<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Device Security</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/6571/device-security</link><description>We have a BLE peripheral that has a button interface and nothing else. We would like to add some security so only certain smartphones can send/receive commands from it. An example use case is when a user gets this device, they can pair with it. We would</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Mon, 27 Apr 2015 09:08:24 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/6571/device-security" /><item><title>RE: Device Security</title><link>https://devzone.nordicsemi.com/thread/22948?ContentTypeID=1</link><pubDate>Mon, 27 Apr 2015 09:08:24 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:4ef76f75-9794-4131-8fef-731c5e214013</guid><dc:creator>Hung Bui</dc:creator><description>&lt;p&gt;@Ash: Of course it&amp;#39;s possible. What is needed for the device to set up whitelist mode is to have the central device&amp;#39;s address if it&amp;#39;s a public or static address, or the IRK if it&amp;#39;s a random resolvable address.&lt;/p&gt;
&lt;p&gt;Note that &amp;quot;whitelist mode&amp;quot; is only available when advertising.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Device Security</title><link>https://devzone.nordicsemi.com/thread/22947?ContentTypeID=1</link><pubDate>Fri, 24 Apr 2015 20:30:42 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:0d9425ae-c5ff-4627-89c3-63480e52e29f</guid><dc:creator>Ash</dc:creator><description>&lt;p&gt;Hung, would it be possible to have our device enter &amp;quot;whitelist mode&amp;quot; upon successfully writing a particular sequence of characters to a specific characteristic?&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Device Security</title><link>https://devzone.nordicsemi.com/thread/22946?ContentTypeID=1</link><pubDate>Tue, 21 Apr 2015 09:29:19 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:3a2f82cb-c6d4-4e81-b8b6-de6c159ffbd5</guid><dc:creator>Hung Bui</dc:creator><description>&lt;p&gt;@Ash: It&amp;#39;s not common to send a Long Term Key from one central to use on another. The LTK is bound to the connection between a particular central and a peripheral.&lt;/p&gt;
&lt;p&gt;I would suggest you have a look at the Bluetooth Core spec v4.2 for more information regarding whitelist, security, bonding and pairing. (Section 4.2.2 Part A Vol 1 has an overview on whitelist, chapter 10 Part C Vol 3 on security aspects.)&lt;/p&gt;
&lt;p&gt;I would also recommend the Bluetooth Low Energy: The Developer&amp;#39;s Handbook by Robin Heydon.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Device Security</title><link>https://devzone.nordicsemi.com/thread/22945?ContentTypeID=1</link><pubDate>Mon, 20 Apr 2015 18:45:37 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:907bed4b-7071-422d-b976-dbced23e1da2</guid><dc:creator>Ash</dc:creator><description>&lt;p&gt;Thanks for the response.  What would the process look like for authorizing a device to be on the whitelist?  Is it possible to have one device generate a LongTermKey and store that key in our servers?  Then when the wife wants to pair, her husband can transfer this key to her.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Device Security</title><link>https://devzone.nordicsemi.com/thread/22944?ContentTypeID=1</link><pubDate>Mon, 20 Apr 2015 11:49:06 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:416cfe93-0fd0-47fe-906a-953dc7ffcf7b</guid><dc:creator>Hung Bui</dc:creator><description>&lt;p&gt;@Ash: You can use a whitelist to block other central devices that are not in the list from connecting to your device.
You can have an option to enter non-whitelist mode to allow the husband/wife phone to connect and bond and be added to the whitelist.&lt;/p&gt;
&lt;p&gt;Note that an attacker can always clone an address to pass through the whitelisting (but won&amp;#39;t be able to re-bond to the device because he doesn&amp;#39;t have the LongTermKey).&lt;/p&gt;
&lt;p&gt;Secondly, the pairing procedure without an out-of-band (OOB) key should be done in a protected environment that can avoid eavesdropping.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>