac10719861ae 100755
--- a/etc/rc.d/bluetooth
+++ b/etc/rc.d/bluetooth
@@ -287,7 +287,7 @@ bluetooth_start()
bluetooth_device_authentication_enable="0"
bluetooth_device_class="ff:01:0c"
bluetooth_device_connectable="1"
- bluetooth_device_discoverable="1"
+ bluetooth_device_discoverable="0"
bluetooth_device_encryption_mode="0"
bluetooth_device_hci_debug_level="3"
bluetooth_device_l2cap_debug_level="3"
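Review bot: The defaults block in bluetooth_start() has no comment explaining what the new `bluetooth_device_discoverable="0"` does and does not cover, while the neighbouring `bluetooth_device_connectable="1"`, `bluetooth_device_authentication_enable="0"` and `bluetooth_device_encryption_mode="0"` stay as they were. If 0 means "off" for the latter two, as the names suggest, a peer that already knows the address can still connect without authentication or encryption being required. A short comment above the block would make that visible, for example `# discoverable=0 only stops replies to inquiry; incoming connections are still accepted while connectable=1, see bluetooth.device.conf(5)`. The function begins and ends outside this hunk, so whether these values are later overridden from the per-device file cannot be confirmed from here.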