Search code examples
c++securityencryptionbluetooth-lowenergybluez

How to encrypt data using BLE connection using Bluez5.50

I'm working on a C++ project that deals with data transmission. My system is composed of two different devices, that have to exchange sensitive data in a trusted mode. To do this I downloaded and set up the last bluez library (v5.50) on my Raspberry Pi.

  1. Is there any possibility to enable data encryption using the bluez API?

Googling around the possibility to use the BLE encryption mechanism I found discordant opinions. Someone suggests using it while others one discourage it in favor of application-level encryption exploiting, for instance, the Cripto++ library.

  1. Which is the best solution?

Thanks

Solution

  • My recommendation is to always have the connection encrypted. Please see this answer which explains the benefits and importance of encrypted connections vs open connections.

    In regards to encrypted connections, you can easily do this by pairing with a device. In BLE, pairing allows connection packets to be encrypted. Using BlueZ, you can easily do this from the command line using the bluetoothctl command as follows:-

    bluetoothctl
[bluetoothctl] connect 00:11:22:33:44:55
[bluetoothctl] pair 00:11:22:33:44:55

    Beforehand, please ensure that your BlueZ device can perform/accept connections and pairing as follows:-

    btmgmt connectable on
btmgmt bondable on
btmgmt io-cap 
btmgmt 3

    The last command sets your IO capability to NoInputNoOutput, but you can change this to one of the following values:-

    0       DisplayOnly
1       DisplayYesNo
2       KeyboardOnly
3       NoInputNoOutput
4       KeyboardDisplay

    However, if you do that, you will need to pass the equivalent command line option when launching bluetoothctl as follows:-

    bluetoothctl --agent KeyboardOnly
bluetoothctl --agent KeyboardDisplay
bluetoothctl --agent NoInputNoOutput
bluetoothctl --agent DisplayOnly

    If you want to view the underlying API for this, please have a look at the BlueZ source code, and you can start with client/main.c for the connection and pairing commands.

    Finally, as Solomon Slow indicated, if you are promising the protection of sensitive data then you should definitely go for multi-level encryption. In other words, the link should be encrypted, as well as the data before being sent in the software, and if your device supports hardware-level encryption, then do that as well.

    For further reading on BLE Encryption, please visit the Bluetooth Specification Version 5.0, Vol 2, Part H, Section 1: Security Overview.

    I hope this helps.