Bluetooth Security: Part 1
September 4th, 2011
In this blog you’ll find a six-part series on mobile computing security that I wrote some time ago, followed by another series on forensics with mobile computing devices. Those entries focused on security issues in the major types of smartphones, but the mobile computing arena is not limited to smartphones; security-related concerns in many other areas keep emerging as well. So this time around let’s take a look at Bluetooth security.
Bluetooth provides both wireless LAN connectivity and short-range wireless connectivity to applications that were at first designed to work only in connection with conventional (wired) networks. It is included in the IEEE 802.15 specification, and grew out of the work of the Wireless Personal Area Network (WPAN) Working group that includes big telecommunications and networking companies such as IBM, Nokia, Ericsson and Toshiba. Bluetooth and smartphones are by no means strangers to each other. Bluetooth is built into many smartphones, e.g., iPhones.
Bluetooth devices are very widely used, as evidenced by the estimate that by 2008 there were over one billion Bluetooth devices being used around the world. Less than 10 years ago, however, Bluetooth was not very popular due to some inherent limitations, several of which are substantial. For one thing, Bluetooth is not suitable for wide range communications. When Bluetooth first emerged, it worked only over a very short distance, e.g., 30 feet, and had a line-of-sight requirement. Classes of Bluetooth devices now work up to 300 feet away from each other, although 30 feet is still rather common, and there is no longer any line-of-sight requirement (although Bluetooth transmissions can be disrupted if solid objects are in the way of a broadcast beacon). Additionally, Bluetooth has always been slow; in theory, Bluetooth has a maximum bandwidth of only 1 Mb/s, but the actual bandwidth is lower because of Bluetooth’s forward error correction functionality. Furthermore, Bluetooth operates within the 2.45 GHz frequency range, a range also used by a number of other wireless devices (including baby monitors), something that can potentially cause interference. To lessen its susceptibility to interference problems, Bluetooth uses the Frequency Hopping Spread Spectrum (FHSS) transmission type.
Given these limitations, why are Bluetooth devices so popular? The main reason is that they can be used to connect just about any device to just about any other (e.g., a PDA to a mobile phone). Internet access is another purpose for which these devices are so frequently used. And Bluetooth functionality is not limited to handheld devices, either–Bluetooth can also synchronize desktop machines.
Every Bluetooth wireless link (a “pairing”) is created within the boundary of a piconet, in which up to eight devices share the identical physical channel. Every piconet has one “master”; every other device within the same piconet is called a “slave.” To join a piconet, a Bluetooth device must be “discoverable,” i.e., it must reveal some information about itself to others within the same physical vicinity. The most critical piece of information it must reveal is the device’s address, called the “BD_ADDR.” The device must also obtain information (including the BD_ADDR) about each of the other devices. A device’s discoverability can be configured in one of three modes:
1. Non-discoverable mode–a device will not respond to other devices’ attempts to discover the device in question.
2. Limited discoverable mode–the device is discoverable for only a narrow time period, during temporary circumstances, or only while a specific event occurs.
3. General discoverable mode–the device is continuously discoverable.
When Bluetooth devices discover each other, they create a shared initialization key which is in turn used to generate a shared symmetric encryption key known as the “link key.” A PIN between 8 and 128 bits long, the PIN length, and a random number are used to create an initialization key for each device. The unit key (a built-in key for each device) is XORed with the initialization key to produce the link key for each device pair. This step is sometimes preceded by generation of a random number used to encrypt the initialization key. Both devices store the link key for use in further communications between them.
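The following is an added worked model of the key flow just described; it is not code from the original post, and it does not reproduce Bluetooth’s actual key-generation functions. HMAC-SHA256 stands in for them so that the data flow (PIN, PIN length and random number into an initialization key; unit key XORed with the initialization key; a link key stored on both sides) can be traced and checked. The model assumes that the XOR with the initialization key is what masks the initiator’s unit key as it crosses the air, and that the unmasked unit key becomes the shared link key; the device names, addresses, unit keys and PINs are constructed for the example.

```python
"""Toy model of legacy Bluetooth pairing key derivation (constructed example).

Not the real Bluetooth key functions: HMAC-SHA256 is a stand-in so the
flow PIN + PIN length + random number -> initialization key, then
unit key XOR initialization key -> shared link key, can be followed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KEY_LEN = 16  # 128-bit keys, as in Bluetooth


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_init_key(pin: bytes, rand: bytes) -> bytes:
    """Initialization key from the PIN, the PIN length and the random number.

    The random number travels over the air in the clear, so the PIN is the
    only input an eavesdropper does not already hold. (Stand-in function.)
    """
    if not 1 <= len(pin) <= 16:  # 8 to 128 bits, as the post states
        raise ValueError("PIN must be 1 to 16 bytes (8 to 128 bits) long")
    return hmac.new(rand, bytes([len(pin)]) + pin, hashlib.sha256).digest()[:KEY_LEN]


@dataclass
class Device:
    name: str
    bd_addr: bytes                 # 48-bit address revealed during discovery
    unit_key: bytes                # built-in per-device key
    pin: bytes                     # PIN entered (or fixed) for this pairing
    link_keys: Dict[bytes, bytes] = field(default_factory=dict)  # peer BD_ADDR -> link key


def pair(initiator: Device, responder: Device,
         rand: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Run the pairing exchange; return (initiator_link_key, responder_link_key).

    Model assumption: the initiator's unit key, masked by XOR with the
    initialization key, is the value sent over the air. The responder unmasks it
    with its own initialization key, and the recovered unit key is the link key.
    """
    if rand is None:
        rand = os.urandom(KEY_LEN)                 # sent in the clear
    k_init_a = derive_init_key(initiator.pin, rand)
    k_init_b = derive_init_key(responder.pin, rand)  # equal only if PINs match
    over_the_air = xor(initiator.unit_key, k_init_a)  # message: masked unit key
    link_key_a = initiator.unit_key
    link_key_b = xor(over_the_air, k_init_b)        # garbage if the PIN differed
    initiator.link_keys[responder.bd_addr] = link_key_a
    responder.link_keys[initiator.bd_addr] = link_key_b
    return link_key_a, link_key_b


def respond(dev: Device, peer_addr: bytes, challenge: bytes) -> bytes:
    """Challenge-response with the stored link key, as used in later sessions."""
    return hmac.new(dev.link_keys[peer_addr], challenge, hashlib.sha256).digest()


def pairing_succeeded(a: Device, b: Device, challenge: bytes) -> bool:
    """True when both sides hold the same link key (their responses agree)."""
    return hmac.compare_digest(respond(a, b.bd_addr, challenge),
                               respond(b, a.bd_addr, challenge))


def demo(pin_a: bytes, pin_b: bytes, rand: bytes = bytes(range(16))) -> bool:
    """Pair two constructed devices using the given PINs; report agreement."""
    phone = Device("phone", bytes.fromhex("001122334455"), bytes(range(100, 116)), pin_a)
    headset = Device("headset", bytes.fromhex("66778899aabb"), bytes(range(200, 216)), pin_b)
    pair(phone, headset, rand)
    return pairing_succeeded(phone, headset, b"auth-challenge")


if __name__ == "__main__":
    print("matching PINs ->", demo(b"1234", b"1234"))   # True
    print("mismatched PINs ->", demo(b"1234", b"1235"))  # False
```

Running the block pairs a constructed phone and headset twice, once with matching PINs and once with a one-digit mismatch; only the first pairing leaves both devices holding the same link key. The point worth noticing for the next paragraph is which inputs ever cross the air: the random number and the masked unit key do, the PIN does not, so the PIN is the only secret in the whole derivation.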
We haven’t gotten very far into Bluetooth security yet. Even so, you are probably already sensing that something is amiss in the nature of discovery mode and the generation of link keys. Discovery mode lets attackers perform reconnaissance on potential Bluetooth targets, yielding a wealth of information that can facilitate attacks. Additionally, although the encryption steps described above may sound complex, in reality they are not, and the work needed to crack link keys is remarkably small.
So much for now–I’ll continue this subject with my next posting.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC