I have a question regarding NFC OOB pairing (SDK version 15.2):
I am using "nfc_ble_pair_init" with PAIRING_MODE_OOB. This works when I touch nfc with my mobile. I am asked if I would like to pair with the device and if I accept I get an encrypted connection (at least I get an BLE_GAP_EVT_AUTH_STATUS event).
But when I use nRF Connect with a nrf52840-Dongle and try to connect with the device while the message is on the mobile display this also works. So I am able to connect to the device without the OOB data from another source. As I am not getting the BLE_GAP_EVT_AUTH_STATUS event I assume that the connection is not encrypted but I would like to prevent that the connection is made at all.
Do I miss something about the concept of NFC OOB pairing here?
NFC is used to exchange the OOB key. By default it does not create a whitelist for advertising, so if you advertise in connectable mode, all central devices can connect. Possible solutions would be to advertise in non connectable mode (or not advertise at all) until NFC is present. Then start advertising in connectable mode. After you have bonded to a device you can use a whitelist when advertising to stop other central from connecting, but remember that it's trivial for an attacker to copy the address, so the whitelist cannot be used for authentication, only to limit connections.
Sorry, but I have to ask again:
Imaging the device is not advertising until NFC is touched. When NFC is touched OOB key is transfered over NFC and advertising is enabled in connectable mode (which I asume "nfc_ble_pair_init" from nfc_ble_pair_lib does). In this state the mobile shows the message "do you want to pair with device X". When the user takes a few seconds to decide if he wants to pair another device could connect without having the OOB key? Then connection would not be encrypted but without a whitelist it is possible for everyone to connect until the mobile makes the connection and advertising is disabled automatically?
Did I understand that correctly?
Well, you can probably do a lot of different things with NFC. We do have a couple of examples:
Experimental: BLE Pairing Using NFC - Peripheral Reference Example
Experimental: HID Keyboard Application with BLE pairing using NFC
Experimental: Heart Rate Application with BLE Pairing Using NFC Pairing Library
Seems we are supporting proper handover including the ble address. So another user should not be able to connect without having the oob key.