There’s often a lot of confusion about Bluetooth LE Addresses. How they’re used and generated seems complicated because they’re not just a single number.
Overview
Devices communicating with each other in Bluetooth Low Energy need a way to identify themselves. For this purpose a Device Address is specified by the Bluetooth specification. Note that the Bluetooth LE specification itself doesn’t use the word MAC address but rather Device Address. Calling it a MAC address isn’t necessarily wrong because like an IEEE MAC address it’s 48-bit in length, and in fact one of the possible values of a Device Address is an IEEE allocated MAC address. This comes from the Bluetooth Classic part of the specification which does explicitly calls it a MAC address. For the duration of this guide we’ll use Device Address and MAC address interchangeably, so they will refer to the same thing.
The Device address can take on several values, and there’s a hierarchy.
The top level shows the Uncoded LE Packet Format. The relevant item here is the Protocol Data Unit (PDU) which contains both Header and Payload.
The Header contains two fields called TxAdd and RxAdd. These fields are Payload specific – depending on the packet they may or may not be used, but they indicate whether the relevant address is public (0) or Random (1). This is the first indication of what kind of an address we actually have.
For cases where we have a random address we have to take another step. The Type of the address is encoded in the address itself. The actual Device Address is contained in the Payload itself, in fields such as AdvA (Advertiser Address). Since the header indicated to us whether the address is Public or Random, we can decode the address itself.
The Device Address is 48-bit (6 Octets or bytes). The top 2 bits, denoted above as [47:46] indicate the subtype of the address:
- 0b00 – Non-Resolvable Private Address
- 0b01 – Resolvable Private Address
- 0b10 – Reserved. Currently Unused
- 0b11 – Static Address
Now that we know how to decode the address types and subtypes, let’s discuss more about them
Public Device Address
A public device address is a fixed address that’s allocated by the IEEE. If you’re familiar with MAC address for Ethernet, Wi-Fi, these addresses are set by the device manufacturer out of a block of addresses that are purchased from the IEEE. Because of this, MAC addresses can be tracked to a manufacturer, since parts of the MAC are allocated to a particular manufacturer.
If the same address is going to be used by the device for Bluetooth Classic as well, there is a restriction on LAP values. Otherwise, whatever was provided by the IEEE can be used as is.
From experience, LE Devices rarely if ever use Public Addresses. This is both due to cost but also because using a Public MAC address makes the device trackable, and privacy is one of the goals of BLE.
Random Device Address
Random device addresses are so called because they’re addresses randomly generated for the most part and not defined by the IEEE. There are two categories of Random Addresses:
- Static Addresses – semi-permanent addresses randomly generated
- Private Addresses – the address provides privacy and allows for device
Both Static and Private addresses are common and you will deal with both.
Static Device Addresses
A static Device address is a randomly generated address that is used during a complete power up cycle of a BLE device.
- The Address is randomly generated
- It contains at least one bit 0
- It contains at least one bit 1
- Bits 47 and 46 of the address shall be set to the subtype (both are set to 1)
- The address can only be changed to a new value after a power cycle
Many developers leverage the pre-programmed BLE MAC address that comes in the chips because they’re essentially random but fixed. Changing the address after powerup means that a peer device won’t be able to find it if it relies on the old address. Sometimes this matters and sometimes it doesn’t.
Private Device Addresses
Private addresses are BLE MAC addresses used to provide privacy for the device. In Bluetooth Classic, a fixed MAC address was used. This mean that a user could be tracked relatively easily. One of the changes made by the Bluetooth SIG was to provide for better privacy and prevent tracking from being easy.
Private Device addresses are addresses that are generated according to a key called the Identity Resolution Key. Using this key means that Private resolvable addresses change in a way that one can find out whether the device is the same using the Resolution.
Let’s take an example. We have a BLE Peripheral and an iPhone. The BLE peripheral is using LE Privacy features and therefore uses Resolvable a resolvable Private Address.
The iPhone connects for the first time to the BLE Peripheral. At this point, the BLE Peripheral sends the iPhone its IRK information. The iPhone then disconnects from the BLE Peripheral.
Now, because the BLE peripheral is using Private resolvable addresses, it periodically changes its address. Now, the iPhone wants to reconnect to the device, but since the iPhone has only the old MAC address, it can’t just use that. Instead, the iPhone scans for devices around, and uses the address resolution process to attempt to resolve the private address. If the address resolves to that peer device (the BLE Peripheral), then the iPhone knows this is the correct device and can connect to it.
Now, you may have realized something – the Resolution process becomes more complex the more IRKs you have and the more devices there are. Because of this, chips have implemented peripherals to speed the process. For example, the Nordic Semiconductor nRF52840 and other devices from Nordic contains a peripheral called Accelerated Address Resolved (AAR) whose job it is to perform the Resolvable Private Address Resolution procedure. Otherwise, performing this in the CPU would take longer.
To give you an idea, the time to resolve 8IRKs is 49us, which means that it may be possible to meet the 150us limit turnaround time to respond to an advertising packet.
To round this part, we’ll mention unresolvable private addresses – these addresses simply can’t be resolved. We have rarely dealt with these address types as they have limited use.
Address Update Interval
We said that Private Addresses update periodically. This interval is called the Resolvable private Address Generation Interval and is configurable.
The Bluetooth specification recommends to set it to 15 minutes
BLE Addresses in Practice
Now that we have an understanding of the various addresses and how to check which are in the packets it’s makes sense to talk some more about using them in practice.
If you’re not going to use LE Security features, then Static Device address is really your only option. The exchange of the IRK occurs during pairing and bonding. Without this process, you will quickly lose track of the device’s address once it changes. It’s still possible to connect to the device, but would require features that essentially break privacy in most cases.
Realistically it makes little sense to worry about device privacy if you’re not worried about device security encryption. Our experience is that we will leverage LE Privacy almost every time we implement security because it adds up naturally.
Take the example of practically every smartphone out there – they’re using security and LE privacy. If you sniff the packets of an iPhone you will see that its address will change every 15 minutes or so. The same for phones for other manufacturers.
In cases where security is not implemented , then static device address is all you can have. Typically devices in this case will simply load a fixed MAC address. Sometimes the chipset vendor pre-programs a unique MAC address into the device.
Using the same static MAC address during boot makes things easy during development. A consistent MAC address is easier to follow in sniffers and work with overall. Once you begin production or enable security you can switch to use the Privacy Features.
Summary
The several types and subtypes of BLE MAC Addresses can sometimes cause confusion, especially when trying to decide which MAC to use, but the core is that there’s essentially two main BLE Device addresses in use in practice, the Static Random address and the Private Resolvable Random address. Sometimes you will see a Public address on devices, but this is a fixed address that will not change.
