Setting IO Capabilities with NCS

Hi,

You can read more about it here.

That suggests I was correct in thinking that setting passkey_* and pairing_confirm callbacks to NULL would be sufficient, but then why does pairing fail with error 4? Error 4 is:

/** The requested security level could not be reached. */
	BT_SECURITY_ERR_AUTH_REQUIREMENT,

Hi,

It might be related to the CONFIG_BT_HIDS_DEFAULT_PERM_RW_ENCRYPT. 

Can you try setting this to "n" in addition to the changes you already made and see what happens?

No, unfortunately the result is the same

Hi,

It seems that encryption is allowed with just works, authentication is what requires higher security.

Can you check if CONFIG_BT_HIDS_DEFAULT_PERM_RW_AUTHEN is "y", if yes can you set it to "n"?

Also be aware that authentication is required in HID over GATT profile, so probably your phone, or whatever you are connecting with is enforcing that.

I still get the same error.

The HID over GATT spec states:

The HID Device shall use LE Security Mode 1 and either Security Level 2 or 3. All supported characteristics specified by the HID Service shall be set to Security Mode 1 and either Security Level 2 or 3.

The Bluetooth spec defines this as:

10.2.1 LE security mode 1
LE security mode 1 has the following security levels:
1. No security (No authentication and no encryption)
2. Unauthenticated pairing with encryption
3. Authenticated pairing with encryption
4. Authenticated LE Secure Connections pairing with encryption using a 128- bit strength encryption key.

So they do require pairing, but not authentication. With the nRF5 SDK this works correctly. Is unauthenticated pairing not supported in the nRF connect SDK?

I managed to get it working.

# this can be left enabled
CONFIG_BT_HIDS_DEFAULT_PERM_RW_ENCRYPT=y
# we are using unauthenticated pairing
CONFIG_BT_HIDS_DEFAULT_PERM_RW_AUTHEN=n
# we do not want to enforce MITM as this requires authenticated pairing
CONFIG_BT_SMP_ENFORCE_MITM=n
# we want to overwrite old bonds from the same device (optional, security risk)
CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y

I managed to get it working.

# this can be left enabled
CONFIG_BT_HIDS_DEFAULT_PERM_RW_ENCRYPT=y
# we are using unauthenticated pairing
CONFIG_BT_HIDS_DEFAULT_PERM_RW_AUTHEN=n
# we do not want to enforce MITM as this requires authenticated pairing
CONFIG_BT_SMP_ENFORCE_MITM=n
# we want to overwrite old bonds from the same device (optional, security risk)
CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y