Security

BLE Security Overview

Bluetooth Xpress supports Security Mode 1 (encryption) Levels 2, 3 and 4:

Note: Level 1 "No encryption" is not supported for the BGX BLE services Xpress Streaming Service and the OTA firmware update service. Therefore, to use these services, every new connection will require a pairing procedure to be completed.

Bluetooth Xpress module BLE encryption and pairing are managed with three encryption variables:

Bluetooth Xpress modules support encryption using two of the possible key types, which are selected by setting variable (bl e k):

Legacy Pairing and Secure Connections

Bluetooth Xpress supports both LE Legacy Pairing (pre-4.2) and LE Secure Connections (4.2 or newer). The variable (bl e p) can be used to disable support for LE Legacy Pairing if desired.

LE Secure Connections provides the highest level of security. For use cases that do not require legacy support (such as BGX to BGX), it is recommended to set (bl e p) = secure in order to disable LE Legacy Pairing. However, support for LE Secure Connections is not universal among phones, so setting (bl e p) = any will support the widest range of phones.

The factory setting is secure.

Bonding and Pairing

Bluetooth Xpress is designed to simplify the use of Bluetooth in an application and reduce the need for detailed technical understanding of Bluetooth. However, because Bluetooth connections can fail for a number of reasons, it helps to understand the meaning of pairing and bonding.

Simply put, pairing is the exchange of encryption keys that will be used for encrypting a connection between devices.

Bonding is storing the keys exchanged during pairing so that the two devices can easily reconnect without pairing again.

These two terms are often used interchangeably, which can add confusion. Also, many phones will remember devices even if they have not bonded, which can also cause problems.

Bluetooth Xpress and Bonding

Bluetooth Xpress modules provide support for bonding, which is configured using the variable (bl e b). When bonding is enabled the Bluetooth Xpress modules will remember the pairing information from each new device connection, so that the pairing procedure is not performed on subsequent connections with that device.

For bonding to work correctly both devices in a new connection must agree to bond. Many phones assume bonding is always enabled, so for use cases where Bluetooth Xpress is communicating with a mobile device, it is recommended to set (bl e b) = 1.

The table below provides details of the available key types and the security mode that results from each.

References are to Specification of the Bluetooth System, core package version 5.0. See https://www.bluetooth.org.

Key (bl e k): none
  Advantages: Simplest to use, just works with a range of devices
  Disadvantages: Does not protect against "Man in the Middle" attack
  Use Case: When the other device has no IO capabilities to enter a pin code, or when the user is not concerned about "Man in the Middle" attack
  BLE pairing procedure: Just Works Procedure (Vol 3, Part H, 2.3.5.2)
  BLE security mode: bl e p any: Mode 1 Level 2. bl e p secure: Mode 1 Level 4.

Key (bl e k): 6 digit pin code
  Advantages: Gives better protection, works best with smart phones
  Disadvantages: A 6 digit key is vulnerable to a brute force attack.
  Use Case: When the other device has pin code input capabilities, such as a smart phone
  BLE pairing procedure: Pass key entry Procedure (Vol 3, Part H, 2.3.5.3)
  BLE security mode: bl e p any: Mode 1 Level 3. bl e p secure: Mode 1 Level 4.

Solving Connection Problems

Due to the complexity of this topic and inconsistent implementations by device vendors, connection problems may occur when trying to connect a BGX to another device such as a mobile phone. Connection problems can also occur in BGX-to-BGX connections if device settings are incompatible.

The most likely reasons why you may encounter a problem when connecting to a BGX are:

Here are some ways you can tell there is a connection problem:

Stale Bonding Data

Stale bonding data means that one device of a pair (BGX and BGX, or BGX and mobile phone) has stored bonding data and the other has not. This happens when devices that were previously bonded have been changed so that one of them no longer holds bonding data. This could happen for the following reasons:

Solution

When a BGX-to-BGX or phone-to-BGX connection fails due to stale data, it can almost always be resolved by clearing bonding data on both devices.

After you clear the bonding data on both devices, they should be able to connect.

Legacy Pairing

Bluetooth Xpress supports both LE Secure Connections and LE Legacy Pairing. By default, BGX is configured to require secure pairing. Some older mobile devices only support the legacy method and so they cannot connect to a BGX out of the box. This feature is controlled by the variable bl e p. The factory setting for this variable is secure which enforces secure connections.

Solution

Use a terminal or Xpress Configurator to change the value of the bl e p variable from secure to any. Then re-attempt the connection. You may need to also clear stale bonding data (see above).
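The following Python model ties the key-type table above to the troubleshooting cases in this section. It is an added example, not Silicon Labs code and not how the BGX firmware is implemented: the security-mode table is transcribed from the page, while the peer-capability fields (supports_secure_connections, has_keypad, bonds, has_bond_for_bgx) and the negotiate() function are assumptions made for the model. Given the three BGX variables and a description of the other device, it predicts which pairing procedure and security level a new connection ends in, or which of the documented problems (stale bonding data, legacy-only peer, no pin entry) blocks it and the corresponding fix.

```python
"""Model of Bluetooth Xpress (BGX) pairing settings versus a peer device.

Added example, not Silicon Labs code. SECURITY_TABLE is transcribed from the
BGX documentation table; the Peer fields are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# (bl e k, bl e p) -> (BLE pairing procedure, resulting security mode/level),
# as listed in the documentation table. "pin" is the 6 digit pin code key type.
SECURITY_TABLE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("none", "any"):    ("Just Works",    "Mode 1 Level 2"),
    ("none", "secure"): ("Just Works",    "Mode 1 Level 4"),
    ("pin", "any"):     ("Passkey Entry", "Mode 1 Level 3"),
    ("pin", "secure"):  ("Passkey Entry", "Mode 1 Level 4"),
}


@dataclass
class BgxConfig:
    """The three BGX encryption variables, plus whether a bond is already stored."""
    key_type: str              # bl e k: "none" or "pin"
    pairing: str               # bl e p: "any" or "secure"
    bonding: bool              # bl e b: True when set to 1
    has_bond_for_peer: bool = False


@dataclass
class Peer:
    """Assumed capabilities of the other device (phone or second BGX).
    These field names are the example's own, not BGX variables."""
    supports_secure_connections: bool
    has_keypad: bool           # can a user type a 6 digit pin code on it?
    bonds: bool                # does it store pairing keys? (phones usually do)
    has_bond_for_bgx: bool = False


def negotiate(bgx: BgxConfig, peer: Peer) -> dict:
    """Predict the outcome of a new connection and, on failure, the documented remedy."""
    if bgx.key_type not in ("none", "pin") or bgx.pairing not in ("any", "secure"):
        raise ValueError("unsupported bl e k / bl e p value")

    # Stale bonding data: exactly one side still holds keys from an earlier pairing.
    if bgx.has_bond_for_peer != peer.has_bond_for_bgx:
        return {"ok": False, "problem": "stale bonding data",
                "fix": "clear bonding data on both devices, then reconnect"}

    # bl e p = secure disables LE Legacy Pairing, so a legacy-only peer cannot pair.
    if bgx.pairing == "secure" and not peer.supports_secure_connections:
        return {"ok": False, "problem": "peer supports only LE Legacy Pairing",
                "fix": "set bl e p = any and reconnect (clear stale bonds if needed)"}

    # Passkey Entry needs a peer on which the 6 digit code can be entered.
    if bgx.key_type == "pin" and not peer.has_keypad:
        return {"ok": False, "problem": "peer cannot enter a pin code",
                "fix": "set bl e k = none (Just Works) for this peer"}

    procedure, security = SECURITY_TABLE[(bgx.key_type, bgx.pairing)]
    # Both sides hold matching bonds: the stored keys are reused, no pairing runs.
    if bgx.has_bond_for_peer and peer.has_bond_for_bgx:
        procedure = "none (stored keys reused)"

    return {
        "ok": True,
        "procedure": procedure,
        "security": security,
        # Just Works gives no protection against a man-in-the-middle.
        "mitm_protected": bgx.key_type == "pin",
        # Keys are kept only when both sides agree to bond; otherwise the
        # pairing procedure repeats on every new connection.
        "bonded": bgx.bonding and peer.bonds,
    }


if __name__ == "__main__":
    # Constructed peers: a current phone and an older, legacy-only phone.
    phone = Peer(supports_secure_connections=True, has_keypad=True, bonds=True)
    old_phone = Peer(supports_secure_connections=False, has_keypad=True, bonds=True)
    print(negotiate(BgxConfig("pin", "secure", True), phone))
    print(negotiate(BgxConfig("none", "secure", True), old_phone))
    print(negotiate(BgxConfig("none", "any", True), old_phone))
```

Running the block with the factory setting bl e p = secure against the legacy-only phone reproduces the failure this section describes, and switching the same configuration to bl e p = any shows the connection succeeding at Mode 1 Level 2 without MITM protection, which is the trade-off the table spells out.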

BGX-to-BGX

When using a BGX-to-BGX connection, the following variables must be set the same on both devices in order to establish a connection. If you are having a problem with a BGX-to-BGX connection, verify the following settings match.