Question about BLE Mesh "No OOB" OOB type

Hi all,

I am trying to make push button OOB the only available OOB type for my Mesh device. Even if I write bt_mesh_prov in such a way that no output or input OOBs are accepted, I still get the option to provision it with the "No OOB" method in the nRF Mesh app.

How do I make the push button input OOB the only available OOB method?

Thank you

  • Hi,

    I am trying to make push button OOB the only available OOB type for my Mesh device. Even if I write bt_mesh_prov in such a way that no output or input OOBs are accepted, I still get the option to provision it with the "No OOB" method in the nRF Mesh app.

    Could you clarify if you're actually able to provision the device with "No OOB" if you write bt_mesh_prov in such a way that no output or input OOBs are accepted?

    Kind regards,
    Andreas

  • Hello and thanks for the reply

    Using the following struct:

    static const struct bt_mesh_prov prov = {
        .uuid = dev_uuid,                /* Device UUID advertised in unprovisioned beacons */
        .input = mesh_input_func,        /* Called when the provisioner requests Input OOB */
        .output_size = 0,                /* No Output OOB supported */
        .output_actions = 0,
        .input_size = 0,                 /* No Input OOB supported */
        .input_actions = 0,
        .complete = mesh_prov_complete,  /* Provisioning finished */
        .input_complete = mesh_oob_stop, /* Provisioner acknowledged the OOB input */
        .reset = mesh_prov_reset,        /* Node reset (unprovisioned again) */
        .static_val = 0,                 /* No Static OOB value */
        .static_val_len = 0,
    };

    After clicking "provision" on the nRF mesh app, it instantly goes into the provisioning state window, skipping a pop-out window in which the user would select an OOB method, such as "input OOB". The device is successfully provisioned.

    I am a bit confused about the use of OOB methods in BLE Mesh. How would I go about making a device "secure" by using an OOB method if I can provision a device successfully that would use an input push button OOB method? Why does the user have the ability to just select "No OOB" and successfully provision a device?

    When I am trying to use the push button method, I get the option of selecting "Input OOB" in the nRF Mesh app and I am able to successfully provision a device using this method. But this also works fine when using "No OOB", is this the way it's supposed to be or am I missing something?

    static const struct bt_mesh_prov prov = {
        .uuid = dev_uuid,
        .input = mesh_input_func,        /* Called when the provisioner requests Input OOB */
        .output_size = 0,                /* No Output OOB supported */
        .output_actions = 0,
        .input_size = 1,                 /* Input OOB: one action (a single push) */
        .input_actions = BT_MESH_PUSH,   /* Only the "push" input action is advertised */
        .complete = mesh_prov_complete,
        .input_complete = mesh_oob_stop,
        .reset = mesh_prov_reset,
        .static_val = 0,                 /* No Static OOB value */
        .static_val_len = 0,
    };

    As an analogy, the way I am currently seeing it is: to be able to do something to a device you might need a password. You can put in a password, but it's not really necessary, as you'd be able to do the same thing to the device without a password. So I want to make the password entry absolutely necessary to make it secure.

    Thank you for your time.

  • Hi,

    Thank you for clarifying. The analogy you've used makes perfect sense and I do understand the need for it. After looking around in the spec and having a discussion with our Mesh developers, we landed on the following:

    Currently in Mesh v1.0 there are no options to prohibit No OOB on the provisionee without breaking the device's qualification. If you want to, you may add your own hook here: github.com/.../prov_device.c, like it is done here: github.com/.../prov.c. But don't enable CONFIG_BT_MESH_OOB_AUTH_REQUIRED.

    Do note that this is not a standard-compliant way, and I want to emphasize once more that this breaks the device's qualification. This request also needs a bit of further exploration. An important aspect is for the developer to ensure that, even if an unprovisioned device could be provisioned by a malicious third party to gain access to the user's data, the unprovisioned device does not have any data of material significance within itself, even when it gets provisioned. All the data that this device is supposed to obtain should be added explicitly by the user afterwards, and such data should get erased once the device is unprovisioned.

    Kind regards,
    Andreas
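The hook Andreas describes, as an added example that is not Zephyr's prov_device.c and not code from the thread: a stand-alone C model of the provisionee's handling of the Provisioning Start PDU with a local require_oob policy flag (this example's own name) that refuses the No OOB method. The PDU layout, authentication methods and Provisioning Failed error codes are those of the Mesh Profile 1.0 spec; the struct and function names, and the reuse of the Invalid Format error for the policy rejection, are this example's assumptions. The capabilities mirror the second bt_mesh_prov struct above (Input OOB, push, size 1). The same check also rejects a requested OOB action or size that the device never advertised, which a compliant provisionee should do regardless of policy; only the require_oob branch is the non-standard behaviour that breaks qualification, as noted in the reply. (Mesh Protocol 1.1 later added an "Only OOB authenticated provisioning supported" bit to the Provisioning Capabilities PDU for this purpose; the example stays with the 1.0 behaviour the thread is about.)

```c
/* Added example, not Zephyr's prov_device.c: provisionee-side validation of a
 * Provisioning Start PDU plus an optional "OOB required" policy hook. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROV_PDU_START        0x02  /* Provisioning PDU type octet */
#define PROV_START_PARAM_LEN  5     /* algorithm, public key, method, action, size */

/* Authentication Method values in the Provisioning Start PDU. */
#define AUTH_METHOD_NO_OOB      0x00
#define AUTH_METHOD_STATIC_OOB  0x01
#define AUTH_METHOD_OUTPUT_OOB  0x02
#define AUTH_METHOD_INPUT_OOB   0x03

/* Provisioning Failed error codes used here. */
#define PROV_ERR_NVAL_PDU   0x01  /* Invalid PDU */
#define PROV_ERR_NVAL_FMT   0x02  /* Invalid Format */

/* Input OOB action bits as advertised in Provisioning Capabilities; they
 * correspond to BT_MESH_PUSH, BT_MESH_TWIST, ... in bt_mesh_prov. */
#define OOB_IN_PUSH    (1u << 0)
#define OOB_IN_TWIST   (1u << 1)
#define OOB_IN_NUMBER  (1u << 2)
#define OOB_IN_STRING  (1u << 3)

#define OOB_OUT_ACTION_MAX  0x04  /* Blink .. Output Alphanumeric */
#define OOB_IN_ACTION_MAX   0x03  /* Push .. Input Alphanumeric */

/* The subset of bt_mesh_prov that the Start PDU is checked against. */
struct prov_caps {
    uint8_t  output_size;     /* 0: Output OOB not supported */
    uint16_t output_actions;
    uint8_t  input_size;      /* 0: Input OOB not supported */
    uint16_t input_actions;
    bool     static_oob;      /* static_val_len != 0 */
    bool     require_oob;     /* local policy (assumed name): refuse No OOB */
};

struct prov_start {
    uint8_t algorithm, public_key, auth_method, auth_action, auth_size;
};

/* Parse a complete Provisioning Start PDU (type octet + 5 parameter octets). */
int prov_start_parse(const uint8_t *pdu, size_t len, struct prov_start *out)
{
    if (len != 1 + PROV_START_PARAM_LEN || pdu[0] != PROV_PDU_START) {
        return PROV_ERR_NVAL_PDU;
    }
    out->algorithm   = pdu[1];
    out->public_key  = pdu[2];
    out->auth_method = pdu[3];
    out->auth_action = pdu[4];
    out->auth_size   = pdu[5];
    return 0;
}

/* Output/Input OOB: the action must be advertised and the size within
 * the announced maximum (the spec allows 1..8 characters). */
static int check_oob(uint16_t actions, uint8_t max_action, uint8_t max_size,
                     const struct prov_start *s)
{
    if (max_size == 0 || s->auth_action > max_action) return PROV_ERR_NVAL_FMT;
    if (!(actions & (1u << s->auth_action)))          return PROV_ERR_NVAL_FMT;
    if (s->auth_size == 0 || s->auth_size > max_size) return PROV_ERR_NVAL_FMT;
    return 0;
}

int prov_start_check(const struct prov_caps *caps, const struct prov_start *s)
{
    /* Mesh 1.0 defines one algorithm (0x00, FIPS P-256) and two public-key
     * options (0x00 none, 0x01 OOB public key). */
    if (s->algorithm != 0x00 || s->public_key > 0x01) return PROV_ERR_NVAL_FMT;

    switch (s->auth_method) {
    case AUTH_METHOD_NO_OOB:
        if (s->auth_action != 0 || s->auth_size != 0) return PROV_ERR_NVAL_FMT;
        /* Policy hook. A compliant provisionee accepts No OOB, which is why the
         * nRF Mesh app can always pick it; rejecting it is the non-standard
         * step the thread discusses. The spec defines no dedicated error code,
         * so Invalid Format is reused (assumption). */
        return caps->require_oob ? PROV_ERR_NVAL_FMT : 0;
    case AUTH_METHOD_STATIC_OOB:
        if (!caps->static_oob || s->auth_action != 0 || s->auth_size != 0) {
            return PROV_ERR_NVAL_FMT;
        }
        return 0;
    case AUTH_METHOD_OUTPUT_OOB:
        return check_oob(caps->output_actions, OOB_OUT_ACTION_MAX, caps->output_size, s);
    case AUTH_METHOD_INPUT_OOB:
        return check_oob(caps->input_actions, OOB_IN_ACTION_MAX, caps->input_size, s);
    default:
        return PROV_ERR_NVAL_FMT;
    }
}

/* Parse and check in one step, as a PDU handler would. */
int prov_start_handle(const struct prov_caps *caps, const uint8_t *pdu, size_t len)
{
    struct prov_start s;
    int err = prov_start_parse(pdu, len, &s);
    return err ? err : prov_start_check(caps, &s);
}

/* Capabilities matching the thread's second bt_mesh_prov: Input OOB, push, size 1. */
struct prov_caps push_only_caps(bool require_oob)
{
    struct prov_caps c = { .input_size = 1, .input_actions = OOB_IN_PUSH,
                           .require_oob = require_oob };
    return c;
}

int main(void)
{
    /* Constructed PDUs: type, algorithm, public key, method, action, size. */
    const uint8_t no_oob[] = { 0x02, 0x00, 0x00, AUTH_METHOD_NO_OOB, 0x00, 0x00 };
    const uint8_t push[]   = { 0x02, 0x00, 0x00, AUTH_METHOD_INPUT_OOB, 0x00, 0x01 };
    const uint8_t twist[]  = { 0x02, 0x00, 0x00, AUTH_METHOD_INPUT_OOB, 0x01, 0x01 };
    struct prov_caps lenient = push_only_caps(false), strict = push_only_caps(true);

    printf("No OOB, default policy: %d\n", prov_start_handle(&lenient, no_oob, sizeof no_oob)); /* 0 */
    printf("No OOB, OOB required:   %d\n", prov_start_handle(&strict, no_oob, sizeof no_oob));  /* 2 */
    printf("Input OOB push:         %d\n", prov_start_handle(&strict, push, sizeof push));      /* 0 */
    printf("Input OOB twist:        %d\n", prov_start_handle(&strict, twist, sizeof twist));    /* 2 */
    return 0;
}
```

With require_oob left false the model behaves as the OP observed: the No OOB Start is accepted and provisioning proceeds without the push. With it set, the provisionee answers with a Provisioning Failed PDU and the provisioner must retry with Input OOB. Whatever the policy, the device still holds nothing worth protecting before provisioning, per the reply above; the hook only raises the bar for who may provision it.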

  • This file no longer contains the hooks you have mentioned. How would I proceed with this?

  • Could you explain what you mean?

    If you're referring to some content that was in the tags at the time I posted how to do this, and the warning regarding that this is not a standard-compliant way, then you need to check out that specific tag.

    If this is a new issue, please create a new ticket with your inquiry.

    Kind regards,
    Andreas
