How is security handled in our mesh network?
from: Bluetooth Mesh Networking FAQs | Bluetooth® Technology Website
Bluetooth mesh networking is a true industrial-grade solution, including its approach to security.
Devices are added to a network through a provisioning procedure built on proven algorithms: an elliptic-curve Diffie-Hellman exchange on the 256-bit FIPS P-256 curve gives the provisioner and the new device a shared secret, and out-of-band authentication (a static value, or a value one side displays and the other enters) confirms that no attacker sits between them. The specification also permits provisioning with no out-of-band value at all; that mode gives no protection against an active attacker during provisioning and should be avoided wherever the device can support anything better.
All communication is required to be secured using AES-CCM with 128-bit keys; every mesh message is both encrypted and authenticated.
Encryption and authentication are applied at two layers, the network layer and the application layer. All nodes in the network help relay messages at the network layer, using the network key, without being able to read their contents. Those contents are secured with a separate application key that relays do not hold, providing true end-to-end security.
Each message carries a minimum of 64 bits of authentication: a 32-bit network-layer MIC plus a 32-bit transport-layer MIC over the application payload. The network MIC is applied to every segment and the transport MIC can be extended to 64 bits, so the longest segmented message (32 segments) carries 32 × 32 + 64 = 1088 bits of authentication.
Models are organized in the specification around users with different security credentials: configuration models are protected with the device key, which only the provisioner holds, while application models are protected with application keys that can be handed to ordinary users. This gives maintenance personnel full control over network configuration while letting employees operate the devices without being able to reconfigure the network.
Replay attacks are prevented by mandating a fresh sequence number on every message a node sends. The 24-bit sequence number is combined with the 32-bit IV Index, so the pair never repeats for a given source, and every receiving node keeps a replay protection list of the newest value seen from each source address, discarding anything that is not newer.
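The sender and receiver sides of the replay protection just described, as an added example in Python (not code from the Bluetooth SIG or from this FAQ). The 24-bit sequence number, the (IV Index, SEQ) ordering and the per-source replay protection list follow the mechanism the answer describes; the IV Update procedure is reduced to "new IV Index, SEQ restarts", and the traffic, addresses and IV Index values are constructed here for illustration.

```python
# Added example, not Bluetooth SIG code: replay protection as described in the FAQ.
# Sender side: one never-reused (IV Index, SEQ) pair per message.
# Receiver side: a per-source replay protection list that only accepts strictly newer pairs.
SEQ_MAX = 0xFFFFFF  # SEQ is a 24-bit field; the 32-bit IV Index extends it


class Sender:
    def __init__(self, iv_index, seq=0):
        self.iv_index, self.seq = iv_index, seq

    def next_seq(self):
        """(IV Index, SEQ) for the next message. Refuses to wrap: reusing a pair under the
        same key would reuse the AES-CCM nonce, so an IV Update must happen first."""
        if self.seq > SEQ_MAX:
            raise RuntimeError("SEQ exhausted; an IV Update is required before sending")
        pair, self.seq = (self.iv_index, self.seq), self.seq + 1
        return pair

    def iv_update(self):
        """IV Update, simplified to the part that matters here: new IV Index, SEQ restarts."""
        self.iv_index, self.seq = self.iv_index + 1, 0


class ReplayProtectionList:
    """Newest (IV Index, SEQ) accepted per source address. A real node must keep this in
    non-volatile storage; a plain dict is an assumption made for the example."""
    def __init__(self):
        self.newest = {}

    def accept(self, src, iv_index, seq):
        if (iv_index, seq) <= self.newest.get(src, (-1, -1)):
            return False  # replay, duplicate, or older than something already accepted
        self.newest[src] = (iv_index, seq)
        return True


def simulate():
    """Constructed traffic: a sensor (address 0x0005) sends three messages, an attacker
    captures and replays them, and the network later performs an IV Update.
    Returns the receiver's accept/reject verdicts in order."""
    rpl, sensor, src = ReplayProtectionList(), Sender(iv_index=0x00000001), 0x0005
    msgs = [sensor.next_seq() for _ in range(3)]           # (1,0) (1,1) (1,2)
    verdicts = [rpl.accept(src, *m) for m in msgs]         # fresh messages: all accepted
    verdicts.append(rpl.accept(src, *msgs[2]))             # same PDU arriving via a second relay path
    verdicts.append(rpl.accept(src, *msgs[0]))             # attacker replays the first message
    sensor.iv_update()
    verdicts.append(rpl.accept(src, *sensor.next_seq()))   # (2,0): newer IV Index beats older SEQ
    verdicts.append(rpl.accept(src, *msgs[2]))             # pre-update message replayed after update
    return verdicts  # [True, True, True, False, False, True, False]


def exhaust(seq_left=2):
    """Show the sender refusing to wrap SEQ; returns how many messages it sent first."""
    s, sent = Sender(iv_index=5, seq=SEQ_MAX - seq_left + 1), 0
    try:
        while True:
            s.next_seq()
            sent += 1
    except RuntimeError:
        return sent
```

Two practitioner caveats follow from the code. The replay protection list has to survive a power cycle; if it lives only in RAM, an attacker waits for a reboot and replays everything captured since the last persisted entry. And an exhausted sequence number is not something to wrap around: an (IV Index, SEQ) pair reused under the same key reuses the AES-CCM nonce, which breaks both confidentiality and authentication of the two messages involved.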
Devices can be blacklisted, that is removed from the network, using the defined key refresh procedure: the provisioner distributes new network and application keys to every node except the ones being excluded, then switches the network over to the new keys, so the excluded devices' old keys stop working. During provisioning each device derives a unique device key, shared only with the provisioner, which protects the configuration messages sent to that one device.
Messages protect identity by obfuscating the network header of every packet with a privacy key derived from the network key; that key changes whenever the network key is refreshed. This means that even if you carry mesh devices with you while walking around, people sniffing mesh packets cannot track you.
Do I lose privacy when using a Bluetooth mesh network?
No. Every mesh packet is obfuscated to protect the user's identity. An attacker listening to mesh packets cannot determine which device sent a message: the source address and sequence number in the header are obfuscated, and the destination address is encrypted. Each time a message is relayed its TTL changes, which changes the encrypted payload and with it the obfuscated header, so message flow cannot be followed from hop to hop either. Note that obfuscation is a defence against outsiders: any node that holds the network key can recover the header, so privacy from other members of the same network is not a goal.
What happens if my neighbors also have a Bluetooth mesh network?
Each mesh packet carries a 7-bit network identifier (NID), derived from the network key, that tells a receiver which of its networks the packet may belong to. A device in one mesh network can't decrypt or authenticate mesh packets from another network, and it will never relay them; the isolation comes from the keys, not from the identifier. Because the NID is only 7 bits, two unrelated networks may occasionally share a value; a node then simply fails to authenticate the foreign packet and discards it, as it would any packet whose network MIC does not verify.
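The mechanisms described in the answers above, as one added example in Python (not Bluetooth SIG code, and not the specification's sample data): a small AES-128 and RFC 3610 CCM implementation, with the two mesh layers built on it. An application key with a 32-bit TransMIC protects the access payload end to end; a network encryption key with a 32-bit NetMIC protects the destination address and transport PDU hop by hop; a privacy key obfuscates the CTL/TTL, SEQ and SRC header fields; a relay decrements TTL and re-protects, which changes the ciphertext and the obfuscated header; and a node holding a different network key, as a neighbour's network would, fails the NetMIC and drops the packet. Keys, addresses, AID, NID and the payload are made-up values, the keys are taken as given rather than derived from the NetKey (the k2 derivation is omitted), and only unsegmented access messages with CTL=0 are handled.

```python
# Added example (not Bluetooth SIG code): AES-128 + CCM (RFC 3610), then the two mesh layers on top.
import hmac

def _xtime(b):  # multiply by x in GF(2^8)
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _make_sbox():  # affine map of the field inverse; p walks 3^k and q walks 3^-k, so q = 1/p
    s, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80: q ^= 0x09
        x = q ^ 0x63
        for r in (1, 2, 3, 4):
            x ^= ((q << r) | (q >> (8 - r))) & 0xFF
        s[p] = x
        if p == 1: return s
SBOX = _make_sbox()

def expand_key(key):  # AES-128 key schedule: 11 round keys, column-major like the state
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd < 10:                                         # MixColumns
            s = [_xtime(s[c + i] ^ s[c + (i + 1) % 4]) ^ s[c + (i + 1) % 4] ^ s[c + (i + 2) % 4]
                 ^ s[c + (i + 3) % 4] for c in range(0, 16, 4) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]             # AddRoundKey
    return bytes(s)

def _cbc_mac(rk, nonce, data, tag_len):  # CCM B0 (flags | 13-byte nonce | length) then zero-padded data; no AAD
    blocks = bytes([((tag_len - 2) // 2) << 3 | 1]) + nonce + len(data).to_bytes(2, "big") + data + bytes(-len(data) % 16)
    x = bytes(16)
    for i in range(0, len(blocks), 16):
        x = aes128_encrypt_block(rk, bytes(a ^ b for a, b in zip(x, blocks[i:i + 16])))
    return x[:tag_len]

def _keystream(rk, nonce, nbytes):  # CTR blocks S_0 (masks the MIC), S_1, S_2, ...
    return b"".join(aes128_encrypt_block(rk, b"\x01" + nonce + i.to_bytes(2, "big")) for i in range((nbytes + 15) // 16))

def ccm_encrypt(key, nonce, data, tag_len):  # returns ciphertext || MIC
    ks = _keystream(rk := expand_key(key), nonce, 16 + len(data))
    ct = bytes(d ^ k for d, k in zip(data, ks[16:]))
    return ct + bytes(t ^ k for t, k in zip(_cbc_mac(rk, nonce, data, tag_len), ks))

def ccm_decrypt(key, nonce, ct_tag, tag_len):  # plaintext, or None when the MIC does not verify
    ct, tag = ct_tag[:-tag_len], ct_tag[-tag_len:]
    ks = _keystream(rk := expand_key(key), nonce, 16 + len(ct))
    data = bytes(c ^ k for c, k in zip(ct, ks[16:]))
    expect = bytes(t ^ k for t, k in zip(_cbc_mac(rk, nonce, data, tag_len), ks))
    return data if hmac.compare_digest(expect, tag) else None

def network_nonce(ctl_ttl, seq, src, iv_index):  # 0x00 | CTL+TTL | SEQ | SRC | 0x0000 | IV Index
    return bytes([0, ctl_ttl]) + seq.to_bytes(3, "big") + src.to_bytes(2, "big") + bytes(2) + iv_index.to_bytes(4, "big")
def application_nonce(seq, src, dst, iv_index, szmic=0):  # 0x01 | ASZMIC+pad | SEQ | SRC | DST | IV Index
    return bytes([1, szmic << 7]) + seq.to_bytes(3, "big") + src.to_bytes(2, "big") + dst.to_bytes(2, "big") + iv_index.to_bytes(4, "big")
def _obfuscate(priv_key, iv_index, header, enc):  # header XOR AES(PrivacyKey, 0^5 | IV Index | first 7 encrypted bytes)
    pecb = aes128_encrypt_block(expand_key(priv_key), bytes(5) + iv_index.to_bytes(4, "big") + enc[:7])
    return bytes(h ^ p for h, p in zip(header, pecb))

def _net_protect(enc_key, priv_key, first, ttl, seq, src, dst, lower, iv_index):  # network layer, 32-bit NetMIC
    enc = ccm_encrypt(enc_key, network_nonce(ttl, seq, src, iv_index), dst.to_bytes(2, "big") + lower, 4)
    header = bytes([ttl]) + seq.to_bytes(3, "big") + src.to_bytes(2, "big")  # CTL=0 | TTL, SEQ, SRC
    return first + _obfuscate(priv_key, iv_index, header, enc) + enc

def build_network_pdu(enc_key, priv_key, app_key, aid, nid, ttl, seq, src, dst, iv_index, access):
    # Upper transport: AppKey, 32-bit TransMIC, end to end. Lower transport header: SEG=0 | AKF=1 | AID.
    lower = bytes([0x40 | aid]) + ccm_encrypt(app_key, application_nonce(seq, src, dst, iv_index), access, 4)
    return _net_protect(enc_key, priv_key, bytes([(iv_index & 1) << 7 | nid]), ttl, seq, src, dst, lower, iv_index)

def network_open(enc_key, priv_key, pdu, iv_index):  # what any NetKey holder, e.g. a relay, can see
    header = _obfuscate(priv_key, iv_index, pdu[1:7], pdu[7:])  # same PECB, so XOR undoes the obfuscation
    ttl, seq, src = header[0], int.from_bytes(header[1:4], "big"), int.from_bytes(header[4:6], "big")
    plain = ccm_decrypt(enc_key, network_nonce(ttl, seq, src, iv_index), pdu[7:], 4)  # None: NetMIC failed
    return None if plain is None else {"ttl": ttl, "seq": seq, "src": src,
                                       "dst": int.from_bytes(plain[:2], "big"), "lower": plain[2:]}

def access_open(app_key, f, iv_index):  # only an AppKey holder recovers the access payload
    return ccm_decrypt(app_key, application_nonce(f["seq"], f["src"], f["dst"], iv_index), f["lower"][1:], 4)

def relay(enc_key, priv_key, pdu, iv_index):  # TTL-1 and re-protect; TTL is in the nonce, so the
    f = network_open(enc_key, priv_key, pdu, iv_index)  # ciphertext, NetMIC and obfuscated header all change
    if f is None or f["ttl"] < 2: return None  # not from our network, or not to be relayed further
    return _net_protect(enc_key, priv_key, pdu[:1], f["ttl"] - 1, f["seq"], f["src"], f["dst"], f["lower"], iv_index)

NET_ENC_KEY = bytes.fromhex("0b1c2d3e4f5a6b7c8d9eafb0c1d2e3f4")  # constructed sample keys, not
PRIVACY_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # the specification's sample data
APP_KEY = bytes.fromhex("5f4e3d2c1b0a99887766554433221100")
```

Check the primitive first by running the FIPS-197 Appendix C.1 vector through aes128_encrypt_block, then build a PDU with build_network_pdu and compare what network_open (any NetKey holder) and access_open (AppKey holder only) return. A relay that knows NET_ENC_KEY and PRIVACY_KEY learns the source, sequence number and destination and can forward the message, but the bytes between the lower transport header and the TransMIC stay opaque to it; a forwarded copy from relay shares no header or ciphertext bytes with the original even though the AppKey-protected payload inside is unchanged; and opening the PDU with any other network key, or after flipping one bit of it, returns None.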