Hello,
We avoid MITM attacks by using a static passkey. Does it mean that the attacker can decrypt the connection if attacker get the passkey? What I transfer or receive data will be captured by the attacker?
Hello,
We avoid MITM attacks by using a static passkey. Does it mean that the attacker can decrypt the connection if attacker get the passkey? What I transfer or receive data will be captured by the attacker?
It seems that using static passkey is not a save way, isn't it? If we want to do some BLE application in high security way, what can we do? Using OOB only or any other methods?
You can make sniffing more difficult by lowering TX power during pairing, and holding the central and peripheral very close. This is only a bandaid solution of course :)
sara: Encryption with Passkey and Just Works are both very weak if someone is able to collect all the packets when the keys are exchanged (a poor OOB system would be equally weak). If you use bonding, the keys are usually only exchanged on the first connection. As long as the link is always encrypted and the first exchange is done in a secure place (or perhaps, as Anders suggests, with low power transmissions to limit sniffing) there should be pretty good security for most applications.
Thanks for your kindly repply~
Can I return to Bill's question (2)? If we put aside problem of delivering key to host and device (by NFC,USB...), is it correct that current nRF51 SD, Android, iOS and Windows 8/10 support setting up connection by using key provided? Update: Interesting information about OOB in Android is here