ESP32 Forum

ESP32 Official Forum
http://esp32.io/

Bluetooth NimBLE security: Allow connection only after pressing button

http://esp32.io/viewtopic.php?f=13&t=40816

Page 1 of 1

Bluetooth NimBLE security: Allow connection only after pressing button

Posted: Wed Jul 10, 2024 9:14 am
by MikeCode
Hi,

I've written an application based on the NimBLE Peripheral Example (exampled\bluetooth\nimble\bleprph) and connection and exchanging data works fine.

My only problem is, that every device in the range of the ESP32-S3 is able to connect, which is a big security issue.

What is the conventional method to prevent unauthoriced devices to the ESP32-S3?

I was thinking of a method where the device is only visible for 30 seconds when pressing a pairing button.

Once paired no other device should be able to pair to the ESP32-S3.

Is this the correct way? And is there an example which already has included this security features?

Thank you and best regards,
Mike

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Posted: Thu Jul 18, 2024 5:07 am
by irahul
> I was thinking of a method where the device is only visible for 30 seconds when pressing a pairing button

You can opt for limited discovery , where advertising is done only for limited period of time. After that advertising stops, so remote devices cannot find your device or initiate connection.

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Posted: Thu Jul 18, 2024 11:36 am
by MikeCode
>You can opt for limited discovery , where advertising is done only for limited period of time. After that advertising stops, so remote devices cannot find your device or initiate connection.

The problem when opting in for limited discovery the ESP32 will only be visible for 30 seconds and after that time it is impossible for already bonded devices to connect, because for establishing a connection, the device still has to be discoverable.

The ESP32 should still be connectable after the 30 seconds, but ONLY for already bonded devices.

Devices, that are not already bonded, should either not see the ESP32 (which does not seem to be possible) or not be able to connect to the ESP32 (I could not find a way to only allow bonded devices to the ESP32).

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Posted: Fri Jul 19, 2024 4:01 pm
by irahul
The devices you want to allow to connect, you can add to whitelist . Once whitelist is generated, you can apply the setting to allow connection from filter list . This way, only connections from address which are present in the whitelist would be accepted and rest would be dropped.

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Posted: Mon Jul 22, 2024 10:31 am
by MikeCode
The problem with this approach is, that some devices for example an iPhone are changing their bluetooth device address every 30 minutes. So whitlisting specific device addresses will not work with iPhones and other client devices.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/