CYW43455 reject BLE connection based on security mode


KeVo_4728286

Is there a way to reject BLE connection based on security mode? I want to accept only connections with Security Mode 1, Level 4.

0 Likes
1 Solution

I think you can ask Murata to see if they have a new FW for it.


0 Likes
16 Replies
Owen_Zhang123
Moderator

You need to configure the IO capabilities in your application.

0 Likes
KeVo_4728286

This is the setting I used when connecting.

p_event_data->pairing_io_capabilities_ble_request.local_io_cap = BTM_IO_CAPABILITIES_DISPLAY_ONLY;
p_event_data->pairing_io_capabilities_ble_request.oob_data = BTM_OOB_NONE;
p_event_data->pairing_io_capabilities_ble_request.auth_req = BTM_LE_AUTH_REQ_SC_MITM_BOND;
p_event_data->pairing_io_capabilities_ble_request.max_key_size = 0x10;
p_event_data->pairing_io_capabilities_ble_request.init_keys = BTM_LE_KEY_PENC | BTM_LE_KEY_PID;
p_event_data->pairing_io_capabilities_ble_request.resp_keys = BTM_LE_KEY_PENC | BTM_LE_KEY_PID;

I use an nRF52840 Bluetooth USB dongle to connect. It can change its IO and security settings. If I configure the nRF52840 with LE Secure Connection, Keyboard, and Display, the connection will be Security Mode 1, Level 4. If I configure the nRF52840 without LE Secure Connection, Keyboard, and Display, the connection will be Security Mode 1, Level 2. I want the Bluetooth stack to reject this connection.

0 Likes
KeVo_4728286

I found this page that has a function (wiced_bt_ble_get_security_state) to check the security. It indicates if the connection is encrypted and paired with MITM. But it doesn't indicate if the connection is LE Secure. Is there any data structure or other API to check if a connection is LE Secure?

https://community.infineon.com/t5/Knowledge-Base-Articles/Handling-GATT-attribute-security-permissio...

There is a function called wiced_bt_gatt_disconnect(). Where should I put it? It doesn't work when I put it under case BTM_PAIRING_COMPLETE_EVT.

I'm trying to check if a connection is LE Secure. If it isn't, then the device should initiate a disconnect.

0 Likes

Please try to set the security_requirement_mask to BTM_SEC_SECURE_CONNECTION in the wiced_bt_cfg.c file. I think this will force the connection to use a secure connection.

You can put the wiced_bt_gatt_disconnect() after the gatt connection event. Please make sure you are using the correct connection id.

 

0 Likes

The security_requirement_mask is BTM_SEC_SECURE_CONNECTION. I tried changing it to different values but it doesn't make a difference.

I got the disconnect to work by putting wiced_bt_gatt_disconnect() in wiced_bt_gatt_server_request_handler.

The firmware I'm using is BCM4345C0_003.001.025.0172.0344.

0 Likes

I found this comment that says:

The .security_requirement_mask is not used for LE, so you can omit it.

https://community.infineon.com/t5/Wi-Fi-Combo/secure-connection-pairing-with-BLE/td-p/214005

Can you confirm this?

I'm using ble_hellor_sensor application with BCM4345C0_003.001.025.0172.0344.

0 Likes

Sorry for the mistake in the last reply. The security_requirement_mask is only used for BT application.

Could your problem be resolved by wiced_bt_gatt_disconnect() as a workaround?

0 Likes

I can use wiced_bt_gatt_disconnect() but there is no method to differentiate security level 3 and level 4. When I use wiced_bt_ble_get_security_state(), they get the same value for the security flag. Also, wiced_bt_gatt_disconnect() only works after the device is connected. It is better if the stack can reject the connection before entering the passkey.

0 Likes
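
What an "accept only Security Mode 1, Level 4" policy has to decide from the peer's SMP Pairing Request, before any passkey is shown, as an added example that is not part of the thread and is not WICED or Murata code. The function name and sample PDUs are constructed for illustration; the local side is assumed to be a DisplayOnly responder requesting MITM, as in the settings posted above, with the PDU layout and reason codes taken from the Bluetooth Core Specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMP values from the Bluetooth Core Specification, Vol 3, Part H. */
#define SMP_PAIRING_REQUEST   0x01
#define SMP_AUTH_SC           0x08 /* AuthReq bit 3: LE Secure Connections */
#define SMP_IO_KEYBOARD_ONLY  0x02
#define SMP_IO_KEYBOARD_DISP  0x04
#define SMP_ERR_AUTH_REQ      0x03 /* Pairing Failed: Authentication Requirements */
#define SMP_ERR_KEY_SIZE      0x06 /* Pairing Failed: Encryption Key Size */
#define SMP_ERR_INVALID       0x0A /* Pairing Failed: Invalid Parameters */

/* Hypothetical check for a DisplayOnly responder that requests MITM and
 * accepts only Security Mode 1, Level 4. Returns 0 to continue pairing, or
 * the Pairing Failed reason to send before any passkey is shown.
 * Assumes OOB data is not in use on either side. */
uint8_t sc_only_check_pairing_request(const uint8_t *pdu, size_t len)
{
    /* Code, IO Capability, OOB flag, AuthReq, Max Key Size, two key-dist bytes */
    if (pdu == NULL || len != 7 || pdu[0] != SMP_PAIRING_REQUEST)
        return SMP_ERR_INVALID;
    uint8_t io_cap = pdu[1], auth_req = pdu[3], max_key = pdu[4];

    if (io_cap > SMP_IO_KEYBOARD_DISP || max_key < 7 || max_key > 16)
        return SMP_ERR_INVALID;
    if (!(auth_req & SMP_AUTH_SC))  /* LE legacy pairing: Level 3 at best */
        return SMP_ERR_AUTH_REQ;
    if (max_key < 16)               /* Level 4 needs a 128-bit key */
        return SMP_ERR_KEY_SIZE;
    /* Opposite a DisplayOnly device, only a peer with a keyboard gets Passkey
     * Entry; any other IO capability yields Just Works (unauthenticated). */
    if (io_cap != SMP_IO_KEYBOARD_ONLY && io_cap != SMP_IO_KEYBOARD_DISP)
        return SMP_ERR_AUTH_REQ;
    return 0;
}

int main(void)
{
    /* Constructed Pairing Request PDUs, not captured traffic. */
    const uint8_t sc_req[7]     = {0x01, 0x04, 0x00, 0x0D, 0x10, 0x03, 0x03};
    const uint8_t legacy_req[7] = {0x01, 0x04, 0x00, 0x05, 0x10, 0x03, 0x03};
    printf("SC request:     0x%02X\n", sc_only_check_pairing_request(sc_req, 7));
    printf("legacy request: 0x%02X\n", sc_only_check_pairing_request(legacy_req, 7));
    return 0;
}
```
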

Which host and stack are you using? Could you see the API wiced_bt_dev_configure_secure_connections_only_mode?

0 Likes

I'm using ble_hellor_sensor application with BCM4345C0_003.001.025.0172.0344. The project is for NXP RT1052 chip. How do I check the stack version? I don't see the API wiced_bt_dev_configure_secure_connections_only_mode in wiced_bt_dev.h.

0 Likes

Are you using the BSA? Where did you get it?

0 Likes

What is BSA?

I got the project from Murata support. The library being used is libwicedble.a.

0 Likes
KeVo_4728286

Is there any update? Is there a version of libwicedble.a with wiced_bt_dev_configure_secure_connections_only_mode?

0 Likes

I am not sure if you can use the following lower-level API, because it may not be in the FW.

You can try the following code:

extern void BTM_SetSecurityMode (uint8_t security_mode);

wiced_result_t hello_sensor_management_cback( wiced_bt_management_evt_t event, wiced_bt_management_evt_data_t *p_event_data )
{
....
....
        case BTM_ENABLED_EVT:
            BTM_SetSecurityMode (6);
            hello_sensor_application_init();
....
....

0 Likes

I added BTM_SetSecurityMode(6) and the code compiled. I ran it but the change didn't block non secure connection.

0 Likes

I think you can ask Murata to see if they have a new FW for it.

0 Likes