Hello,
Here is my setup:
- Hardware
- nRF52840 development kit - Qty: 2
- One in Central Role
- One in Peripheral Role
- Android Phone (Google Pixel 4a)
- nRF52840 development kit - Qty: 2
- Software
- SDK 15.2 (Using old SDK because I am making changes to an old project)
- SoftDevice: s140_nrf52_6.1.0
I have a few questions that I think I know the answer to, but can't find a definitive answer online. The questions are listed at the bottom of this post. To preface, I have read many posts on the Nordic devzone regarding this very topic. At present, my existing project performs directed advertising using an address type of BLE_GAP_ADDR_TYPE_RANDOM_STATIC. This works without issue between two nRF52840 development kits. The Central can connect to the Peripheral with this configuration, and I can see the directed advertisements in Wireshark with a Nordic devkit as a BLE sniffer. The directed advertisement packets list the "Target Address" as the static address of the Central. This is expected.
Now, I am trying to use an Android phone as the Central while the Peripheral directly advertises to it without having to bond. The reason I don't want to bond is because our project does not currently use the peer manager. Integrating the peer manager into an existing project that is already in the field is not a trivial task and poses significant risk of breaking the current design and introducing bugs. Our device uses directed advertising to the Central so "average" users can't see the advertising packets on their phones, tablets, etc. I realize directed advertising provides no security and an attacker can see the directed advertisements and spoof the Central's BLE address. It's more of a way to filter out the advertising traffic since multiples of these devices can be in close proximity.
Here is what I understand about direct advertising to an Android (and iPhone):
- Android uses a BLE MAC type of BLE_GAP_ADDR_TYPE_RANDOM_PRIVATE_RESOLVABLE
- This is a security feature to prevent location tracking
- This results in the phone changing is BLE MAC at a defined interval (Usually every 15 minutes but can vary)
- The Identity Resolving Key (IRK) allows the Peripheral to resolve the identity of the Android phone, which is shared during the standard BLE bonding process.
To achieve directed advertising to an Android phone without bonding, my plan was to do the following:
- Obtain the IRK from the Android phone manually.
- I have already done this using a nRF52840 development kit.
- As far as I know, the IRK stays the same for the life of the phone. Please correct me if I am wrong.
- Inject the phone IRK into the Peripheral and use this to advertise to the Android phone.
- Using a similar process as seen in this post: Directed advertising with pre-shared IRK and "Variant #1" in this bounce diagram: https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.s132.api.v3.0.0%2Fgroup___b_l_e___g_a_p___p_r_i_v_a_c_y___a_d_v___d_i_r___p_r_i_v___m_s_c.html&cp=2_3_0_1_1_2_1_3_9_1
Questions:
- Is it possible for a nRF52840 to directly advertise (and connect) to an Android phone with a pre-shared IRK without bonding to it as proposed above?
- How does the Peripheral know what BLE MAC to insert into the direct advertising packet if the Android phone changes its MAC every 15 minutes?
Thanks,
Derek
