• Interesting topic. I tried it with my SDK11 based port to DS-D6 tracker and found out that NRF.getSecurityStatus() call fails with error 'Peer Manager not compiled in'. Maybe the getSecurityStatus() can return false values to report that connection is not secure if peer manager is not in, instead of throwing exception, does it make sense? Or can I even have encrypted connection without adding Peer Manager and this pstorage nordic thing that saves bonding into flash somewhere? Something like https vs http so that two can communicate over encrypted connection without this bonding and passkey authentication stuff?

    As for Peer Manager I found the right define to add and linked also micro-ecc and other stuff and then found that peer manager api related to whitelists has changed a bit between SDK 11 and 12, which is all fixable and is not a problem/question but do I really need it?

    What if I wanted to communicate with e.g. 20 sensors without pairing/bonding them all but still wish to have the link encrypted like https does, is this scenario supported in BLE?

  • Hi @fanoush,

    What if I wanted to communicate with e.g. 20 sensors without pairing/bonding them all but still wish to have the link encrypted like https does, is this scenario supported in BLE?

    Yes, this is a valid use case. You may establish secure connection without actually bonding (think about it as a temporary bond). This is what happens when you mark characteristics as secured, but you do not initiate bonding. Bluez in this case automatically "starts" temporary secure connection and also automatically performs failed operation (read or write) with the same payload. Bear in mind that it is not very secure anyway as centra and peripheral have to exchange secure keys every time they establish connection, hence it is prone to mitm attack.

    Some good readings on that topic: https://gattack.io/

    Have a look at the whitepaper that describes many possible attacks: https://github.com/securing/docs/raw/master/whitepaper.pdf

About

Avatar for fanoush @fanoush started