Bluetooth Security Issue

Hi,

Recently I read a few articles on hacking IoT devices. I wonder if the BLE connection is encrypted between Metawear boards and the phone. More specifically, is the BLE transmission encrypted? Is the data being transmitted encrypted? If not, is there a way to get encryption support at the firmware level? Will encryption cost extra space or energy on the board?

I myself checked with nRF applications and found that the general information (such as firmware version, battery info, etc.) can be fetched easily. Does it mean that anyone with the Nordic SDK can programmatically probe the device and gather device information?

Thank you!

Comments

  • @Edwardsj

    BLE is unencrypted by default. When a device is paired with a central, the BLE spec has provisions to run AES CCM mode.

    We have considered possibilities for firmware encryption of the MetaWear protocol, but there is a penalty to energy use and data throughput.  It is not a priority at present, especially considering that MetaWear is streaming raw unprocessed sensor data which is not typically a privacy concern.

    The information you described is part of the Bluetooth standard Device Information Service (DIS) and is implemented and available in plaintext on nearly all BTLE devices.  When you connect to a device, you need to know something about it to load the correct drivers.  Once paired, a device and central have more privacy in communications and can hide this information.  Anyone with a Bluetooth client can access this on most devices.

    The MetaWear command protocol is highly complex and without the APIs loaded it would be difficult to do much with a MetaWear device.
  • @Matt
    Thank you very much! It's very helpful!
This discussion has been closed.
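
The following is an added example, not part of the original thread and not MetaWear code. It decodes the standard Device Information Service and Battery Service values discussed above, so a device owner can list what a connection without pairing reveals. The characteristic UUIDs are the Bluetooth SIG assigned numbers; the sample reads and the function names are constructed for illustration.

```python
import struct

# 16-bit UUIDs assigned by the Bluetooth SIG: Device Information Service
# (0x180A) string characteristics. 0x2A19 belongs to the Battery Service (0x180F).
STRING_CHARS = {
    0x2A29: "manufacturer_name", 0x2A24: "model_number",
    0x2A25: "serial_number", 0x2A27: "hardware_revision",
    0x2A26: "firmware_revision", 0x2A28: "software_revision",
}
VENDOR_ID_SOURCE = {1: "Bluetooth SIG", 2: "USB-IF"}

def decode_characteristic(uuid16, value):
    """Decode one raw characteristic value into (field_name, decoded_value)."""
    if uuid16 in STRING_CHARS:
        return STRING_CHARS[uuid16], value.rstrip(b"\x00").decode("utf-8", "replace")
    if uuid16 == 0x2A19:  # Battery Level: one byte, percent 0-100
        if len(value) != 1 or value[0] > 100:
            raise ValueError("malformed Battery Level")
        return "battery_percent", value[0]
    if uuid16 == 0x2A50:  # PnP ID: source(1) vendor(2) product(2) version(2), LE
        if len(value) != 7:
            raise ValueError("malformed PnP ID")
        src, vid, pid, ver = struct.unpack("<BHHH", value)
        return "pnp_id", {"source": VENDOR_ID_SOURCE.get(src, "reserved"),
                          "vendor_id": vid, "product_id": pid, "version": ver}
    if uuid16 == 0x2A23:  # System ID: 40-bit manufacturer id + 24-bit OUI, LE
        if len(value) != 8:
            raise ValueError("malformed System ID")
        return "system_id", {"manufacturer_id": int.from_bytes(value[:5], "little"),
                             "oui": int.from_bytes(value[5:], "little")}
    return "unknown_0x%04X" % uuid16, value.hex()

def exposure_report(reads):
    """Summarise everything learned from a list of (uuid16, bytes) reads."""
    return dict(decode_characteristic(u, v) for u, v in reads)

# Constructed sample reads (not captured from a real board).
SAMPLE_READS = [
    (0x2A29, b"ExampleCorp"),
    (0x2A26, b"1.2.3"),
    (0x2A19, bytes([87])),
    (0x2A50, bytes.fromhex("01341278560001")),
]

if __name__ == "__main__":
    for field, decoded in exposure_report(SAMPLE_READS).items():
        print(field, "=", decoded)
```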