<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>BLE Pairing and security stack implementation</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/80876/ble-pairing-and-security-stack-implementation</link><description>I am developing a product using the nRF51822 BLE, I was able to interface all my peripherals and setup the softdevice stack accordingly. 
 Now I am looking to add a pairing and security layer on the same to start the provisioning process and make the</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Fri, 22 Oct 2021 10:05:50 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/80876/ble-pairing-and-security-stack-implementation" /><item><title>RE: BLE Pairing and security stack implementation</title><link>https://devzone.nordicsemi.com/thread/335444?ContentTypeID=1</link><pubDate>Fri, 22 Oct 2021 10:05:50 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:19b60134-08c7-4838-9460-24bc579f2420</guid><dc:creator>Einar Thorsrud</dc:creator><description>[quote user="shwetank vishnu"]Okay, so when you say scan response packets, you are talking about the pairing sequence?[/quote]
&lt;p&gt;No. The pairing has nothing to do with peer being able to see services. What I was referring to was the scan response packet, which is an &amp;quot;extra&amp;quot; advertising packet. The point was that it is optional which (if any) service UUIDs you include there. But other than that, any peer that connects and does service discovery can see all available services.&lt;/p&gt;
[quote user="shwetank vishnu"]UART_BLE example code which sets the nRF in peripheral mode and can be easily connected using the nRF connect app, what do I need to do to enable a pairing method?[/quote]
&lt;p&gt;The &lt;a href="https://infocenter.nordicsemi.com/topic/sdk_nrf5_v17.1.0/ble_sdk_app_nus_eval.html"&gt;UART/Serial Port Emulation over BLE&lt;/a&gt;&amp;nbsp;example does not support pairing out of the box, so you need to add support for that. That involves adding the peer manager library to your code, as well as modules it depends on (like FDS). I suggest you refer to an example that already has pairing to see how this is done and which files you need to include etc., and the sdk_config.h configuration. A good such example is the &lt;a href="https://infocenter.nordicsemi.com/topic/sdk_nrf5_v17.1.0/ble_sdk_app_hrs.html"&gt;Heart Rate Application&lt;/a&gt;.&lt;/p&gt;
[quote user="shwetank vishnu"]The device is battery operated, so power cycle method is a bit out of picture.[/quote]
&lt;p&gt;Yes, unless you can remove and re-insert the battery.&lt;/p&gt;
[quote user="shwetank vishnu"]I can make a sequence that enables the device to pair with a mobile and if the mobile unpairs it, then we can restart the whole pairing process.[/quote]
&lt;p&gt;You cannot know from the nRF side if the phone has deleted the bonding information or not, so this method will not work in practice. You either need to allow pairing all the time, or alternatively have a method which you use to make the device enter pairing mode.&lt;/p&gt;
[quote user="shwetank vishnu"]4. Then what can be the best implementation to avoid any such attacks?[/quote]
&lt;p&gt;There is no standard way to implement MITM protection without buttons or display. You can use a static passkey for instance which is unequal for each device, but this can be easily hacked, so it will only provide protection against someone accidentally connecting to your device. A&amp;nbsp;malicious attacker can easily circumvent this.&lt;/p&gt;
[quote user="shwetank vishnu"]I came across security modes and levels and I think I am looking for a security mode 1 level 4 communication.[/quote]
&lt;p&gt;As your device does not have I/O capabilities you can only achieve security mode 1 level 2 (though you can trick it by using a static passkey, but that does not give you any real protection as described above). Also, note that for level 4 you need to use LE Secure Connections.&lt;/p&gt;
[quote user="shwetank vishnu"]Firstly, am I thinking this in a wrong way? What is the right approach here?[/quote]
&lt;p&gt;I am not sure. I think you need to establish what the required minimum security level is for your product. If you need proper MITM protection, then you need to modify your HW. This may also be the case if you need to limit when the device can be in pairing mode.&lt;/p&gt;</description></item><item><title>RE: BLE Pairing and security stack implementation</title><link>https://devzone.nordicsemi.com/thread/335326?ContentTypeID=1</link><pubDate>Thu, 21 Oct 2021 13:18:31 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:0dbca1b8-25de-4f4b-9ee5-18e3e4d2dd4d</guid><dc:creator>shwetank vishnu</dc:creator><description>&lt;p&gt;1.&lt;/p&gt;
[quote userid="7377" url="~/f/nordic-q-a/80876/ble-pairing-and-security-stack-implementation/335292#335292"]No, there is no way to &amp;quot;hide&amp;quot; services. Once a device connects it can discover all services. There is no need to include the service(s) in&amp;nbsp;advertising packets or scan response packets, though.[/quote]
&lt;p&gt;Okay, so when you say scan response packets, you are talking about the pairing sequence?&amp;nbsp;I am&amp;nbsp;using&amp;nbsp;a modified UART_BLE example code which sets the nRF in peripheral mode and can be easily connected using the nRF Connect app. What do I need to do to enable a pairing method?&lt;/p&gt;
&lt;p&gt;2.&lt;/p&gt;
[quote userid="7377" url="~/f/nordic-q-a/80876/ble-pairing-and-security-stack-implementation/335292#335292"]That is&amp;nbsp;entirely&amp;nbsp;application specific, and up to you. What fits your product? Is it possible to power cycle or reset it to put it in pairing mode, for instance?[/quote]
&lt;p&gt;The device is battery operated, so the power cycle method is a bit out of the picture. I can make a sequence that enables the device to pair with a mobile and if the mobile unpairs it, then we can restart the whole pairing process.&lt;/p&gt;
&lt;p&gt;3.&lt;/p&gt;
&lt;p&gt;Okay, will look into this.&lt;/p&gt;
&lt;p&gt;4. Then what can be the best implementation to avoid any such attacks?&lt;/p&gt;
&lt;p&gt;I hope the application is somewhat clear. To reiterate, below is the exact application I am implementing:&lt;/p&gt;
&lt;p&gt;1. I have some sense data that will be communicated to the mobile application&lt;/p&gt;
&lt;p&gt;2. Mobile applications generate some triggers (not periodic, about 50 over 24 hours, let's say) to operate a couple of peripherals that are part of a different characteristic.&lt;/p&gt;
&lt;p&gt;3. Now, as soon as the device boots up, it currently waits for any central (mobile connection). I am using the nRF Connect app for demo purposes, and then I am able to see and control the characteristics as required.&lt;/p&gt;
&lt;p&gt;4. All I want to do is to add a provisioning/pairing process to the same and make the overall communication secure. I came across security modes and levels and I think I am looking for a security mode 1 level 4 communication.&lt;/p&gt;
&lt;p&gt;Firstly, am I thinking this in a wrong way? What is the right approach here?&lt;/p&gt;
&lt;p&gt;Thanks for the reply, much appreciated.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: BLE Pairing and security stack implementation</title><link>https://devzone.nordicsemi.com/thread/335292?ContentTypeID=1</link><pubDate>Thu, 21 Oct 2021 12:00:44 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:d841c9ec-cfd0-49da-b22d-bab65a04c9b4</guid><dc:creator>Einar Thorsrud</dc:creator><description>&lt;p&gt;Hi,&lt;/p&gt;
[quote user=""]1. The BLE device at factory reset will be active to pair and send/receive data via the services. These services are currently open and I used the nRF Connect app to communicate; can I make them hidden so that no one else can see those? How?[/quote]
&lt;p&gt;No, there is no way to &amp;quot;hide&amp;quot; services. Once a device connects it can discover all services. There is no need to include the service(s) in&amp;nbsp;advertising packets or scan response packets, though.&lt;/p&gt;
[quote user=""]2. At the time when the device is not bonded with any central, what should be the architecture to enable pairing? Note that the device is headless and does not have any HMI. Is there any application note or literature that I can follow to do the same?[/quote]
&lt;p&gt;That is&amp;nbsp;entirely&amp;nbsp;application specific, and up to you. What fits your product? Is it possible to power cycle or reset it to put it in pairing mode, for instance?&lt;/p&gt;
[quote user=""]3. Once the pairing is complete, I want the communication to be encrypted. I guess the Nordic supports AES encryption; is there any example or literature I can follow?[/quote]
&lt;p&gt;The nRF SDKs support standard Bluetooth pairing, both legacy pairing and LE Secure Connections. Regardless of how you pair, a secured link is always encrypted with 128-bit&amp;nbsp;AES-CCM (according to the Bluetooth specification). I suggest you check out the &lt;a href="https://infocenter.nordicsemi.com/topic/sdk_nrf5_v17.1.0/lib_peer_manager.html"&gt;peer manager library&lt;/a&gt; in nRF5 SDK 12.3.&lt;/p&gt;
[quote user=""]4. Also, should the authorisation process involve a digital certificate method to make sure the pairing is safe and avoids any MITM?&amp;nbsp;[/quote]
&lt;p&gt;There is no use of&amp;nbsp;certificates in the Bluetooth specification. However, there are MITM protection features supported as defined in the Bluetooth specification, but all those depend on having an HMI of some sort. Without it,&amp;nbsp;Bluetooth does not provide any way to guarantee MITM protection.&lt;/p&gt;</description></item></channel></rss>