How to get IRK on peripheral if central uses BR/EDR pairing - bluetooth

I am programming a device which uses BR/EDR and BLE. BR/EDR is mostly used for audio data while BLE should work as control channel. Access to the used BLE characteristic returns a gatt_status_insufficient_authentication if and only if the central (smart phone) is not bonded. At least, that is what I want.
Moreover, if BLE bonding is triggered, I also get a BR/EDR bonding by Cross Transport Key Derivation (CTKD). Ok.
IF I do BR/EDR pairing from the phones pairing menu, this CTKD does not work. How could this work?
Or is there a way to enforce BLE pairing instead BR/EDR pairing?
Regards

Related

is Bluetooth BR/EDR same as bluetooth Classic

Many BLE devices have BR/EDR Controller Mode - LE + BR/EDR Host Mode in their Flags. Does this mean that this Device is also a classic Bluetooth device?
BR/EDR is the technical term for what you call bluetooth classic.
With "in their Flags" you probably mean in the advertisement? This would mean that the device at least reports, that it also implements bluetooth classic, yes.

Bluetooth Dual LE and Classic Mode Flags

In the Advertising section of a BLE, The Bluetooth SIG Define the "Flags"
which has these plus a few more.
BR/EDR Not Supported
Simultaneous LE and BR/EDR to Same Device Capable (Controller)
Simultaneous LE and BR/EDR to Same Device Capable (Host)
I am having an issue on a CSR chipset design that does not support GATT over BR/EDR.
Apple works great, as it always connects to LE.
..but android devices persistently try to connect GATT over BR/EDR if the audio is already up; therefore fail because CSR cant handle BR/EDR transport for GATT.
I am thinking these flags are at the core of the problem.
In CSR's demo code they do not set "any" of the above flags. I have had limited success with my problem on some handsets by setting the "Not Supported" flag.
The issue is the other two flags. How does Controller/ Host relate to other LE terms. For example Central/Peripheral or later Master/Slave.
I dont know what flags to set for my use case. Any suggestions welcome?
You can use a Static Random address for all LE operations. That way the Android device thinks it's a different device than when talking over Bluetooth Classic since that uses the public BD_ADDR.
Or, one variant of the connectGatt takes a transport parameter which you can set to TRANSPORT_LE to force communication over BLE.
If your device supports BLE and BR/EDR at the same time you should set these flags:
BR/EDR Not Supported=0
Simultaneous LE and BR/EDR to Same Device Capable (Controller)=1
Simultaneous LE and BR/EDR to Same Device Capable (Host)=1
If the flag data is missing completely, it's the same as if all fields are zero.

Pairing differences between Bluetooth and Bluetooth LE?

Is there any (big) technial difference between pairing 'normal' Bluetooth devices and pairing Bluetooth LE devices?
I found a lot of information for Bluetooth LE pairing, but not for normal? For example
Info 1.
So is this information for normal Bluetooth correct too?
If you mean Bluetooth Classic or BR/EDR by 'normal',the difference depends on the version of Bluetooth in use.
Bluetooth Classic or BR/EDR 2.1 - 4.1 Vs BLE 4.0-4.1
BR/EDR pairing procedures are handled by the LMP layer of the Bluetooth Controller.
BLE Pairing procedures are handled by SMP in the host stack.
BR/EDR uses ECDH Key generation which prevents passive eavesdropping.
BLE legacy pairing does not use ECDH Key generation and so it is susceptible to passive eavesdropping
BR/EDR defines 4 association models; OOB, Passkey entry, Just works, Numeric Comparison
BLE Legacy Pairing defines 3 association models ; OOB, Passkey entry, Just works.
Although they appear similar from the user perspective, they do not provide the same level of security. See #2
BR/EDR generates the Link Key on both devices.
BLE legacy pairing, generates the STK. The Link Key i.e. LTK in use is distributed by the slave
BR/EDR v4.2 Secure Connection vs BLE v4.2 Secure Connection
BLE 4.2 secure connections added ECDH key generation and the Numeric Comparison association model. It also did away with the STK. The LTK is now generated on both slave and master.
Secure connection association models on the BLE link, are equivalent to BR/EDR secure connection association models, in terms of protection against MITM attacks and Passive eavesdropping.
When two BR/EDR/LE devices support Secure Connections over both transports, keys for both transports may be generated during a single pairing procedure. The ability to convert keys from one transport to the other eliminates the need to pair twice.
There are still some differences.
BR/EDR pairing procedures are handled by the LMP layer of the Bluetooth Controller.
BLE Pairing procedures are handled by SMP in the host stack.
BR/EDR cryptographic functions use HMAC-SHA-256.
BLE cyrptographic functions use AES-CMAC.
More information can be found in the Bluetooth core specification here

MAC spoofing on a Bluetooth LE Device (Bluetooth Low Energy security)

I am concerned with the MAC spoofing on a Bluetooth LE Device.
Is it possible during only the bonding or would be possible in any step of the connection (pairing, bonding, scan, data exchange, etc...)
Yes, it is achievable.
Mike Ryan from iSEC Partners used specific hardware to achieve injection, in his article Bluetooth: with low energy comes low security
From Ubertooth we send undirected advertising messages broadcasting
the existence of a device with a user-specified MAC address.
And here is the presentation at Usenix WOOT'13 conference.

Bluetooth as beacon and classic simultaneously

Can a Bluetooth device act as a beacon and simultaneously be used for other functions?
I've tried looking around, without finding a concrete answer to this question.
A beacon is a Bluetooth Low Energy device that is advertising. The BLE radio is separate from the classic radio, and since the Bluetooth specification does not restrict the operation of classic Bluetooth along side Low Energy functionality then there is no issue performing classic Bluetooth operation while the device is acting as a Beacon.

Resources