This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

NFC pairing NFC_PAIRING_MODE_OOB

Hi,

I have a question regarding NFC OOB pairing (SDK version 15.2):

I am using "nfc_ble_pair_init" with PAIRING_MODE_OOB. This works when I touch nfc with my mobile. I am asked if I would like to pair with the device and if I accept I get an encrypted connection (at least I get an BLE_GAP_EVT_AUTH_STATUS event).

But when I use nRF Connect with a nrf52840-Dongle and try to connect with the device while the message is on the mobile display this also works. So I am able to connect to the device without the OOB data from another source. As I am not getting the BLE_GAP_EVT_AUTH_STATUS event I assume that the connection is not encrypted but I would like to prevent that the connection is made at all.

Do I miss something about the concept of NFC OOB pairing here?

Thanks,

Andreas

Parents

0 run_ar over 4 years ago

Hi,

NFC is used to exchange the OOB key. By default it does not create a whitelist for advertising, so if you advertise in connectable mode, all central devices can connect. Possible solutions would be to advertise in non connectable mode (or not advertise at all) until NFC is present. Then start advertising in connectable mode. After you have bonded to a device you can use a whitelist when advertising to stop other central from connecting, but remember that it's trivial for an attacker to copy the address, so the whitelist cannot be used for authentication, only to limit connections.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 run_ar over 4 years ago

Hi,

NFC is used to exchange the OOB key. By default it does not create a whitelist for advertising, so if you advertise in connectable mode, all central devices can connect. Possible solutions would be to advertise in non connectable mode (or not advertise at all) until NFC is present. Then start advertising in connectable mode. After you have bonded to a device you can use a whitelist when advertising to stop other central from connecting, but remember that it's trivial for an attacker to copy the address, so the whitelist cannot be used for authentication, only to limit connections.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Andreas48752 over 4 years ago in reply to run_ar

Sorry, but I have to ask again:

Imaging the device is not advertising until NFC is touched.
When NFC is touched OOB key is transfered over NFC and advertising is enabled in connectable mode (which I asume "nfc_ble_pair_init" from nfc_ble_pair_lib does).
In this state the mobile shows the message "do you want to pair with device X". When the user takes a few seconds to decide if he wants to pair another device could connect without having the OOB key?

Then connection would not be encrypted but without a whitelist it is possible for everyone to connect until the mobile makes the connection and advertising is disabled automatically?

Did I understand that correctly?

Thanks.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 run_ar over 4 years ago in reply to Andreas48752

Well, you can probably do a lot of different things with NFC. We do have a couple of examples:

Experimental: BLE Pairing Using NFC - Peripheral Reference Example

Experimental: HID Keyboard Application with BLE pairing using NFC

Experimental: Heart Rate Application with BLE Pairing Using NFC Pairing Library

Seems we are supporting proper handover including the ble address. So another user should not be able to connect without having the oob key.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel