Bluetooth SmartMesh

Part 1: What is it?

What is the Bluetooth SmartMesh?

The Bluetooth SmartMesh is a communication protocol designed by CSR's Robin Heydon, published in Summer 2013. CSR makes Bluetooth chips and the goal was to enable Bluetooth for home automation. Bluetooth typically relies on a point to point connection. which requires good signal strength. It is also difficult to communicate with many devices simultaneously. 

In buildings, the propagation of radio waves is severely constrained by walls and other obstacles, which limits the range of communication between devices. 

Security is a very important aspect for home automation, commercially as well as private. Neighbors haunting your lights is one thing, but door locks and other devices must not be hackable. The SmartMesh specification addresses all these issues:

  • n-to-n communication 

  • range

  • security

In 2014, CSR donates the first implementation to the Bluetooth SIG. It is in standardization since 2015 and expected to release the first standard in 2016 and a Bluetooth profile for Bluetooth Low Energy radios.

How does the SmartMesh work?

As stated, the SmartMesh is just a communication protocol, which only relies on broadcast transmissions and listening for messages. It is very generic and does not require a Bluetooth radio as the transport layer. We call the transport the bearer.

On BLE, the SmartMesh uses the advertisement channels and packets available. BLE devices can listen on those channels all the time. The advantage is that these 3 channels at 2402MHz, 2426MHz and 2380MHz are not colliding with any Wifi channel.  Certainly the size of these packets, 47 Bytes over air, with max 37 bytes payload, limits the amount of data transmitted at once, but packets are transmitted within under 0.3ms. Each mesh packet is transmitted on all 3 channels, multiple times, to ensure better reception.

Listening for mesh packets in a broadcast environment isn't successful all the time. Devices are not time or channel synchronized, and there is no collision detection before or during transmission. Another disadvantage is that the receiver on a BLE product requires quite some power. Per se, SmartMesh products are not easily run on batteries. Reducing power consumption by reducing the time the device listens for mesh packets increases the latency and may miss communication packets.

Addressing, Operation and Security

Using this simple communication scheme, we can now define addressing, operation and security. 

Addressing: each node in the mesh has a unique address. The packet contains the address to whom a packet is addressed. A device that receives the packet checks if it is the receiver and then processes the information within. Devices that hear the packet but are not the receiver, discard them, or send them back out. This relay function is possible, since we add a time to live (TTL) counter. The packet will only be repeated so many times and since packets that come around are being recognized as already received, will not be repeated. With this we avoid flooding the mesh.

This relay mechanism now provides us with a way to increase range dramatically but also allows us to manage a mesh network, without routing tables or other management tasks. It operates completely automatic independent of the size of the mesh. It is not longer necessary that every node must be in range of every other node. A single path between all nodes is enough.

Each packet also contains the sender address, as well as a sequence counter, the payload is tagged with the type of message, called a model. Models are application implementations, e.g. a lighting model, that defines the command to dim a light, or get status.

Security

Broadcast is per definition a pretty difficult environment making a communication secure. Everyone can listen is and everyone can send anything. No restrictions. The SmartMesh defines security basically in 2 steps. First packets are encrypted. An application key that is known to only the transmitter nodes and the receiver nodes who are participating. This key is used to encrypt the payload. Since every transmitter has its own transmit sequence counter which is used to initialize the encryption algorithm, every packet over air, even with the exact same content will look different. Certainly in BLE, the well know AES encryption is used, which is very strong.

The second step is to ensure the packet cannot be modified. A message integrity field is attached, after the encryption that ensures that every packet is unaltered when received. In the case of the CSRmesh implementation, a HMAC is used, and the new SIGmesh will be using the AES-CCM for encryption and message authentication in one step.

The SIG also defines the encryption mechanism twice, once with just the payload (application encryption) and then again with the destination address (network encryption).

Doing so, allows us to have a secure communication over a broadcast channel with a full end-to-end encryption, no matter over which medium or number of nodes between the communication happened.

The new SmartMesh also adds a third layer to obfuscate the transmitter.  While the address of the receiver is encryption, the transmitter's address and sequence number is clear text. By defining another privacy key, derived from the network key, a simple XOR encryption will protect from passive eavesdroppers.

At least 2 keys are required for an end-to-end decryption. Nodes between communicating end points do not require the application key, just the network key to ensure that the relayed packet is part of the network. This allows e.g. the door lock to communicate with the opener key with light switches routing the packet, but not able to decode or spoof.

All together, the upcoming SmartMesh standard requires at least 9 AES operation to check one single packet. 

A Mesh Packet

[TTL-SEQUENCE-SOURCE]-(DESTINATION-(APP_PAYLOAD-APP_MIC)-NET_MIC)

[]: obfuscated, (): encrypted