Secure BLE or Bluetooth pairing

Hi,

I want to use BLE when Particle is not accessible (think a moving vehicle), however the client should be paired with a code so that random passers-by can perform operations.

I have seen most of the tutorials for BLE use advertised services and characteristics, but insecurely. I can’t see in the SDK any way to perform pairing.

Any thoughts?

2 Likes

@wschilpzand pairing is only insecure during the initial connection phase. Once the devices sync up the connection should be secure. I haven’t looked at the implementation in DeviceOS closely but they probably have used the “Just works” configuration. There are currently no other ways to establish a connection.

One thing that you can do, that’s a bit more clever, is you can use an asymmetric key share over BLE. The handshake is secure and once it occurs, all data is encrypted. The hard part is making sure that the keys on each device stay secure. Espressif had this approach for their OTA functionality. (Link below)

There’s some extra work to do there but I think it’s possible to put something together that is MITM resilient.

I’m not an expert on cryptography/security so take all of this with a grain of salt. 🙂

Added note: there may be a clever way to get OOB (out of band) auth to work as well. It all depends on your application. As far as I know these features are within the Nordic SDK but not exposed in DeviceOS’s

Thanks Jared. I’m less worried about the radio security and more the authorisation.

BLE Beacon style use of services doesn’t require any kind of authorisation. Anyone can access the services and characteristics.

In my application, only the device owner should be able to perform actions. In standard Bluetooth, the pairing process can be done with a preset or user programmed code to prevent unauthorised connections.

That’s what I’d like to be able to do.

I guess I could work around this by requiring a security token on calls to services. But it is a workaround.
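The token workaround mentioned above, as an added example (not code from this thread or from Particle's SDK): a fixed token sent with every write can be copied by anyone who observes one write, so this version has the device issue a fresh nonce and accept a command only when it carries an HMAC over that nonce and the command. The `Device` class, the challenge/command characteristic roles and the 32-byte owner key provisioned at setup are assumptions, and the exchange is modelled in Python rather than DeviceOS code.

```python
import hashlib
import hmac
import secrets


class Device:
    """Peripheral side (hypothetical model): guards a command characteristic."""

    def __init__(self, owner_key: bytes):
        self._key = owner_key
        self._nonce = None  # outstanding challenge, valid for one write only

    def read_challenge(self) -> bytes:
        # The client reads this from a "challenge" characteristic before each command.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def write_command(self, command: bytes, tag: bytes) -> bool:
        # Consume the nonce first, so a repeated write never sees a live challenge.
        nonce, self._nonce = self._nonce, None
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def sign_command(owner_key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Client side: bind the command to the device's current challenge."""
    return hmac.new(owner_key, nonce + command, hashlib.sha256).digest()


def demo() -> dict:
    owner_key = secrets.token_bytes(32)  # constructed sample key, shared at setup
    device = Device(owner_key)
    results = {}
    tag = sign_command(owner_key, device.read_challenge(), b"unlock")
    results["owner"] = device.write_command(b"unlock", tag)
    results["replay"] = device.write_command(b"unlock", tag)  # same bytes resent
    device.read_challenge()
    results["replay_new_nonce"] = device.write_command(b"unlock", tag)
    stranger_key = secrets.token_bytes(32)
    bad = sign_command(stranger_key, device.read_challenge(), b"unlock")
    results["wrong_key"] = device.write_command(b"unlock", bad)
    lock_tag = sign_command(owner_key, device.read_challenge(), b"lock")
    results["tampered"] = device.write_command(b"unlock", lock_tag)
    return results


if __name__ == "__main__":
    print(demo())
```

This gives authorisation of individual commands only; it does not encrypt the data exchanged over the link.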

Hi! Just jumping in on the conversation as I was wondering this myself (I am very new to Bluetooth in general). I am developing an application where an Argon will communicate over Bluetooth with a mobile device and potentially with other Xenons as well.

From what I understand of both your explanations:

  • My application is not beacon-style, it requires direct communication between paired devices only.
  • Therefore, if I have control over the pairing process, communication afterwards between Particle devices and a mobile device will happen securely. It’ll be MITM resilient.

Is this correct?

Thanks a lot!