"Authenticating Devices with no User Interface" is not secure at all

[Emill]

At https://github.com/SiliconLabs/bluetooth_stack_features/tree/master/security/authenticating_devices_with_no_user_interface you teach that a good method is to assign a fixed passkey that is used when pairing over BLE when the device has no user interfaces.

The BLE spec however says a fixed key should not be used since it compromises the security.

This is indeed very true. The LESC protocol is only secure if used with a new randomized passkey for every pairing attempt, since at every failed attempt, at least one extra bit of the passkey is revealed. This means the passkey can be cracked in on average 10 attempts, max 20 attempts, since 6 digits are 20 bits.

If someone really wants some fixed passkey-based security mechanism that actually is secure, they must use a PAKE on top of the application layer, since BLE does not offer any fixed passkey-based association model.

See this article for more information on more details exactly why the LESC Passkey Entry protocol is insecure with a fixed passkey: https://insinuator.net/2021/10/change-your-ble-passkey-like-you-change-your-underwear/.

I therefore recommend you to remove this example. Apart from being insecure, it also results in a false sense of security for people who don't understand why this is insecure.

Also consider deprecating sl_bt_sm_set_passkey or at least write in the documentation that this method should not be used in production, if the Bluetooth specification is to be followed, since using a fixed passkey totally breaks the security. Also consider rewriting all other sample projects using that API method, where relevant.