
Setting IO Capabilities with NCS

I've tried searching for some documentation on pairing IO capabilities with NCS/Zephyr but can't find any. I'm trying to modify the peripheral_hids_keyboard example to use "just works" pairing (no input no output device). Looking at the docs for bt_conn_auth_cb I thought simply removing the passkey_* and pairing_confirm callbacks would be sufficient, but pairing fails and I get "Security failed: <addr> (public) level 1 err 4" in the console output. The only reference I can see to IO capabilities is the "CONFIG_BT_SMP_ENFORCE_MITM" option (which is enabled in the example):

"With this option enabled, the Security Manager will set MITM option in the Authentication Requirements Flags whenever local IO Capabilities allow the generated key to be authenticated."

But I can't find any docs that detail how to specify those local IO capabilities.

What else do I need to do? Where is the documentation for this?

  • Hi,

    It seems that encryption is allowed with just works, authentication is what requires higher security.

    Can you check if CONFIG_BT_HIDS_DEFAULT_PERM_RW_AUTHEN is "y", if yes can you set it to "n"?

    Also be aware that authentication is required in the HID over GATT profile, so probably your phone, or whatever you are connecting with, is enforcing that.

  • I still get the same error.

    The HID over GATT spec states:

    The HID Device shall use LE Security Mode 1 and either Security Level 2 or 3. All supported characteristics specified by the HID Service shall be set to Security Mode 1 and either Security Level 2 or 3.

    The Bluetooth spec defines this as:

    10.2.1 LE security mode 1
    LE security mode 1 has the following security levels:
    1. No security (No authentication and no encryption)
    2. Unauthenticated pairing with encryption
    3. Authenticated pairing with encryption
    4. Authenticated LE Secure Connections pairing with encryption using a 128-bit strength encryption key.

    So they do require pairing, but not authentication. With the nRF5 SDK this works correctly. Is unauthenticated pairing not supported in the nRF Connect SDK?

  • I managed to get it working.

    # this can be left enabled
    CONFIG_BT_HIDS_DEFAULT_PERM_RW_ENCRYPT=y
    # we are using unauthenticated pairing
    CONFIG_BT_HIDS_DEFAULT_PERM_RW_AUTHEN=n
    # we do not want to enforce MITM as this requires authenticated pairing
    CONFIG_BT_SMP_ENFORCE_MITM=n
    # we want to overwrite old bonds from the same device (optional, security risk)
    CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y
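
How IO capabilities, pairing method, security level and the HIDS permission options discussed in this thread fit together, as an added example (not code from the thread, Zephyr or NCS): a self-contained C model of the Bluetooth Core Specification's pairing-method selection. All names are hypothetical; OOB pairing is not modelled and a 128-bit key is assumed for level 4.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names; the order follows the Core Specification's SMP IO capabilities. */
enum io_cap { DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, NO_INPUT_OUTPUT, KEYBOARD_DISPLAY };
enum method { JUST_WORKS, PASSKEY_ENTRY, NUMERIC_COMPARISON };
enum perm { PERM_ENCRYPT = 2, PERM_AUTHEN = 3 }; /* minimum level per HIDS permission */

#define JW JUST_WORKS
#define PK PASSKEY_ENTRY
/* LE legacy pairing method, indexed [responder][initiator]. */
static const enum method legacy_tbl[5][5] = {
    { JW, JW, PK, JW, PK }, /* responder DisplayOnly */
    { JW, JW, PK, JW, PK }, /* responder DisplayYesNo */
    { PK, PK, PK, JW, PK }, /* responder KeyboardOnly */
    { JW, JW, JW, JW, JW }, /* responder NoInputNoOutput */
    { PK, PK, PK, JW, PK }, /* responder KeyboardDisplay */
};

static bool can_confirm(enum io_cap c) { return c == DISPLAY_YESNO || c == KEYBOARD_DISPLAY; }

/* Pick the pairing method from both sides' IO capabilities and MITM flags. */
enum method select_method(enum io_cap resp, enum io_cap init, bool resp_mitm, bool init_mitm, bool sc)
{
    if (!resp_mitm && !init_mitm) return JUST_WORKS; /* nobody asked for authentication */
    if (sc && can_confirm(resp) && can_confirm(init)) return NUMERIC_COMPARISON;
    return legacy_tbl[resp][init];
}

/* LE security mode 1 level reached after pairing (levels as quoted in the thread). */
int level_reached(enum method m, bool sc)
{
    if (m == JUST_WORKS) return 2; /* unauthenticated pairing with encryption */
    return sc ? 4 : 3;             /* authenticated; 4 assumes a 128-bit key */
}

bool hids_access_ok(enum perm p, int level) { return level >= (int)p; }

int main(void)
{
    /* Constructed scenario: NoInputNoOutput keyboard, central with keyboard and display asking for MITM. */
    enum method m = select_method(NO_INPUT_OUTPUT, KEYBOARD_DISPLAY, false, true, true);
    int level = level_reached(m, true);
    printf("method=%d level=%d encrypt_ok=%d authen_ok=%d\n", m, level,
           hids_access_ok(PERM_ENCRYPT, level), hids_access_ok(PERM_AUTHEN, level));
    return 0;
}
```

With a NoInputNoOutput peripheral every combination resolves to Just Works, so only the ENCRYPT permission can be met.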
