Make your Bluetooth Low Energy IoT device more secure with Visible Light Communication

Alexis Duque
Aug 28, 2017

About IoT security

Since the Internet of Things is still in the emerging phase, ensuring security and privacy is an important issue that must be addressed and resolved now.

The number of IoT and connected objects is growing exponentially, so exploits against them will have more and more repercussions, which makes them very attractive to hackers. Recent news and the growing IoT track at security conferences such as Black Hat and DEF CON illustrate this phenomenon perfectly.

About Bluetooth

With regard to Bluetooth, the SIG greatly enhanced BLE security by releasing the Bluetooth Core Specification 4.2 at the end of 2014. This update introduces the LE Secure Connections pairing model, with the Numeric Comparison method and the Elliptic Curve Diffie-Hellman (ECDH) algorithm for the key exchange.
LE Secure Connections fixes the BLE 4.0–4.1 exploits unveiled in 2012 by Mike Ryan at TOORCON (video, crackle project).

Like LE Legacy pairing, LE Secure Connections defines several modes and levels of security (see section 5.2.4, Association Models, of the Bluetooth Core Specification 4.2). Nonetheless, the available modes depend on the “IO Capabilities” (keyboard, display, button) of the pairing devices.

Mapping I/O capabilities to Key Generation Method

The highest level of security, Numeric Comparison, requires that both BLE devices have a keyboard and a display to confirm and compare a number displayed on both the peripheral and the smartphone. An alternative and more convenient approach is to use NFC.
When a smartphone is placed close to the BLE (and NFC) peripheral, NFC automatically initiates the BLE pairing and key exchange mechanisms to establish an authenticated and encrypted communication channel.

However, a tightly limited bill of materials (BOM) cost or PCB size prevents placing a screen, an interactive input, or an NFC antenna on such devices.
As a consequence, they provide a weak level of security while attacks targeting such smart objects are on the rise.

To overcome this issue, we propose a solution based on Visible Light Communication (VLC) to assist the pairing and the secure connection setup between a BLE 4.2 peripheral and a smartphone.
This solution targets low-cost and size-constrained IoT devices that need to set up a Secure Connection with Numeric Comparison, providing a high level of security even on BLE devices that have neither input, display, nor NFC.

Few words about Kiwink and VLC

Kiwink is a short range bidirectional Visible Light Communication system

Rtone has recently developed Kiwink®, a short range bidirectional Visible Light Communication system between an unmodified smartphone and a basic and cheap LED.
Kiwink® uses the camera and the flashlight of an Android or iOS smartphone and does not need hardware modification in the IoT peripheral since it works with any micro-controller.

The communication range of this technology is tens of centimeters, while the throughput is about 1 kbps from the peripheral LED to the smartphone and 50 bps from the smartphone to the peripheral LED.

Kiwink® is a trademark and its technology is patented.

Improving BLE security with Kiwink and VLC

To solve the problem described above, we propose to take advantage of this VLC-based technology and of ubiquitous LEDs to provide a safe side channel that acknowledges or displays a confirmation code and establishes a BLE Secure Connection. We can also envisage transmitting a larger key if another Secure Connection mechanism is used.

This out-of-band key exchange is thus safer than NFC against passive eavesdroppers, since the light signal is highly directional and easy to obfuscate.

In practice, the connection establishment should work as follows:

  1. The smartphone starts sending a BLE Secure Connection request to the peripheral
  2. The smartphone and the peripheral proceed to the Secure Connection establishment with Numeric Comparison according to the BLE 4.2 standard
  3. While the smartphone confirmation number appears on the smartphone screen, the peripheral LED lights up and transmits its number.
  4. By placing its smartphone above its screen, the application decodes the signal and displays the peripheral number on the smartphone screen.
  5. The user confirms that both codes are equal.
  6. The smartphone sends the acknowledgment to the peripheral using the flashlight.
  7. The peripheral decodes the acknowledgment signal and the secure connection establishment can proceed according to the BLE 4.2 standard.
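
The sketch below is an added example, not Kiwink code and not from the original post: it models steps 3 to 7 with an assumed framing (sync preamble, 20-bit value, CRC-8, Manchester coding) and an assumed acknowledgment that echoes the value, so the peripheral fails closed on a corrupted or stale ack. Only the 1 kbps and 50 bps figures come from the article; every function name is hypothetical.

```python
# Added example: the framing is an assumption, not Kiwink's patented modulation.
DOWN_BPS, UP_BPS = 1000, 50           # throughput figures quoted in the article
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # constructed sync pattern
SYMBOL = {(1, 0): 1, (0, 1): 0}       # Manchester: each bit is an on/off pair

def crc8(bits, poly=0x07):
    """Bitwise CRC-8 (x^8 + x^2 + x + 1) over a list of bits."""
    reg = 0
    for b in bits:
        top = ((reg >> 7) & 1) ^ b
        reg = (reg << 1) & 0xFF
        if top:
            reg ^= poly
    return [(reg >> i) & 1 for i in range(7, -1, -1)]

def encode(value):
    """Six-digit comparison value -> list of LED on/off chips."""
    if not 0 <= value <= 999_999:
        raise ValueError("numeric comparison value has six decimal digits")
    payload = [(value >> i) & 1 for i in range(19, -1, -1)]  # 20 bits suffice
    chips = list(PREAMBLE)
    for b in payload + crc8(payload):
        chips += [1, 0] if b else [0, 1]
    return chips

def decode(chips):
    """Return the value, or None when sync, coding or CRC is invalid."""
    n = len(PREAMBLE)
    if len(chips) != n + 2 * 28 or chips[:n] != PREAMBLE:
        return None
    bits = [SYMBOL.get(tuple(chips[i:i + 2])) for i in range(n, len(chips), 2)]
    if None in bits or crc8(bits[:20]) != bits[20:]:
        return None
    value = int("".join(map(str, bits[:20])), 2)
    return value if value <= 999_999 else None

def airtime(chips, bps):
    """Seconds on air, assuming one chip per channel bit."""
    return len(chips) / bps

def peripheral_accepts(own_value, ack_chips):
    """Step 7, fail closed: proceed only if the ack echoes our own value."""
    return decode(ack_chips) == own_value
```

Under these assumptions a frame is 64 chips, so the LED-to-camera leg takes about 64 ms while the flashlight acknowledgment takes about 1.3 s, which is the leg the user will actually notice.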


We have shown that Kiwink and VLC make it possible to set up a Secure Connection with Numeric Comparison or Out-of-Band authentication on low-cost and size-constrained IoT devices that have neither input, display, nor NFC.

Besides, many other application fields and use cases of VLC exist, such as access control, device-to-device communication, or accurate indoor localization using ceiling LEDs (the Kiwink website gives further information about VLC).

Finally, feel free to give your feedback. We are waiting for your comments and suggestions!

You can also read this post and join the conversation on the Nordic Developer Zone.

Rtone IoT Security

Blog about IoT security by Rtone IoT Makers

Written by Alexis Duque

R&D and Security Leader @Rtone_IoT. Ph.D. 🔑🚴‍ Working in the field of #VLC #IoT #Security #Smartcity #Research. Hacking on Opensource.
