1. Security concerns with Bluetooth® Low Energy
Bluetooth® Low Energy devices are constantly advertising.
Their advertisement data may contain information related to the device: type, manufacturer, capabilities, and advertising address.
This address is a unique identifier, represented by the 6-byte MAC address.
A static MAC address, combined with the signal strength of the advertisement, may reveal the location of the device and allow it to be tracked.
[Figure: Bluetooth® Low Energy devices tracking]
The Bluetooth® Low Energy specification provides a way to randomize the MAC address in advertising packets and change it periodically.
This is provided by the Bluetooth® Low Energy privacy feature.
[Figure: Bluetooth® Low Energy tracking protection using random private address]
2. STM32WB-WBA - Bluetooth® Low Energy privacy
The STM32WB-WBA - Bluetooth® Low Energy privacy feature reduces the ability to track a device over a period of time by changing the device address on a frequent basis.
The address of a device using privacy mode is either a resolvable private address (RPA) or a non-resolvable private address (NRPA).
A resolvable private address (RPA) can be resolved using the identity resolving key (IRK), which is one of the encryption keys exchanged during the pairing process. The IRK is derived from the Identity Root (IR) value. According to the Bluetooth® Core Specification, the IRK can be assigned, or randomly generated by the device during manufacturing; this is why the IR value shall be different from device to device.
The local device adds the remote devices to a resolving list (to maintain the remote device identity addresses) along with their IRKs. It also enables address resolution, sets the privacy mode, and connects to the remote device using its remote identity address.
3. STM32WB-WBA - Bluetooth® Low Energy Addresses and Privacy
Bluetooth® Low Energy devices have an identity address associated with each device.
A Bluetooth® Low Energy address is a 48-bit value that uniquely identifies a Bluetooth® Low Energy device.
There are two main types of Bluetooth® Low Energy addresses: public and random addresses.
[Figure: Bluetooth® Low Energy address types]
The four Bluetooth address types are:
- Public Address
- Random Static Address
- Random Private Resolvable Address
- Random Private Non-Resolvable Address
Random Address and Private Address, as shown in the diagram, are simply classifications.
3.1. Public address
A Bluetooth® Low Energy public address is a constant worldwide address: it never changes and is registered with the IEEE. The public device address must conform to the IEEE 802-2001 standard, using a valid organizationally unique identifier (OUI) obtained from the IEEE Registration Authority. It follows the same rules as MAC addresses, and is an extended unique identifier (EUI-48).
The following diagram represents the simplified format of a public Bluetooth® Low Energy address (LSB first):
[Figure: Bluetooth® Low Energy public address]
- Company ID: the portion of the address publicly assigned by the IEEE (MSB)
- Company assigned: the ID assigned internally as part of the allocated block (LSB)
3.2. Random address
Random addresses do not require any registration with the IEEE.
A random address is an identifier that is either programmed into the device, or generated at runtime. The latter depends on the subtype.
The two subtypes of Random addresses are:
- Random static address
- Random private address
3.2.1. Random static address
This specific type of Bluetooth® Low Energy address serves as a popular alternative to public addresses since there are no fees involved with its use.
Random static addresses can be used in one of two ways:
- The address can be assigned and fixed for the lifetime of the device.
- The address can be changed at bootup.
However, it cannot be changed during runtime.
The format of a random static address is as follows (LSB first):
[Figure: Bluetooth® Low Energy random static address]
- The two most significant bits (MSB) must be set to 1.
- The remaining 46 bits are chosen randomly by the developer/manufacturer and must meet the following requirements:
  - At least one bit of the random part of the address must be 0.
  - At least one bit of the random part of the address must be 1.
There are two types of random private addresses:
- Resolvable
- Nonresolvable
Random private addresses are used specifically for protecting the privacy of a Bluetooth® Low Energy device to hide the identity and prevent the tracking of the device.
3.2.2. Resolvable random private address
The purpose of a resolvable random private address is to prevent malicious third parties from tracking a Bluetooth® Low Energy device while still allowing one or more trusted parties to identify the device of interest.
A resolvable random private address is "resolvable" by using a key shared with a trusted device.
This key is referred to as the identity resolving key (IRK).
The address is originally generated using this IRK and a random number.
So, what makes a device “trusted” by another device?
In this case, a trusted device is a bonded device. Bonding is the optional step that takes place after the pairing of two Bluetooth® Low Energy devices.
The bonding process involves the storage of keys inside the devices that are bonded with each other.
One of the keys exchanged by the two bonded Bluetooth® Low Energy devices is the IRK.
This type of address changes periodically. The recommendation in the Bluetooth® specification is to change it every 15 minutes.
The format of a resolvable private address is as follows (LSB first):
[Figure: Bluetooth® Low Energy resolvable private address]
- The two most significant bits (MSB) are fixed to 0 and 1.
- The next 22 bits are randomly generated.
- Together, these 24 bits form the prand, the most significant 24 bits of the address.
- The lower 24 bits are a hash value generated from the prand and the IRK.
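As an added worked example (not code from this page or from the ST Bluetooth® stack), the computation behind the RPA format above, in Go with the standard-library AES-128: the advertiser builds prand || ah(IRK, prand), and a peer that holds the IRK in its resolving list recomputes the hash from the received prand and compares it. Keys and addresses are handled most significant octet first, as in the Core Specification's ah definition; the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
)

// ah is the Core Spec random address hash function:
// ah(k, r) = e(k, 0^104 || r) mod 2^24, with e = AES-128 (FIPS-197),
// most significant octet first (key[0] is the MSB of the IRK).
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // a 16-byte key is always accepted
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r occupies the 24 least significant bits
	block.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]} // mod 2^24: last three octets
}

// NewPrand draws 22 random bits under the fixed 0b01 prefix of an RPA.
func NewPrand() ([3]byte, error) {
	var p [3]byte
	_, err := rand.Read(p[:])
	p[0] = p[0]&0x3F | 0x40
	return p, err
}

// GenerateRPA is the advertiser side: address (MSB first) = prand || hash.
// Over the air the six octets are transmitted LSB first.
func GenerateRPA(irk [16]byte, prand [3]byte) [6]byte {
	h := ah(irk, prand)
	return [6]byte{prand[0], prand[1], prand[2], h[0], h[1], h[2]}
}

// ResolveRPA is the peer side: for each IRK in its resolving list, the
// peer recomputes the hash from the received prand and compares it.
func ResolveRPA(irk [16]byte, addr [6]byte) bool {
	if addr[0]&0xC0 != 0x40 {
		return false // top two bits are not 01, so this is not an RPA
	}
	prand := [3]byte{addr[0], addr[1], addr[2]}
	return ah(irk, prand) == [3]byte{addr[3], addr[4], addr[5]}
}
```

A peer without the matching IRK gets a different hash and cannot link successive addresses of the same device, which is exactly the tracking protection described above.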
3.2.3. Nonresolvable random private address
The other type of random private address is the nonresolvable random private address.
This type of address also changes periodically. However, unlike resolvable addresses, it is not resolvable by any other device.
The only purpose of this type of address is to prevent tracking by any other Bluetooth® Low Energy device.
This type is not very common, but it is sometimes used in beacon applications.
The format of a nonresolvable random private address is as follows:
[Figure: Bluetooth® Low Energy nonresolvable private address]
- The two most significant bits (MSB) are fixed to 0 and 0.
- The remaining 46 bits are chosen at random.
4. How to configure and use resolvable private address (RPA)
One address type is chosen by the customer and is defined as the identity address of the device. It may be either a public address or a static random address. It is defined with CFG_IDENTITY_ADDRESS in app_conf.h.
Initialization sequence in app_ble.c:
- Write the identity address for the Bluetooth® Low Energy stack.
  If CFG_IDENTITY_ADDRESS is defined as GAP_PUBLIC_ADDRESS:
    Ble_Hci_Gap_Gatt_Init() {
      ..
      // write public address at public address offset
      aci_hal_write_config_data(CONFIG_DATA_PUBADDR_OFFSET,..)
  If CFG_IDENTITY_ADDRESS is defined as GAP_STATIC_RANDOM_ADDR:
    Ble_Hci_Gap_Gatt_Init() {
      ..
      // write static random address at random address offset
      aci_hal_write_config_data(CONFIG_DATA_RANDOM_ADDRESS_OFFSET,..)
- Initialize the GAP layer with privacy enabled:
    aci_gap_init(CFG_PRIVACY = privacy_enabled,..)
- Set the authentication requirements for the device with the identity address:
  The identity address is used in aci_gap_set_authentication_requirement and corresponds to the SMP identity address type, which is now used as the GAP identity address type.
    // Set the authentication requirements for the device: the identity address type is used
    aci_gap_set_authentication_req(..,Identity_address_type = CFG_IDENTITY_ADDRESS)
- Start advertising:
  If privacy is enabled, the allowed values of Own_address_type for starting advertising, a scan request or a connection request are RPA (0x02) or NRPA (0x03).
    // Start advertising
    aci_gap_set_discoverable(.., Own_address_Type = CFG_BLE_ADDRESS_TYPE,..)
  As long as the peer device address has not been added to the resolving list (with aci_gap_add_devices_to_resolving_list, or with aci_gap_add_devices_to_list using Mode = "Append to" or "Clear and set" resolving list only), the identity address is used for advertising.
  To advertise using the RPA without previous bonding, aci_gap_add_devices_to_resolving_list or aci_gap_add_devices_to_list can be called with a dummy address before starting advertising:
    aci_gap_add_devices_to_resolving_list(peer_identity_address_type equal to 0 or 1, Peer_address can be any address except the NULL address)
    or aci_gap_add_devices_to_list
    // Start the advertising with RPA or NRPA
    aci_gap_set_discoverable(.., Own_address_Type = CFG_BLE_ADDRESS_TYPE,..)
- Add a device to the resolving list:
  Add a device to the resolving list to be able to resolve its RPA. Follow the sequence below:
  - Initiate a connection
  - Start pairing with bonding enabled
  - Disconnect the link (not mandatory)
  - Add the previously bonded device to the resolving list:
    aci_gap_get_bonded_devices(peer_bonded_devices_addr)
    aci_gap_add_devices_to_resolving_list(peer_bonded_devices_addr_type and peer_bonded_devices_addr of the previously bonded device)
    (or aci_gap_add_devices_to_list)
  Start advertising with an RPA:
  Add a dummy address to the resolving list.
    aci_gap_add_devices_to_resolving_list (or aci_gap_add_devices_to_list)
    aci_gap_set_discoverable(.., Own_address_Type = CFG_BLE_ADDRESS_TYPE,..)
5. First example: connection between a smartphone and a STM32WB-WBA
5.1. First phase - initialize the GAP layer with privacy enabled, connection and bonding - use of public address
[Figure: Connection and bonding - privacy enabled, use of public address]
5.2. Second phase - add a device to resolving list
[Figure: Add a device to resolving list]
6. Second example: connection between two STM32WB-WBA
6.1. First phase - initialize the GAP layer with privacy enabled, connection and bonding - use of static random address
[Figure: Connection and pairing - privacy enabled, use of static random address]
6.2. Second phase - add device to resolving list
[Figure: Add a device to resolving list]
7. STM32-Hotspot GitHub BLE privacy example
- GAP Peripheral STM32WB Bluetooth® Low Energy privacy [1] feature enabled to demonstrate advertising with a resolvable private address.
- GAP Peripheral STM32WBA Bluetooth® Low Energy privacy [2] feature enabled to demonstrate advertising with a resolvable private address.
8. References