Only allow authorized devices to connect to Bluz DK


#1

Hi,

I am new to BLE and Bluz. I want to make sure only authorized BT devices can connect to Bluz, what’s the best/most secure way of making sure only the right BT device (phone) can connect to Bluz DK?
Any info is appreciated.

Thank you!


#2

Are you doing this with local communication? Or with the cloud back-end?

This is a little tricky, bluz was sort of designed to be open where any BLE device can connect to it and allow it to connect to the cloud. The reason is that the device itself handles it’s own security directly, the gateway can’t see the traffic passing through it.

So any device can connect. There is no BLE link security enabled on bluz, and it wouldn’t help much anyway as BLE link security has proven to be insecure.

Now, you can do things after the connection to ensure that the “correct” device is connected. For example, you can send down some data to bluz, or even go as far as doing some encryption handshake. This would be far more secure than any BLE link security, but you can trade off security for ease based on your application. For example, it can be as simple as sending “Hello” to bluz when it connects and bluz would listen for that before it would do whatever it is you want it to do. If it doesn’t get the “Hello”, it just disconnects.

That is easy, but not secure, so it depends on your use case.


#3

I do have a cloud backend running, which will have a passcode that can be compared to whatever the BT device is sending. I just thought there might be a way of having an additional security level (knowing that BLE access can be easily hacked) Do you have a link that shows how un-secure the BLE link security is?
Can I set the Bluz DK bluetooth to not visible?

Are there any examples out there for both, simply sending a string and the encryption handshake?

thank you!


#4

Here is a paper on the BLE security issues:

In the end, it has been shown to be breakable in a number of ways, so we decided not to depend upon it at all. Plus, we don’t need to since each bluz device has a fully secure connection at the application layer.

When you say you have a cloud backend running, do you mean a version of the Particle cloud running locally? Or something else? Are you writing your own app for connecting to bluz and sending data to your cloud?

You can look at the Local Communication tutorial in our docs here: http://docs.bluz.io/tutorials/local_communication/

That shows you how to send any data between bluz and some other device. The type of data you send and the security you use for it is up to you. There are some underlying security calls in the Particle stack, but I have never tested them on bluz. They should work, but I m not 100% sure as I have just never tried it. You can see an example here: https://gist.github.com/towynlin/fb1f56bdd0a77b46cf09

So you can use something like that to encrypt data and send it back and forth if you like.


#5

Thanks Eric!
Well, my Bluz is connected to a Photon which gets a password from the Particle cloud, and compares it to the password coming from the Bluz DK. What do you think of this approach?

Thank you


#6

It depends on your application and how secure you need it to be. Any plain text data sent over local communication is completely insecure, so if that is ok with your use case then maybe it’s not a bad idea.

There are many levels of security, they can range from “I just want to make this hard for someone to copy” all the way to “we are transferring peoples personal and financial information and need the utmost security level”. Ultimately, you need to decide what you need for your use case and then try and figure out the best way.

The Particle cloud portion of bluz was meant to give a very high level of security, but if you are bypassing it with local communication, then you do need to be careful. I can’t really speak to any suggestions as I don’t know your ultimate goal or what level of security risk you want to deal with.


#7

Thanks Eric! Yes, that’s ok for my application as the hardware itself is not accessible to anyone, so in my case the local communication is probably even a bit safer than the Bluetooth communication. I think this is the way to go for my application. Thank you very much for your help – I truly appreciate it.