
How to achieve advertising toward only central devices in the same application?

We would like to achieve the following:
  1. Only peripheral devices should advertise data, and only toward central devices in the same application.
  2. Advertising data sent by peripheral devices should be protected from malicious people.
  • Advertising packets sent by a BLE device can be easily captured by any BLE scanner and there is really no way to prevent that. Anybody with a laptop or phone with some basic BLE scanner app can easily scan whatever is broadcast on the BLE advertising channels.

    If you need to protect the data that is being advertised, then you could encrypt the data using whatever algorithm you see fit for the job. There are certain rules on how the advertising packet content must be specified; these are defined in the Bluetooth spec. In vendor-specific data, the AD type is 0xFF and it is followed by a 16-bit company ID. After this common header, you can freely choose how the remaining bytes are formatted. They can contain e.g. a 16-byte pattern that has been run through AES encryption.

    More info on manufacturer specific data e.g. here : https://devzone.nordicsemi.com/f/nordic-q-a/23406/rules-for-manufacturer-specific-advertisement-data
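The framing described in the answer above (length, AD type 0xFF, 16-bit company ID, then free-form bytes), as an added example that is not code from the DevZone answer or the Nordic SDK. It goes a step beyond the single AES-encrypted 16-byte pattern the answer mentions: the payload also carries a transmit counter and an authentication tag, so the scanning side can reject forged and replayed packets rather than just unreadable ones. Assumptions: a 16-byte key pre-shared between the peripheral and the application's centrals, the hypothetical company ID 0xFFFF, and HMAC-SHA256 used as the PRF (counter-mode keystream plus tag) in place of AES, because the Python standard library ships no block cipher; on the nRF you would substitute AES-CCM from the SDK's crypto library.

```python
"""Manufacturer-specific advertising data (AD type 0xFF) with an encrypted,
authenticated, replay-protected payload.

Added example for this thread, not code from the DevZone answer or the
Nordic SDK. Assumptions: a 16-byte key shared by the peripheral and the
application's centrals, the hypothetical company ID 0xFFFF, and
HMAC-SHA256 used as the PRF (counter-mode keystream plus tag) in place of
AES, because the Python standard library ships no block cipher.
"""
import hashlib
import hmac
import struct

AD_TYPE_MANUFACTURER_SPECIFIC = 0xFF
ADV_DATA_MAX = 31      # legacy advertising payload budget, bytes
COUNTER_LEN = 4        # little-endian transmit counter, rejects replays
TAG_LEN = 8            # truncated HMAC-SHA256 authentication tag


def _keystream(key: bytes, counter: int, n: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(key, "enc" || counter || i)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + struct.pack("<II", counter, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, b"mac" + body, hashlib.sha256).digest()[:TAG_LEN]


def seal(key: bytes, company_id: int, counter: int, plaintext: bytes) -> bytes:
    """Build one AD structure: length, 0xFF, company ID (LE), counter, ciphertext, tag."""
    ciphertext = _xor(plaintext, _keystream(key, counter, len(plaintext)))
    body = struct.pack("<HI", company_id, counter) + ciphertext
    payload = body + _tag(key, body)
    ad = bytes([1 + len(payload), AD_TYPE_MANUFACTURER_SPECIFIC]) + payload
    if len(ad) > ADV_DATA_MAX:
        raise ValueError("AD structure exceeds the 31-byte advertising budget")
    return ad


def parse_ad_structures(adv_data: bytes) -> list:
    """Split an advertising payload into (ad_type, data) pairs; zero length ends the list."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:
            break
        if i + 1 + length > len(adv_data):
            raise ValueError("truncated AD structure")
        out.append((adv_data[i + 1], adv_data[i + 2:i + 1 + length]))
        i += 1 + length
    return out


class Scanner:
    """Application central: verify tag, reject replays, then decrypt."""

    def __init__(self, key: bytes, company_id: int):
        self.key = key
        self.company_id = company_id
        self.last_counter = -1

    def open(self, adv_data: bytes):
        """Return the plaintext of an authentic, fresh packet, or None."""
        for ad_type, data in parse_ad_structures(adv_data):
            if ad_type != AD_TYPE_MANUFACTURER_SPECIFIC:
                continue
            if len(data) < 2 + COUNTER_LEN + TAG_LEN:
                continue
            company_id, counter = struct.unpack_from("<HI", data)
            if company_id != self.company_id:
                continue
            body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
            # Verify before decrypting, in constant time: a forged packet
            # never reaches the decryption or application code path.
            if not hmac.compare_digest(tag, _tag(self.key, body)):
                return None
            if counter <= self.last_counter:
                return None  # replayed or reordered packet
            ciphertext = body[2 + COUNTER_LEN:]
            self.last_counter = counter
            return _xor(ciphertext, _keystream(self.key, counter, len(ciphertext)))
        return None


# Constructed sample: a Flags AD structure followed by the sealed payload.
KEY = bytes(range(16))
COMPANY_ID = 0xFFFF  # hypothetical; use your SIG-assigned ID in a product
FLAGS_AD = bytes([0x02, 0x01, 0x06])


def demo():
    adv = FLAGS_AD + seal(KEY, COMPANY_ID, 7, b"sensor42:23C")
    scanner = Scanner(KEY, COMPANY_ID)
    first = scanner.open(adv)
    replay = scanner.open(adv)
    return adv, first, replay


if __name__ == "__main__":
    adv, first, replay = demo()
    print(adv.hex(), first, replay)
```

With a 12-byte plaintext the Flags structure plus the sealed structure come to exactly 31 bytes, which is the whole legacy advertising budget; a 16-byte plaintext as in the answer would no longer fit alongside the counter and tag. Note what this does and does not buy: the content is hidden and forgeries and replays are rejected, but the fact that the device is advertising, and its address, remain visible to any scanner.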

  • Thank you for your response.
    So, any BLE scanner can scan the data in the payload if the packet is ADV_IND.
    That means all the IDs in the payload can be scanned, and those IDs scanned by malicious people could possibly be misused? I think that UUIDs are also in the payload. If UUIDs are scanned by an unrecognized device, could it be a potential risk to the application itself?

    Also, the fact that any BLE central can scan advertising data does not mean that central devices are connecting to any device, right?
    Peripheral devices should be connected by only central devices in the same application.

  • Yes, anything you put into the advertising packets can be easily detected by any other user who has just the basic knowledge of BLE and a phone. If there are some sensitive data in the advertisements that you do not want to expose to everybody, then the only way around that is encrypting the data somehow.

    Have a look at this blog about advertising and other BLE basics:
    https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/bluetooth-smart-and-the-nordics-softdevices-part-1

    There is a section that talks about whitelisting. It answers your second question, about limiting who can connect to your peripheral. Even if the advertisements can be heard by any other device in the range of your peripheral, you can still use whitelisting to limit which devices are allowed to connect.

    The limitation with whitelisting is that you need to know in advance the addresses of the "trusted" devices. If you do not have that information available, then an alternative solution could be to implement some application level security check. For example: whenever a central connects to your peripheral, you require some custom passkey exchange or similar to be executed, before the central is allowed to get access to any sensitive data. If the passkey exchange (or whatever handshake mechanism you define) fails, then the peripheral can drop the connection.
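The two gates described in the answer above, whitelisting by address and an application-level handshake that drops the connection on failure, as an added example that is not code from the DevZone answer or the Nordic SoftDevice API. It models both sides of the exchange: on connect the peripheral checks the peer address against its whitelist (if one is configured), then sends a fresh random challenge; the central must answer with an HMAC over it before any sensitive read is served. Assumptions: a pre-shared 16-byte application key, peer addresses given as strings, and a hypothetical integer conn_handle standing in for the stack's connection handle.

```python
"""Post-connection gate for a peripheral: optional address whitelist, then a
challenge-response handshake before any sensitive characteristic is served.

Added example for this thread, not code from the DevZone answer or the
Nordic SoftDevice API. Assumptions: a pre-shared 16-byte application key,
peer addresses given as strings, and a hypothetical conn_handle integer
standing in for the stack's connection handle. The handshake keys the
response with HMAC-SHA256 over a fresh random challenge.
"""
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16


def _response(app_key: bytes, challenge: bytes) -> bytes:
    return hmac.new(app_key, b"auth" + challenge, hashlib.sha256).digest()


class Peripheral:
    def __init__(self, app_key: bytes, whitelist=()):
        self.app_key = app_key
        self.whitelist = set(whitelist)   # identity/static addresses known in advance
        self.sessions = {}                # conn_handle -> {"challenge", "authenticated"}

    def on_connect(self, conn_handle: int, peer_addr: str):
        """Stage 1: whitelist. Returns ("disconnect", None) or ("challenge", bytes)."""
        if self.whitelist and peer_addr not in self.whitelist:
            return ("disconnect", None)
        challenge = secrets.token_bytes(CHALLENGE_LEN)  # fresh per connection: no replay
        self.sessions[conn_handle] = {"challenge": challenge, "authenticated": False}
        return ("challenge", challenge)

    def on_response(self, conn_handle: int, response: bytes) -> str:
        """Stage 2: verify the central's response; drop the link on failure."""
        session = self.sessions.get(conn_handle)
        if session is None:
            return "disconnect"
        expected = _response(self.app_key, session["challenge"])
        if not hmac.compare_digest(expected, response):
            del self.sessions[conn_handle]
            return "disconnect"
        session["authenticated"] = True
        return "ok"

    def read_sensitive(self, conn_handle: int):
        """Characteristic read handler: refuse until the handshake has passed."""
        session = self.sessions.get(conn_handle)
        if session is None or not session["authenticated"]:
            return None
        return b"secret-data"

    def on_disconnect(self, conn_handle: int):
        self.sessions.pop(conn_handle, None)


class Central:
    def __init__(self, app_key: bytes):
        self.app_key = app_key

    def answer(self, challenge: bytes) -> bytes:
        return _response(self.app_key, challenge)


def run_session(peripheral: Peripheral, central: Central, conn_handle: int, peer_addr: str):
    """Drive one connection through both gates; returns the outcome."""
    action, challenge = peripheral.on_connect(conn_handle, peer_addr)
    if action == "disconnect":
        return "rejected_by_whitelist"
    if peripheral.on_response(conn_handle, central.answer(challenge)) != "ok":
        return "rejected_by_handshake"
    data = peripheral.read_sensitive(conn_handle)
    peripheral.on_disconnect(conn_handle)
    return data


APP_KEY = bytes(range(16, 32))   # constructed pre-shared key
TRUSTED = {"C0:11:22:33:44:55"}  # constructed whitelist entry


if __name__ == "__main__":
    p = Peripheral(APP_KEY, TRUSTED)
    print(run_session(p, Central(APP_KEY), 1, "C0:11:22:33:44:55"))
    print(run_session(p, Central(bytes(16)), 2, "C0:11:22:33:44:55"))
    print(run_session(p, Central(APP_KEY), 3, "C0:AA:BB:CC:DD:EE"))
```

Two caveats a deployment should weigh. Whitelisting matches on the peer's address, so a central that uses resolvable private addresses will only match if the peripheral holds its IRK from a previous bonding. And a single key shared by every central means one extracted key unlocks every peripheral; per-device keys, or simply relying on Bluetooth pairing with LE Secure Connections and bonding, give the same access control with stronger guarantees than a custom handshake.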
