The Bluetooth Core Specification 4.2 was released December 2nd and it brings with itself several new features for Bluetooth Low Energy. Perhaps the most interesting one (and also the biggest) of these has been merged to the Bluetooth subsystem and submitted for inclusion in the 3.19 kernel release. The feature is called Low Energy Secure Connections (LE SC).
Bluetooth LE pairing has had known security vulnerabilities ever since its introduction to the Bluetooth specification. LE SC upgrades the Security Manager Protocol (SMP, used for LE pairing) to take advantage of the same Elliptic curve Diffie–Hellman (ECDH) key agreement protocol that classic BR/EDR Bluetooth uses. This essentially brings LE pairing to the same level of security as BR/EDR pairing.
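To make the ECDH step concrete, here is an added example (not BlueZ or kernel code) of a P-256 key agreement of the kind LE SC and BR/EDR Secure Connections pairing perform: each device generates a key pair, exchanges only public keys, and computes the same shared secret. The function names (`keypair`, `shared_secret`, `pairing_demo`) are this example's own; the final SHA-256 step stands in for the specification's own key-derivation functions and is not how SMP derives the LTK. The affine arithmetic has no side-channel protection and is for understanding only. The `on_curve` check on a received public key is the one defensive step worth noting: a peer key that is not a valid point on the curve must be rejected before it is used.

```python
"""Toy P-256 ECDH key agreement in the style of Bluetooth Secure Connections.

Added illustration only; not BlueZ code and not a spec-conformant SMP
implementation. Affine arithmetic, no constant-time guarantees.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (the curve Secure Connections pairing uses).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    """True for the point at infinity (None) or any (x, y) with y^2 = x^3 + Ax + B mod P."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law in affine coordinates; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2, so the sum is the identity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keypair(private=None):
    """Return (private scalar, public point). A fixed scalar may be given for tests."""
    priv = private if private is not None else secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def shared_secret(priv, peer_pub):
    """DHKey: the x-coordinate of priv * peer_pub.

    The peer's public key is validated first; P-256 has cofactor 1, so any
    on-curve point other than the identity is in the prime-order group.
    """
    if peer_pub is None or not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid point on P-256")
    x, _ = scalar_mult(priv, peer_pub)
    return x


def derive_key(dhkey):
    """Stand-in key derivation (assumption for this example, NOT the spec's
    AES-CMAC based functions): hash the shared x-coordinate."""
    return hashlib.sha256(dhkey.to_bytes(32, "big")).digest()


def pairing_demo():
    """Run both sides of the exchange; only public points cross the link."""
    initiator_priv, initiator_pub = keypair()
    responder_priv, responder_pub = keypair()
    # Each side combines its own private scalar with the peer's public point.
    initiator_key = derive_key(shared_secret(initiator_priv, responder_pub))
    responder_key = derive_key(shared_secret(responder_priv, initiator_pub))
    return initiator_key, responder_key, initiator_key == responder_key


if __name__ == "__main__":
    a, b, ok = pairing_demo()
    print("keys match:", ok, a.hex()[:16], b.hex()[:16])
```

Running the script prints that both sides derived the same key; an eavesdropper holding only the two public points gets neither private scalar and so cannot reproduce the shared x-coordinate. The `ValueError` path is the check a real stack performs on the received public key before using it.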
Another improvement that LE SC brings is what’s called cross-transport key derivation. What this means is that when two dual-mode (supporting LE + BR/EDR) devices pair with each other, they only need to pair over either LE or BR/EDR to get the encryption keys for both transports in one go. When pairing over LE, as a last step of the SMP pairing procedure the BR/EDR Link Key (LK) gets derived from the LE Long Term Key (LTK) by both devices. For BR/EDR on the other hand, a subset of SMP can now be run over a fixed L2CAP channel resulting in deriving an LTK from the LK at the end of the BR/EDR pairing procedure.
Hardware & Software Requirements
BlueZ 5.26 is the first user space version that supports LE SC and will automatically take advantage of it for kernels also indicating support for it (i.e. >= 3.19 in practice). Most LE SC features are available for any Bluetooth adapter capable of LE (i.e. supporting Bluetooth 4.0 or later), however cross-transport key derivation in the BR/EDR -> LE direction requires that the BR/EDR link is encrypted with AES (compared to E0 for Bluetooth 4.0 and before), i.e. supports BR/EDR Secure Connections. Since BR/EDR SC was introduced with Bluetooth 4.1 this means that full LE SC is only available when the local and remote Bluetooth HW support at least Bluetooth 4.1.
This release is for the most part a bug-fix release with fixes in A2DP and OBEX related functionality, but there are also added features: get/set report support for HID over GATT as well as Phonebook Access Profile 1.2 support.
On the Android side the 5.0 (Lollipop) support is now starting to be fairly mature with full PTS test runs either with PTS 5.3 or 6.0.
The Bluetooth 4.2 specification went public in early December and BlueZ 5.26 is the first release with support for its features. Perhaps the most notable one of these is Low Energy Secure Connections which will require a 3.19 or newer kernel. This feature brings LE pairing to the same level of security as it has been for BR/EDR. LE SC also brings along with it so-called cross-transport pairing, which means that you only need to pair once over LE or BR/EDR to get the necessary keys for both transports between two dual-mode devices.
This release contains various improvements to MAP and PBAP support. There are also various GATT related fixes. We’ve also got a fix for a race condition which could occasionally cause LE connection/pairing failures. The fix will work for kernels from 3.13 onward (for older kernels a proper fix isn’t really feasible).
The Android Lollipop (5.0) source code was released roughly a week ago, and we’re happy to announce that this is the first BlueZ version with initial support for it. We’ll be doing various improvements and fixes along with subsequent BlueZ releases but starting with 5.25 basic things are already working.
It’s also notable that PTS 5.3 is now fully supported with this release. All tests are either passing or errata have been filed for them (all of which is documented in android/pts-*.txt).
This release fixes a bug with frame length calculation for dual-channel mode operation. It also includes a fix for preventing an overflow of an internal frame length variable.
This release consists for the most part of cleanups and minor fixes, however there are some new additions too in the form of Phonebook Access Profile 1.2 and Message Access Profile 1.2 features. On the Android side we’ve got improved automated test coverage as well as several new Android system properties for Bluetooth customization.
The BlueZ 5.23 release also provides updated documentation for Bluetooth qualification using the PTS 5.2 test system. Documentation about PICS, PIXIT and test case instructions is provided. The current set contains 944 test cases for BlueZ for Android.
This is mostly a bug-fix release with fixes for concurrent authorization attempts (for untrusted devices), HID, uHID, OBEX, MAP and AVRCP. We now also have better support for AVCTP/AVRCP decoding with btmon.
On the Android side a notable enhancement is the ability to take advantage of kernel whitelist support to enable LE passive scanning (something that’s available from Linux Kernel release 3.17 onward).
The BlueZ 5.x stack used in Tizen has achieved Bluetooth 4.1 + Low Energy qualification.
The listing is made by Samsung. It covers SDP, L2CAP, GAP, RFCOMM, SPP, AVCTP 1.4, AVDTP 1.3, MCAP, GAP, ATT and SM protocols and profiles.