BLE Pairing Security

Question

I am new to BLE technology outside of using it for Arduino(RFduino). I'm trying to make it so that every phone that can see the device cannot pair to the RFduino. What I'm confused about is I know BLE has security measures but how do I go about implementing these.

Looking at this question it looks like one can use the MAC addr for security? https://stackoverflow.com/questions/22712632/pair-ble-device-with-android So I guess what I should do is have the user enter the correct MAC addr for the device and if it doesn't match they can't connect?

What I really dont understand is how to add a pairing private/public key to the whole communication which I assume is the best practice way to do this? Any help would be appreciated.

Answer 1

BLE provides Integrity and Confidentiality to its communication, but not Authentication. This means once the connection is established, it's very hard to hack, but you have to make sure yourself that you're not connected to a malicious user!

Public Private key authentication would be a good starting point. You may want the RFDuino to hold the private key. When you attempt to connect to it, it will sign something in a way that only the private key owner could sign, and you can verify this using your public key. Now you can be sure that you're connected to the right person.

Security is a very hard thing to implement correctly however, and so you may want to look around if someone has already implemented a library like this for Bluetooth.

Answer 2

1. Android support BLE on 4.3 higher version.
   
2. For making communication with Arduino you need to Use GATT services and UUID.
   

Default UUID used by android is "0000180F-0000-1000-8000-00805f9b34fb".

Please provide your own UUID id.

For more helpful details, please visit this link: http://developer.android.com/reference/android/bluetooth/BluetoothGattService.html