Serialio

Bluetooth Low Energy (BLE) Security

Many of our customers want to know just how secure Bluetooth Low Energy (BLE) — or Bluetooth Smart/Bluetooth 4.0 — communication is. In response, we’ve made this article to provide basic information about the BLE standard, what it entails and what it means for your security concerns.

The BLE Pairing Process

How does Bluetooth Low Energy pairing work? Generally, the process of pairing two BLE or Bluetooth Smart devices consists of three phases; the information exchange, key generation and transport-specific key generation.

Phase One: Information Exchange

The first phase consists of the initial pairing request and an exchange of information regarding various capabilities and requirements for each device. This information exchange includes (but is not limited to) information regarding each device’s I/O (input/output) capabilities, authentication requirements bonding requirements and security protections (such as Man-In-The-Middle prevention).

I/O Capabilities

I/O or input/output capabilities refers to the specifics of the device’s input and output capabilities. For example, this information exchange includes whether or not each device has keyboard input, a display, buttons or no input methods.

Authentication Requirements

This information exchange includes details regarding the supported or preferred authentication methods for each device. Some of the common authentication details that are exchanged in this phase are described below.

Out-of-Bound Data Flag (OOB DF)

OOB authentication exchanges information to be used in phase two through an external means of communication. OOB authentication commonly uses NFC (Near Field Communication), but can use any wireless standard to send/receive the pairing information.

Bonding Flags (BF)

Bonding is the implementation of permanent security between devices using Long Term Keys (LTK). Pairing must occur before bonding can be established.

“Initiator” and “Responder” Key Distribution

“Initiator” refers to the BLE device that initiated the connection, while “responder” refers to the BLE device that responded to the initiator’s request. Both the initiator and the responder generate and share their keys during Phase One so that they can be used in Phase Two.

Phase Two: Key Generation

The specifics of Phase Two depends on the information exchanged during Phase One. Both devices (the “initiator” and the “responder”) must decide upon a pairing method based on the two devices’ shared capabilities and requirements.

LE Legacy Pairing & LE Secure Connections

Before we go into definitions, “LE” stands for “Low Energy” — as in “Bluetooth Low Energy.” LE Legacy Pairing uses Short Term Key (STK) generation. Despite sporting the term “legacy,” this method is still relatively new and is commonly used. LE Secure Connections use Long Term Key (LTK) generation.

Temporary Key (TK) Generation

As mentioned above, LE Legacy Pairing utilizes the exchange of a Temporary Key (TK). The Temporary Key is a value randomly generated by each of the two devices. If either devices has a display screen, this value may be a 6-digit passkey displayed on the device with the display screen. This value will then need to be manually input into the other device. If the other device does not have a keyboard or numerical keypad, this Temporary Key method will likely not be used.

Short Term Key (STK) Generation

Once the Temporary Key Exchange has occurred, both devices will generate a Short Term Key (STK) by using the Temporary Key (TK) and a random value from the generated from each device; the Srand and the Mrand. Ideally, each of the two devices will generate the same STK. The devices will then compare their STK’s. If the independently generated Short Term Keys match, this value will be used to encrypt the connection (and communication) between the two devices.

Phase Three: Transport Specific Key Generation

Phase three is optional and is only used when the devices exchanged bonding requirements during Phase One. Devices undergoing this face exchange additional keys that are specific to transport requirements.

Bluetooth Smart Security

What security measures are in place for Bluetooth Low Energy communication?

Encryption

Once the initial pairing process is complete,BLE connections are encrypted end-to-end. This means that the data exchanged between the paired devices is private; if any one or any thing attempts to eavesdrop on the encrypted communication, they would find packets of data that look like nonsense.

Limited Opportunity

Due to the nature of Bluetooth pairing, the risk of a Man-In-The-Middle attack is minimized. This is because there is only a small window of time — when the devices are initiating the pairing process — in which there exists any opportunity to intercept the communication.

Proximity

Most BLE devices need to be within 30 feet of each other in order to establish communication, let alone pair with each other. In order for the communication between two BLE devices to be breached, the entity attempting to access the data will have to stay within 30 feet of the actual devices. In addition to this, if there is anything obstructing the space between the potential attacker and the BLE devices the range will be further reduced. Bluetooth Smart devices will also use OOB authentication (as mentioned above).

Point-to-Point (PPP) Communication

Bluetooth connections are point-to-point connections, meaning that the information transferred between the paired devices doesn’t have to travel through the Internet or even a large network. This way, the data transferred between the paired devices isn’t exposed to nearly as many potential threats as data that is sent through miles of data cable and numerous networks before it reaches its intended destination.