
I am running a BLE beacon in BlueZ 5.52 on a Linux machine (Ubuntu 14.04) using the default gatt-service, and the beacon using the btmgmt provided in the tools folder. The following are the commands I run to set up the beacon:

Terminal 1:

./gatt-service

Terminal 2:

sudo ./btmgmt
add-adv -u 180d -u 180f -d 080954657374204C45 1

I am easily able to connect and disconnect with the beacon using a BLE scanner app on Android. What I would like to do is set up a password for the beacon so that I am the only one who can connect to it. So far I have been unable to find any resources online that could help set that up. I have a decent understanding of the btmgmt and gatt-service code. I am looking for direction on what part of the BlueZ code to look at to set up the password protection. Any leads, pseudo-code or partial code would help a lot.

Paulw11
danny
  • I think I should have worded it better. What I meant to say is a ble peripheral beacon. You can connect to it and read gatt services. I thought it was obvious with me running gatt-service in the first terminal. – danny Oct 26 '20 at 21:28
  • BLE does not support a password-protection / login mechanism. What it offers is pairing/bonding, which is supposed to succeed only if the user is controlling both devices (such as when the first one has a display and the other one a keypad, where the user is supposed to enter the shown passkey on the other device's keypad, in order to protect from Man-in-the-middle attacks, for example hackers outside the window). You can implement that using this API: https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/doc/agent-api.txt. – Emil Oct 26 '20 at 23:53
  • Thank you @Emil. I have one additional question. Is it possible to dynamically change the GATT service? What I am thinking is to expose a write characteristic for the user to enter a password (after a connection is established), and if it matches then I expose the actual data in other characteristics. – danny Oct 27 '20 at 01:46

1 Answer

Emil already mentioned pairing and bonding in the comments. This would definitely serve your purpose, as you would be able to control who could connect to your peripheral. A BLE characteristic can ask a connected device to authenticate before reading or writing, which would result in an 'insufficient authentication error' if the device is not paired to your peripheral. An Android app is able to handle this error by displaying a pairing popup, depending on the pairing method used. So it is possible to have characteristics without security right next to ones that require pairing.

In case you still want to implement something like the password safety you mentioned, you should look into an 'authorized read'. A characteristic which requires authorization first receives a read request, and you can allow or deny it based on your own requirements. That means you can authorize yourself by sending a password to one characteristic and afterwards allow a read request on another characteristic. This would be even easier if you only accept one connection at a time.

Michael Kotzjan
  • Can you please elaborate on where I can find more information on 'authorize read'? I have tried looking through the code but haven't had much luck in finding anything. Perhaps a pointer to what code section to look at or a specific section of the core spec to read would help me better in implementing this. Thanks – danny Nov 03 '20 at 07:03
  • Please excuse my late answer. I searched for an equivalent of 'authorized read' in the BlueZ library but was not successful. It seems like they don't offer this kind of permission. But have a look at this method: https://github.com/bluez/bluez/blob/master/tools/gatt-service.c#L468 This method handles the writing of a characteristic and receives a connection handle as well. You could create a characteristic accepting a password and store the connected handle. Then check if the same connection wants to access the secured characteristic and decide if it's allowed or not. – Michael Kotzjan Nov 06 '20 at 12:11
  • I tried the method you said and it worked perfectly. One more question. Is there a way to get multiple connections working with the btmgmt? – danny Nov 12 '20 at 19:40
  • The problem seems to be that BlueZ stops advertising after the first connection. You can try to follow this answer to a similar problem: https://stackoverflow.com/questions/56236749/continue-advertising-after-connection-bluez – Michael Kotzjan Nov 13 '20 at 10:08
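
The per-connection gate that the answer and its follow-up comment describe, as an added example (not code from this thread or from BlueZ): a correct write to the password characteristic marks that connection as authorised, and reads of the protected characteristic are allowed only for it. The function names, the sample secret, the lockout threshold and the use of the device path string as the connection key are assumptions made for the example; the three `gate_*` functions are meant to be called from the write handler, the read handler and the disconnect path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_PEERS 4 /* assumed limit on peers tracked at once */
#define MAX_FAILS 3 /* assumed lockout threshold */
static const char SECRET[] = "example-passphrase"; /* constructed sample value */
static struct peer { char path[64]; bool authed; int fails; } peers[MAX_PEERS];

/* Find the slot for a device path; with create set, claim a free slot. */
static struct peer *peer_get(const char *path, bool create) {
	struct peer *spare = NULL;
	if (!path || !path[0] || strlen(path) >= sizeof(peers[0].path)) return NULL;
	for (int i = 0; i < MAX_PEERS; i++) {
		if (strcmp(peers[i].path, path) == 0) return &peers[i];
		if (!spare && !peers[i].path[0]) spare = &peers[i];
	}
	if (create && spare) strcpy(spare->path, path);
	return create ? spare : NULL;
}

/* Compare every byte with no early exit, so timing does not reveal a prefix match. */
static bool secret_matches(const unsigned char *data, size_t len) {
	unsigned char diff = (len != sizeof(SECRET) - 1);
	for (size_t i = 0; i < sizeof(SECRET) - 1; i++)
		diff |= (unsigned char)((i < len ? data[i] : 0) ^ SECRET[i]);
	return diff == 0;
}

/* Write handler logic for the password characteristic. */
bool gate_on_password_write(const char *device, const unsigned char *data, size_t len) {
	struct peer *p = peer_get(device, true);
	if (!p || p->fails >= MAX_FAILS) return false; /* table full or locked out */
	p->authed = secret_matches(data, len);
	p->fails = p->authed ? 0 : p->fails + 1;
	return p->authed;
}

/* Read handler logic for the protected characteristic: deny unless authorised. */
bool gate_may_read(const char *device) {
	struct peer *p = peer_get(device, false);
	return p && p->authed;
}

/* On disconnect: drop the session; keep the slot only while misses are recorded. */
void gate_on_disconnect(const char *device) {
	struct peer *p = peer_get(device, false);
	if (p) p->authed = false;
	if (p && !p->fails) p->path[0] = '\0';
}
```

Unless the link is paired and encrypted, the password write itself travels in the clear, so this gate complements the pairing described above rather than replacing it.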