From 83c827ce8509bad53cc9d1c555befbd15a7524e3 Mon Sep 17 00:00:00 2001 From: liamcottle Date: Wed, 26 Feb 2025 17:04:44 +1300 Subject: [PATCH 1/2] enforce pin being used for ble pairing on esp32 --- src/helpers/esp32/SerialBLEInterface.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/helpers/esp32/SerialBLEInterface.cpp b/src/helpers/esp32/SerialBLEInterface.cpp index 03131459..6aae1578 100644 --- a/src/helpers/esp32/SerialBLEInterface.cpp +++ b/src/helpers/esp32/SerialBLEInterface.cpp @@ -12,13 +12,13 @@ void SerialBLEInterface::begin(const char* device_name, uint32_t pin_code) { // Create the BLE Device BLEDevice::init(device_name); - BLEDevice::setEncryptionLevel(ESP_BLE_SEC_ENCRYPT); + BLEDevice::setEncryptionLevel(ESP_BLE_SEC_ENCRYPT_MITM); BLEDevice::setSecurityCallbacks(this); BLEDevice::setMTU(MAX_FRAME_SIZE); BLESecurity sec; sec.setStaticPIN(pin_code); - sec.setAuthenticationMode(ESP_LE_AUTH_REQ_SC_BOND); + sec.setAuthenticationMode(ESP_LE_AUTH_REQ_SC_MITM_BOND); //BLEDevice::setPower(ESP_PWR_LVL_N8); @@ -31,11 +31,11 @@ void SerialBLEInterface::begin(const char* device_name, uint32_t pin_code) { // Create a BLE Characteristic pTxCharacteristic = pService->createCharacteristic(CHARACTERISTIC_UUID_TX, BLECharacteristic::PROPERTY_READ | BLECharacteristic::PROPERTY_NOTIFY); - pTxCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ_ENCRYPTED); + pTxCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ_ENC_MITM); pTxCharacteristic->addDescriptor(new BLE2902()); BLECharacteristic * pRxCharacteristic = pService->createCharacteristic(CHARACTERISTIC_UUID_RX, BLECharacteristic::PROPERTY_WRITE); - pRxCharacteristic->setAccessPermissions(ESP_GATT_PERM_WRITE_ENCRYPTED); + pRxCharacteristic->setAccessPermissions(ESP_GATT_PERM_WRITE_ENC_MITM); pRxCharacteristic->setCallbacks(this); pServer->getAdvertising()->addServiceUUID(SERVICE_UUID); From dbc9659e9aa24de61662d755f63331599178abc8 Mon Sep 17 00:00:00 2001 From: liamcottle Date: Wed, 26 Feb 2025 17:27:58 +1300 Subject: [PATCH 2/2] enforce pin being used for ble pairing on nrf52 --- src/helpers/nrf52/SerialBLEInterface.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/helpers/nrf52/SerialBLEInterface.cpp b/src/helpers/nrf52/SerialBLEInterface.cpp index fc7d1302..61b570eb 100644 --- a/src/helpers/nrf52/SerialBLEInterface.cpp +++ b/src/helpers/nrf52/SerialBLEInterface.cpp @@ -10,6 +10,7 @@ void SerialBLEInterface::begin(const char* device_name, uint32_t pin_code) { Bluefruit.setTxPower(4); // Check bluefruit.h for supported values Bluefruit.setName(device_name); + Bluefruit.Security.setMITM(true); Bluefruit.Security.setPIN(charpin); // To be consistent OTA DFU should be added first if it exists @@ -52,6 +53,7 @@ void SerialBLEInterface::enable() { clearBuffers(); // Configure and start the BLE Uart service + bleuart.setPermission(SECMODE_ENC_WITH_MITM, SECMODE_ENC_WITH_MITM); bleuart.begin(); // Start advertising