• State Verified Answer
  • Replies 22 replies
  • Subscribers 74 subscribers
  • Views 5323 views
  • Users 0 members are here
Attachments (2) Download All
Nordic Case Info
  • Case ID: 264461
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Pairing passkey , cancel pairing on android side still give access to characteristic

Olfox

Hi ,

I'm working on nrf52833, s113. 

I have trouble to secure my system. It has no kayboard or screen, and with 6digit fixd pathkey( no other choice).

That's mean it advertise once wake up with accelerometre. 

I want to protect access to my 4 characteristics. So i enable bounding and  MITM. to have the passkey popup on android. Without MITM, i don't have passkey pop up. But then the strange stuff appar:

My program is based on hrs example + dfu merging.

I was thinking that, by using pairing protection with 6 digit fixed pathkey( no other choice cause no IO), i would not be able to read/write my characteriqtics. But with nrfConnect, if you are fast enough, when bounding window pops up , and you click cancel and really fast after, you are able to click on the row to read a characteristics, the connexion is maintained and you have access to all , without been securly paired !!! Note that here, my charac are in OPEN. I juste relly on the fact that the passkey will avoid to go next step...

I know i can protect each caracteristic by using : BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM , what i did. 

But a side effect appears: after first pairing on the phone by writing the 6 digit passkey, the same windows pops up FOR EACH characteristic you read ( only the first time) ... so it s a bit anoying because you have the feeling to have paired at connexion step , but in fact it has absolutely no impact on security.

If you click cancel you are still connected and if fast enough you can even have access to all. If you paired successfully, you will have to enter this same path key for each characteristic you have protected, what give a strange effect to the final user, he has the feeling that first pairing didn't worked.

What i need is :First, ask pairng after connect. If yes 6digit ok , no more asked user to enter pathkey. If no or cancel, close connexion or retry but doesn't give access. Only paired device should have access.

Hope to have been clear :)

Parents
  • 0

    Here is my console trace when i click on cancel and wait ( no fast click on characteristic):

    <info> app: ADVERTISING ! Wait connexion or TIMEOUT...
<debug> nrf_sdh_ble: BLE event: 0x10.
<info> peer_manager_handler: Peer data updated in flash: peer_id: 0, data_id: Peer rank, action: Update, no change
<debug> nrf_ble_gatt: Requesting to update ATT MTU to 247 bytes on connection 0x0.
<info> app: CONNECTED

<debug> nrf_sdh_ble: BLE event: 0x3A.
<debug> nrf_ble_gatt: ATT MTU updated to 247 bytes on connection 0x0 (response).
<debug> nrf_sdh_ble: BLE event: 0x12.

<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x23.
<debug> nrf_ble_gatt: Peer on connection 0x0 requested a data length of 251 bytes.
<debug> nrf_ble_gatt: Updating data length to 27 on connection 0x0.
<info> app: 	  BLE_GAP_EVT_DATA_LENGTH_UPDATE_REQUEST	
<debug> nrf_sdh_ble: BLE event: 0x24.
<debug> nrf_ble_gatt: Data length updated to 27 on connection 0x0.
<debug> nrf_ble_gatt: max_rx_octets: 27
<debug> nrf_ble_gatt: max_tx_octets: 27
<debug> nrf_ble_gatt: max_rx_time: 2120
<debug> nrf_sdh_ble: BLE event: 0x12.
<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x19.
<info> app: 	  BLE_GAP_EVT_AUTH_STATUS	
<debug> nrf_sdh_ble: BLE event: 0x12.
<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x11.
<info> app: DISCONNECTED

<info> app: try to advertise...
<info> app: ADVERTISING ! Wait connexion or TIMEOUT...

    Here the trace if i do nothing when pop up 6 digit happens:

    <info> app: try to advertise...
<info> app: ADVERTISING ! Wait connexion or TIMEOUT...
<debug> nrf_sdh_ble: BLE event: 0x10.
<info> peer_manager_handler: Peer data updated in flash: peer_id: 0, data_id: Peer rank, action: Update, no change
<debug> nrf_ble_gatt: Requesting to update ATT MTU to 247 bytes on connection 0x0.
<info> app: CONNECTED

<debug> nrf_sdh_ble: BLE event: 0x3A.
<debug> nrf_ble_gatt: ATT MTU updated to 247 bytes on connection 0x0 (response).
<debug> nrf_sdh_ble: BLE event: 0x12.
<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x23.
<debug> nrf_ble_gatt: Peer on connection 0x0 requested a data length of 251 bytes.
<debug> nrf_ble_gatt: Updating data length to 27 on connection 0x0.
<info> app: 	  BLE_GAP_EVT_DATA_LENGTH_UPDATE_REQUEST	
<debug> nrf_sdh_ble: BLE event: 0x24.
<debug> nrf_ble_gatt: Data length updated to 27 on connection 0x0.
<debug> nrf_ble_gatt: max_rx_octets: 27
<debug> nrf_ble_gatt: max_tx_octets: 27
<debug> nrf_ble_gatt: max_rx_time: 2120
<debug> nrf_ble_gatt: max_tx_time: 2120
<info> app: 	  BLE_GAP_EVT_DATA_LENGTH_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x12.
<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x12.
<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x19.
<info> app: 	  BLE_GAP_EVT_AUTH_STATUS	
<debug> nrf_sdh_ble: BLE event: 0x11.
<info> app: DISCONNECTED
<info> app: try to advertise...
<info> app: ADVERTISING ! Wait connexion or TIMEOUT...
<debug> nrf_sdh_ble: BLE event: 0x26.
<debug> app: ADVERTISING TIMEOUT, ADV_SET_TERMINATED :(
<info> app: ACCEL IN LOW POWER

  • 0 in reply to Olfox

    So i have tested with BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM . I still have cancel pairing no impact effect. But i don't have pop up windows for each char. Because i think in flash this phone is memorized .

    So i did a test, I erase all my flash. Programm debug bootloader, settings page, Softdevice s113 and run the fw. Scan on android, connect. First, no pop up to enter 6 digit appears. I see all my char. When i try to read, the pop up 6 digit ask for the passkey. If i enter it , i can read the char and three other too.

    Now i diconnect and unbound on android side. Re connect. And here pop up window appear ! It was not the case at the first trial, idon't know why. May be because now , it is bounded in my flash, so it ask after connexion . I don't enter the code, and it runs for a while, keeping the connexion but doing nothing on android side ( just a circular row running in loop telling me it is waiting for something indefinitively).

    So i disconnect. I re connect, it ask for the paskey, i enter it successfully . I can read my char without re entering passkey.

    If i disconnect, and reconnect, now it is succesfully bounded, so no more pop and everything is fine.

    Conclusion, there is something not robust at pairing phase when nobody knows each others, and i click cancel.

  • 0 in reply to Olfox

    Here a comparaison between the two console of this two case. Left, first connexion from scratch ( no bounded , nrf52833 erased) where no passkey pop up after connexion, but only when i try to read a char. And the right one, after disconnected and reconnect again where passkey pop up appears after connexion and no more after when reading char.

     

  • 0 in reply to Olfox

    Did you set enable SEC_PARAM_MITM and SEC_PARAM_LESC in peer_manager_init()?

    If you use the main.c of hrs example, you need to modify as the following: 

    #define SEC_PARAM_MITM 1 /**< Man In The Middle protection not required. */
    #define SEC_PARAM_LESC 1 /**< LE Secure Connections enabled. */

    -Amanda H.

Reply Children
  • 0 in reply to Amanda Hsieh

    I did for MITM not for LESC as i thought it was one or the other

    #define SEC_PARAM_BOND 1 /**< Perform bonding. */
    #define SEC_PARAM_MITM 1 /**< Man In The Middle protection not required. */
    #define SEC_PARAM_LESC 0 /**< LE Secure Connections not enabled. */

    Si have enable it, but an error 16 happens.

    <info> app: CONNECTED
<info> app: In ble_ircam_eeprom_value_update. 

<info> app: Init Ircam and tpms sensors done, Run.
<debug> nrf_sdh_ble: BLE event: 0x3A.
<debug> nrf_ble_gatt: ATT MTU updated to 247 bytes on connection 0x0 (response).
<debug> nrf_sdh_ble: BLE event: 0x12.
<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x23.
<debug> nrf_ble_gatt: Peer on connection 0x0 requested a data length of 251 bytes.
<debug> nrf_ble_gatt: Updating data length to 27 on connection 0x0.
<info> app: 	  BLE_GAP_EVT_DATA_LENGTH_UPDATE_REQUEST	
<debug> nrf_sdh_ble: BLE event: 0x24.
<debug> nrf_ble_gatt: Data length updated to 27 on connection 0x0.
<debug> nrf_ble_gatt: max_rx_octets: 27
<debug> nrf_ble_gatt: max_tx_octets: 27
<debug> nrf_ble_gatt: max_rx_time: 2120
<info> app: 	  BLE_GAP_EVT_DATA_LENGTH_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x12.
<info> app: 	  BLE_GAP_EVT_CONN_PARAM_UPDATE	
<debug> nrf_sdh_ble: BLE event: 0x13.
<error> peer_manager_sm: Could not perform security procedure. smd_params_reply() or smd_link_secure() returned NRF_ERROR_INVALID_ADDR. conn_handle: 0
<error> peer_manager_handler: Unexpected fatal error occurred: error: NRF_ERROR_INVALID_ADDR
<error> peer_manager_handler: Asserting.
<error> app: ERROR 16 [NRF_ERROR_INVALID_ADDR] at C:\nordic\nRF5SDK160098a08e2\components\ble\peer_manager\peer_manager_handler.c:294

  • 0 in reply to Olfox

    The same if i fully erased the device, each time it should pop up the passkey window it crash. I notice that it didn't solve the probleme of not poping up the windows after erased memory, i can reach characteristic and error 16 occurs when i try to read the char.

  • 0 in reply to Olfox

    Hi Florian, 

    Do you add pm_handler_secure_on_connection to ble_evt_handler function to handle the connection? The function is for securing a connection when it is established. You can refer to ble_app_gls on how to use it. 

    -Amanda H.

  • 0 in reply to Amanda Hsieh

    Ha no , i just compare both code and i don't have the same  in main. I have this : 

    static void pm_evt_handler(pm_evt_t const * p_evt)
{
    pm_handler_on_pm_evt(p_evt);
    pm_handler_flash_clean(p_evt);
}

    So by going deeper i see there is some check in peer_manager_handler.c , but it doesn't disconnect if it wasn't a mitm connexion like in gls code.

    Here is the management in my handler:

    void pm_handler_on_pm_evt(pm_evt_t const * p_pm_evt)
{
    pm_handler_pm_evt_log(p_pm_evt);

    if (p_pm_evt->evt_id == PM_EVT_BONDED_PEER_CONNECTED)
    {
        conn_secure(p_pm_evt->conn_handle, false);
    }
    else if (p_pm_evt->evt_id == PM_EVT_ERROR_UNEXPECTED)
    {
        NRF_LOG_ERROR("Asserting.");
        APP_ERROR_CHECK(p_pm_evt->params.error_unexpected.error);
    }
}

    At first connect, user has not yet pairing with the code, so will the connexion be closed ?

    Thanks a lot , i hope it is the weak point in my system

  • +1 in reply to Olfox

    You need pm_handler_disconnect_on_sec_failure() function as the  ble_app_gls example to disconnect when the connection could not be secured.

    -Amanda H.

Related
Terms of service