As Bluetooth Low Energy (Bluetooth LE) becomes more widely used, the value of the traffic it carries increases. Today, for example, the data gathered by sophisticated wearables reveals much about users’ daily habits. And tomorrow, when Bluetooth LE will be carrying payment details or medical data, the value of the information will be greater still. And value attracts hackers.
Recent versions of Bluetooth LE include good security features, but the final strength of the wireless link is determined in part by the chip maker. Some lesser chip makers can leave vulnerabilities in their firmware. In contrast, Nordic Semiconductor considers security a top priority. For example, the company’s nRF52840 System-on-Chip (SoC), an advanced Bluetooth 5-certified device, incorporates an ARM TrustZone CryptoCell-310 Cryptographic module and AES 128-bit hardware accelerator. These features support a wide range of asymmetric, symmetric, and hashing cryptographic services for secure applications.
But even the best-designed Bluetooth LE solutions face some threats from a determined hacker, and one of the biggest can occur during device initial set-up or “commissioning”.
An asymmetric encryption scheme—whereby the private key used to decrypt security information is never passed over the air—closes one vulnerability by eliminating the possibility for an eavesdropper to access the critical information needed to break into the link. Such a scheme, called “secure connections”, was introduced with Bluetooth 4.2. Specifically, that revision of the specification included an algorithm that generated a private key using an ‘Elliptic Curve Diffie–Hellman’ (ECDH) key exchange method, making it almost impossible to intercept.
However, another common threat to Bluetooth LE happens when devices are subject to a “man-in-the-middle” attack.
This time the solution is to move authentication away from the usual Bluetooth LE channels to an “out-of-band” (OOB) channel which remains unknown to the prospective hacker. OOB commissioning arrived with Bluetooth 4.0 (the release that introduced Bluetooth LE), alongside the “just works” (unsecured) pairing method and the passkey method. The challenge of OOB is implementing the OOB channel without complicating the connectivity solution or making things more difficult for the end user.
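The two ideas above, an ECDH key agreement over the radio plus an authentication value delivered over a separate OOB channel, can be seen working together in the following simplified model. It is an added example written for this article, not code from the page, from Nordic, or from the Bluetooth specification. It assumes a hand-rolled P-256 implementation (illustration only, not constant-time and not for production), uses HMAC-SHA256 as a stand-in for the specification's AES-CMAC-based f4 confirm function, and keeps only the OOB commitment step of LE Secure Connections pairing. The `Device`, `pair`, `oob_data` and `verify_and_derive` names are this example's own. The point it shows is why the commitment carried out of band lets each side detect a public key that was substituted on the radio link, which is exactly the man-in-the-middle case the text raises.

```python
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (the curve LE Secure Connections uses for ECDH).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


def is_on_curve(pt):
    """True if pt is an affine point on P-256 (None is the point at infinity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def f4(pk_x, r):
    """Commitment to a public key X coordinate under nonce r.
    The Bluetooth f4 function is AES-CMAC; HMAC-SHA256 stands in here (assumption)."""
    return hmac.new(r, pk_x.to_bytes(32, "big"), hashlib.sha256).digest()[:16]


class Device:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(N - 1) + 1
        self.pub = ec_mul(self.priv, G)
        self.r = secrets.token_bytes(16)       # per-pairing random value

    def oob_data(self):
        # What the NFC tap carries: the nonce and a commitment to our public key.
        return {"r": self.r, "c": f4(self.pub[0], self.r)}

    def verify_and_derive(self, peer_pub_over_air, peer_oob):
        """Check the over-the-air public key against the OOB commitment, then derive a key."""
        if peer_pub_over_air is None or not is_on_curve(peer_pub_over_air):
            return None                      # reject off-curve points
        expected = f4(peer_pub_over_air[0], peer_oob["r"])
        if not hmac.compare_digest(expected, peer_oob["c"]):
            return None                      # key seen on the air is not the one committed out of band
        shared = ec_mul(self.priv, peer_pub_over_air)
        return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


def pair(initiator, responder, attacker=None):
    """Returns the agreed key, or None if either side rejects the pairing."""
    oob_i, oob_r = initiator.oob_data(), responder.oob_data()       # via NFC, out of band
    pk_i_seen_by_r, pk_r_seen_by_i = initiator.pub, responder.pub   # via Bluetooth LE
    if attacker is not None:
        # Model of a radio-link man-in-the-middle: both sides see the attacker's key instead.
        pk_i_seen_by_r = pk_r_seen_by_i = attacker.pub
    k_i = initiator.verify_and_derive(pk_r_seen_by_i, oob_r)
    k_r = responder.verify_and_derive(pk_i_seen_by_r, oob_i)
    if k_i is None or k_r is None or k_i != k_r:
        return None
    return k_i


if __name__ == "__main__":
    print("honest pairing:", pair(Device("sensor"), Device("phone")).hex())
    print("substituted keys:", pair(Device("sensor"), Device("phone"), attacker=Device("mitm")))
```

Two design points are worth noting. The commitment is checked before any key is derived, so a substituted key is rejected rather than silently producing a key the attacker shares. And the received point is checked to lie on the curve first; a real stack must do the same, because ECDH with an off-curve point can leak bits of the private key.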
NFC for OOB
Engineers at the Norwegian University of Science and Technology in Trondheim, Norway, recently conducted research into the best methods for authentication using an OOB channel. The researchers found that Near Field Communication (NFC) offered the best balance of security and user-friendliness for implementing the OOB channel.
NFC devices exchange information in the 13.56 MHz ISM band at rates ranging from 106 to 424 kbps. Bidirectional interaction is established by bringing the devices within 4 to 10 cm of each other. The NFC link can then be used as the OOB channel to start the pairing process and look after the authentication. Once commissioning is complete, communication switches to the secure Bluetooth LE link.
The key to NFC’s success as an OOB channel is its very short range, which makes it difficult for a would-be hacker to intercept the authentication process without revealing their intent. NFC OOB commissioning also prevents unwanted devices connecting without the user’s permission. A further advantage is that the user doesn’t need to enter or verify a passkey, simplifying the commissioning process.
Nordic’s nRF52 Series SoCs incorporate an NFC-A tag to facilitate authentication using an OOB channel. Many smartphones incorporate NFC, and commissioning is as simple as touching the Nordic SoC-powered device and the mobile together. Gateways—‘edge’ devices which connect Bluetooth LE sensors to the Internet of Things (IoT)—are also adopting NFC for commissioning purposes. Because NFC commissioning doesn’t require passkey entry or verification, it is also suitable for the increasing number of Bluetooth LE sensors designed without a user interface.