18

I wonder if the BLE (v4.0) traffic is encrypted by default or by design, or is it just optional? If the former, is the traffic encrypted using a key derived just from the pairing pin or is there some kind of session key as well - like with WPA2? If the former, would the encryption key be a long-term key then which doesn't seem so secure?

EDIT:

I read on Wikipedia that AES-128 is supported, and chips like the CC2540 provides hardware acceleration, but it's not clear if AES encryption is an option or mandatory by design. IIRC, Bluetooth 2.1 offers a non-secure mode so encryption is only optional, but I wonder if the same applies to BLE.

John M.
  • 311
  • 1
  • 2
  • 5
  • 2
    OK, sorry about that. I should add that, IIRC, Bluetooth 2.1 offers a non-secure mode so encryption is only optional. It's not so clear to me if it's the same case with BLE now. – John M. Sep 18 '15 at 11:58
  • Are you sure? From Wikipedia (https://en.wikipedia.org/wiki/Bluetooth#Security_concerns) - Bluetooth v2.1 addresses this in the following ways: Encryption is required for all non-SDP (Service Discovery Protocol) connections - so I assume also for all succeeding versions it is mandatory – flohack Oct 01 '15 at 08:45
  • [Mike Ryan](https://lacklustre.net/bluetooth/) has the answers you seek :) – sampablokuper Oct 01 '15 at 10:28

1 Answers1

3

I read now a bit in the specification - Volume 3, Part H, Section 3.5.1 Pairing Request and 3.5.2 Pairing Response.

IMHO encryption is mandatory after devices have been paired, as the initiator must send a maximum key size to be used:

Maximum Encryption Key Size (1 octet)

This value defines the maximum encryption key size in octets that the device can support. The maximum key size shall be in the range 7 to 16 octets.

This ensures my comment also that since 2.1 encryption is mandatory.

So you cannot choose a key size of lets say 0 length, in order to get paired. I don´t know however if there is an ad-hoc mode available which would allow non-paired data exchange (but I don't believe this).

Note that this means only encrypted data stream. Authentication is a different thing. For example, you cannot verify that you connect to the right Bluetooth headset as it has no display or keyboard (still you could read it´s MAC address before you confirm, e.g.). So with some pairing modes I would assume that authentication is on a low trust level (by design).

IMHO as Bluetooth was a replacement for serial/infrared communication in the beginning, it always struggled with security. I would consider it a nice feature for some gadgets, but would not exchange sensitive information (= it´s not equal to WiFi or LAN).

techraf
  • 9,149
  • 11
  • 44
  • 62
flohack
  • 547
  • 3
  • 8
  • 2
    How come Bluetooth still isn't as secure as WiFi? – Kar Oct 02 '15 at 07:03
  • 2
    IMHO its different fields of application: Bluetooth was made primarily as a wireless replacement of cables for small, "stupid" devices. At the time of creation of the standard nobody could foresee smart phone capabilities for example. You should use it for freedom of mice and keyboards, for a wireless headset etc. Maybe car kits are ok as well. Keep in mind, for these devices it is essential to save energy as most of them run on batteries. High security would need more powerful hardware which sucks more energy. It´s like that. However it is not intended to be a means of LAN/WiFi replacement. – flohack Oct 02 '15 at 12:38
  • 4
    Of course, broadcasting everything you type on your bluetooth keyboard over radio in the clear is a desirable feature (he said sarcastically). – Craig Tullis Jul 03 '18 at 23:18