Hi,
I've written an application based on the NimBLE Peripheral Example (exampled\bluetooth\nimble\bleprph) and connection and exchanging data works fine.
My only problem is, that every device in the range of the ESP32-S3 is able to connect, which is a big security issue.
What is the conventional method to prevent unauthoriced devices to the ESP32-S3?
I was thinking of a method where the device is only visible for 30 seconds when pressing a pairing button.
Once paired no other device should be able to pair to the ESP32-S3.
Is this the correct way? And is there an example which already has included this security features?
Thank you and best regards,
Mike
Bluetooth NimBLE security: Allow connection only after pressing button
Re: Bluetooth NimBLE security: Allow connection only after pressing button
> I was thinking of a method where the device is only visible for 30 seconds when pressing a pairing button
You can opt for limited discovery , where advertising is done only for limited period of time. After that advertising stops, so remote devices cannot find your device or initiate connection.
You can opt for limited discovery , where advertising is done only for limited period of time. After that advertising stops, so remote devices cannot find your device or initiate connection.
Re: Bluetooth NimBLE security: Allow connection only after pressing button
>You can opt for limited discovery , where advertising is done only for limited period of time. After that advertising stops, so remote devices cannot find your device or initiate connection.
The problem when opting in for limited discovery the ESP32 will only be visible for 30 seconds and after that time it is impossible for already bonded devices to connect, because for establishing a connection, the device still has to be discoverable.
The ESP32 should still be connectable after the 30 seconds, but ONLY for already bonded devices.
Devices, that are not already bonded, should either not see the ESP32 (which does not seem to be possible) or not be able to connect to the ESP32 (I could not find a way to only allow bonded devices to the ESP32).
The problem when opting in for limited discovery the ESP32 will only be visible for 30 seconds and after that time it is impossible for already bonded devices to connect, because for establishing a connection, the device still has to be discoverable.
The ESP32 should still be connectable after the 30 seconds, but ONLY for already bonded devices.
Devices, that are not already bonded, should either not see the ESP32 (which does not seem to be possible) or not be able to connect to the ESP32 (I could not find a way to only allow bonded devices to the ESP32).
Re: Bluetooth NimBLE security: Allow connection only after pressing button
The devices you want to allow to connect, you can add to whitelist . Once whitelist is generated, you can apply the setting to allow connection from filter list . This way, only connections from address which are present in the whitelist would be accepted and rest would be dropped.
Re: Bluetooth NimBLE security: Allow connection only after pressing button
The problem with this approach is, that some devices for example an iPhone are changing their bluetooth device address every 30 minutes. So whitlisting specific device addresses will not work with iPhones and other client devices.
Who is online
Users browsing this forum: Bing [Bot], ok-home and 87 guests