1

Looking at the bluez dbus API it seems it is not possible to have a characteristic with "notify" that only paired devices can subscribe to in an encrypted way (so something like "encrypt-authenticated-notify").

Is there a way to do this? Or is this a limitation of bluez? Or maybe even not supported by Bluetooth at all?

zse

2 Answers

3

This is in fact supported by both Bluetooth Low Energy and the BlueZ API, however, you need to apply the properties to the Client Characteristic Configuration Descriptor (CCCD) and not to the characteristic itself.

To elaborate, for a characteristic to be notifiable/indicatable, it has to have the CCCD descriptor present as part of that characteristic. For example, for a heart rate characteristic, there is an accompanying CCCD descriptor that can be used to enable/disable notifications or indications. Writing 0100 to the descriptor enables notifications, writing 0200 enables indications, and writing 0000 disables both notifications/indications.

Now if you want only paired devices to be able to enable notifications, you need to change the properties of that descriptor so that it is not "open". The API for doing this is available here and you can for example set the property to be "read, encrypt-write", which means you can read the value of the descriptor normally, but in order to write to it and enable notifications you will have to pair with it.

Please have a look at the following links which may be useful

I hope this helps.

Youssif Saeed
  • Thanks a lot! If you don't mind, two more small clarification questions: 1. According to [this](https://stackoverflow.com/questions/36658513/how-to-write-a-client-characteristic-configuration-descriptor-in-bluez) bluez adds the CCCD on its own. So I guess when one provides a custom one to bluez it will replace the automatically added one? 2. I understood "encrypt-write" as to only guarantee that the connection is encrypted, not necessarily authenticated (which I assume means pairing for bluetooth), so wouldn't "read, encrypt-authenticated-write" be more appropriate for the example above? – zse Apr 29 '19 at 10:28
  • To formulate question 1 better: it is unclear to me how to provide a custom CCCD to bluez or modify those read-only flags in the linked API. – zse Apr 29 '19 at 10:53
  • @zse did you find a way to modify the flag of the default CCCD in bluez? – David Attias Nov 21 '22 at 14:45
  • sorry no, I gave up on this long ago. Good luck – zse Nov 22 '22 at 20:12
0

Despite what Youssif said, this was not possible with the API until very recently. As of BlueZ 5.62, the following flags have been introduced:

  • secure-notify/secure-indicate
  • encrypt-notify/encrypt-indicate
  • encrypt-authenticated-notify/encrypt-authenticated-indicate

These allow you to control the security level for server-initiated updates in a manner similar to their `*-read`/`*-write` counterparts.

One Normal Night
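
A simplified Python model of the check both answers describe, added here as an example and not taken from either answer or from BlueZ: the security flags on notify/indicate set the minimum link security a client needs before its CCCD write (0100 or 0200) is accepted. The `Link` level names, the function names and the error-code mapping are assumptions of this example.

```python
# Simplified model (added example, not BlueZ code); level names are assumptions.
from enum import IntEnum

class Link(IntEnum):
    """Link security levels, weakest to strongest."""
    NONE = 1           # no encryption
    ENCRYPTED = 2      # encrypted, pairing not authenticated
    AUTHENTICATED = 3  # encrypted after authenticated pairing
    SECURE = 4         # strongest level, demanded by the secure-* flags

# ATT error codes defined by the Bluetooth Core Specification.
ATT_OK = 0x00
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_ENCRYPTION = 0x0F

# Flag prefix -> minimum link security needed to write the CCCD.
PREFIX_LEVEL = {"secure": Link.SECURE,
                "encrypt-authenticated": Link.AUTHENTICATED,
                "encrypt": Link.ENCRYPTED}

def cccd_required_level(flags):
    """Strongest requirement among the notify/indicate flags, or None if there are none."""
    level = None
    for flag in flags:
        prefix, _, op = flag.rpartition("-")
        if op not in ("notify", "indicate"):
            continue  # read/write flags do not govern the CCCD
        need = Link.NONE if not prefix else PREFIX_LEVEL.get(prefix)
        if need is None:
            raise ValueError(f"unknown flag: {flag}")
        level = need if level is None else max(level, need)
    return level

def decode_cccd(value):
    """Decode the 16-bit little-endian CCCD value: bit 0 notify, bit 1 indicate."""
    if len(value) != 2:
        raise ValueError("CCCD value must be exactly 2 bytes")
    bits = int.from_bytes(value, "little")
    return {"notify": bool(bits & 0x0001), "indicate": bool(bits & 0x0002)}

def check_cccd_write(flags, link):
    """ATT result for a CCCD write arriving on a link at security level `link`."""
    need = cccd_required_level(flags)
    if need is None:
        raise ValueError("characteristic declares no notify/indicate flag")
    if link >= need:
        return ATT_OK
    # Assumed mapping: plain encrypt-* reports Insufficient Encryption,
    # the stronger requirements report Insufficient Authentication.
    return ATT_INSUFFICIENT_ENCRYPTION if need == Link.ENCRYPTED else ATT_INSUFFICIENT_AUTHENTICATION
```

In this model a link that is encrypted but not authenticated passes `encrypt-notify` and is refused by `encrypt-authenticated-notify`, which is the distinction raised in the comments under the first answer.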