https://devzone.nordicsemi.com/f/nordic-q-a/14481/secure-ble-pairing---is-it-possibleI&#39;m trying to make a BLE device that actually pairs securely. I posted this question on StackOverflow but didn&#39;t get any answers - maybe someone here knows more. As far as I know the transport encryption (using AES) is secure in all versions of BLE, onceen-USTelligent Community 13Fri, 17 Jun 2016 10:08:30 GMThttps://devzone.nordicsemi.com/thread/55288?ContentTypeID=1Fri, 17 Jun 2016 10:08:30 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1c6792ad-0ece-4b98-8eaf-096ac5052b70Hung Bui<p>@Tim: as I mentioned, BluetoothSIG is the best to answer questions regarding the spec. Please send requests and questions in <a href="https://www.bluetooth.org/login/register/?_ga=1.103786953.818455267.1461587677">their portal</a>. You can join the SIG as an adopted member, it&#39;s free.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/55287?ContentTypeID=1Thu, 16 Jun 2016 11:40:16 GMT137ad170-7792-4731-bb38-c0d22fbe4515:7608b8ce-eb41-4848-ab1d-498ce47cf329Tim<p>This still doesn&#39;t really answer the question of why they kept a protocol that is so fatally flawed (and could be fixed!). A fixed pin <em>could</em> be secure if the protocol were different.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/55286?ContentTypeID=1Thu, 16 Jun 2016 10:56:48 GMT137ad170-7792-4731-bb38-c0d22fbe4515:c78125f9-747c-4f11-8230-1209f0468e3dHung Bui<p>Hi Tim,</p> <p>Your questions should be best fit for BluetoothSIG, as we are not the sole party who define BLE spec.</p> <p>Here is my opinion on your questions:</p> <ol> <li>As in the article your cited, the risk happens only when you use same passkey for multiple pairing processes. This is not suggested by the spec as it mentioned that the passkey should be randomly generated when pairing.</li> </ol> <p>I understand that in many applications, the devices don&#39;t have IO capability, and have to use static passkey such as a number printed on the device/package. If the attacker has physical access to the device, then this pairing can be compare to the same level as JustWork.</p> <p>If the attacker doesn&#39;t have physical access to the device to get the passkey he need to do brute force or eavesdrop the pairing process of the authenticated device.</p> <p>For brute force, since 4.2, we introduced the repeated request-confirm for each bit of the passkey, the attacker need to try 2^20 times, and each time he uses the wrong bit the pairing process will be terminated. So you can implement a check on the device to refuse pairing after let&#39;s say 3 consecutive fails for example.</p> <p>For eavesdropping, since we use ECDH keys, the public and private pair are required, and I don&#39;t think it&#39;s easy to inject the attacker Public key based on a recorded session of the pairing process earlier.</p> <p>Anyway, using static passkey is not recommended and for sure will reduce the authentication level of the process.</p> <p>2.You can implement another encrypting layer on application, but this require you to find a secure way to exchange the keys, or hardcode and secure the keys on both peers. We don&#39;t have an example/suggestion for this.</p> <p>3.We can&#39;t comment on specifications that are not adopted.</p><div style="clear:both;"></div>