CC2540 GATT security questions

Other Parts Discussed in Thread: CC2540, CC2640

Hi,

I'm creating a device using CC2540 and I have some questions regarding its security. I searched a lot and found most of my answers on the web and in the documents, but I'm still unclear about some topics. Please look below and if anyone can help me, it'd be greatly appreciated.

1. If I set the characteristic values' permission to GATT_PERMIT_AUTHOR_READ and GATT_PERMIT_AUTHOR_WRITE, is it definitely safe? I just want to make sure that, with the above settings, no device can access them unless it's paired with CC2540. As I have a passcode callback that generates a random number whenever a pairing request comes in, with authorization permission on the characteristic, I believe the data is out of reach of unknown connections. Am I right?

2. What is the difference between GATT_PERMIT_AUTHOR_XX and GATT_PERMIT_AUTHEN_XX? With my above scenario, is AUTHEN enough or should I use the AUTHOR permission (currently I'm planning to use AUTHOR)?

3. I'd like CC2540 to be paired with only one device. So I need to remove all bonds whenever a new pairing succeeds, but that's not possible as it will remove the current bonding data as well. So I believe I need to use GAPBOND_ERASE_SINGLEBOND. Can anyone tell me what I should pass in GAPBondMgr_SetParameter( GAPBOND_ERASE_SINGLEBOND, len, pValue), especially pValue? I think I can use B_ADDR_LEN + 1 for len but I have absolutely no idea what to do with pValue. My assumption is that CC2540 stores the address info somewhere in NV memory when connection/pairing happens, but I don't know where and when it happens. Is there a code snippet I can use?

4. How do I set the debug lock bit? By setting "Write protect boot block" and "Block debug commands (incl. read access)" in SmartRF Flash Programmer? And, by doing so, is the data in flash memory safe, including user-specific data in NV memory?

5. Is there a way to control transmission power so that the connection is dropped beyond a specific range? I'm using the RSSI callback and GAPRole_TerminateConnection() to implement what I want, but if I could simply set the connection (including advertising) range it would definitely be better.

Regards,

Brian

  • Hi Brian,

    As you are probably aware, the pairing (key exchange) process in BT4.0 / BT4.1 is susceptible to eavesdropping, which can compromise the security of the connection. This has largely been addressed in BT4.2. If this is a concern in your system, the suggestion is to use OOB pairing or implement encryption in your application (i.e., above GATT). You can find a description of Authorization vs. Authentication in Profile (GATT) in Vol 3, Part G, Section 8 SECURITY CONSIDERATIONS in the BT4.0 core spec. For implementing Passkey pairing, see the HIDEmuKbd example project. You will see how to terminate the connection if the passkey does not match.

    For GAPBOND_ERASE_SINGLEBOND, the pValue is the pointer to the B_ADDR value.

    For debug lock bit use, see the CC2540 User Guide.

    You can control TX power using HCI extension command: HCI_EXT_SetTxPowerCmd, see the TI Vendor Specific HCI Guide in the BLE SDK.

    Best wishes
  • Hi JXS,

    Thanks for your answers. Still I need your help so please allow me to ask some questions.

    Pairing is susceptible to eavesdropping but, once the pairing is done, I assume the characteristics are safe with GATT_PERMIT_AUTHOR_READ. Am I right? And, as I generate a random passcode every time a pairing request happens, I believe no random device can access the data. Please correct me if I'm wrong.

    I saw the BT4.0 core spec but didn't quite get what I wanted. Basically I want to know when authorization and authentication happen. It describes what happens when authorization/authentication requirements are not met but didn't tell me what the requirements are. Can you direct me to a better explanation of them?

    And I found how to get the bond and erase it by using mainRecordNvID. Thanks for helping me.

    For the debug lock bit, I read the document already but didn't get much information about how to control it. Can you tell me whether I should control it through SmartRF Flash Programmer or in the source code? If possible, with some example please.

    Thanks,
    Brian
  • Hello Brian,

    Even with passkey (MITM) protection, the BLE pre-BT4.2 security is still subject to compromise, since a one in a million passkey can be brute-force attacked with off-the-shelf computing resources. If the pairing was compromised, any further encryption with those keys can be considered insecure.

    Although you are using CC254x, please see Section 5.4 of the CC2640 BLE SW developer's guide (SWRU393). This section has a good overview of the GAP Bond Manager and related security options available in the BLE Stack. Note that Authorization is done at the application level.

    I'll see if there is an example with debug lock bit.

    Best wishes
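
    An added illustration (not TI stack code, and not from either poster) of the distinction JXS points to: the stack enforces AUTHEN from the link state it already knows (encrypted with an MITM-protected key), while AUTHOR is handed to an application callback that has to make its own decision, here by comparing the peer address against the single bonded device Brian wants to allow. Type, constant and callback names imitate the TI BLE stack but are redefined locally and are assumptions; the addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* ATT error codes (Core Spec Vol 3, Part F) and permission bits; the values
 * mirror the TI BLE stack headers but are redefined here so this compiles alone. */
#define SUCCESS                      0x00
#define ATT_ERR_INSUFFICIENT_AUTHEN  0x05
#define ATT_ERR_INSUFFICIENT_AUTHOR  0x08
#define B_ADDR_LEN                   6
#define GATT_PERMIT_READ             0x01
#define GATT_PERMIT_AUTHEN_READ      0x04
#define GATT_PERMIT_AUTHOR_READ      0x10

/* Link state the stack knows about for a connected peer. */
typedef struct {
    uint8_t addr[B_ADDR_LEN];
    bool    encrypted;     /* link encrypted with a key obtained from pairing */
    bool    mitmProtected; /* that key came from passkey (MITM) pairing */
} link_t;

/* Constructed sample addresses: the one device we want to allow, and any other. */
const uint8_t OWNER_ADDR[B_ADDR_LEN]    = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
const uint8_t STRANGER_ADDR[B_ADDR_LEN] = {0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF};
/* Application state: address of the single bonded peer, set after pairing succeeds. */
static uint8_t g_ownerAddr[B_ADDR_LEN];
static bool    g_haveOwner = false;
void setOwner(const uint8_t *addr) { memcpy(g_ownerAddr, addr, B_ADDR_LEN); g_haveOwner = true; }
void clearOwner(void)              { g_haveOwner = false; }

/* Application authorization callback: AUTHOR permissions end up here, the app decides. */
static uint8_t appAuthorizeAttrCB(const link_t *link) {
    if (g_haveOwner && memcmp(link->addr, g_ownerAddr, B_ADDR_LEN) == 0) return SUCCESS;
    return ATT_ERR_INSUFFICIENT_AUTHOR;
}

/* Stack-side check for a read of an attribute with the given permission bits:
 * AUTHEN is enforced from link state, AUTHOR is delegated to the application. */
uint8_t checkReadPermission(const link_t *link, uint8_t perms) {
    if ((perms & GATT_PERMIT_AUTHEN_READ) && !(link->encrypted && link->mitmProtected))
        return ATT_ERR_INSUFFICIENT_AUTHEN;
    if (perms & GATT_PERMIT_AUTHOR_READ)
        return appAuthorizeAttrCB(link);
    return SUCCESS;
}

/* Convenience wrapper: outcome of a read by a peer with this address and link state. */
uint8_t readAs(const uint8_t *addr, bool encrypted, bool mitm, uint8_t perms) {
    link_t link = { {0}, encrypted, mitm };
    memcpy(link.addr, addr, B_ADDR_LEN);
    return checkReadPermission(&link, perms);
}
```

    Note that AUTHOR on its own asks nothing about encryption, so the callback must do the real checking; AUTHEN_READ combined with AUTHOR_READ gives both the stack-enforced MITM-protected link and the single-device restriction.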

  • Hi JXS,

    Thanks for your help again. I found the GAP Bond Manager section in SWRU393 very helpful. Please update me whenever you find a good example of controlling the debug lock bit.

    Thanks,
    Brian