Bluetooth NimBLE security: Allow connection only after pressing button

MikeCode
Posts: 14
Joined: Wed Apr 20, 2022 10:25 am

Bluetooth NimBLE security: Allow connection only after pressing button

Postby MikeCode » Wed Jul 10, 2024 9:14 am

Hi,

I've written an application based on the NimBLE Peripheral Example (exampled\bluetooth\nimble\bleprph) and connection and exchanging data works fine.

My only problem is, that every device in the range of the ESP32-S3 is able to connect, which is a big security issue.

What is the conventional method to prevent unauthoriced devices to the ESP32-S3?

I was thinking of a method where the device is only visible for 30 seconds when pressing a pairing button.

Once paired no other device should be able to pair to the ESP32-S3.

Is this the correct way? And is there an example which already has included this security features?

Thank you and best regards,
Mike

irahul
Posts: 46
Joined: Fri Jun 18, 2021 10:07 am

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Postby irahul » Thu Jul 18, 2024 5:07 am

> I was thinking of a method where the device is only visible for 30 seconds when pressing a pairing button

You can opt for limited discovery , where advertising is done only for limited period of time. After that advertising stops, so remote devices cannot find your device or initiate connection.

MikeCode
Posts: 14
Joined: Wed Apr 20, 2022 10:25 am

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Postby MikeCode » Thu Jul 18, 2024 11:36 am

>You can opt for limited discovery , where advertising is done only for limited period of time. After that advertising stops, so remote devices cannot find your device or initiate connection.

The problem when opting in for limited discovery the ESP32 will only be visible for 30 seconds and after that time it is impossible for already bonded devices to connect, because for establishing a connection, the device still has to be discoverable.

The ESP32 should still be connectable after the 30 seconds, but ONLY for already bonded devices.

Devices, that are not already bonded, should either not see the ESP32 (which does not seem to be possible) or not be able to connect to the ESP32 (I could not find a way to only allow bonded devices to the ESP32).

irahul
Posts: 46
Joined: Fri Jun 18, 2021 10:07 am

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Postby irahul » Fri Jul 19, 2024 4:01 pm

The devices you want to allow to connect, you can add to whitelist . Once whitelist is generated, you can apply the setting to allow connection from filter list . This way, only connections from address which are present in the whitelist would be accepted and rest would be dropped.

MikeCode
Posts: 14
Joined: Wed Apr 20, 2022 10:25 am

Re: Bluetooth NimBLE security: Allow connection only after pressing button

Postby MikeCode » Mon Jul 22, 2024 10:31 am

The problem with this approach is, that some devices for example an iPhone are changing their bluetooth device address every 30 minutes. So whitlisting specific device addresses will not work with iPhones and other client devices.

Who is online

Users browsing this forum: Majestic-12 [Bot] and 151 guests