Is there a way to reject BLE connection based on security mode? I want to accept only connections with Security Mode 1, Level 4.
You need to configure the IO capabilities in your application.
This is the setting I used when connecting.
p_event_data->pairing_io_capabilities_ble_request.local_io_cap = BTM_IO_CAPABILITIES_DISPLAY_ONLY;   /* local device can only display a passkey */
p_event_data->pairing_io_capabilities_ble_request.oob_data     = BTM_OOB_NONE;                       /* no out-of-band data */
p_event_data->pairing_io_capabilities_ble_request.auth_req     = BTM_LE_AUTH_REQ_SC_MITM_BOND;       /* request LE Secure Connections + MITM + bonding */
p_event_data->pairing_io_capabilities_ble_request.max_key_size = 0x10;                               /* 16-byte (128-bit) encryption key */
p_event_data->pairing_io_capabilities_ble_request.init_keys    = BTM_LE_KEY_PENC | BTM_LE_KEY_PID;   /* keys to distribute */
p_event_data->pairing_io_capabilities_ble_request.resp_keys    = BTM_LE_KEY_PENC | BTM_LE_KEY_PID;   /* keys to accept */
I use a nRF52840 Bluetooth USB dongle to connect. It can change its IO and security settings. If I configure the nRF52840 with LE Secure Connection, Keyboard, and Display, the connection will be Security Mode 1, Level 4. If I configure the nRF52840 without LE Secure Connection, Keyboard, and Display, the connection will be Security Mode 1, Level 2. I want the Bluetooth stack to reject this connection.
I found this page that has a function (wiced_bt_ble_get_security_state) to check the security. It indicates if the connection is encrypted and paired with MITM. But it doesn't indicate if the connection is LE Secure. Is there any data structure or other API to check if a connection is LE Secure?
There is a function called wiced_bt_gatt_disconnect(). Where should I put it? It doesn't work when I put it under case BTM_PAIRING_COMPLETE_EVT.
I'm trying to check if a connection is LE Secure. If it isn't, then the device should initiate a disconnect.
Please try to set the security_requirement_mask to BTM_SEC_SECURE_CONNECTION in the wiced_bt_cfg.c file. I think this will force the connection to use a secure connection.
You can put the wiced_bt_gatt_disconnect() after the gatt connection event. Please make sure you are using the correct connection id.
The security_requirement_mask is BTM_SEC_SECURE_CONNECTION. I tried changing it to different values but it doesn't make a difference.
I got the disconnect to work by putting wiced_bt_gatt_disconnect() in wiced_bt_gatt_server_request_handler.
The firmware I'm using is BCM4345C0_003.001.025.0172.0344.
I found this comment that says:
The .security_requirement_mask is not used for LE, so you can omit it.
https://community.infineon.com/t5/Wi-Fi-Combo/secure-connection-pairing-with-BLE/td-p/214005
Can you confirm this?
I'm using ble_hellor_sensor application with BCM4345C0_003.001.025.0172.0344.
Sorry for the mistake in the last reply. The security_requirement_mask is only used for BT applications.
Could your problem be resolved by using wiced_bt_gatt_disconnect() as a workaround?
I can use wiced_bt_gatt_disconnect() but there is no method to differentiate security level 3 and level 4. When I use wiced_bt_ble_get_security_state(), they get the same value for the security flag. Also, wiced_bt_gatt_disconnect() only works after the device is connected. It is better if the stack can reject the connection before entering the passkey.
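The two posts above (the IO-capability settings that request LE Secure Connections, and the complaint that the security-state flags do not separate Level 3 from Level 4) both come down to one policy: classify a completed pairing into a Security Mode 1 level and drop anything below Level 4. The following is an added example, not code from this thread or from the WICED/AIROC stack. Because the thread reports that wiced_bt_ble_get_security_state() exposes no LE Secure Connections flag, the pairing_info_t struct, its fields, and the disconnect hook are constructed for this example; the level definitions themselves (Level 1: no security; Level 2: unauthenticated pairing with encryption; Level 3: authenticated pairing with encryption; Level 4: authenticated LE Secure Connections pairing with a 128-bit key) follow the Bluetooth Core specification.

```c
/* Added example: Security Mode 1 level classification and a "Level 4 only"
 * policy for BLE links. The pairing_info_t struct, its field names and the
 * disconnect hook are constructed for this example and are NOT the layout
 * of wiced_bt_management_evt_data_t or any WICED/AIROC API. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Security Mode 1 levels as defined in the Bluetooth Core specification. */
typedef enum {
    SEC_MODE1_LEVEL1 = 1,  /* no security: no authentication, no encryption */
    SEC_MODE1_LEVEL2 = 2,  /* unauthenticated pairing with encryption */
    SEC_MODE1_LEVEL3 = 3,  /* authenticated (MITM) legacy pairing with encryption */
    SEC_MODE1_LEVEL4 = 4   /* authenticated LE Secure Connections pairing, 128-bit key */
} sec_mode1_level_t;

/* Constructed view of a completed pairing (hypothetical, not wiced_bt_dev.h). */
typedef struct {
    bool    encrypted;      /* link is encrypted after pairing */
    bool    authenticated;  /* MITM protection used: passkey, numeric comparison or OOB */
    bool    secure_conn;    /* LE Secure Connections (ECDH) rather than legacy pairing */
    uint8_t enc_key_size;   /* negotiated encryption key size in bytes, 7..16 */
} pairing_info_t;

/* Map the pairing outcome to a Security Mode 1 level. Level 4 needs all of:
 * encryption, MITM authentication, LE Secure Connections and a 16-byte key
 * (the thread's max_key_size = 0x10 setting). */
sec_mode1_level_t classify_security_level(const pairing_info_t *p)
{
    if (!p->encrypted)
        return SEC_MODE1_LEVEL1;
    if (!p->authenticated)
        return SEC_MODE1_LEVEL2;
    if (p->secure_conn && p->enc_key_size == 16)
        return SEC_MODE1_LEVEL4;
    return SEC_MODE1_LEVEL3;   /* authenticated, but legacy pairing or short key */
}

/* Convenience wrapper so callers can classify from bare flags. */
sec_mode1_level_t classify_flags(bool encrypted, bool authenticated,
                                 bool secure_conn, uint8_t enc_key_size)
{
    pairing_info_t p = { encrypted, authenticated, secure_conn, enc_key_size };
    return classify_security_level(&p);
}

/* Policy from the thread: only Security Mode 1, Level 4 is acceptable. */
bool connection_allowed(const pairing_info_t *p)
{
    return classify_security_level(p) == SEC_MODE1_LEVEL4;
}

/* Hypothetical disconnect hook standing in for wiced_bt_gatt_disconnect(conn_id). */
typedef void (*disconnect_fn)(uint16_t conn_id);

/* What a pairing-complete handler would do: keep the link only at Level 4.
 * Returns true if the link was kept. */
bool enforce_level4(uint16_t conn_id, const pairing_info_t *p, disconnect_fn disconnect)
{
    if (connection_allowed(p))
        return true;
    printf("conn %u: Security Mode 1 Level %d is below Level 4, disconnecting\n",
           conn_id, (int)classify_security_level(p));
    disconnect(conn_id);
    return false;
}

/* Stub disconnect that only counts calls, so the policy can be checked offline. */
static int stub_disconnect_calls = 0;
static void stub_disconnect(uint16_t conn_id) { (void)conn_id; stub_disconnect_calls++; }

/* Run the policy over three constructed pairings mirroring the thread's
 * nRF52840 scenarios; returns how many links were rejected. */
int run_samples(void)
{
    const pairing_info_t samples[] = {
        { true,  true,  true,  16 },  /* LESC + keyboard/display passkey: Level 4, keep   */
        { true,  true,  false, 16 },  /* legacy pairing with passkey:      Level 3, reject */
        { true,  false, false, 16 },  /* Just Works encryption only:       Level 2, reject */
    };
    int rejected = 0;
    stub_disconnect_calls = 0;
    for (uint16_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (!enforce_level4((uint16_t)(0x10 + i), &samples[i], stub_disconnect))
            rejected++;
    return rejected;
}

int main(void)
{
    printf("rejected %d of 3 constructed pairings\n", run_samples());
    return 0;
}
```

The point the classifier makes explicit is that an "encrypted and MITM" flag pair, which is all the thread says the security-state API returns, stops at Level 3: distinguishing Level 4 needs the LE Secure Connections bit and the negotiated key size as separate inputs, which is why the policy cannot be built on wiced_bt_ble_get_security_state() alone.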
Which host and stack are you using? Could you see the API wiced_bt_dev_configure_secure_connections_only_mode?
I'm using ble_hellor_sensor application with BCM4345C0_003.001.025.0172.0344. The project is for NXP RT1052 chip. How do I check the stack version? I don't see the API wiced_bt_dev_configure_secure_connections_only_mode in wiced_bt_dev.h.
Are you using the BSA? Where did you get it?
What is BSA?
I got the project from Murata support. The library being used is libwicedble.a.
Is there any update? Is there a version of libwicedble.a with wiced_bt_dev_configure_secure_connections_only_mode?
I am not sure if you can use the following lower-level API, because it may not be in the FW.
You can try the following code:
extern void BTM_SetSecurityMode (uint8_t security_mode);

wiced_result_t hello_sensor_management_cback( wiced_bt_management_evt_t event, wiced_bt_management_evt_data_t *p_event_data )
{
    ....
    switch ( event )
    {
    ....
    case BTM_ENABLED_EVT:
        /* set the security mode before the application initialises */
        BTM_SetSecurityMode (6);
        hello_sensor_application_init();
        break;
    ....
    }
    ....
}
I added BTM_SetSecurityMode(6) and the code compiled. I ran it, but the change didn't block non-secure connections.
I think you can ask Murata to see if they have a new FW for it.