
OOB with NUS client and device

Hello,

I want to factory pair nRF52 to nRF52 connections (NUS) with a factory set key but I am lost.

I dug into NFC pairing but it's too complicated for my understanding.

Is there any simple way to do that? Will the link be secured (MITM and encryption)?

Thank you.

  • Hi,

    When two BLE devices connect, their connection is unencrypted and completely open to eavesdroppers. To encrypt the link you need to perform pairing, typically followed by bonding which essentially stores the necessary data from the pairing. The problem is that "Just Works" pairing is susceptible to eavesdroppers and MITM attacks. There are a few options to solve this.

    To get MITM and eavesdrop protection you have to either use LESC, OOB, or ship the devices with bonding data already present in flash.

    LESC has the advantage of being flexible since customers don't need to get devices produced in pairs. The first time the products are turned on they start looking for each other and connect over MITM. There is an LESC example in the nRF5 SDK which is a good starting point for this.

    OOB has the advantage of being very simple. In the factory, pairs of devices are being flashed with matching OOB data which they will use to pair automatically when they are turned on. These are the same data that you could transfer over NFC, but now you ship the device with the data on them instead of transferring them over NFC. The NFC example shows how these data are used, but you can of course ignore the NRF hardware parts of it. You just need the OOB pairing.

    The final option is to ship the devices with bonding data already present in flash. You can create a scheme where the devices get flashed at the factory with bonding data as if they had at some point been turned on and performed pairing and bonding. I find this option to be a more technically complex solution than the OOB option, but it's a viable option if you prefer it.

    Best regards,
    Rune Holmgren
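
The factory step described in the OOB option above, sketched as a provisioning script (an added example, not part of the original thread or of the nRF5 SDK): it draws one fresh 128-bit key per device pair from a CSPRNG and wraps it in an Intel HEX image to be flashed to both devices of that pair. Assumptions: legacy OOB pairing with a 16-byte key, and `KEY_ADDR` as the storage location, which you must adjust to your own flash layout; all function names are hypothetical.

```python
import secrets

OOB_KEY_LEN = 16        # assumed: legacy-pairing OOB key (TK), 128 bits
KEY_ADDR = 0x10001080   # assumed storage address (nRF52 UICR customer area); adjust


def _record(rectype, addr16, data):
    """Build one Intel HEX record with its two's-complement checksum."""
    body = bytes([len(data), (addr16 >> 8) & 0xFF, addr16 & 0xFF, rectype]) + data
    checksum = (-sum(body)) & 0xFF
    return ":" + (body + bytes([checksum])).hex().upper()


def key_to_ihex(key, addr=KEY_ADDR):
    """Return Intel HEX text that places `key` at the 32-bit address `addr`."""
    if len(key) != OOB_KEY_LEN:
        raise ValueError("OOB key must be exactly 16 bytes")
    if (addr & 0xFFFF) + len(key) > 0x10000:
        raise ValueError("key would cross a 64 KiB boundary")
    lines = [
        _record(0x04, 0, (addr >> 16).to_bytes(2, "big")),  # upper 16 address bits
        _record(0x00, addr & 0xFFFF, key),                   # the key bytes
        _record(0x01, 0, b""),                               # end of file
    ]
    return "\n".join(lines) + "\n"


def provision_pairs(n_pairs, rng=secrets.token_bytes):
    """One random key per pair; a key shared by all units would let any
    unit's flash dump unlock every other pair, so repeats are rejected."""
    seen, pairs = set(), []
    for pair_id in range(n_pairs):
        key = rng(OOB_KEY_LEN)
        if key in seen or key == bytes(OOB_KEY_LEN):
            raise RuntimeError("RNG produced a repeated or all-zero key")
        seen.add(key)
        pairs.append({"pair_id": pair_id, "key": key, "ihex": key_to_ihex(key)})
    return pairs


if __name__ == "__main__":
    for p in provision_pairs(2):
        print(f"# pair {p['pair_id']}: flash this image to BOTH devices of the pair")
        print(p["ihex"], end="")
```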
