Setting IO Capabilities with NCS

RE: Setting IO Capabilities with NCS

nrbrook — Tue, 16 Mar 2021 10:59:02 GMT

I managed to get it working.

# this can be left enabled
CONFIG_BT_HIDS_DEFAULT_PERM_RW_ENCRYPT=y
# we are using unauthenticated pairing
CONFIG_BT_HIDS_DEFAULT_PERM_RW_AUTHEN=n
# we do not want to enforce MITM as this requires authenticated pairing
CONFIG_BT_SMP_ENFORCE_MITM=n
# we want to overwrite old bonds from the same device (optional, security risk)
CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y

RE: Setting IO Capabilities with NCS

nrbrook — Tue, 16 Mar 2021 10:47:56 GMT

I still get the same error.

The HID over GATT spec states:

The HID Device shall use LE Security Mode 1 and either Security Level 2 or 3. All supported characteristics specified by the HID Service shall be set to Security Mode 1 and either Security Level 2 or 3.

The Bluetooth spec defines this as:

10.2.1 LE security mode 1
LE security mode 1 has the following security levels:
1. No security (No authentication and no encryption)
2. Unauthenticated pairing with encryption
3. Authenticated pairing with encryption
4. Authenticated LE Secure Connections pairing with encryption using a 128- bit strength encryption key.

So they do require pairing, but not authentication. With the nRF5 SDK this works correctly. Is unauthenticated pairing not supported in the nRF connect SDK?

RE: Setting IO Capabilities with NCS

Mttrinh — Fri, 05 Mar 2021 16:59:39 GMT

Hi,

It seems that encryption is allowed with just works, authentication is what requires higher security.

Can you check if CONFIG_BT_HIDS_DEFAULT_PERM_RW_AUTHEN is "y", if yes can you set it to "n"?

Also be aware that authentication is required in HID over GATT profile, so probably your phone, or whatever you are connecting with is enforcing that.

RE: Setting IO Capabilities with NCS

nrbrook — Thu, 04 Mar 2021 13:24:52 GMT

No, unfortunately the result is the same

RE: Setting IO Capabilities with NCS

Mttrinh — Thu, 04 Mar 2021 12:19:42 GMT

Hi,

It might be related to the CONFIG_BT_HIDS_DEFAULT_PERM_RW_ENCRYPT.

Can you try setting this to "n" in addition to the changes you already made and see what happens?

RE: Setting IO Capabilities with NCS

nrbrook — Mon, 01 Mar 2021 22:12:05 GMT

Hi, do you have any more suggestions?

RE: Setting IO Capabilities with NCS

nrbrook — Tue, 23 Feb 2021 14:27:00 GMT

That suggests I was correct in thinking that setting passkey_* and pairing_confirm callbacks to NULL would be sufficient, but then why does pairing fail with error 4? Error 4 is:

/** The requested security level could not be reached. */
	BT_SECURITY_ERR_AUTH_REQUIREMENT,

RE: Setting IO Capabilities with NCS

Mttrinh — Tue, 23 Feb 2021 13:58:50 GMT

Hi,

You can read more about it here.