This post is older than 2 years and might not be relevant anymore

Enabling Automatic BLE Authentication for Bonding Without manually entering passkey and with MITM Protection

Hi there!

We are using the nRF52840DK development kit with nRF-Connect SDK to build a pre-production version of our product. We have added the required BLE service and characteristics and they are working fine when it comes to an insecure BLE connection. Now we have implemented the security using bonding by referring to the peripheral_lbs example in the nRF-Connect SDK samples. It works fine, but it requires a person to enter the passkey provided by the DK board over the serial terminal to feed in to the BLE controller, i.e. an Android device.

I read some community posts related to the older nRF5 SDK saying that, to avoid entering the key manually every time, we can disable the MITM flag and have a pre-shared passkey between the devices, say "000000". But I wonder if there is any better method to do it automatically without compromising security features like MITM protection. Even if we consider implementing a similar thing using nRF-Connect SDK (instead of nRF52 SDK), I am not able to find a simple step-by-step guide or at least some proper guidelines to refer to. As we have recently started our development with nRF-Connect SDK and Zephyr, this could be a naive question to ask, but pardon me on this.

So can anyone please guide me to implement secure bonding between the said DK board and Android device without manual intervention (or at least the 'OK Button' kind of pairing on Android) using nRF-Connect SDK, or if possible point me to the right resource to learn this? It is really critical for us to come up with a solution for this ASAP.

Thanks for the support in advance!

Regards,

Bhupendra

  • Hi Prajapati, 

    What you described as a "pre-shared" key is most likely what we call a static passkey. This is when the passkey is pre-generated/defined prior to the connection and both sides have this same key to be used as the passkey for MITM protection. This method would compromise the security level of MITM protection a little bit but is considered acceptable as long as the key is kept secret and the number of bonds performed is limited. Note that MITM protection with legacy pairing is not considered secure.

    However, as far as I know, there isn't a way to store this pre-defined key on the phone and tell the phone to use it to bond to a device, unless you have full access to the phone OS.

    You may want to think of using Just Works, which has no MITM protection. If you do Just Works and let the phone initiate the bonding (by having the phone try to read/write a protected characteristic, the phone will trigger bonding automatically), the bonding will be executed transparently without user interference.

    Here you can find an example of doing a static passkey with nRF Connect, but as I mentioned above, there is no way (that I know of) to force the phone to use the static passkey and skip the pop-up window asking for the passkey: https://devzone.nordicsemi.com/f/nordic-q-a/69202/zephyr-ble-static-passkey-between-central-and-peripheral-on-two-nrf52840s

  • Thanks for your response !

    I will look into the ways I can implement a pre-shared key based bonding as you mentioned, and will let you know if I come across any further issues.

    Thanks again,

    Regards,

    Bhupendra.
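
The trade-off in the answer above (passkey prompt versus Just Works without MITM protection) follows from how the Security Manager picks a pairing method from both sides' MITM flag, Secure Connections flag and IO capabilities. The sketch below is an added example, not code from the thread or from nRF Connect SDK; it generalizes to the Bluetooth Core Specification selection rules, assumes neither side has OOB data, and all type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* IO capability codes as carried in the SMP Pairing Request/Response. */
enum io_cap { DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, NO_IO, KEYBOARD_DISPLAY };
enum method { JUST_WORKS, PASSKEY_ENTRY, NUMERIC_COMPARISON };

/* The fields of the pairing exchange that drive method selection. */
struct pairing_features { enum io_cap io; bool mitm; bool sc; };

static bool has_keyboard(enum io_cap c) { return c == KEYBOARD_ONLY || c == KEYBOARD_DISPLAY; }
static bool has_yesno(enum io_cap c) { return c == DISPLAY_YESNO || c == KEYBOARD_DISPLAY; }

/* Assumption: neither side has OOB data, so only MITM, SC and IO caps matter. */
enum method select_method(struct pairing_features init, struct pairing_features resp)
{
    if (!init.mitm && !resp.mitm)
        return JUST_WORKS;              /* nobody asked for MITM protection */
    if (init.io == NO_IO || resp.io == NO_IO)
        return JUST_WORKS;              /* nothing to show or type on one side */
    if (init.sc && resp.sc && has_yesno(init.io) && has_yesno(resp.io))
        return NUMERIC_COMPARISON;      /* LE Secure Connections only */
    if (has_keyboard(init.io) || has_keyboard(resp.io))
        return PASSKEY_ENTRY;           /* a passkey is typed on at least one side */
    return JUST_WORKS;                  /* two displays, no input */
}

/* Only Passkey Entry and Numeric Comparison yield an authenticated key. */
bool is_authenticated(enum method m) { return m != JUST_WORKS; }

static const char *name(enum method m)
{
    static const char *n[] = { "Just Works", "Passkey Entry", "Numeric Comparison" };
    return n[m];
}

int main(void)
{
    /* Constructed scenario: phone initiates, DK responds with different IO caps. */
    struct pairing_features phone = { KEYBOARD_DISPLAY, true, true };
    enum io_cap dk_io[] = { DISPLAY_ONLY, NO_IO, DISPLAY_YESNO };
    for (int i = 0; i < 3; i++) {
        struct pairing_features dk = { dk_io[i], true, true };
        enum method m = select_method(phone, dk);
        printf("DK io=%d -> %s (authenticated: %s)\n", dk_io[i], name(m),
               is_authenticated(m) ? "yes" : "no");
    }
    return 0;
}
```

A static passkey changes only the value shown by the display side, not the IO capabilities exchanged, so the selected method remains Passkey Entry.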
