https://devzone.nordicsemi.com/f/nordic-q-a/100556/ble-connection-securityI have an application that allows for FOTA using the SMP Service. That all works fine. But I&#39;ve been asked &quot;is the connection encrypted and secure?&quot; I&#39;ve had a search through the DevZone but can&#39;t really find a clear answer to: 1. Is the DFU viaen-USTelligent Community 13Fri, 09 Jun 2023 07:09:07 GMThttps://devzone.nordicsemi.com/thread/430121?ContentTypeID=1Fri, 09 Jun 2023 07:09:07 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1ae06015-6559-4183-bb16-275000b15485AHaug<p>Hi,</p> [quote user="AHaug"]This corresponds to my understanding as well, but I will ask with a colleague of mine when I get to the office tomorrow (Friday 9th) just to be sure we&#39;re not missing any available options for your design.[/quote] <p>I have discussed this item with a colleague of mine and I can confirm that your understanding is correct, and &quot;Just works&quot; is the only option with the configuration you mention. You could add a static passkey to your app, but that won&#39;t do much for security other than ensuring that you connect to the correct device more easily.</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/430060?ContentTypeID=1Thu, 08 Jun 2023 18:03:02 GMT137ad170-7792-4731-bb38-c0d22fbe4515:925b4020-8602-4c4c-b3b3-b33c1b062dddAHaug<p>Hi Mike,</p> [quote user="Mike Austin (LPI)"]This&nbsp;might seem like a dumb question, but how do I setup BLE connections in my device to require the Client to Pair?[/quote] <p>No such thing as a dumb question, so no worries. The<a href="https://academy.nordicsemi.com/courses/bluetooth-low-energy-fundamentals/"> BLE fundamentals course at academy.nordicsemi.com</a>&nbsp;showcases both how to do this and some theory for how to do this. Spefically <a href="https://academy.nordicsemi.com/lessons/lesson-3-bluetooth-le-connections/">lesson 3 </a>takes you through the Connection process and <a href="https://academy.nordicsemi.com/lessons/lesson-5-bluetooth-le-security-fundamentals/">lesson 5</a> takes you through the pairing process&nbsp;</p> <p>I do believe that taking this course <em>should&nbsp;</em>answer your questions, but please feel free to ask follow up questions in case you still have any questions left unanswered after&nbsp;having a look at the topics in the BLE course</p> [quote user="Mike Austin (LPI)"]We’ve implemented Private/Public key signing of the firmware, but as I understand it that will only prevent someone trying to put unauthorized firmware into our device. It won’t stop them “sniffing” the image file being sent across to our device and taking that. Is that correct?[/quote] <p>Your understanding is 100% correct. There will be ways to get access to the firmware if you only do signing of the image, but signing the image stops a large portion of the malicious activities regarding getting access to the product.&nbsp;</p> [quote user="Mike Austin (LPI)"]Our device has no user input or display method, so the only security we can implement is the Just Works option if I understand things correctly. Longer term we might look at OOB pairing with NFC.[/quote] <p>This corresponds to my understanding as well, but I will ask with a colleague of mine when I get to the office tomorrow (Friday 9th) just to be sure we&#39;re not missing any available options for your design.</p> <p>I&#39;ll get back to you tomorrow regarding the last item</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/429858?ContentTypeID=1Wed, 07 Jun 2023 21:17:51 GMT137ad170-7792-4731-bb38-c0d22fbe4515:6bbcc5d2-b560-4d69-9872-397b361d53e0Mike Austin (LPI)<p>Thanks Andreas.</p> <p>This&nbsp;might seem like a dumb question, but how do I setup BLE connections in my device to require the Client to Pair?</p> <p>We&rsquo;ve implemented Private/Public key signing of the firmware, but as I understand it that will only prevent someone trying to put unauthorized firmware into our device. It won&rsquo;t stop them &ldquo;sniffing&rdquo; the image file being sent across to our device and taking that. Is that correct?</p> <p>We&rsquo;re probably not at the point where we are able to develop our own encryption/decryption solution just yet.</p> <p>Our device has no user input or display method, so the only security we can implement is the Just Works option if I understand things correctly. Longer term we might look at OOB pairing with NFC.</p> <p>Regatds,</p> <p>Mike</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/429787?ContentTypeID=1Wed, 07 Jun 2023 13:00:27 GMT137ad170-7792-4731-bb38-c0d22fbe4515:acccff51-b318-4111-b2cd-1be2fe6e4d81AHaug<p>Hi Mike,</p> [quote user=""]1.&nbsp; Is the DFU via SMP Service a secure, encypted connection by default?[/quote] <p>The connection is not encrypted<span>&nbsp;</span>by default unless you pair/bond the devices. If the case is that the devices are paired, then the BLE link is encrypted</p> <p>Regarding 2. and 3. I need to know a bit more about what your goals are regarding the encryption</p> <ol> <li>If your aim is to tamperproof your DFU-procedure, I would recommend you to have a look at how to sign the firmware. This will ensure that any firmware that has been tampered with will be revoked in the DFU procedure</li> <li>If your aim is to perform encrypted DFU, then we unfortunately don&#39;t have support for this and you will have to create your own proprietary solution&nbsp;</li> </ol> <p>Let me know if this answers your questions and feel free to ask follow up questions regarding this topic</p> <p>Kind regards,<br />Andreas</p><div style="clear:both;"></div>