
Pairing passkey: cancelling pairing on the Android side still gives access to characteristics

Hi,

I'm working on the nRF52833 with S113.

I have trouble securing my system. It has no keyboard or screen, and uses a 6-digit fixed passkey (no other choice).

That means it advertises once woken up by the accelerometer.

I want to protect access to my 4 characteristics. So I enable bonding and MITM to have the passkey popup on Android. Without MITM, I don't get the passkey pop-up. But then the strange stuff appears:

My program is based on the HRS example with DFU merged in.

I was thinking that, by using pairing protection with a 6-digit fixed passkey (no other choice because there is no IO), I would not be able to read/write my characteristics. But with nRF Connect, if you are fast enough, when the bonding window pops up and you click Cancel and really quickly afterwards click on the row to read a characteristic, the connection is maintained and you have access to everything, without being securely paired!!! Note that here my characteristics are OPEN. I just rely on the fact that the passkey will prevent going to the next step...

I know I can protect each characteristic by using BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM, which I did.

But a side effect appears: after the first pairing on the phone by entering the 6-digit passkey, the same window pops up FOR EACH characteristic you read (only the first time)... so it's a bit annoying, because you have the feeling of having paired at the connection step, but in fact it has absolutely no impact on security.

If you click Cancel you are still connected, and if fast enough you can even have access to everything. If you paired successfully, you will have to enter this same passkey for each characteristic you have protected, which gives a strange effect for the end user: he has the feeling that the first pairing didn't work.

What I need is: first, ask for pairing after connect. If yes and the 6 digits are OK, don't ask the user to enter the passkey again. If no or cancel, close the connection or retry, but don't give access. Only paired devices should have access.

Hope I have been clear :)

  • I have added code in main to print all BLE GAP events that occur.

    static void ble_evt_handler(ble_evt_t const * p_ble_evt, void * p_context)
    {
        uint32_t err_code = NRF_SUCCESS;   /* unused in this trace-only handler */
        (void)err_code;
        (void)p_context;

        /* Log every GAP event so the pairing/authentication sequence can be followed. */
        switch (p_ble_evt->header.evt_id)
        {
            case BLE_GAP_EVT_CONN_PARAM_UPDATE : NRF_LOG_INFO ( " BLE_GAP_EVT_CONN_PARAM_UPDATE " ) ; break ;
            case BLE_GAP_EVT_SEC_PARAMS_REQUEST : NRF_LOG_INFO ( " BLE_GAP_EVT_SEC_PARAMS_REQUEST " ) ; break ;
            case BLE_GAP_EVT_SEC_INFO_REQUEST : NRF_LOG_INFO ( " BLE_GAP_EVT_SEC_INFO_REQUEST " ) ; break ;
            case BLE_GAP_EVT_PASSKEY_DISPLAY : NRF_LOG_INFO ( " BLE_GAP_EVT_PASSKEY_DISPLAY " ) ; break ;
            case BLE_GAP_EVT_KEY_PRESSED : NRF_LOG_INFO ( " BLE_GAP_EVT_KEY_PRESSED " ) ; break ;
            case BLE_GAP_EVT_AUTH_KEY_REQUEST : NRF_LOG_INFO ( " BLE_GAP_EVT_AUTH_KEY_REQUEST " ) ; break ;
            case BLE_GAP_EVT_LESC_DHKEY_REQUEST : NRF_LOG_INFO ( " BLE_GAP_EVT_LESC_DHKEY_REQUEST " ) ; break ;
            case BLE_GAP_EVT_AUTH_STATUS : NRF_LOG_INFO ( " BLE_GAP_EVT_AUTH_STATUS " ) ; break ;
            case BLE_GAP_EVT_CONN_SEC_UPDATE : NRF_LOG_INFO ( " BLE_GAP_EVT_CONN_SEC_UPDATE " ) ; break ;
            case BLE_GAP_EVT_RSSI_CHANGED : NRF_LOG_INFO ( " BLE_GAP_EVT_RSSI_CHANGED " ) ; break ;
            case BLE_GAP_EVT_SEC_REQUEST : NRF_LOG_INFO ( " BLE_GAP_EVT_SEC_REQUEST " ) ; break ;
            case BLE_GAP_EVT_SCAN_REQ_REPORT : NRF_LOG_INFO ( " BLE_GAP_EVT_SCAN_REQ_REPORT " ) ; break ;
            case BLE_GAP_EVT_PHY_UPDATE : NRF_LOG_INFO ( " BLE_GAP_EVT_PHY_UPDATE " ) ; break ;
            case BLE_GAP_EVT_DATA_LENGTH_UPDATE_REQUEST : NRF_LOG_INFO ( " BLE_GAP_EVT_DATA_LENGTH_UPDATE_REQUEST " ) ; break ;
            case BLE_GAP_EVT_DATA_LENGTH_UPDATE : NRF_LOG_INFO ( " BLE_GAP_EVT_DATA_LENGTH_UPDATE " ) ; break ;
            default : break ;
        }
    }

    When I click Cancel in the pop-up window, I catch BLE_GAP_EVT_AUTH_STATUS. This flag is handled by this piece of code in security_dispatcher.c:

    /**@brief Function for processing the @ref BLE_GAP_EVT_AUTH_STATUS event from the SoftDevice.
     *
     * @param[in]  p_gap_evt  The event from the SoftDevice.
     */
    static void auth_status_process(ble_gap_evt_t const * p_gap_evt)
    {
        switch (p_gap_evt->params.auth_status.auth_status)
        {
            case BLE_GAP_SEC_STATUS_SUCCESS:
                auth_status_success_process(p_gap_evt);
                break;
    
            default:
                auth_status_failure_process(p_gap_evt);
    #if PM_RA_PROTECTION_ENABLED
                ast_auth_error_notify(p_gap_evt->conn_handle);
    #endif // PM_RA_PROTECTION_ENABLED
                break;
        }
    }

    I note that a piece of code is disabled because PM_RA_PROTECTION_ENABLED is cleared to 0 in my sdk_config.h, which prevents re-pairing.

    So could it be the source of my issue? Because I already paired this phone once, it is in my authorized list in the nRF52833, and then even if I cancel it works?

    I have enabled this flag, but the app behaves the same.

    So is it up to me to manage this via BLE_GAP_EVT_AUTH_STATUS, and try to ask for a new pairing code, or maybe close the connection? How is it usually done? I find it strange that by default this case is not covered; it is a basic security fault in this state. I hope it comes from my code.
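As an added illustration (not code from the original post or from the nRF5 SDK), here is a self-contained C model of the two-layer policy the thread is circling: require encryption plus MITM on the characteristic itself, and drop the link when BLE_GAP_EVT_AUTH_STATUS reports anything other than success, so a cancelled pairing never leaves an open connection to race against. The types and functions (link_sec_t, handle_event, scenario) are constructed for the model; in real firmware the link state comes from the Peer Manager and the disconnect is an sd_ble_gap_disconnect() call in the auth-status or PM_EVT_CONN_SEC_FAILED handler.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of one link's security state; not the nRF SDK. Real firmware
 * would read this via pm_conn_sec_status_get() after BLE_GAP_EVT_CONN_SEC_UPDATE. */
typedef struct { bool connected, encrypted, mitm_protected; } link_sec_t;
/* Per-characteristic requirement, mirroring the SDK's BLE_GAP_CONN_SEC_MODE_SET_* macros. */
typedef enum { SEC_OPEN, SEC_ENC_NO_MITM, SEC_ENC_WITH_MITM } char_sec_t;
typedef enum { EVT_CONNECTED, EVT_AUTH_STATUS, EVT_GATT_READ } evt_type_t;
typedef struct { evt_type_t type; bool auth_success, mitm; } evt_t;
typedef enum { ACT_NONE, ACT_ALLOW_READ, ACT_DENY_READ, ACT_DISCONNECT } action_t;

/* What the ATT layer answers to a read, given link state and the characteristic's requirement. */
static bool read_permitted(const link_sec_t *l, char_sec_t req)
{
    if (req == SEC_OPEN) return true;
    if (req == SEC_ENC_NO_MITM) return l->encrypted;
    return l->encrypted && l->mitm_protected;
}

/* One event step. disconnect_on_fail is the hardening: a failed or cancelled
 * pairing (AUTH_STATUS != success) drops the link instead of leaving it up. */
action_t handle_event(link_sec_t *l, const evt_t *e, char_sec_t req, bool disconnect_on_fail)
{
    switch (e->type) {
    case EVT_CONNECTED:
        memset(l, 0, sizeof *l);
        l->connected = true;
        return ACT_NONE;
    case EVT_AUTH_STATUS:
        if (e->auth_success) {
            l->encrypted = true;
            l->mitm_protected = e->mitm;   /* passkey: true, Just Works: false */
            return ACT_NONE;
        }
        if (!disconnect_on_fail) return ACT_NONE;   /* reported behaviour: link stays up */
        l->connected = false;
        return ACT_DISCONNECT;
    case EVT_GATT_READ:
        if (!l->connected) return ACT_DENY_READ;
        return read_permitted(l, req) ? ACT_ALLOW_READ : ACT_DENY_READ;
    }
    return ACT_NONE;
}

/* Replays connect -> pairing outcome -> read and returns the fate of the read. */
action_t scenario(char_sec_t req, bool disconnect_on_fail, bool auth_success, bool mitm)
{
    link_sec_t l = {0};
    const evt_t seq[] = { {EVT_CONNECTED, false, false}, {EVT_AUTH_STATUS, auth_success, mitm},
                          {EVT_GATT_READ, false, false} };
    action_t last = ACT_NONE;
    for (unsigned i = 0; i < 3; i++) last = handle_event(&l, &seq[i], req, disconnect_on_fail);
    return last;
}
```

The first scenario in the test reproduces the behaviour described in the post (open characteristic, pairing cancelled, link left up: the read goes through); the others show that either layer alone closes part of the gap and both together close it.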
