23 07 2018

Bluetooth Security Update

Bluetooth Special Interest Group (SIG) recently issued a statement about the security vulnerability identified by the researchers at the Israel Institute of Technology which relates to two Bluetooth features - Secure Simple Pairing and LE Secure Connections. Silvair Lighting Firmware, which strictly follows Bluetooth mesh specification, is not affected by this vulnerability.

Bluetooth mesh does not use the Secure Simple Pairing nor the LE Secure Connections features. Instead, provisioning is used to add devices to a mesh network. The provisioning authentication includes both X and Y components of public keys for the FIPS P-256. Additionally, the Silvair Lighting Firmware implementation (the qualified Mesh Profile Subsystem (QDID: 98880) and the qualified Mesh Model Subsystem (QDID: 99282) checks if the public key is valid and satisfies the FIPS p-256 equation in the curve’s finite field.

In order to remedy the vulnerability in Secure Simple Pairing and LE Secure Connections features, Bluetooth SIG has already updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures.

Silvair offers an interoperable wireless lighting control solution based on the qualified Bluetooth mesh. Learn more about Bluetooth mesh and its unique features from our brochure. You can download it here.