Security Level 4 in Bluetooth LE connection
Protection of private information is essential for every wireless low energy device, from fitness bands to payment systems. Privacy mechanisms prevent devices from being tracked by untrusted devices.
Secure communications keep data safe while also preventing unauthorized devices from injecting data to trigger the system’s unintended operation.
In Bluetooth Low Energy (BLE), devices connected to a link can pass sensitive data by setting up a secure encrypted connection, which means making the data unreadable to all but the Bluetooth master and slave devices.
A BLE connection is said to operate at a specific Security mode. Within each mode are several security levels. The required security mode/level of a connection may change from time to time, leading to procedures to increase that level.
To keep it simple, when two devices that initially do not have security wish to do something that requires security, the devices must pair first. This process could be triggered, for example, by a central device that is attempting to access a data value (a “characteristic”) on a peripheral device that requires authenticated access.
Pairing involves authenticating the identity of two devices, encrypting the link using a Short-Term Key (STKs), and then distributing Long-Term Keys (LTKs) (for faster reconnection in the future, i.e., bonding) used for encryption.
The new security level of the connection is based on the method of pairing performed and this is selected based on the I/O capabilities of each device. The security level of any subsequent reconnections is based on the level achieved during the initial pairing.
Each device’s role is defined in the Security Manager (SM) portion of the BLE stack. They are:
- Initiator: Always corresponds to the Link Layer Master and the GAP central.
- Responder: Always corresponds to the Link Layer Slave and the GAP peripheral.
Security by means of encryption contains four levels
- Level 1: No Security (No authentication and no encryption)
- Level 2: Unauthenticated pairing with encryption
- Level 3: Authenticated pairing with encryption
- Level 4: Authenticated LE Secure Connections pairing with encryption
BleuIO‘s security feature can handle all four security levels to establish a secure BLE connection. Users can use Numeric Comparison, Just Works or Passkey Entry to make data transmission more secure when working with Bluetooth low energy applications using BleuIO.
- Numeric Comparison: In this scenario, both devices have a display unit capable of displaying a six-digit number. Both displays output the same number, and the user is asked to confirm that these numbers match.
- Passkey Entry: The Passkey Entry is primarily intended for the case that one device has a keyboard, but no display unit and the other device has at least a display unit, for example, a PC and a BLE keyboard scenario. The user is shown a six-digit number (from “000000” to “999999”) on the device with a display and then is asked to enter the number on the other device. If the value entered on the second device is correct, the pairing is successful.
- Just Works: This model is primarily intended for the most constrained devices in I/O. The Just Works association model uses the Numeric Comparison protocol, but the user is never shown a number, and the application may ask the user to accept the connection. This method doesn’t offer protection against a Man in the Middle (MITM) attack, but it provides the same protection level against passive eavesdropping as the Numeric Comparison.
The table below is a reference for determining the pairing method based on the two devices I/O capabilities and each device’s role in the process.
Use the following AT commands to make your BLE connection more secure.
AT Commands :
- AT+SETPASSKEY for setting or querying set passkey for passkey authentication.
- AT+ENTERPASSKEY for entering the 6-digit passkey to continue the pairing request.
- AT+SECLVL for setting or querying minimum security level used when connected to other devices.
- AT+NUMCOMPA accepts a numeric comparison authentication request or enables/disabling auto-accepting numeric comparisons.
- AT+GAPADDRTYPE Sets or queries what address type the dongle will use. Changing address type cannot be done while advertising or while connected to other devices. Read more at https://www.bleuio.com/getting_started/docs/commands/#atgapaddrtype
Following video shows how two BleuIO dongles can connect using passkey over security level 4.
In this example, the central dongle is using GAP IO CAPABILITY 2, which is ‘Keyboard only’ and the peripheral dongle is using GAP IO CAPABILITY 0, which is ‘display only’.
The following table explains Input/Output Capabilities and supported security levels.