This guide explains what Bluetooth is, how it's used, and where it fits into the world of wireless. You'll find Bluetooth articles, tutorials, examples, tips, tools, white papers, expert advice and more to pump up your Bluetooth know-how quickly.
Table of Contents
- Bluetooth overview - What Bluetooth is, how it started and how it has developed since its inception and release.
- How Bluetooth works - The basics of Bluetooth technology and how Bluetooth can be used.
- Bluetooth vocabulary - Bluetooth terminology and what it means.
- Bluetooth security - Threats to Bluetooth, how Bluetooth can be compromised and how it can be secured.
- Bluetooth quiz - Test your newfound Bluetooth skills with the Bluetooth quiz.
Bluetooth is a telecommunications industry specification that describes how mobile phones, computers, and personal digital assistants (PDAs) can be easily interconnected using a short-range wireless connection. Using this technology, users of cellular phones, pagers, and personal digital assistants can buy a three-in-one phone that can double as a portable phone at home or in the office, get quickly synchronized with information in a desktop or notebook computer, initiate the sending or receiving of a fax, initiate a print-out, and, in general, have all mobile and fixed computer devices be totally coordinated.
Bluetooth requires that a low-cost transceiver chip be included in each device. The transceiver transmits and receives in a previously unused frequency band of 2.45 GHz that is available globally (with some variation of bandwidth in different countries). In addition to data, up to three voice channels are available. Each device has a unique 48-bit address from the IEEE 802 standard. Connections can be point-to-point or multipoint. The maximum range is 10 meters. Data can be exchanged at a rate of 1 megabit per second (up to 2 Mbps in the second generation of the technology). A frequency hop scheme allows devices to communicate even in areas with a great deal of electromagnetic interference. Built-in encryption and verification is provided.
Bluetooth.org Abstract: "The name Bluetooth is taken from the 10th century Danish King Harold Blatand -- or Harold Bluetooth in English. During the formative stage of the Trade Association a code name was needed to name the effort. Over an evening discussing European history and the future of wireless technology several felt it was appropriate to name the technology after King Blatand. He had been instrumental in uniting warring factions in parts of what is now Norway, Sweden and Denmark - just as the technology is designed to allow collaboration between differing industries such as the computing, mobile phone and automotive markets. The code name stuck."
A Bluetooth update
contributed by Craig Mathias
Judging from the number of blinking lights I see hanging from people's ears these days, Bluetooth must be a roaring success. Indeed, ignoring specific applications for the moment, more than one billion Bluetooth-equipped devices have been shipped to date, and the next billion are going to be out there pretty quickly – probably within a year or two. With numbers like those, Bluetooth is an unqualified success. But we've found that the vast majority of owners of Bluetooth-equipped phones never in fact use Bluetooth, and, of those who do, only about 2% use it for anything other than a headset application.
I must confess that I have never been a big fan of Bluetooth, but by this I mean only the radio and not the very interesting software functionality that's part of the spec. Many people don't know that Bluetooth is in fact an entire network protocol stack, as well as a large number of applications.
Bluetooth protocols, called Profiles, have in fact been ported to ultrawide band (UWB), and I think Bluetooth protocols could eventually be seen across IP-based networks running on all manner of both wired and wireless physical layers. As you can see, there's a lot more to Bluetooth than headsets. I think that Bluetooth has been held back in terms of broader use by the very limited nature of the radio, not by its real capabilities. Still, because of the large installed base of Bluetooth devices today, most notably all of those headsets, the current Bluetooth radio is likely to be around for some time.
How Bluetooth cuts the cord
Bluetooth is a quaint sounding wireless networking standard that solves the problem of last-inch connectivity. Let's face it, there are lots of standards for last-mile connectivity including DSL, Cable Modem Internet, PON (Passive Optical Networks), T1, BPL (Broadband over Power Line), and even Wi-Fi. Well, Wi-Fi is really more of a last-foot connectivity solution designed to eliminate Ethernet wiring within a home or office. Bluetooth is more likely to eliminate USB and parallel printer cables within a room. It also eliminates other short wires, such as the tiny but annoying cable that links a headset to a cellular phone.
Bluetooth really is a networking standard. Instead of a LAN or Local Area Network, it's a PAN or Personal Area Network. Bluetooth devices establish what are known as piconets. A piconet contains a minimum of two devices and a maximum of eight. No manual intervention is needed. The process of setting up the network is completely automatic when Bluetooth enabled devices are within range of each other. One device assumes the role of the master and invites other nearby Bluetooth enabled devices to join the net as slaves. Once all 8 available slots are filled, no other device can join. The master and the slaves take turns communicating in a round-robin scheme. Communications between slaves must be sent via the master and not directly.
All of this is going on at a data rate of 1 Mbps for the standard Bluetooth and up to 3 Mbps for Bluetooth version 2.0. They are compatible standards and run at a speed that the slowest device in the piconet can keep up with. Deducting overhead in the transmission protocol, the basic communications rate is around 720 Kbps. There are options including half-duplex, full duplex, asynchronous connectionless and synchronous connection oriented links. The data bits can be information, digital control words or even two-way audio at 64Kbps. That's perfect for telephone applications, as 64Kbps is the legacy standard for toll quality digitized voice.
Bluetooth operates smack in the middle of the unlicensed 2.4 GHz ISM (Industrial, Scientific and Medical) band. If that has a familiar ring, it's because Wi-Fi uses the same frequencies. What keeps them from clashing is different modulation schemes. Bluetooth deliberately picked a frequency hopping scheme to avoid interfering or being interfered with. It switches randomly among 79 channels at a rate of 1,600 times per second. Only devices on a particular piconet are synchronized to hop to the same frequencies at the same time. This greatly reduces the chances of noise or other transmitters blocking out the entire data stream. If bits are lost on one channel, they can be resent on another.
What are typical uses for Bluetooth?
A popular application is wireless headsets for cell phones. If your phone has Internet capability, a Bluetooth piconet can be established between your phone and nearby laptop computer to give the computer Internet access as well. Bluetooth enabled printers can print pictures from a cell phone or camera that has Bluetooth without needing any wires. Likewise, a Bluetooth enabled PDA can synchronize with a Bluetooth-enabled cell phone, laptop or desktop computer. As devices that meet the 2.0 standard become more commonly available, the higher throughput will be used for wireless audio components and appliances as well. It seems likely that Bluetooth will replace infrared links that need direct line of site and perhaps the bulk of interface cables we're so accustomed to.
Chasing away your wireless blues
Bluetooth is a cable replacement technology, designed to connect paired devices within 10 meters of each other. Given limited range and application, many incorrectly discount Bluetooth as a serious business threat. But new Bluetooth devices can reach up to 100 meters, using internal antennas. Most are promiscuous by default, responding to pages, service discovery probes, and connect requests from anyone. And many harbor security programming flaws associated with the Bluetooth Object Exchange (OBEX) protocol. This has fostered development of new attacks that exploit Bluetooth, such as:
|BlueBug||Issuing AT commands to place calls using another Bluetooth device|
|BlueDump||Watching Bluetooth pairing, using that info to crack a Bluetooth PIN|
|BlueJacking||Adding a new contact to a Bluetooth device's phonebook|
|BlueRogue||Using unauthorized Bluetooth devices, especially Access Points|
|BlueSmack||Sending an L2CAP ping-of-death to crash a Bluetooth device|
|BlueSnarfing||Grabbing contact and calendar lists from Bluetooth PDAs and phones device|
|BlueSniffing||Scanning an address range to find nearby Bluetooth devices|
|BlueSpoof||Masquerading as another Bluetooth device by using its BT address|
|BlueStab||Using bad names to crash devices engaged in Bluetooth discovery address|
|Bluetooone||Using external 2.4 GHz antenna to extend Bluetooth attack range|
|Cabir||Used Bluetooth to propagate a Symbian OS proof-of-concept worm|
Companies may not really care if an employee's wireless headset or keyboard gets BlueSmacked or BlueStabbed. But they should care if an executive's PDA gets BlueSnarfed or BlueSpooofed. They should care if Bluetooth is used to infect employee laptops or rack up company telephone charges. And they should care whenever any unauthorized link is used to circumvent corporate security policies – for example, using Bluetooth to exchange unsecured data between peers in an office where Wi-Fi Ad Hoc is forbidden and 802.11i security is required on the corporate WLAN.
Aside from defining policies, another major concern as Bluetooth starts to plant its foot firmly in the enterprise is its potential to open up security holes. Bluetooth still has questionable security, according to security expert Lisa Phifer, with a host of attacks -- including Bluejacking, Bluesnarfing, Bluebugging and BlueSniper Rifle -- that can intercept data or plant malicious code. There are dozens of Bluetooth attacks, and most embedded Bluetooth devices will just be enabled in a promiscuous discovery mode, with default or no PIN. While it is true that one must be relatively close to a Bluetooth device to connect to it, there are many business situations in which that will be true. Phifer said its proliferation and the potential for attack should be enough to open a few eyes and draw network managers' attention.
Those management programs include everything from enforcing how users set and use device security, to which applications are allowed to run on which devices. IT shops already manage tools to disable other devices, such as digital cameras, games and media players, so adding a Bluetooth-specific set of policies shouldn't present much of a challenge to cut down on security risks and unauthorized use. The challenge comes, however, when it's time to define the policies designed to control Bluetooth. Bluetooth's alliance with UWB could boost its use in the enterprise, but he thinks its core uses will remain in cell phones and other personal device connections that use USB wiring.
Making the best of Bluetooth security
Bluetooth specifications include basic link security measures. By default, most Bluetooth devices operate in unprotected "non-secure" mode. Two additional modes are defined: mode 3 secures the entire wireless link, while mode 2 leaves security up to each authorized application. For best results, use mode 3 to enforce link authentication and encryption for all Bluetooth traffic, and discourage or ban business use of devices that support only mode 1.
When link security is enabled, Bluetooth devices must complete an initial "bonding" exchange to derive pairwise link authentication and encryption keys. The user must give both devices the same PIN code, which is then mixed with a factory-defined unit key. But this pairing process can be compromised by use of weak or predictable PIN codes. To reduce risk, devices should be paired in a private location, using a long, random PIN code. Avoid default PIN codes, easily guessed PIN codes ("0000") and devices that do not support configurable PIN codes.
After bonding, paired Bluetooth devices associate to each other whenever they want to exchange data. As each connection is established, devices exchange challenge-response messages to demonstrate possession of the link key created during bonding. However, this authentication exchange is vulnerable to key-guessing, where a device repeatedly tries to authenticate by trial and error. Active attacks are discouraged by increasing the interval between attempts, but the Bluetooth specification does not enforce a maximum number of attempts. One-way authentication is also vulnerable to a man-in-the-middle attack. To reduce risk, always require authentication on both devices. Where possible, configure Bluetooth products so that users must accept incoming connection requests.
Depending on the negotiated encryption mode, an 8- to 128-bit encryption key can be used to scramble data sent over the link. For best results, avoid encryption mode 1 (no encryption), choosing either mode 2 (encrypt unicast but not broadcast traffic) or better yet mode 3 (encrypt all traffic). Because data that has been encrypted with a too-short key can be analyzed to decrypt captured traffic, both devices should be configured to require 128-bit encryption keys.
Further steps to make best use of these built-in Bluetooth measures include:
- Turn off Bluetooth interfaces when not in use, and disable Bluetooth's discovery feature, whereby each device announces itself to all nearby devices. These common-sense practices reduce the window of opportunity for Bluetooth attacks.
- Configure Bluetooth devices to use the lowest power that meets business needs. Class 3 devices transmit at 1 mW and cannot communicate beyond 10 meters, while class 1 devices transmit at 100 mW to reach up to 100 meters. Adjusting power does not eliminate outsider attack, but it can reduce that possibility.
- Because link keys are stored on paired Bluetooth devices, password protect both devices to prevent use of lost/stolen units. If possible, do not permanently store the pairing PIN code on Bluetooth devices.
To defend against such attacks, combine the good configuration choices and practices described above with Bluetooth product assessment, patching and security auditing.
Audit the airwaves inside your facility to locate all Bluetooth capable devices. For example, walk the halls with a portable Bluetooth scanner like AirDefense Inc.'s BlueWatch, AirMagnet Inc.'s BlueSweep, Berkeley Varitronics Systems Inc.'s Mantis Bluetooth, or Network Chemistry Inc.'s RFprotect BlueScanner. Bear in mind that you'll need to be within 10 meters to detect class 3 devices, and those that have discovery disabled will be harder to spot. Alternatively, enterprises with full-time Wi-Fi intrusion detection (IDS) or intrusion prevention systems (IPS) may detect Bluetooth as a non-descript source of Wi-Fi interference or by fingerprinting individual Bluetooth devices (e.g., Red-M Group Ltd.'s Red-Mobile, AirMagnet Spectrum Analyzer).
- Are there Bluetooth features we should require in our computing devices?
- Can you suggest tools to detect Bluetooth-based card-skimming devices?
Inventory all discovered devices with Bluetooth interfaces, including hardware model, OS, and version. Then search Bluetooth vulnerability and exposure databases (e.g., Trifinite, WVE) to determine whether those devices harbor known issues. For example, Nokia Corp. and Sony Ericsson Mobile Communications AB have issued updates for Bluetooth-capable phones that are vulnerable to Bluesnarfing and BlueBugging. Apply available patches to correct those bugs and retire older devices for which critical patches are unavailable.
Finally, define security policies for all Bluetooth-capable devices that impact your business. This frequently includes handheld devices owned by employees. Here, user education can go a long way toward promoting safer use. Once they learn the potential impact on personal and corporate data, employees are more likely to voluntarily comply with defined policies. They may even welcome configuration assistance, so long as Bluetooth security does not inhibit authorized use. However, where security is truly important, compliance for Bluetooth and other security measures should be enforced through a centrally-administered device management system (e.g., Credant Technologies Inc.'s Mobile Guardian). After all, link security is part of a much bigger picture -- multi-layered defenses must work together to safeguard Bluetooth devices and their data.
Now that you've read up on Bluetooth and Bluetooth security, try out your skills on our Bluetooth and mobile device security quiz.