
Best practices for BLE communications

We are developing a small BLE device and want to make sure we follow reasonable security standards.  What type of communication security would a typical device like headphones or speakers use?  If you have any advice or documents to reference it would be greatly appreciated.  I'm familiar with several documents from NIST and others that describe different ways for high security communications but we are interested to know what are the most practical security measures. The actual payload will be SHA encrypted.

  • Hello,

    As you may be aware, Bluetooth headphones and speakers do not use Bluetooth Low Energy (BLE). nRF chips only support BLE.

    However, there are similar means of encryption in BLE. 

    - The first option is to not use encryption. This way, it is possible for others to sniff the BLE packets going back and forth.

    - The first option of encryption is something called "Just Works" encryption. The way that works is that the two devices will agree on some keys, which are sent over the air, and later used to encrypt the link. If someone were there at the point of the key exchange, they will be able to decrypt the messages, but if they weren't around when the devices paired, they will not be able to listen in on the connection.

    - The next option is to use MITM (Man-in-the-Middle) protection. To do this, you need to agree on the keys Out of Band (OOB). This is typically what is used when you need to enter a 6-digit key on one of the devices, which is either displayed on the screen of the other device or printed on a sticker on the package. This is typically used when pairing with BLE keyboards.

    - Another option is to use LESC (LE Secure Connections), which uses Diffie-Hellman to agree upon a secret key, but this key is never sent over the air. You usually need some sort of screen or output to determine that it actually is the correct device you are connected to, if you are concerned about privacy.

    Now, I don't know how Bluetooth speakers do it. You typically don't have to enter a code, so either they use something equivalent to "Just Works", or they use Diffie-Hellman.

    As I mentioned, computer keyboards using BLE usually require you to enter a passkey, so they use MITM protection, where the keyboard is the input, and the computer screen is the displayer of the key.

    When pairing a computer mouse, on the other hand, there usually aren't any keys to enter. Perhaps because mouse data isn't as sensitive as keyboard data. Knowing how the mouse moves doesn't contain vulnerable information, such as a keyboard entering some account credentials.

    So you should consider how sensitive your data is, and base your security requirement on this.

    In addition, there is something called bonding, which you may or may not use. If you choose to bond, this will make the devices store the bonding information between the connections. This means that they already know the keys for the next time that they connect. This also means that if you use some MITM protection, you don't need to manually enter the 6-digit key every time you turn on your keyboard. The keys that they derived are stored from previous connections.

    I hope this helped a bit, at least getting started on BLE encryption.

    Best regards,

    Edvin
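The difference the answer above draws between "Just Works" (key material that crosses the air) and LESC (Diffie-Hellman, with a screen to confirm you paired with the right device) is easiest to see from the sniffer's side. The following is an added, self-contained model and is not Nordic's stack or code from this thread: the `Air` class is the packet capture, the DH group (the Mersenne prime 2^127-1 with generator 3), the SHA-256 based `kdf`, the HMAC-keystream `link_encrypt` and the `numeric_check` function are all stand-ins assumed for illustration. Real LESC uses P-256 ECDH, AES-CMAC key functions and AES-CCM on the link; the structure of the exchange, not the primitives, is the point.

```python
"""Added example: what a passive sniffer (and an active MITM) gets from two
BLE-style pairing models. Illustrative stand-ins, not the Bluetooth spec's
primitives and not Nordic's SoftDevice."""
import hashlib
import hmac
import secrets

# Toy DH group, assumed for illustration: 2^127-1 (a Mersenne prime), generator 3.
# Real LE Secure Connections uses P-256 ECDH.
P = (1 << 127) - 1
G = 3


class Air:
    """Everything sent over the air; a passive sniffer sees exactly this list."""
    def __init__(self):
        self.packets = []

    def send(self, src, payload):
        self.packets.append((src, payload))
        return payload


def kdf(*parts):
    """Stand-in for the spec's key functions: a 128-bit key from SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()[:16]


def to_bytes(x):
    return x.to_bytes(16, "big")


def link_encrypt(key, counter, data):
    """Toy link encryption (XOR with an HMAC keystream) standing in for AES-CCM,
    so 'can the sniffer read this?' has a concrete answer. Symmetric: call it
    again with the same key and counter to decrypt."""
    stream = b""
    while len(stream) < len(data):
        msg = counter.to_bytes(4, "big") + len(stream).to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def legacy_just_works(air):
    """Legacy 'Just Works': the TK is fixed to zero and the STK depends only on
    two random values that both sides send in the clear."""
    tk = bytes(16)
    mrand = air.send("central", secrets.token_bytes(16))
    srand = air.send("peripheral", secrets.token_bytes(16))
    return kdf(tk, srand, mrand), kdf(tk, srand, mrand)   # central STK, peripheral STK


def sniffer_legacy_key(air):
    """Anyone who captured the pairing derives the same STK from the two
    cleartext randoms, exactly as the answer above says."""
    mrand = next(p for src, p in air.packets if src == "central")
    srand = next(p for src, p in air.packets if src == "peripheral")
    return kdf(bytes(16), srand, mrand)


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def numeric_check(pub_central, pub_periph):
    """Model of the 6-digit value each side shows on its screen, computed from
    the public keys as that side saw them (the spec's numeric comparison)."""
    return int.from_bytes(kdf(to_bytes(pub_central), to_bytes(pub_periph)), "big") % 1_000_000


def lesc_pairing(air, mitm=False):
    """DH-style pairing: only public values cross the air; the LTK comes from a
    shared secret that never does. With mitm=True an active attacker hands
    both victims its own public key instead of the genuine one."""
    priv_c, pub_c = dh_keypair()
    priv_p, pub_p = dh_keypair()
    recv_by_p = int.from_bytes(air.send("central", to_bytes(pub_c)), "big")
    recv_by_c = int.from_bytes(air.send("peripheral", to_bytes(pub_p)), "big")
    attacker_keys = ()
    if mitm:
        priv_m, pub_m = dh_keypair()
        air.send("attacker", to_bytes(pub_m))   # delivered to both sides in place of the real keys
        recv_by_c = recv_by_p = pub_m
        attacker_keys = (kdf(to_bytes(pow(pub_c, priv_m, P))),   # key the attacker shares with the central
                         kdf(to_bytes(pow(pub_p, priv_m, P))))   # key the attacker shares with the peripheral
    return {
        "ltk_central": kdf(to_bytes(pow(recv_by_c, priv_c, P))),
        "ltk_peripheral": kdf(to_bytes(pow(recv_by_p, priv_p, P))),
        "display_central": numeric_check(pub_c, recv_by_c),   # central's screen
        "display_peripheral": numeric_check(recv_by_p, pub_p),  # peripheral's screen
        "attacker_keys": attacker_keys,
    }


if __name__ == "__main__":
    air = Air()
    stk, _ = legacy_just_works(air)
    ct = link_encrypt(stk, 1, b"sensor reading 42")          # constructed sample payload
    print("legacy, sniffer reads:", link_encrypt(sniffer_legacy_key(air), 1, ct))
    r = lesc_pairing(Air())
    print("LESC, screens match:", r["display_central"] == r["display_peripheral"])
    m = lesc_pairing(Air(), mitm=True)
    print("LESC under MITM, screens match:", m["display_central"] == m["display_peripheral"])
```

Two things to take from running it: in the legacy model the sniffer decrypts the payload from the capture alone, while in the DH model the capture contains only public values, so a passive sniffer gets nothing and an active attacker has to substitute keys, which the two screens then disagree about. That disagreement is the "screen or output" the answer mentions; a device with no display (the mouse case) cannot make that check and is back to unauthenticated pairing.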
