BLE security question

Nice to meet you, I am an engineer living in Japan.

【Development environment】
"PCA10040 (nRF52832)" x 2 (center/periphery)
"SDK: 17.1.0"
"IDE: Segger Embedded Studio for ARM 7.10a"

I have a question about BLE security.
I built a test environment using "PCA10040" for the central and peripheral, and tried simple communication.

I installed an app called "BLE Scanner" on my smartphone.
When I started the app, the device name advertised by the peripheral device was displayed, so when I clicked the "Connect" button, I was able to connect to the peripheral device from "BLE Scanner".

I don't want to connect my smartphone to a peripheral without entering a "password" or "passkey", so I want to increase security.

It turns out that there are four methods for authentication processing of BLE Central and Peripheral: "Just Works", "Passkey Entry", "Numeric comparison", and "Out Of Band".
I think that "Just Works" is good for this product because it is communication between devices without a screen.

question)
Please tell me the sample program of the authentication method using "Just Works".

It would be helpful if you could tell me the program code.
If there is any other better way, please let me know.

  • Hello,

    I suggest you try the Heart Rate sensor and BLE Heart Rate Collector Example. These examples support LE secure connections pairing with Just works which provides protection against passive eavesdropping (i.e. BT sniffers). Just remember to increase the security level of your Bluetooth characteristics to limit access to paired clients only. 

    Increasing the security levels of the Bluetooth characteristics in the heart rate example:

    diff --git a/main.c b/main.c
    index cc98734..9434a82 100644
    --- a/main.c
    +++ b/main.c
    @@ -493,8 +493,8 @@ static void services_init(void)
         hrs_init.p_body_sensor_location      = &body_sensor_location;
     
         // Here the sec level for the Heart Rate Service can be changed/increased.
    -    hrs_init.hrm_cccd_wr_sec = SEC_OPEN;
    -    hrs_init.bsl_rd_sec      = SEC_OPEN;
    +    hrs_init.hrm_cccd_wr_sec = SEC_JUST_WORKS;
    +    hrs_init.bsl_rd_sec      = SEC_JUST_WORKS;
     
         err_code = ble_hrs_init(&m_hrs, &hrs_init);
         APP_ERROR_CHECK(err_code);
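
Review bot: The comment above the hrs_init.hrm_cccd_wr_sec and hrs_init.bsl_rd_sec assignments still reads as a generic "can be changed/increased" hint and does not say what SEC_JUST_WORKS now enforces. Suggest rewording it to state that both attributes require an encrypted link from a paired client, and that Just Works pairing is unauthenticated, so this level does not by itself limit which central may pair and gain access.
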
    @@ -508,9 +508,9 @@ static void services_init(void)
         bas_init.initial_batt_level   = 100;
     
         // Here the sec level for the Battery Service can be changed/increased.
    -    bas_init.bl_rd_sec        = SEC_OPEN;
    -    bas_init.bl_cccd_wr_sec   = SEC_OPEN;
    -    bas_init.bl_report_rd_sec = SEC_OPEN;
    +    bas_init.bl_rd_sec        = SEC_JUST_WORKS;
    +    bas_init.bl_cccd_wr_sec   = SEC_JUST_WORKS;
    +    bas_init.bl_report_rd_sec = SEC_JUST_WORKS;
     
         err_code = ble_bas_init(&m_bas, &bas_init);
         APP_ERROR_CHECK(err_code);
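
Review bot: SEC_JUST_WORKS is now hardcoded three more times here (bas_init.bl_rd_sec, bas_init.bl_cccd_wr_sec, bas_init.bl_report_rd_sec) in addition to the two Heart Rate Service fields, so a later change of level has to touch five lines and can easily leave one attribute behind. Suggest a single named constant for the application's required security level and using it in every assignment inside services_init().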

    Best regards,

    Vidar

  • Thank you for your answer.

    I will check the security operation with the sample program you gave me.

  • Sorry for the late reply.
    Based on the sample program and advice that you gave me last week
    I have checked the operation.

    Sample program used)
    Central “ble_app_hrs_c”
    Peripheral “ble_app_hrs”

    I have confirmed that the build was successful and it is working.
    As a result, I understood as follows.

    I understand that "LE Secure Connections" is a technique for encrypting the communication after pairing is successful and making it safe, and does not determine whether the connection is possible or not by identifying the other party at the time of connection.

    Is the above understanding correct?

    question)
    I would like to use a private key at the connection stage to allow connections only from a specific central. Is there a way to do that?
    If it is technically possible, I would like to receive a sample program or program code.

    Thank you.

  • You can advertise with a whitelist like we do in the BLE HID examples to only allow known peers to establish a connection with your device. 
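
To illustrate the whitelist suggestion above: the advertising filter policy is evaluated by the peripheral's own link layer, which ignores requests from addresses outside its whitelist. The following is an added sketch, not code from the thread or from the nRF5 SDK; all type and function names are hypothetical and the addresses are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* The four advertising filter policies of the Bluetooth Core spec.
 * Enumerator names are local to this sketch, not SDK identifiers. */
typedef enum {
    FP_ANY = 0,          /* answer scan and connect requests from anyone  */
    FP_FILTER_SCANREQ,   /* scan requests only from whitelisted peers     */
    FP_FILTER_CONNREQ,   /* connect requests only from whitelisted peers  */
    FP_FILTER_BOTH       /* both request types only from the whitelist    */
} adv_filter_policy_t;

typedef enum { REQ_SCAN, REQ_CONNECT } adv_req_t;
typedef struct { uint8_t addr[6]; } peer_addr_t;

typedef struct {
    adv_filter_policy_t policy;
    const peer_addr_t  *whitelist;
    size_t              whitelist_len;
} peripheral_adv_t;

static bool in_whitelist(const peripheral_adv_t *p, const peer_addr_t *peer)
{
    for (size_t i = 0; i < p->whitelist_len; i++)
        if (memcmp(p->whitelist[i].addr, peer->addr, sizeof peer->addr) == 0)
            return true;
    return false;
}

/* True if the peripheral's link layer answers this request at all. */
bool peripheral_accepts(const peripheral_adv_t *p, const peer_addr_t *peer,
                        adv_req_t req)
{
    bool filtered = (req == REQ_SCAN)
        ? (p->policy == FP_FILTER_SCANREQ || p->policy == FP_FILTER_BOTH)
        : (p->policy == FP_FILTER_CONNREQ || p->policy == FP_FILTER_BOTH);
    return !filtered || in_whitelist(p, peer);
}

/* Constructed sample addresses: the product's central and an unknown phone. */
static const peer_addr_t KNOWN_CENTRAL  = {{0xC0, 0x11, 0x22, 0x33, 0x44, 0x55}};
static const peer_addr_t STRANGER_PHONE = {{0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01}};

/* Runs one request against a peripheral whose whitelist holds KNOWN_CENTRAL. */
bool demo_accepts(adv_filter_policy_t policy, bool known_peer, adv_req_t req)
{
    peripheral_adv_t p = { policy, &KNOWN_CENTRAL, 1 };
    return peripheral_accepts(&p, known_peer ? &KNOWN_CENTRAL : &STRANGER_PHONE, req);
}
```

The whitelist matches on device address only, so it complements the raised characteristic security levels and does not replace them.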

  • Thank you for your answer.

    The problem this time is that an external smartphone is connected to the peripheral, which is a product.
    Therefore, it is necessary to deny external smartphone connections from the product's peripherals.

    I understand that connection refusal using a whitelist is a setting on the central side.

    Please let me know if there is a way to deny connections from devices including smartphones from the peripheral side.

    Thank you.
