BLE Security Overview
Bluetooth Xpress supports Security Mode 1 (encryption) Levels 2, 3 and 4:
- Level 2 : Unauthenticated/"Just works" encryption with no passkey
- Level 3 : Authenticated encryption with a passkey
- Level 4 : Authenticated LE Secure Connections pairing with encryption
Note: Level 1 "No encryption" is not supported for the BGX BLE services Xpress Streaming Service and the OTA firmware update service. Therefore, to use these services new connections will always require a pairing procedure to be completed.
Bluetooth Xpress module BLE encryption and pairing are managed with three encryption variables:
Bluetooth Xpress modules support encryption using two of the possible key types, which are selected by setting variable (bl e k):
- "Just Works" (keyless)
- 6 digit pin code (passkey)
Legacy Pairing and Secure Connections
Bluetooth Xpress supports both LE Legacy Pairing (pre 4.2) and LE Secure Connections (4.2 or newer). The variable (bl e p) can be used to disable support for LE Legacy Pairing if desired.
LE Secure Connections provides the highest level of security. For use cases
that do not require legacy support (such as BGX to BGX), it is recommended to
set (bl e p) =
secure in order to disable LE Legacy
Pairing. However, support for LE Secure Connections is not universal among
phones, so setting (bl e p) =
any will support the
widest range of phones.
The factory setting is
Bonding and Pairing
Bluetooth Xpress is designed to simplify the use of Bluetooth in an application and reduce the need for detailed technical understanding of Bluetooth. However, because Bluetooth connections can fail for a number of reasons, it helps to understand the meaning of pairing and bonding.
Simply put, pairing is the exchange of encryption keys that will be used for encrypting a connection between devices.
Bonding is storing the keys that are used for pairing so that they can easily reconnect.
These two terms are often used interchangeably which can add confusion. Also, many phones will remember devices even if they have not bonded which can also cause problems.
Bluetooth Xpress and Bonding
Bluetooth Xpress modules provide support for bonding, which is configured using the variable (bl e b). When bonding is enabled the Bluetooth Xpress modules will remember the pairing information from each new device connection, so that the pairing procedure is not performed on subsequent connections with that device.
Number of bonded devices: Up to 14 devices can be stored in the BGX internal bonding table. After 14 devices have been stored, new bonds will overwrite the bond in the bonding table that has not been used in the longest amount of time. Therefore, new devices can always be bonded, but it will remember a maximum of 14, and less used devices are forgotten as new devices are added.
For bonding to work correctly both devices in a new connection must agree
to bond. Many phones assume bonding is always enabled, so for use cases where
Bluetooth Xpress is communicating with a mobile device, it is recommended to
set (bl e b) =
The table below provides details of the available systems.
References are to Specification of the Bluetooth System, core package version 5.0. See https://www.bluetooth.org.
bl e k
|Advantages||Disadvantages||Use Case||BLE pairing procedure||BLE security mode|
|none||Simplest to use, just works with a range of devices||Does not protect against "Man in the Middle" attack||When the other device has no IO capabilities to enter a pin code or when the user is not concerned about "Man in the Middle" attack||Just Works Procedure (Vol 3, Part H, 22.214.171.124)|
Mode 1 Level 2.
Mode 1 Level 4.
|6 digit pin code||Gives better protection, works best with smart phones||A 6 digit key is vulnerable to a brute force attack.||When the other device has pin code input capabilities, such as a smart phone||Pass key entry Procedure (Vol 3, Part H, 126.96.36.199)|
Mode 1 Level 3.
Mode 1 Level 4.
Solving Connection Problems
Due to the complexity of this topic and inconsistent implementations by device vendors, connection problems may occur when trying to connect BGX and another device such as a mobile phone. Connection problems can also occur between BGX-to-BGX connections if device settings are incompatible.
The most likely reasons why you may encounter a problem when connecting to a BGX are:
- Stale bonding data in one device
- Mobile device only supports legacy pairing
- BGX-to-BGX: both devices do not have the same settings
Here are some ways you can tell there is a connection problem:
- you see a
BOND_FAILmessage on the BGX terminal console
- BGX Commander shows you a message about insufficient encryption
Stale Bonding Data
Stale bonding data means that one device of a pair (BGX and BGX, or BGX and mobile phone) has stored bonding data and the other has not. This happens when devices that were previously bonded have been changed so that one of them no longer holds bonding data. This could happen for the following reasons:
clrb(clear bonding) command has been issued to the BGX
fac(factory reset) command has been issued to BGX
- mobile device was commanded by user to "forget" the BGX device
- mobile device incorrectly implements storage of bonding data
When a BGX-to-BGX or phone-to-BGX connection fails due to stale data, it can almost always be resolved by clearing bonding data on both devices.
- BGX: issue
clrbcommand on a terminal
- phone: instruct phone to
forgetthe BGX device
After you clear the bonding data on both devices, they should be able to connect.
Bluetooth Xpress supports both LE Secure Connections and
LE Legacy Pairing. By default, BGX is configured to require secure pairing.
Some older mobile devices only support the legacy method and so they cannot
connect to a BGX out of the box. This feature is controlled by the variable
bl e p. The factory setting for this variable is
secure which enforces secure connections.
Use a terminal or Xpress Configurator to change the value of the
bl e p
any. Then re-attempt the connection. You may
need to also clear stale bonding data (see above).
When using a BGX-to-BGX connection, the following variables must be set the same on both devices in order to establish a connection. If you are having a problem with a BGX-to-BGX connection, verify the following settings match.