The Bluetooth 4.2 specification was adopted by the Bluetooth SIG in December 2014, and now, three months later, Apple is introducing support for LE Secure Connections with its iOS 8.2 software update.
Support for LE Secure Connections adds Elliptic Curve Diffie-Hellman (ECDH) key agreement for creating Long Term Keys. These keys are derived from an ECDH exchange on the P-256 curve and provide strong security that is now similar to the BR/EDR Secure Connections introduced with the Bluetooth 4.1 specification.
Using Linux kernel 3.19 also enables the LE Secure Connections feature, so BlueZ and iOS devices can now utilize the strong security from the Bluetooth 4.2 specification. LE Secure Connections is a host-stack-only feature and can be used with Bluetooth 4.0 controllers, so every Bluetooth Low Energy capable system has the possibility of gaining LE Secure Connections support.
The BlueZ for Android project also enables Bluetooth 4.1 and 4.2 features for Android KitKat and Lollipop versions. This includes support for BR/EDR and LE Secure Connections.
Here’s the first BlueZ release in 2015. Most of the changes since the last one are bug fixes, but there are actually quite a few of them this time, including:
- Fixes to GATT service discovery & probing
- Fix for bearer selection with dual-mode devices
- Fix potential crash when removing devices
- Fix issue with incomplete names in EIR data
- Fix parsing GATT name characteristics
- Fix AVCTP long press & key repetition handling
- Fixes for GATT notification handling
Besides bug fixes, we’ve now also got more extensive unit tests for the new GATT code as well as better HCI decoders in btmon for some less-used 4.1 and 4.2 features. The hid2hci tool gained support for CSR 8510 A10 devices, and the hex2hcd tool (for Broadcom firmware) received a complete rewrite with better command handling.
Here comes the traditional x-mas release! BlueZ 5.27 consists mostly of bug fixes to areas such as GATT and mgmt (the interface through which bluetoothd talks to the kernel). The emulation framework has also received many new features, paving the way for more extensive test automation. On the Android side we’ve continued perfecting 5.0 (Lollipop) support, a notable addition being support for the needed SELinux policies.
The Bluetooth Core Specification 4.2 was released on December 2nd and brings with it several new features for Bluetooth Low Energy. Perhaps the most interesting one (and also the biggest) of these has been merged to the Bluetooth subsystem and submitted for inclusion in the 3.19 kernel release. The feature is called Low Energy Secure Connections (LE SC).
Bluetooth LE pairing has had known security vulnerabilities ever since its introduction to the Bluetooth specification. LE SC upgrades the Security Manager Protocol (SMP, used for LE pairing) to take advantage of the same Elliptic curve Diffie–Hellman (ECDH) key agreement protocol that classic BR/EDR Bluetooth uses. This essentially brings LE pairing to the same level of security as BR/EDR pairing.
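Whether a given pairing actually uses LE SC is decided in the SMP feature exchange: both peers must set the SC bit in the AuthReq field of the Pairing Request and Pairing Response, otherwise the pairing falls back to legacy SMP. The following Go program is an added example (not BlueZ or kernel code, not from the original post) that decodes the 7-octet Pairing Request/Response payloads and reports what was negotiated; the PDU bytes are constructed, and the field layout and bit positions follow Core Spec 4.2 Vol 3 Part H.

```go
package main

import "fmt"

// Pairing Request (0x01) / Pairing Response (0x02) payload, Core Spec 4.2 Vol 3 Part H:
// code | IO cap (0-4) | OOB flag | AuthReq | max key size (7-16) | init key dist | resp key dist
const (
	authReqMITM    = 0x04 // AuthReq bit 2: MITM protection requested
	authReqSC      = 0x08 // AuthReq bit 3: LE Secure Connections supported (new in 4.2)
	keyDistLinkKey = 0x08 // key distribution bit 3: derive BR/EDR Link Key from LTK (new in 4.2)
)

type pairingFeatures struct {
	Code, IOCap, OOB, AuthReq, MaxKeySize, InitKeyDist, RespKeyDist byte
}

func parsePairingPDU(pdu []byte) (pairingFeatures, error) {
	if len(pdu) != 7 || (pdu[0] != 0x01 && pdu[0] != 0x02) || pdu[1] > 0x04 || pdu[4] < 7 || pdu[4] > 16 {
		return pairingFeatures{}, fmt.Errorf("malformed SMP pairing request/response: % x", pdu)
	}
	return pairingFeatures{pdu[0], pdu[1], pdu[2], pdu[3], pdu[4], pdu[5], pdu[6]}, nil
}

type negotiated struct {
	SecureConnections bool // both peers set SC: ECDH P-256 pairing instead of legacy SMP
	MITM              bool // at least one peer asked for MITM protection
	KeySize           byte // minimum of the two maximum encryption key sizes
	LinkKeyDerivation bool // LE SC and LinkKey agreed by both: BR/EDR LK derived from LTK
}

func negotiate(req, rsp pairingFeatures) negotiated {
	n := negotiated{
		SecureConnections: req.AuthReq&rsp.AuthReq&authReqSC != 0,
		MITM:              (req.AuthReq|rsp.AuthReq)&authReqMITM != 0,
		KeySize:           req.MaxKeySize,
	}
	if rsp.MaxKeySize < n.KeySize {
		n.KeySize = rsp.MaxKeySize
	}
	agreed := req.InitKeyDist & rsp.InitKeyDist & req.RespKeyDist & rsp.RespKeyDist
	n.LinkKeyDerivation = n.SecureConnections && agreed&keyDistLinkKey != 0
	return n
}

func main() {
	// Constructed sample: a 4.2 initiator (bonding|MITM|SC) meets a 4.0 responder without SC.
	req, _ := parsePairingPDU([]byte{0x01, 0x04, 0x00, 0x0d, 0x10, 0x0f, 0x0f})
	rsp, _ := parsePairingPDU([]byte{0x02, 0x03, 0x00, 0x01, 0x10, 0x03, 0x03})
	fmt.Printf("%+v\n", negotiate(req, rsp)) // SecureConnections:false -> legacy pairing
}
```

A host that requires LE SC (rather than merely supporting it) must reject the exchange in the first case instead of continuing with legacy pairing.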
Another improvement that LE SC brings is what’s called cross-transport key derivation. What this means is that when two dual-mode (supporting LE + BR/EDR) devices pair with each other, they only need to pair over either LE or BR/EDR to get the encryption keys for both transports in one go. When pairing over LE, as a last step of the SMP pairing procedure the BR/EDR Link Key (LK) gets derived from the LE Long Term Key (LTK) by both devices. For BR/EDR on the other hand, a subset of SMP can now be run over a fixed L2CAP channel resulting in deriving an LTK from the LK at the end of the BR/EDR pairing procedure.
Hardware & Software Requirements
BlueZ 5.26 is the first user space version that supports LE SC and will automatically take advantage of it for kernels also indicating support for it (i.e. >= 3.19 in practice). Most LE SC features are available for any Bluetooth adapter capable of LE (i.e. supporting Bluetooth 4.0 or later), however cross-transport key derivation in the BR/EDR -> LE direction requires that the BR/EDR link is encrypted with AES (compared to E0 for Bluetooth 4.0 and before), i.e. supports BR/EDR Secure Connections. Since BR/EDR SC was introduced with Bluetooth 4.1 this means that full LE SC is only available when the local and remote Bluetooth HW support at least Bluetooth 4.1.
This release is for the most part a bug-fix release with fixes in A2DP and OBEX related functionality, but there are also new features: get/set reports for HID over GATT as well as Phonebook Access Profile 1.2 support.
On the Android side the 5.0 (Lollipop) support is now starting to be fairly mature with full PTS test runs either with PTS 5.3 or 6.0.
The Bluetooth 4.2 specification went public in early December and BlueZ 5.26 is the first release with support for its features. Perhaps the most notable one of these is Low Energy Secure Connections which will require a 3.19 or newer kernel. This feature brings LE pairing to the same level of security as it has been for BR/EDR. LE SC also brings along with it so-called cross-transport pairing, which means that you only need to pair once over LE or BR/EDR to get the necessary keys for both transports between two dual-mode devices.
This release contains various improvements to MAP and PBAP support. There are also various GATT related fixes. We’ve also got a fix for a race condition which could occasionally cause LE connection/pairing failures. The fix will work for kernels from 3.13 onward (for older kernels a proper fix isn’t really feasible).
The Android Lollipop (5.0) source code was released roughly a week ago, and we’re happy to announce that this is the first BlueZ version with initial support for it. We’ll be doing various improvements and fixes along with subsequent BlueZ releases but starting with 5.25 basic things are already working.
It’s also notable that PTS 5.3 is now fully supported with this release. All tests are either passing or errata have been filed for them (all of which is documented in android/pts-*.txt).
This release fixes a bug with frame length calculation for dual-channel mode operation. It also includes a fix for preventing an overflow of an internal frame length variable.
This release consists for the most part of cleanups and minor fixes, however there are some new additions too in the form of Phonebook Access Profile 1.2 and Message Access Profile 1.2 features. On the Android side we’ve got improved automated test coverage as well as several new Android system properties for Bluetooth customization.