RE: Wireshark can't decrypt data when the connection is LE secure encrypted

Kenneth — Wed, 18 Aug 2021 14:54:37 GMT

Hi,

There is no direct way to decrypt this data no, since the intention of LE secure connection is that this should not be possible. Not even Ellisys or Fronline can do this.

Though I was under the impression it should be possible to set a debug key for LE secure connection, and it may be possible that (at least some sniffers will try to use the debug keys to decrypt the communication by default). How to do this depends slightly on whether you are using NCS or nRF5 SDK:

https://devzone.nordicsemi.com/f/nordic-q-a/37078/lesc_debug_mode-define-in-ble_app_multirole_lesc-nrf5-sdk-15-0-0

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.9.1/kconfig/CONFIG_BT_DEBUG_KEYS.html

Alternatively, if that does not work, then you would to output the LTK from either the peripheral or central (e.g. on UART), and insert the LTK in wireshark. This should be possible it seems from the latest release notes:

https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE/Download#infotabs

"Added support for key input for LESC paring and improved key support for legacy pairing."

I have not tested this myself, but hopefully the sniffer usage show this done:
https://infocenter.nordicsemi.com/topic/ug_sniffer_ble/UG/sniffer_ble/action_bonded.html

I am never sure if it's MSB or LSB first, so try both is my suggestion. The LTK can be entered in the input key field as shown in Figure 1 here:
https://infocenter.nordicsemi.com/topic/ug_sniffer_ble/UG/sniffer_ble/sniffer_usage.html

Hope that works,
Kenneth