
A TruSecure White Paper

Bluetooth Security

March 6, 2004

Co-Authored by:
William Hugh Murray, CISSP,
Executive Consultant, TruSecure Corporation

Robert Moskowitz, Senior Technical Director,
ICSA Labs, a division of TruSecure Corporation


Bluetooth Security

"Nothing useful can be said about the security of a mechanism except in the context of a specific
application and a specific environment." (Robert H. Courtney)

Executive Summary
Bluetooth is one of several new wireless technologies that are changing the enterprise
environment. Because it is very low power, shorter range, lower bandwidth, used for less
sensitive applications, and more sparsely used than the other wireless technologies, it is
inherently lower risk. There are relatively few enterprise applications. It is too early to say that
its use will not make an enterprise a target of opportunity; however, it has not done so yet. For
targets of choice, the cost of attack appears to be higher than that of alternative attacks and than the
value of success.

However, end users often apply it in novel ways that enterprise management is not aware of
and cannot readily control. While the design seems to compensate well for the fundamental
vulnerabilities, some of its applications have suffered from implementation-induced
vulnerabilities. While the technology has been tarnished by reports of proof-of-concept
code for attacks against these applications, most of these attacks would have been successful
whatever the communication technology had been.[1]

At present, the risks of the use of this technology are not sufficient to justify a recommendation
not to use it or even to focus security measures on it. Management should focus security
measures on the user, the data, the application, the using devices, the connection, and the
environment rather than on Bluetooth per se. As always, management will wish to discourage
the use of novel technology with sensitive data and encourage the use of restrictive policies
and safe defaults. Prefer Bluetooth to other wireless technologies for applications for which its
range, power, and bandwidth are adequate. Mitigate the sparse threat by disabling Bluetooth
when not in use and turning it on only in safe environments.

Background
Bluetooth is one of the hot and hyped technologies of the day. Because it is a radio broadcast
technology, its applications have security implications. Bluetooth devices can leak sensitive
information. As a consequence, it should not surprise anyone that security professionals are
watching it very carefully.

What should security professionals do about this emerging technology and how concerned
should they be? This paper is one of several intended to help enterprise management use their
limited security resources in the most efficient manner. It will describe the technology and its
intended use, identify some of its applications, describe its security features, functions, and
properties, discuss its vulnerabilities and their mitigations, and make recommendations as to
how enterprise management should respond.

[1] One of these attacks exploits application functionality in an implementation of data object exchange between cell phones or
between cell phones and PDAs; that the devices use Bluetooth to communicate is merely coincidental. The other uses a long name field,
intended for one device to announce itself to another, to carry a message to dupe users into communicating with strangers.

2004 TruSecure Corporation 2

Some have probably read news articles about attacks against Bluetooth-enabled devices.

For example, you may have read: "It is possible, on some makes of device, to connect to
the device without alerting the owner of the target device of the request, and gain access to
restricted portions of the stored data therein, including the entire phonebook (and any images
or other data associated with the entries), calendar, real-time clock, business card, properties,
change log, IMEI (International Mobile Equipment Identity), which uniquely identifies the
phone to the mobile network, and is used in illegal phone cloning)."
(http://www.bluestumbler.org/)

While this statement is true as far as it goes, it is artfully crafted and must be carefully
parsed. While the proof of concept code works against some Bluetooth enabled devices,
it does not work against all. It may access sensitive storage, but, by definition, the storage is
not restricted. It does not exploit or rely upon Bluetooth features or properties but only on
communication; the same attack works just as well against similar devices that communicate
via infrared (IrDA). To the extent that Bluetooth has a wider range, ten meters as opposed to
three, and is a little more robust, Bluetooth may aggravate the vulnerability.

Description
Bluetooth, standardized as IEEE 802.15.1, is intended to be a wireless signal cable
replacement technology. It is used both for digital data transport and for analog signaling. Any
short signaling wire or cable is a potential Bluetooth application. Examples include printer
cables, modem cables, mouse cables, headset cables, PDA synchronization cables, PC-to-PC
connections, and many more.

Bluetooth uses low-power digital signaling over low-power high-frequency (2.4 GHz) spread-
spectrum radio to replace the cable. Bluetooth devices have relatively limited range[2] and
bandwidth (somewhere between enough to carry monaural audio and stereo). Bluetooth radio
chips currently sell for about $5, and that price can be expected to fall.

Like the cables that it replaces, Bluetooth is intended to connect two devices to one another;
think serial or parallel cable applications, as opposed to Ethernet. These devices may be
connected: peer-to-peer, e.g., two PCs, PDAs, or cell phones; master-slave, e.g., PC to a printer
or modem, or telephone-to-headset, or even host-guest. While it is possible to conceive of the
use of Bluetooth for networking, that is not its typical use.[3] However, a given device, such as a
PC, may support multiple Bluetooth connections, just as it supports multiple cable connections.
It may even connect two of them together in some limited way. For example, Bluetooth can
be used to connect a handheld device to a PC and then to the Internet. However, it is not a
networking technology like Wi-Fi (IEEE 802.11). As with any other material, using it for
applications that are not consistent with its properties, capabilities, and limitations may stress it
to the breaking point.

[2] Class 1 devices at 1 mW have a range of 1 m, Class 2 at 10 mW are 10 m, and Class 3 at 100 mW are 100 m. Most handheld devices
are Class 2, but most PC cards are 10 mW/100 mW so they can work with 100 mW hubs.
[3] Bluetooth 1.0b provides a profile for PPP over serial. For 1.1, IP over Bluetooth is being worked on in the IETF. However, these are still
point-to-point connections.

Like the cables that it replaces, Bluetooth may leak information. Cables broadcast a little
information as a side effect of their fundamental function. However, this radiation is
unintended. Bluetooth uses a broadcast technology to accomplish a point-to-point application: it
radiates deliberately. In the absence of compensating controls, it might leak a great deal more.

Applications
The applications of Bluetooth are as diverse as the cables available to be replaced. While
Bluetooth can be used to replace a general purpose signaling cable, like USB or IEEE 1394,
most applications are more specialized than that.

Many of the applications are within the discretion of the end-users; the enterprise will not be
able to totally resist their use and may not even be aware of them. On the other hand they may
involve the use of enterprise data. An end-user may obtain a new Bluetooth enabled PDA and
synch it to his PC via Bluetooth in a manner so similar to the way he did it over a cable that he
does not recognize any difference.

A small number of Bluetooth applications are novel applications that were not, perhaps could
not have been, done over wire. A few of these applications are very popular and account for
much of the Bluetooth volume. One such example is short-distance short-text messaging and
object (e.g., vCards) exchange between cell phones. The Nokia N-Gage uses this capability to
facilitate multi-player games. (Incidentally, the same games can be played at longer distances
using a GPRS connection, i.e., Bluetooth replaces short cables while GPRS replaces arbitrarily
long ones.) Another is the connection of standardized headsets to Bluetooth enabled cell
phones. A review of the news in the cellular market suggests that Bluetooth is such a popular
feature in cell phones that it will become standard.

The application of Bluetooth that IT management and security management seem to identify
with Bluetooth (and that seems to concern them) is its use to connect peripherals to personal
computers. Bluetooth can be used to connect a wide variety of devices including peers (e.g.,
other PCs), clients (e.g., a PDA), and servers (e.g., storage, printers, modems, scanners, routers,
switches and other network interfaces and network services). However, these are not arbitrary
connections; each connection is specific both to a device type and an instance of that device.
While vendors may try to make the process transparent, one must install software (e.g., a device
driver and controls), specific to the device type (e.g., a specific printer type), and then create
a bind to a specific instance of that device. If the connection is configured for a printer, one
cannot use it for a modem. If it is bound to a particular printer, one cannot use it for a different
instance of that printer type.



Security Features, Functions, and Properties
As suggested above, this broadcast technology has to have some compensating security
mechanisms to make it behave like the point-to-point cables that it emulates.

Spread-Spectrum Radio
Bluetooth uses frequency hopping to resist interference and denial of service attacks. Spread
spectrum involves moving the traffic across multiple frequencies in a manner that cannot be
easily anticipated by an adversary. This both hides the traffic and makes it more difficult to
jam.

Authentication
The two ends of a cable connection are permanently and physically bound to one another.

Bluetooth devices logically, exclusively, but serially, bind to one another. They do this by
first discovering one another. After recognizing the presence of one another they attempt to
pair. Each announces itself to the other to ensure that they are binding to the device that they
both intend. Pairing can be authenticated by the use of an integer called the pairing code,
analogous to a PIN.[4]

The pairing code for peer-to-peer connections, like the connection of two cell phones for object
exchange, is normally agreed upon out of band and at the time of use. It is then entered on both
devices. For master-slave connections to devices with no keyboards, for example, a wireless
headset, the device has a preset pairing code and is labeled with it.[5] For instance, in order to
bind a headset to a particular telephone, one typically enters the code into the phone in response
to a prompt.

After the pairing codes have been entered, the devices then complete the bind by generating and
exchanging an encryption key in-band. The devices are now cryptographically, exclusively, and
persistently[6] bound to one another (unless and until a new bind is created). They will talk only
to one another over that connection.

Encryption
Streaming encryption is used to bind the two ends of the connection to one another and resist
the leakage of the message traffic content over the connection to other radio receivers in the
area.[7] While an attack receiver in the 2.4 GHz range will hear the traffic, it will not be able
(it will be computationally infeasible) to decode it. Unlike in Wi-Fi (IEEE 802.11), the
encryption in Bluetooth is used by default.

Limited Functionality
Many, but not all, of the implementations of Bluetooth are specific to their intended application,
otherwise limited in function, bound early, and resistant to late, i.e., user, change. Examples
include cell phones, headsets, and modems. One cannot make the kind of arbitrary changes to
the hardware or software of these devices that one can make to personal computers. This kind
of early binding resists outside interference with or contamination of Bluetooth or its application.
Said another way, it resists malicious code.

[4] The devices can perform the binding without a pairing code as well; when this is done, security relies on physical controls to
ensure the authenticity of the bind, i.e., pair in a private environment and test to ensure that the bind was to the intended device.
[5] While the pairing code can be up to 16 digits, in practice it is usually only 4.
[6] The bind may survive the devices being powered off or moved out of range.
[7] There is no integrity check or replay defense.

Application Security
Applications of Bluetooth may have controls built in and available to the user that can be used
to limit risk. For example, an object exchange application may require cooperation between
the users of the connected devices before an exchange can take place. The user of one device
must make a request or an offer and the user of the other must answer or accept. User A offers a
phone number or virtual business card and User B must accept it.

Vulnerabilities
As with any technology, one can classify the vulnerabilities of Bluetooth as fundamental
or implementation-induced. Fundamental vulnerabilities are those that are inherent to the
technology. They can be compensated for but they are present in all implementations.
Implementation-induced vulnerabilities are those that result from design choices or from errors
in implementing a specific product. Implementation induced vulnerabilities are limited to a
specific application or product.

We will discuss and illustrate some vulnerabilities of Bluetooth and devices implementing it.
The reader is cautioned that we can discuss only vulnerabilities that we know about. We do not
pretend to know about all or even most of such vulnerabilities.

Fundamental Vulnerabilities
Bluetooth is a radio broadcast technology. While it uses encryption to hide the content of its
message traffic, all broadcast technologies leak some information. They are all vulnerable to
traffic analysis. While there is not likely to be much sensitive information in the analysis of
traffic for a single connection, there may be more in the analysis of traffic across a large number
of connections.

While Bluetooth devices are intended to work across a limited range, that does not mean that
they can only be received across that short range. Very sensitive receivers can receive the signal
at greater distances than the operational distances. While Bluetooth benefits from the falling
cost of RF technology, so do these sensitive receivers.

Bluetooth is vulnerable to a denial of service attack. Bluetooth relies upon radio signaling
in the 2.4 GHz frequency range. Wireless phones, baby monitors, microwave ovens, Wi-Fi
(IEEE 802.11)[8] and other noisy appliances and applications operate in this space. Bluetooth
is vulnerable to radio interference in that range; a noisy signal of sufficient amplitude in this
frequency range might interfere with correct operation.

[8] Bluetooth 1.1 implements 802.15.2 to allow it to work in the presence of 802.11.


In order to support ad hoc connections, Bluetooth devices not only broadcast their traffic, but
they also broadcast their presence and their identity. A Bluetooth device that is enabled but
not in use, constantly attempts to identify and be identified by other Bluetooth devices. It
broadcasts its name and other identifying information, e.g., International Mobile Equipment
Identity (IMEI). It does this continuously until it is recognized by a similar device. Obviously
this leaks some information, i.e., a phone with this name (and number) is within range. This
vulnerability, while fundamental, is limited in range and information content.

Part of the information passed is a user-defined name. This name is long enough (248
characters) to contain a message that could be used to pass a rude or fraudulent message to
users of similar Bluetooth devices within the (10 meter) range. Such attacks rely in part for
their success upon a large target population. There are speculations, not to say reports, that
this capability is being used in crowded places like cafes, clubs, and train cars to send rude and
anonymous messages to nearby phones. Of course, in order for such spoofs to be a problem,
rather than simply an annoyance, the population of Bluetooth-enabled phones must be fairly
dense, as for example in a café, (airline) club, plane, or train.[9]

Implementation Induced
Bluetooth implementations rarely achieve the security that is implicit in the standard or the
protocol. This is in part because the standard is difficult to implement.

For example, the standard requires that the implementation include random inputs to key
generation routines and random initialization vectors for encryption engines. If these values
are not chosen randomly and from the entire available space, then the implementation may be
significantly less secure than the defined size of the space might suggest. Said another way,
if Malice can predict that Alice and Bob will choose their keys from a narrow range or subset
of the total space, then her cost and time for a successful attack against that key may be less
than the value of discovering that key. The standard leaves it to the implementer to solve the
problem of getting these random inputs. There are many ways to do this; most of them do not
work very well. Of course, this vulnerability is not limited to Bluetooth; the history of modern
cryptography is littered with such failures. Solutions all consume power and take space.

While the standard provides for the pairing code to be 16 digits in length, many applications
use only 4. This is a trade-off between reliability and ease of use. In a circle of radius 10
meters populated with cell phones, this will usually work fairly well. However, a hostile PC
in a populated area like an office, a Starbucks, or an airline club might be able to complete an
exhaustive attack against such a small space. The size of the space is compensated for in part
by the fact that the code is intended to be passed out of band, entered from a keyboard, and in
response to a prompt.

Some devices, such as headsets and modems that have no keyboard, have fixed pre-defined
pairing codes. Many of these are pre-set to easy-to-remember values like 0000 or 1111. That
these codes might be easily guessed is compensated for in part by the fact that they must be
entered on the client device, in part by low power and short range, and by the fact that the
master device allows only one slave for this application.

[9] The security protocol only implements data encryption and does not supply a datagram integrity check or a replay protection
mechanism. The absence of these security provisions has resulted in exploitable vulnerabilities in other security protocols.
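The preceding paragraphs argue that a key or pairing code drawn from a narrow subset of its nominal space (a poorly seeded key generator, a 4-digit rather than 16-digit code, factory defaults like 0000) costs an adversary far less to guess than the nominal size suggests. The following Python, added here and not part of the TruSecure paper, puts numbers on that argument by computing expected guesses and effective bits for a uniform space versus a skewed one; the default-code population model and its parameters are constructed assumptions, not measured data.

```python
"""Effective strength of a key or pairing code drawn from a skewed space.

Added example (not from the TruSecure paper). It quantifies the paper's point
that if an adversary can predict that keys or pairing codes come from a narrow
subset of the nominal space, the expected cost of guessing them is far below
what the nominal size suggests. All distributions here are constructed for
illustration; the default-code model is an assumption, not measured data.
"""
from fractions import Fraction
from math import log2


def nominal_bits(space_size: int) -> float:
    """Bits of security if every value in the space were equally likely."""
    return log2(space_size)


def uniform_expected_guesses(space_size: int) -> Fraction:
    """An optimal guesser against a uniform space of N values needs
    (N + 1) / 2 guesses on average."""
    return Fraction(space_size + 1, 2)


def expected_guesses(dist: dict) -> Fraction:
    """Guesswork: expected number of guesses when the adversary tries values
    in decreasing order of probability.  `dist` maps each value to its
    probability (as Fraction) and the probabilities must sum to 1."""
    probs = sorted(dist.values(), reverse=True)
    return sum((p * (rank + 1) for rank, p in enumerate(probs)), Fraction(0))


def effective_bits(dist: dict) -> float:
    """Security in bits implied by guesswork, scaled so that a uniform space
    of N values yields exactly log2(N): log2(2 * E[guesses] - 1)."""
    return log2(2 * expected_guesses(dist) - 1)


def skewed_pin_distribution(digits: int, favorites: list, favorite_mass) -> dict:
    """Constructed model of a device population: a fraction `favorite_mass`
    (anything Fraction() accepts, e.g. "1/2") of devices use one of the
    `favorites` (e.g. factory defaults such as 0000 or 1111); the remainder
    are uniform over all other codes of that length."""
    favorite_mass = Fraction(favorite_mass)
    space = 10 ** digits
    fav_each = favorite_mass / len(favorites)
    rest_each = (1 - favorite_mass) / (space - len(favorites))
    dist = {f"{code:0{digits}d}": rest_each for code in range(space)}
    for code in favorites:
        dist[code] = fav_each
    return dist


if __name__ == "__main__":
    print(f"16-digit pairing code, uniform: {nominal_bits(10**16):.1f} bits")
    print(f" 4-digit pairing code, uniform: {nominal_bits(10**4):.1f} bits, "
          f"{uniform_expected_guesses(10**4)} expected guesses")
    # Constructed scenario: half of all devices ship with 0000 or 1111.
    skewed = skewed_pin_distribution(4, ["0000", "1111"], "1/2")
    print(f" 4-digit, half of devices on 0000/1111: {effective_bits(skewed):.1f} bits, "
          f"{expected_guesses(skewed)} expected guesses")
```

The uniform 4-digit space costs 5000.5 expected guesses; with half the population on two default codes the figure halves to 2501.5, a loss of one full bit before any device-specific knowledge is used.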

Programmers seem prone to include gratuitous generality and flexibility in their applications.
Such generality and flexibility is often exploited in ways that the programmer did not anticipate.
It is just such generality and flexibility in the implementation of the object exchange application
that introduced the vulnerability exploited in the attack referenced in the introduction.

Use and users may also introduce vulnerabilities. There is no technology or implementation of
it that cannot be misconfigured or misused. Most Bluetooth applications and devices include
user controls that must be properly operated to maintain security.

Threats
At the present time, while there are known vulnerabilities to some applications, the cost of
exploiting these vulnerabilities is higher than the value of success. While there is considerable
speculation and conjecture, there is no measurable or identified threat to Bluetooth in general
or even to specific applications. This is in part because the density of use is still too sparse to
encourage attacks against targets of opportunity. Said another way, Bluetooth use is not yet a
target rich environment. It is in part because, even where the applications are sensitive, there
are easier attacks against targets of choice.

Conclusions
Applications of Bluetooth are still sparse. Most such applications are personal rather than
enterprise. To the extent that its range and bandwidth are limited, the density of its population
sparse, and its applications limited, Bluetooth is less vulnerable than other wireless technologies
such as cellular, Wi-Fi, GPRS, or CDPD. While the applications may be sensitive, they are no
more sensitive than applications of these other technologies.

We expect the implementation-induced vulnerabilities to be more significant and easier to exploit
than any fundamental vulnerabilities that may emerge. On the other hand, these will be limited
to specific applications or products rather than applicable to all of Bluetooth.

Similarly, we expect application specific mitigation to be more efficient than those that are
applicable to Bluetooth in general. The most efficient mitigation may be point solutions that are
not yet identified or available, or simply compensating controls like safe defaults or limitations
on applications or environments.

Professionals are cautioned to consider rates of occurrence as well as the potential consequences
of a successful attack, threat as well as vulnerability and sensitivity of application.

The fix for any fundamental vulnerabilities that emerge is not likely to be within the hands of
the enterprise manager.



Recommendations
While there are some vulnerable applications, currently the vulnerabilities are more related to
wireless and the applications than to Bluetooth per se. The limited range and the compensating
security features of Bluetooth are such that the risk to data is only slightly higher than the same
application done over wire and lower than for other wireless technologies. While the technology
is young and may contain fundamental vulnerabilities that are not yet apparent, it is difficult to
recommend efficient remedies for unidentified vulnerabilities.

Short of not using it at all, there are no measures available now to enterprise management that
are effective across or applicable to all uses of Bluetooth communication. The risk that might
arise from its use does not justify prohibiting it. Enterprise management should focus on users,
uses, data, devices, connections, and the environment rather than on this technology.

Efficient security measures are those that are broadly applicable and complementary but less
than one hundred percent effective. For example, even if a firewall protects data stored on
a personal computer, it does not protect the data at all if it is moved to a PDA or cell-phone.
Because the Bluetooth use to date is so sparse, the most efficient measures are specific to the
application and are in the hands of users rather than enterprise management. Management
should not focus on the technology but should:

Focus on the User


Management should publish policy and other guidance to ensure that users know what
management relies upon them to do, that management supervises and measures to ensure
that they do it, that variances are noted, and that necessary corrective action is taken. Prefer
restrictive (by default, that which is not explicitly authorized is implicitly forbidden) to
permissive policies. Do not rely upon end users to do things that cannot be (or are not being)
observed or measured. Keep in mind that most early applications of Bluetooth will be personal,
the decision to use in the hands of the end-user, and may not be visible to management.

Users must not respond to unexpected invitations to pair. [This is the Bluetooth equivalent of
"Do not open unexpected attachments."]

Focus on the Data


Management should identify and focus on that data (e.g., proprietary, customer, patient, and
other personal data) that is sensitive to disclosure. It is inefficient to treat all data in the manner
that is appropriate for the most sensitive. Sensitive data should be labeled with the name of the
set of procedures that management wants used to protect it. Management may wish to restrict
the use of novel technology for sensitive data while permitting its use for everything else.

Focus on the Application


The applications of Bluetooth are both diverse and different. The most effective and efficient
controls will be those that are specific to the application. (Note that broad prohibitions are
unlikely to be effective and expensive permission granting processes are unlikely to be
efficient.) It is unlikely that controls related to the transport layer are going to be equally
effective, much less efficient, for or across all applications.



For example, the applications of Bluetooth in a cell phone might include wireless headset and
object exchange with similar devices. The controls for these two applications will be very
different from one another. For wireless headset, the risk is leaked conversation and the control
is to be careful what you say and where you say. For object exchange the risk is duping of the
user or contamination of the device and the controls are safe defaults and configuration and
establishing the identity and trustworthiness of the parties with whom you choose to exchange.
However, in neither case does it have anything to do with Bluetooth, per se. Furthermore, we
are already experienced in assessing and controlling the risk in applications.

The applications of Bluetooth between a personal computer and a PDA might include file
synchronization, file transfer, and connection from the PDA to the enterprise network for file
access and e-mail. The efficient controls for these applications are different from each other
but much the same for each application whether the connection is wired, Bluetooth, or other
wireless.

Special consideration should be given to business transaction applications. The applicable
controls may include strong authentication, application layer encryption, application controls,
and the involvement of multiple parties.

Focus on the Device


Bluetooth sensitivity and security are easier to understand in the context of the application and
the device. Things that are difficult to deal with in the abstract become easier in the concrete.
Careful, conscious configuration and use of the device in accordance with the vendor's
instructions can avoid and eliminate many of the limitations and risks.

This is particularly important for personal computers. By default, Bluetooth adapters should be
disabled, behind a software firewall, and not attached to the network bridge. On cell phones,
Bluetooth should be disabled by default.

Focus on the Connection


The use of Bluetooth is a small portion of the total use of wireless and even a smaller part of the
risk. Management will wish to permit the use of Bluetooth for data and applications where it
permits the use of other wireless technologies, particularly those with longer range and higher
bandwidth than Bluetooth.

That said, the ability of end users to easily and cheaply introduce wireless links into connections
in ways that are invisible to management makes it difficult and risky for management to rely
upon the transport layer for the security of sensitive applications. Prefer end-to-end application-
layer encryption for sensitive data and applications.

Focus on the Environment


Controlling the physical perimeter protects against a wide variety of risks. Keeping hostile
parties and devices at least 10 meters away from Bluetooth devices raises the cost of any attack.
