Technology Survey

Bluetooth Security

by Stephen Walsh, Jun Wan, and Arran Sadlier


Bluetooth is a wireless technology for short-range (usually up to a maximum of 100 metres) networking. It is relatively robust, operates on low power, and is a low cost technology. Bluetooth uses a Time-Division Duplex scheme for full duplex transmission. In other words, Bluetooth technology is simply used to connect an electronic device to another without the physical cable. Bluetooth is intended to be a standard that works at two levels: [1]

The Bluetooth protocol uses a combination of circuit and packet switching. To send/receive data Bluetooth uses a frequency-hopping spread spectrum technique which makes it difficult to track or intercept transmissions. The Bluetooth standard uses three transmit power classes. These are 1mW, 2.5mW and 100mW. Each Bluetooth device has a unique 48 bit hard-wired device address for identity, which allows for 2^48 devices. Bluetooth devices basically form piconets to communicate. Each piconet comprises of up to eight active devices where one is the 'master' and the rest are 'slaves'. The master searches for Bluetooth devices followed by invitations to join the piconet addressed to specific devices. The 'master' then assigns a member-address to each slave and controls their transmissions. Devices can belong to several piconets. Bluetooth also provides for easy integration of TCP/IP for networking. Bluetooth uses the radio range of 2.45 GHz. This is a globally available bandwidth used worldwide for compatibility.

Inherent risks with Bluetooth devices

It is a very nice technology but the security issue has to be taken into serious consideration. Risks are inherent to any wireless technology. And the most significant risk in the wireless technology is that the underlying communication medium is open to everybody, including authentic users as well as the intruders. Bluetooth used short-range radio which is very vulnerable. For instance, if the intruders had the frequency to connect to your PC, they can use their own Bluetooth technology monitor and mouse to get access. So they can have all information in your PC. And if the attackers' headsets connected to your mobile phone by hacking the frequency, you will never know somebody bugged you phone and everything will be unsafe. Therefore we need to put extra efforts in security section to make sure the technology is safe for the users. The Bluetooth technology needs to sort out the following specific threats

Security Architecture

Because of these many new risks that a new technology like Bluetooth creates, a good security design is essential for it to be successful. However, since Bluetooth is a relatively recent invention, and we are well aware of the security risks and needs for technologies in today's world (especially having the similar 802.11 wireless technology available to examine), the architecture of Bluetooth security was very well thought out to begin with. Thus, Bluetooth is considered a relatively secure form of communication, especially when considering it uses a wireless medium.

The design of secure interaction between devices in Bluetooth consists of the following phases:

An initial phase, called pairing, in order to establish a "link" key, which will then be used for encryption and decryption for secure connections. This is the most dangerous stage of connecting 2 Bluetooth devices together; as if an attacker can spy on this part of the interaction then he may be able to establish what the link key is [2] . During this pairing, an initialisation key is generated based on each device's address, and a PIN which is shared between the devices. Once pairing has occurred, each device considers the other to be "trusted", and thus it grants it access to certain things on itself. Due to the fact that someone spying on this would be able to determine what the initialization key, and thus the link key, the Bluetooth Special Interests Group (SIG) [3] recommend that this stage is carried out in private, and that PIN should be long and manually input if possible. The PIN should also random and not common PINs like "0000".

Using this initialisation key, the devices then agree on a link key which they will use to establish a secure connection between each other when needed. There are 2 types of link key. The first is a unit key, where a device's individual unit key (which every Bluetooth device has) is chosen as the link key. This method clearly allows other a device to spy on data being transferred between a device it is trusted by and some other device, or even to send false data to another device by impersonating using the unit key. The other method is combination keys, in which an individual link key is generated for each individual link between 2 devices, based on each of their Bluetooth addresses. Whenever a device wishes to access another Bluetooth device, it gets the other to send it a challenge. It then encrypts this challenge using the link key along with other information (using a safer+ algorithm [4] ) and returns a partial result to the device he wishes to access. This other device then verifies the partial result and communication can take place using encrypted wireless interaction. This can then be mirrored in reverse to complete a mutual pairing.

When data is then being communicated, the link key is used to help generate a ciphering for an E0 encryption algorithm, which again makes it more secure as the link key is not used directly for encryption or decryption during the communication.

Known Security Issues

Given that this Bluetooth security has been well thought out and the scope for a hacker to be able to attain the link key is minimal (especially if Bluetooth SIG's recommendations are taken aboard), any security compromises must take a different form than trying to obtain or guess the decryption key. Currently there are just a few known methods for bypassing Bluetooth's security measures.

One method of hacking Bluetooth has been named "bluesnarfing", and, as with most Bluetooth hacks, the reason for its existence is a fault of the way Bluetooth is implemented on certain mobile phones, and in this case the way in which the object exchange (OBEX) protocol is implemented . What it does is it can silently access these mobile phones contacts, calendar and pictures without the owner ever knowing - a clear violation of the owner's security expectations. Nokia is one of a few mobile phone companies who have acknowledged that some of their devices have this fault, and have addressed it with updated firmware for the faulty products. [5]

Another method is that of "backdoor" hacking. This is where a device which is no longer trusted can still gain access to the mobile phone and gain access to data as with bluesnarfing, or also use services like WAP etc. [6]

A third flaw in some mobile phones allows for a hacker to use a method called "bluebugging" in order to hack into the owner's phone. It is possibly the most dangerous of the attacks, and allows hackers to send/read SMS, call numbers, monitor phonecalls and also do everything that backdoor and bluesnarfing allows. This is a separate vulnerability from bluesnarfing and does not affect all of the same phones as bluesnarfing.

The seemingly harmless "Bluejacking" is a different style of attack. It works on the fact that during the initialization process, when a device wishes to be paired with you, a message containing the device's name and whether you want to pair with this device is displayed. To many people this is just an innocent joke to get a reaction out of someone by renaming their phone and then sending them a clever anonymous message and watching their reaction [7] . However, if a malicious individual names their phone something like "Click accept to win!!" then they can gain access to someone's Bluetooth device if an owner falls for the trick.

As with computers, there is also the risk of worms and viruses. One such worm is the Cabir worm, which tries to pair the Bluetooth device it's on to any in the vicinity, and if successful it will install itself on the paired device. Once it is there, it will attempt to repeat this process, and also when the device is switched on, the worm will drain the battery by scanning for enabled Bluetooth devices. [8]

There is also the possibility for Denial of Service (DoS) attacks on Bluetooth devices. This works exactly the same way that traditional DoS attacks work, with a hacker sending invalid Bluetooth requests and his occupying a devices Bluetooth channel so it cannot communicate with any other Bluetooth devices.

The first three of these issues are purely faults of the manufacturers of particular mobile phones, and firmware has been released since their discovery to correct any faulty models. These problems illustrate the dangers of using Bluetooth devices if they are not implemented properly. Indeed, they can all be solved, for most phones, by switching the phone into "invisible" mode so that it will not be recognised by other Bluetooth devices. Switching off the Bluetooth capability when you're not using it is another more extreme option. The Bluejacking and Cabir worm issues can only hack someones phone if they agree to be paired with the device, and in the case of the cabir worm if they then also agree to install the software that it tries to install. There are also security updates and antivirus software readily available for users. These user security measures show that, as with any technology, there is responsibility on the user to take care of their device, and if they do so they should not be at a large risk. Generally, Bluetooth is accepted as a well-designed and secure medium of transfer, so long as their users take care of their devices.


The Future

The SIG outlined in its roadmap through to 2006 to continue to tackle issues of privacy and security. Nokia and Ericsson have both developed software upgrades for phones vulnerable to Bluetooth attacks. Both companies have also made sure that new phones coming to market will be able to defend against attacks. Although consumers are still advised to use long PIN codes to decrease the risk of a security violation. Most experts regard Bluetooth as still being the most secure form of wireless networking today (as confirmed by a study by Mississippi State University [9] ). Bluetooth is considered more secure than any other wireless technology, such as 802.11 networks and Wi-Fi which is vulnerable to security threats due to its weak WEP and WPA protocols. Everything considered Bluetooth is expected to become more pervasive as demand for wireless grows.



[1] - http://student.vub.ac.be/~sijansse/2e%20lic/BT/Voorstudie/PreliminaryStudy.html

[2] - https://www.bluetooth.org/foundry/sitecontent/document/security_whitepaper_v1

[3] - http://www.bluetooth.com/

[4] - http://www.vlsi.ee.upatras.gr/~pkitsos/Kitsos_IEEEPC.pdf

[5] - http://news.zdnet.co.uk/0,39020330,39145886,00.htm

[6] - http://www.thebunker.net/security/bluetooth.htm

[7] - http://www.bluejackq.com/what-is-bluejacking.shtml

[8] - http://securityresponse.symantec.com/avcenter/venc/data/epoc.cabir.html

[9] - http://www.arraydev.com/commerce/jibc/0402-10.htm