Best practices for BLE communications

Hello,

As you may be aware of, Bluetooth headphone and speakers are not using Bluetooth Low Energy(BLE). nRF chips only support BLE.

However, there are similar means of encryption in BLE. 

-The first option is to not use encryption. This way, it is possible for others to sniff the BLE packets going back and forth. 

-The first option of encryption is something called "Just Works" encryption. The way that works is that the two devices will agree on some keys, which are sent over the air, and later used to encrypt the link. If someone were there at the point of the key exchange, they will be able to decrypt the messages, but if they werent around when the devices paired, they will not be able to listen in to the connection.

- The next option is to use MITM (Man in the Middle protection). To do this, you need to agree on the keys Out of Band (OOB). This is typically what is used when you need to enter a 6-digit key on one of the devices,  that is either displayed on a screen of the other device, or is printed on a sticker on the package. This is typically used when pairing with BLE Keyboards.

- Another option is to use LESC (LE Secure Connection), which uses Diffie Hellman to agree upon a secret key, but this key is never sent over the air. You usually need some sort of screen or output to determine that it actually is the correct device you are connected to, if you are concerned about privacy.

Now, I don't know how Bluetooth speakers do it. You typically don't have to enter a code, so either they use something equivalent to "Just works", or they use Diffie Hellman.

As I mentioned, computer keyboards using BLE usually require you to enter a passkey,  so they use MITM protection, where the keyboard is the input, and the computer screen is the displayer of the key.

When pairing a computer mouse, on the other hand, there usually isn't any keys to enter. Perhaps because mouse data isn't as sensitive as keyboard data. Knowing how the mouse moves don't contain vulnerable information, such as a keyboard entering some account credentials.

So you should consider how sensitive your data is, and base your security requirement on this.

In addition, there is something called bonding, which you may or may not use. If you choose to bond, this will make the devices store the bonding information between the connections. This means that they already know the keys for the next time that they connect. This also means that if you use some MITM protection, you don't need to manually enter the 6-digit key every time you turn on your keyboard. The keys that they derived is stored from previous connections.

I hope this helped a bit, at least getting started on BLE encryption.

Best regards,

Edvin

Hello,

As you may be aware of, Bluetooth headphone and speakers are not using Bluetooth Low Energy(BLE). nRF chips only support BLE.

However, there are similar means of encryption in BLE. 

-The first option is to not use encryption. This way, it is possible for others to sniff the BLE packets going back and forth. 

-The first option of encryption is something called "Just Works" encryption. The way that works is that the two devices will agree on some keys, which are sent over the air, and later used to encrypt the link. If someone were there at the point of the key exchange, they will be able to decrypt the messages, but if they werent around when the devices paired, they will not be able to listen in to the connection.

- The next option is to use MITM (Man in the Middle protection). To do this, you need to agree on the keys Out of Band (OOB). This is typically what is used when you need to enter a 6-digit key on one of the devices,  that is either displayed on a screen of the other device, or is printed on a sticker on the package. This is typically used when pairing with BLE Keyboards.

- Another option is to use LESC (LE Secure Connection), which uses Diffie Hellman to agree upon a secret key, but this key is never sent over the air. You usually need some sort of screen or output to determine that it actually is the correct device you are connected to, if you are concerned about privacy.

Now, I don't know how Bluetooth speakers do it. You typically don't have to enter a code, so either they use something equivalent to "Just works", or they use Diffie Hellman.

As I mentioned, computer keyboards using BLE usually require you to enter a passkey,  so they use MITM protection, where the keyboard is the input, and the computer screen is the displayer of the key.

When pairing a computer mouse, on the other hand, there usually isn't any keys to enter. Perhaps because mouse data isn't as sensitive as keyboard data. Knowing how the mouse moves don't contain vulnerable information, such as a keyboard entering some account credentials.

So you should consider how sensitive your data is, and base your security requirement on this.

In addition, there is something called bonding, which you may or may not use. If you choose to bond, this will make the devices store the bonding information between the connections. This means that they already know the keys for the next time that they connect. This also means that if you use some MITM protection, you don't need to manually enter the 6-digit key every time you turn on your keyboard. The keys that they derived is stored from previous connections.

I hope this helped a bit, at least getting started on BLE encryption.

Best regards,

Edvin