
Change Characteristics' Read/Write Permissions While Connected

Greetings, and thank you ahead of time to anyone willing to lend some advice.

I'm implementing application-layer security by requiring central devices to supply a user-configurable password. This is being done in order to maintain compatibility with a security scheme used to connect to the device through means other than BLE. Once a valid password has been supplied to the peripheral, certain characteristics will be changed from being completely inaccessible to read / write or from read-only to read / write, depending on the characteristic. I know this kind of functionality can be achieved through read / write authorization, however this would require that the security state be analyzed at each read / write event. What I wish to do is set the characteristics' read / write permissions to their appropriate levels at once when a valid password is supplied (similar to how they are assigned when initially adding the characteristics). However, I have so far been unable to determine a way to accomplish this. Is this behavior possible with the S110 soft device? If so, do you know how I can access the data structures that must be manipulated to accomplish this? Thanks!

EDIT: I forgot to mention that the connection between the peripheral and central cannot be broken while changing the read / write permissions.

  • What you want is in itself not currently possible, since you can't change already added services or attributes. However, I think there are at least two possible ways to work around this:

    1. Don't use the data you receive in the events, or populate the GATT Table with valid data, before the peer device has been authenticated. Since all the activities done from the Peripheral side are controlled from the app, the only result of this should be that an attacker would be able to read 0s or write random data, which will have no effect.

    2. Don't add the protected services before the peer device has been authenticated. Although you can't change already added services, you can add new services, so if you start off with just the authentication service, you could add the other services only after authentication has passed. Beware that you'll most likely have to send a Service Changed indication to the peer device for this to work properly, to let the Central know that the GATT Table has changed.

  • Hi, using solution 2, how can I remove the "protected" service from the GATT Table when the Central device disconnects from the Peripheral? I think that if I don't remove the "protected" service when the Central disconnects, then at the next connection the Central is able to discover the "protected" service, is that right?

  • The only way to clear the GATT Table is to disable and re-enable the softdevice, and then not add it back in. There is no API function to remove a service. I would however rather recommend going with the first approach, simply to avoid this hassle.

  • Hello. I would like to adopt approach 1 suggested above in a similar case. Could you point out how to handle GATT table updates? Currently any value written automatically updates the value in the characteristic in the peripheral. I would like to not do that unless the central has been validated.
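An added example (not from this thread or the Nordic SDK) modelling approach 1 from the first answer and the table-update problem raised in the comment above: the app keeps its own authoritative copy of a protected value, the stack's table copy stays zeroed until the password characteristic receives the right value, and because the stack has already stored an incoming write in the table before the app's write event fires, the handler scrubs (or restores) the table afterwards. The password, value length and the stack's store-then-notify behaviour are modelled here with plain memcpy calls rather than softdevice API calls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define VALUE_LEN 4
static const uint8_t k_password[] = "s3cr3t!!";        /* constructed sample */
#define PASSWORD_LEN (sizeof(k_password) - 1)

/* Constructed model of one protected characteristic: the copy the stack
 * serves to the central (table_value) and the app's authoritative copy. */
typedef struct {
    uint8_t table_value[VALUE_LEN];
    uint8_t app_value[VALUE_LEN];
    bool    authenticated;
} protected_char_t;

void protected_char_init(protected_char_t *c, const uint8_t *initial) {
    memcpy(c->app_value, initial, VALUE_LEN);
    memset(c->table_value, 0, VALUE_LEN);   /* central sees zeros until auth */
    c->authenticated = false;
}

/* Constant-time compare: no early exit on the first mismatching byte. */
static bool password_matches(const uint8_t *buf, uint16_t len) {
    if (len != PASSWORD_LEN) return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < PASSWORD_LEN; i++) diff |= buf[i] ^ k_password[i];
    return diff == 0;
}

/* Write event on the password characteristic: on success, expose the real value. */
void on_password_write(protected_char_t *c, const uint8_t *data, uint16_t len) {
    if (!password_matches(data, len)) return;
    c->authenticated = true;
    memcpy(c->table_value, c->app_value, VALUE_LEN);
}

/* Write from the central to the protected characteristic. The stack stores the
 * bytes in the table before the app's event fires (modelled by the first memcpy),
 * so the handler must scrub or restore the table copy afterwards. */
void central_writes_protected(protected_char_t *c, const uint8_t *data, uint16_t len) {
    memcpy(c->table_value, data, len < VALUE_LEN ? len : VALUE_LEN); /* stack */
    if (c->authenticated && len == VALUE_LEN)
        memcpy(c->app_value, data, VALUE_LEN);           /* accept the write */
    else if (c->authenticated)
        memcpy(c->table_value, c->app_value, VALUE_LEN); /* bad length: restore */
    else
        memset(c->table_value, 0, VALUE_LEN);            /* unauthenticated: scrub */
}

/* Read by the central: the stack answers from the table without involving the app. */
void central_reads_protected(const protected_char_t *c, uint8_t *out) {
    memcpy(out, c->table_value, VALUE_LEN);
}

void on_disconnect(protected_char_t *c) {   /* re-arm for the next connection */
    c->authenticated = false;
    memset(c->table_value, 0, VALUE_LEN);
}
```

The on_disconnect step is what keeps the value hidden from the next central, which is the gap the second approach runs into since a service cannot be removed once added.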

  • Hello. Is this still true with SD130 and SDK 11? Can I connect and do pairing and bonding and then perform an app level authentication and then add a service or chars? My experience is that when I add chars to my app, I have to reset bonding and pairing on both sides to be able to bond again and discover the new services. I am using the device manager, not peer manager.
