OOB Pairing
Out-of-Band pairing using an external channel (NFC, QR code) to exchange pairing data for enhanced security.
What Is OOB Pairing?
Out-of-Band (OOB) pairing is a BLE pairing method that exchanges authentication data through a channel outside the Bluetooth radio -- typically NFC, a QR code, or a proprietary wired interface. By transferring a 128-bit random value and optional confirm data over this separate channel, OOB pairing achieves strong MITM protection and high entropy, regardless of whether the underlying BLE pairing uses Legacy or LESC mode.
How It Works
The OOB pairing process varies slightly between Legacy and LESC modes:
Legacy OOB: One or both devices generate a 128-bit random TK and transmit it via the OOB channel. This TK replaces the zero or 6-digit passkey used in other association models. Because the TK has full 128-bit entropy, brute-forcing it is computationally infeasible, which closes the passive eavesdropping vulnerability that plagues Legacy Just Works and Passkey Entry, provided the attacker cannot also observe the OOB channel.
LESC OOB: Each device generates its ECDH public key, a 128-bit random nonce, and a confirm value. These are exchanged over the OOB channel. During the SMP pairing sequence, the exchanged OOB data authenticates the ECDH key agreement, providing MITM protection on top of the already eavesdrop-resistant LESC exchange.
OOB Channels
| Channel | Advantages | Limitations |
|---|---|---|
| NFC tap | Natural user gesture, automatic | Requires NFC hardware on both sides |
| QR code | No extra hardware on scanner side | Requires camera + display |
| USB / UART | Very high entropy transfer | Needs physical connector |
| Proprietary RF | Works at range | Custom development |
NFC is the most widely deployed OOB channel for consumer devices. The NFC Forum has standardized the Bluetooth Carrier Configuration Record for Handover, making NFC-assisted BLE pairing interoperable across vendors.
Security Properties
OOB pairing provides the strongest practical security for BLE connections. When both devices exchange OOB data mutually (bidirectional OOB), the pairing is protected against both passive eavesdropping and active MITM attacks. Unidirectional OOB (only one device sends OOB data) still provides strong entropy, but MITM protection is reduced to a degree that depends on the mode.
Use Cases
OOB pairing is ideal for scenarios where user convenience and security must coexist:
- Medical devices -- a nurse taps the sensor to the phone to pair, avoiding error-prone passkey entry.
- Industrial IoT -- commissioning hardware via a wired debug port before deployment.
- Access control -- pairing a smart lock with a phone via NFC sticker.
- Point-of-sale -- payment terminals using NFC handover to establish a BLE data channel.
Implementation Considerations
The OOB data exchange must happen before or concurrently with the SMP pairing sequence. If using NFC, ensure the NFC read is completed before the BLE connection triggers pairing, or buffer the OOB data for deferred use. On Android, the NFC pairing flow is well-supported through createBond() with TRANSPORT_LE and OOB data injection. iOS has more limited OOB support, typically requiring a proprietary app-level handshake.
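An added example (not from the original page or any vendor SDK): a Python check to run on OOB data read over NFC before it is buffered for pairing. It assumes the payload is a sequence of length-type-value AD structures using the Bluetooth assigned AD types for the TK, LE device address, LE role, and LESC confirm and random values; the rejection policy and the sample bytes are constructed for illustration.

```python
# Added example: validate a BLE OOB payload (AD structures) before using it.
AD_TK, AD_ADDR, AD_ROLE, AD_SC_CONFIRM, AD_SC_RANDOM = 0x10, 0x1B, 0x1C, 0x22, 0x23
EXPECTED_LEN = {AD_TK: 16, AD_ADDR: 7, AD_ROLE: 1, AD_SC_CONFIRM: 16, AD_SC_RANDOM: 16}


def parse_ad_structures(payload: bytes) -> dict:
    """Split a payload into {ad_type: value}; each structure is length, type, data."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]  # counts the type byte plus the data bytes
        if length == 0 or i + 1 + length > len(payload):
            raise ValueError(f"malformed AD structure at offset {i}")
        ad_type, value = payload[i + 1], payload[i + 2:i + 1 + length]
        if ad_type in fields:
            raise ValueError(f"duplicate AD type 0x{ad_type:02X}")
        if ad_type in EXPECTED_LEN and len(value) != EXPECTED_LEN[ad_type]:
            raise ValueError(f"AD type 0x{ad_type:02X} has wrong length {len(value)}")
        fields[ad_type] = value
        i += 1 + length
    return fields


def classify_oob(payload: bytes) -> str:
    """Return 'lesc' or 'legacy' for usable OOB data; raise ValueError otherwise."""
    f = parse_ad_structures(payload)
    if AD_ADDR not in f:
        raise ValueError("no LE device address: OOB data is not bound to a peer")
    for t in (AD_TK, AD_SC_CONFIRM, AD_SC_RANDOM):
        if t in f and len(set(f[t])) == 1:  # e.g. all zeros: carries no entropy
            raise ValueError(f"AD type 0x{t:02X} is a constant-byte value")
    if AD_SC_CONFIRM in f and AD_SC_RANDOM in f:
        return "lesc"
    if AD_SC_CONFIRM in f or AD_SC_RANDOM in f:
        # Policy of this example: LESC OOB must carry both values.
        raise ValueError("LESC OOB needs both confirm and random values")
    if AD_TK in f:
        return "legacy"
    raise ValueError("payload carries no pairing secret")


def ad(ad_type: int, value: bytes) -> bytes:
    """Build one AD structure (helper for the constructed samples below)."""
    return bytes([len(value) + 1, ad_type]) + value


# Constructed sample values, not captured from a real device.
ADDR = ad(AD_ADDR, bytes.fromhex("112233445566") + b"\x01")
SAMPLE_LESC = (ADDR + ad(AD_ROLE, b"\x00") + ad(AD_SC_CONFIRM, bytes(range(16)))
               + ad(AD_SC_RANDOM, bytes(range(16, 32))))
SAMPLE_ZERO_TK = ADDR + ad(AD_TK, bytes(16))
```

Rejecting the payload at read time means a malformed or zero-entropy value never reaches the SMP pairing sequence as if it were a valid OOB secret.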