This article shows how the Bluetooth Smart security features can be used in Simplicity Studio C SDK for Blue Gecko products.
First we give some basic information about Bluetooth Smart security features, then we highlight and explain the most important code snippets from the attached sample application. The sample application implements a characteristic which can be read only if the connection is secured by pairing and bonding.
Bluetooth Smart security features
The most common threats in wireless communications are:
Bluetooth Smart defines 5 distinct security features against these threats:
These features are implemented in different layers of the Bluetooth Smart stack. The figure below highlights the layers involved.
Pairing & Bonding
Bluetooth Smart uses the Secure Simple Pairing (SSP) pairing model.
Note – The random address feature is not yet supported in the current Blue Gecko stack.
Bluetooth 4.2 Security Features
Note - The Bluetooth 4.2 security features are not yet supported in the current Blue Gecko stack.
The application is built with the Simplicity Studio Bluetooth Smart C SDK ver. 1.0.4.
The application is built for the Blue Gecko SoC Starter Kit (SLWSTK6020A), but it should work with BGM111 and BGM113 targets with minimal changes.
The sample application implements a characteristic which can be read only if the connection is secured by pairing and bonding. To achieve this we need to do the following steps:
1. Set up the attribute permissions in GATT
The example has a my_secret characteristic. It can be read only over an encrypted connection because its authenticated_read property is set to true.
2. Enable bonding
To enable a secure connection we first need to allow bonding. The bonding process stores the keys that are used during secure communication. We can enable bonding on the GUI.
This setting calls the gecko_cmd_sm_set_bondable_mode(1) API function after boot.
3. Set up the security manager
We have to use the gecko_cmd_sm_configure(flags, io_capabilities) API to set up the security configuration.
The flags parameter bit 0:
The flags parameter bit 1:
Bits 2 to 7 of the flags parameter are reserved and should be 0.
The io_capabilities parameter tells what kind of user input and output methods are available on our device. Different I/O capabilities lead to different pairing methods.
The gecko_cmd_sm_configure API is called after boot.
When the sm_io_capability_displayonly or sm_io_capability_displayyesno I/O capability is used, the PIN is printed on the UART console and you have to enter this PIN on the phone/tablet.
When the sm_io_capability_keyboardonly or sm_io_capability_keyboarddisplay I/O capability is used, the PIN is displayed on the phone/tablet and you have to enter this PIN on the UART console.
Do not use sm_io_capability_noinputnooutput: MITM protection can’t work with this setting, so pairing and bonding will fail.
4. Increase the security level when connection opened
In the connection-opened event handler we have to call the gecko_cmd_sm_increase_security API function. This triggers the pairing process. On some iOS versions this step should be skipped because the iOS device initiates the pairing.
The gecko_cmd_sm_increase_security API function is called automatically if pairing is enabled on the GUI.
5. Implement the callback function for the gecko_evt_sm_passkey_display_id event
The gecko_evt_sm_passkey_display_id event indicates a request to display the passkey to the user. In the example this event triggers MyService_PasskeyDisplayCbk, which prints the passkey to the console with the standard printf.
6. Implement the callback function for the gecko_evt_sm_passkey_request_id event
The gecko_evt_sm_passkey_request_id event indicates a request for the user to enter the passkey displayed on the remote device. In the example this event triggers MyService_PasskeyDisplayCbk. This callback initiates the passkey reading from the console. The actual passkey reading is implemented in the MyService_PasskeyRead function. When the reading is done, the function calls the sm_enter_passkey API command to push the received passkey to the stack.
If the passkey was valid and the bonding completed, the stack raises a gecko_msg_sm_bonded_evt_t. If the passkey was invalid or the bonding failed for any other reason, the stack raises a gecko_evt_sm_bonding_failed_id event.
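As an added example (not code from the attached sample application), the two console-side pieces of steps 5 and 6: zero-padded display of the passkey delivered with gecko_evt_sm_passkey_display_id, and strict parsing of the passkey typed on the UART console before it is handed to sm_enter_passkey. The function names format_passkey and parse_passkey are assumptions; the stack API itself is not called, so the code runs on a host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bluetooth LE passkeys are six decimal digits, 000000..999999. */
#define PASSKEY_MAX 999999u

/* Step 5: format the passkey from gecko_evt_sm_passkey_display_id for the
 * console. Zero-padding matters: 12345 must be shown as "012345", the string
 * the phone/tablet will ask the user to type. Returns 0, or -1 if the value
 * is out of range or the buffer is too small. (Hypothetical helper name.) */
int format_passkey(uint32_t passkey, char *buf, size_t len)
{
    if (passkey > PASSKEY_MAX || len < 7)
        return -1;
    snprintf(buf, len, "%06u", (unsigned)passkey);
    return 0;
}

/* Step 6: parse one line typed on the UART console. Accepts exactly six
 * decimal digits, optionally followed by CR/LF, and rejects anything else so
 * a garbage line is never pushed to the stack with sm_enter_passkey. */
bool parse_passkey(const char *line, uint32_t *out)
{
    uint32_t value = 0;
    size_t n = 0;

    if (line == NULL || out == NULL)
        return false;
    while (line[n] >= '0' && line[n] <= '9') {
        value = value * 10u + (uint32_t)(line[n] - '0');
        if (++n > 6)
            return false;
    }
    if (n != 6)
        return false;
    while (line[n] == '\r' || line[n] == '\n')
        n++;
    if (line[n] != '\0')
        return false;
    *out = value;
    return true;
}
```

On the target, the value returned by parse_passkey is what MyService_PasskeyRead would pass to the sm_enter_passkey command; a false return should leave the user to retype rather than submit a wrong passkey.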
Testing the example
For testing the project we used the Blue Gecko app, which can be downloaded from here:
Follow these steps for testing:
7. If everything went well you should be able to read the GATT characteristic with the app, and you will get the Bonding completed message on the terminal.
Hi, when I open the .isc file I can't find any tabs except General. Why?
And how can I enable the Pairing and Bonding?
Thanks a lot!
This is my Simplicity version:
Since BLE SDK v2.0.0 the plugin system has been dropped, so the code examples are much simpler. However, you cannot set security features in the Application Builder UI as in the older BLE SDK versions.
In the new SDK versions you have to configure settings via API calls.
Here are the relevant updates regarding security:
Thanks a lot.
Now I have succeeded by following the new example!