Bluetooth Security
March 6, 2004
Co-Authored by:
William Hugh Murray, CISSP,
Executive Consultant, TruSecure Corporation
"Nothing useful can be said about the security of a mechanism except in the context of a specific
application and a specific environment."
Robert H. Courtney
Executive Summary
Bluetooth is one of several new wireless technologies that are changing the enterprise
environment. Because it is very low power, shorter in range, lower in bandwidth, used for less
sensitive applications, and more sparsely deployed than the other wireless technologies, it is
inherently lower risk. There are relatively few enterprise applications. It is too early to say that
its use will not make an enterprise a target of opportunity; however, it has not done so yet. For
targets of choice, the cost of attack appears to be higher than both the cost of alternative attacks
and the value of success.
However, end users often apply it in novel ways that enterprise management is not aware of
and cannot readily control. While the design seems to compensate well for the fundamental
vulnerabilities, some of its applications have suffered from implementation-induced
vulnerabilities. While the technology has been tarnished by reports of proof-of-concept
code for attacks against these applications, most of these attacks would have been successful
whatever the communication technology had been.[1]
At present, the risks of the use of this technology are not sufficient to justify a recommendation
not to use it or even to focus security measures on it. Management should focus security
measures on the user, the data, the application, the using devices, the connection, and the
environment rather than on Bluetooth per se. As always, management will wish to discourage
the use of novel technology with sensitive data and encourage the use of restrictive policies
and safe defaults. Prefer Bluetooth to other wireless technologies for applications for which its
range, power, and bandwidth are adequate. Mitigate the sparse threat by disabling Bluetooth
when not in use and turning it on only in safe environments.
Background
Bluetooth is one of the hot and hyped technologies of the day. Because it is a radio broadcast
technology, its applications have security implications. Bluetooth devices can leak sensitive
information. As a consequence, it should not surprise anyone that security professionals are
watching it very carefully.
What should security professionals do about this emerging technology and how concerned
should they be? This paper is one of several intended to help enterprise management use their
limited security resources in the most efficient manner. It will describe the technology and its
[1] One of these attacks exploits application functionality in an implementation of data object exchange between cell phones, or
between cell phones and PDAs; that the devices use Bluetooth to communicate is merely coincidental. The other uses a long name field,
intended for one device to announce itself to another, to carry a message that dupes users into communicating with strangers.
Some have probably read news articles about attacks against Bluetooth enabled devices.
For example, you may have read: "It is possible, on some makes of device, to connect to
the device without alerting the owner of the target device of the request, and gain access to
restricted portions of the stored data therein, including the entire phonebook (and any images
or other data associated with the entries), calendar, real-time clock, business card, properties,
change log, IMEI (International Mobile Equipment Identity, which uniquely identifies the
phone to the mobile network, and is used in illegal phone cloning)."
Source: http://www.bluestumbler.org/
While this statement is true as far as it goes, it is artfully crafted and must be carefully
parsed. While the proof-of-concept code works against some Bluetooth enabled devices,
it does not work against all. It may access sensitive storage, but if it can do so without
authentication then, by definition, that storage is not restricted. It does not exploit or rely upon
Bluetooth features or properties but only on communication; the same attack works just as well
against similar devices that communicate via infrared (IrDA). To the extent that Bluetooth has a
wider range, ten meters as opposed to three, and is a little more robust, Bluetooth may aggravate
the vulnerability.
Description
Bluetooth, standardized as IEEE 802.15.1, is intended to be a wireless replacement for short
signaling cables. It carries digital data and also voice, which is digitized and carried on
synchronous (SCO) channels. Any short signaling wire or cable is a potential Bluetooth
application. Examples include printer cables, modem cables, mouse cables, headset cables, PDA
synchronization cables, PC-to-PC connections, and many more.
Bluetooth uses low-power digital signaling over frequency-hopping spread-spectrum radio in
the 2.4 GHz band to replace the cable. Bluetooth devices have relatively limited range[2] and
bandwidth: the 1.x radio signals at 1 Mbit/s gross, about 723 kbit/s of usable asymmetric data,
enough for monaural voice and for compressed stereo audio but far below Wi-Fi. Bluetooth radio
chips currently sell for about $5, and that price can be expected to fall.
Like the cables that it replaces, Bluetooth is intended to connect two devices to one another;
think serial or parallel cable applications, as opposed to Ethernet. These devices may be
connected peer-to-peer (e.g., two PCs, PDAs, or cell phones), master-slave (e.g., PC to a printer
or modem, or telephone to headset), or even host-guest. While it is possible to conceive of the
use of Bluetooth for networking, that is not its typical use.[3] However, a given device, such as a
PC, may support multiple Bluetooth connections, just as it supports multiple cable connections.
It may even connect two of them together in some limited way. For example, Bluetooth can
[2] Class 3 devices at 1 mW (0 dBm) have a range of about 1 m, Class 2 at 2.5 mW (4 dBm) about 10 m, and Class 1 at 100 mW
(20 dBm) about 100 m. Most handheld devices are Class 2, but many PC cards are Class 1 so that they can work with 100 mW access
points at full range.
[3] Bluetooth 1.0b provides a LAN Access profile that carries PPP over a serial (RFCOMM) link, and the later Personal Area
Networking profile carries Ethernet frames over Bluetooth. However, these are still point-to-point connections.
Like the cables that it replaces, Bluetooth may leak information. Cables broadcast a little
information as a side effect of their fundamental function. However, this radiation is
unintended. Bluetooth uses a broadcast technology to accomplish a point-to-point application: it
radiates deliberately. In the absence of compensating controls, it might leak a great deal more.
Applications
The applications of Bluetooth are as diverse as the cables available to be replaced. While
Bluetooth can be used to replace a general purpose signaling cable, like USB or IEEE 1394,
most applications are more specialized than that.
Many of the applications are within the discretion of the end users; the enterprise will not be
able to totally resist their use and may not even be aware of them. On the other hand, they may
involve the use of enterprise data. An end user may obtain a new Bluetooth enabled PDA and
sync it to his PC via Bluetooth in a manner so similar to the way he did it over a cable that he
does not recognize any difference.
A small number of Bluetooth applications are novel applications that were not, perhaps could
not have been, done over wire. A few of these applications are very popular and account for
much of the Bluetooth volume. One such example is short-distance short-text messaging and
object (e.g., vCard) exchange between cell phones. The Nokia N-Gage uses this capability to
facilitate multi-player games. (Incidentally, the same games can be played at longer distances
using a GPRS connection, i.e., Bluetooth replaces short cables while GPRS replaces arbitrarily
long ones.) Another is the connection of standardized headsets to Bluetooth enabled cell
phones. A review of the news in the cellular market suggests that Bluetooth is such a popular
feature in cell phones that it will become standard.
The application of Bluetooth that IT management and security management seem to identify
with Bluetooth (and that seems to concern them) is its use to connect peripherals to personal
computers. Bluetooth can be used to connect a wide variety of devices including peers (e.g.,
other PCs), clients (e.g., a PDA), and servers (e.g., storage, printers, modems, scanners, routers,
switches and other network interfaces and network services). However, these are not arbitrary
connections; each connection is specific both to a device type and an instance of that device.
While vendors may try to make the process transparent, one must install software (e.g., a device
driver and controls), specific to the device type (e.g., a specific printer type), and then create
a bind to a specific instance of that device. If the connection is configured for a printer, one
cannot use it for a modem. If it is bound to a particular printer, one cannot use it for a different
instance of that printer type.
Spread-Spectrum Radio
Bluetooth uses frequency hopping to resist interference and denial of service attacks. The radio
hops among 79 channels of 1 MHz in the 2.4 GHz band, 1,600 times per second, in a sequence
that a device not party to the connection cannot easily anticipate. This both hides the traffic
and makes it more difficult to jam. The hop sequence is derived from the master device's
address and clock, however, and both are sent in clear while the connection is set up, so an
adversary who captures them can follow the hops. Hopping is an availability measure, not a
substitute for encryption.
Authentication
The two ends of a cable connection are permanently and physically bound to one another.
Bluetooth devices logically, exclusively, but serially, bind to one another. They do this by
first discovering one another. After recognizing the presence of one another they attempt to
pair. Each announces itself to the other to ensure that they are binding to the device that they
both intend. Pairing can be authenticated by the use of a shared secret called the pairing code,
analogous to a PIN: up to 16 octets, in practice a short string of decimal digits.[4]
The pairing code for peer-to-peer connections, like the connection of two cell phones for object
exchange, is normally agreed upon out of band and at the time of use. It is then entered on both
devices. For master-slave connections to devices with no keyboard, for example a wireless
headset, the device has a preset pairing code and is labeled with it.[5] For instance, in order to
bind a headset to a particular telephone, one typically enters the code into the phone in response
to a prompt.
After the pairing codes have been entered, the devices complete the bind by deriving a shared
link key. Each side's random contribution is exchanged in-band, masked with a key derived from
the pairing code, so the link key itself is never transmitted; the encryption keys for each later
session are derived from it. The devices are now cryptographically, exclusively, and
persistently[6] bound to one another (unless and until a new bind is created). They will talk only
to one another over that connection.
Encryption
A stream cipher (E0 in the 1.x specifications) is used to bind the two ends of the connection to
one another and to resist the leakage of the message traffic content to other radio receivers in the
area.[7] While an attack receiver tuned to the 2.4 GHz band will hear the traffic, it will not be able
(it will be computationally infeasible) to decode it, provided the negotiated key length is adequate:
the specification allows the two devices to settle on anything from 8 to 128 bits, so a peer that
negotiates the minimum weakens the link. Unlike Wi-Fi (IEEE 802.11), where encryption had to
be turned on, Bluetooth implementations typically enable link encryption once devices are paired;
the specification nevertheless makes it optional (its security mode 1 applies no security at all), so
its use should be verified per device rather than assumed.
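The two gaps recorded in the footnote to this section, no integrity check and no replay defense, are the ones a practitioner should understand concretely. The following is an added example written for this edit, not code from the paper or from any Bluetooth stack. It shows why the gaps matter: with any stream cipher, an attacker who can guess part of the plaintext can flip it to a chosen value without knowing the key, and a recorded frame can simply be fed back later. The keystream generator is an HMAC-SHA256 counter construction standing in for E0 (it is not E0; only the XOR structure that every stream cipher shares is needed). The message, keys and frame layout are constructed for the demonstration. The second half adds what the link layer lacks, a MAC checked before decryption and a sequence number, and shows both attacks failing.

```python
import hashlib
import hmac
import os

SEQ_LEN = 8    # sequence number / nonce size in the protected frame (chosen here)
TAG_LEN = 16   # truncated HMAC-SHA256 tag (chosen here)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for E0, not E0 itself."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same XOR) with the plain stream cipher."""
    return xor(data, keystream(key, nonce, len(data)))


def flip_field(ciphertext: bytes, offset: int, believed: bytes, desired: bytes) -> bytes:
    """Attacker step, no key needed: make the plaintext at `offset` decrypt to `desired`.

    C = P xor K, so C xor (P xor P') = P' xor K.  Only a guess of P is required.
    """
    delta = xor(believed, desired)
    end = offset + len(delta)
    return ciphertext[:offset] + xor(ciphertext[offset:end], delta) + ciphertext[end:]


def demo_malleability() -> bytes:
    """Encrypt a constructed message, tamper with it blind, return what the receiver decrypts."""
    key, nonce = os.urandom(16), os.urandom(8)
    msg = b"TRANSFER 0100 EUR TO ACCT 42"                # constructed plaintext
    ct = stream_crypt(key, nonce, msg)
    tampered = flip_field(ct, 9, b"0100", b"9900")       # attacker guesses the amount field
    return stream_crypt(key, nonce, tampered)            # receiver reads 9900, not 0100


def protect(k_enc: bytes, k_mac: bytes, seq: int, msg: bytes) -> bytes:
    """What the link layer lacks: encrypt-then-MAC plus a sequence number.  Frame = seq || ct || tag."""
    seq_bytes = seq.to_bytes(SEQ_LEN, "big")
    ct = stream_crypt(k_enc, seq_bytes, msg)             # the sequence number doubles as the nonce
    tag = hmac.new(k_mac, seq_bytes + ct, hashlib.sha256).digest()[:TAG_LEN]
    return seq_bytes + ct + tag


class Receiver:
    """Checks the tag before decrypting and refuses any sequence number already seen."""

    def __init__(self, k_enc: bytes, k_mac: bytes):
        self.k_enc, self.k_mac = k_enc, k_mac
        self.last_seq = -1

    def unprotect(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        seq_bytes, ct, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.k_mac, seq_bytes + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")    # the bit-flip above lands here
        seq = int.from_bytes(seq_bytes, "big")
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order frame")
        self.last_seq = seq
        return stream_crypt(self.k_enc, seq_bytes, ct)


def demo_protected() -> dict:
    """Run the protected channel through a tamper attempt and a replay; report what happened."""
    k_enc, k_mac = os.urandom(16), os.urandom(16)
    rx = Receiver(k_enc, k_mac)
    msg = b"TRANSFER 0100 EUR TO ACCT 42"
    frame = protect(k_enc, k_mac, 1, msg)
    results = {"accepted": rx.unprotect(frame) == msg}
    ct = frame[SEQ_LEN:-TAG_LEN]
    tampered = frame[:SEQ_LEN] + flip_field(ct, 9, b"0100", b"9900") + frame[-TAG_LEN:]
    for name, attempt in (("tamper_rejected", tampered), ("replay_rejected", frame)):
        try:
            rx.unprotect(attempt)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo_malleability())
    print(demo_protected())
```

The fix is the generic one the footnote implies: integrity must be a separate check that fails closed before anything is decrypted, and replay protection needs state on the receiver (a monotonic counter or a window). Neither can be retrofitted into the radio by an enterprise, which is one reason the conclusions of this paper favor end-to-end, application-layer protection for sensitive data.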
Limited Functionality
Many, but not all, of the implementations of Bluetooth are specific to their intended application,
[4] The devices can perform the binding without a pairing code as well; when this is done, security relies on physical controls to
ensure the authenticity of the bind, i.e., pair in a private environment and test to ensure that the bind was to the intended device.
[5] While the pairing code can be up to 16 digits, in practice it is usually only 4.
[6] The bind may survive the devices being powered off or moved out of range.
[7] There is no integrity check or replay defense.
Application Security
Applications of Bluetooth may have controls built in and available to the user that can be used
to limit risk. For example, an object exchange application may require cooperation between
the users of the connected devices before an exchange can take place. The user of one device
must make a request or an offer and the user of the other must answer or accept. User A offers a
phone number or virtual business card and User B must accept it.
Vulnerabilities
As with any technology, one can classify the vulnerabilities of Bluetooth as fundamental
or implementation-induced. Fundamental vulnerabilities are those that are inherent to the
technology. They can be compensated for but they are present in all implementations.
Implementation-induced vulnerabilities are those that result from design choices or from errors
in implementing a specific product. Implementation-induced vulnerabilities are limited to a
specific application or product.
We will discuss and illustrate some vulnerabilities of Bluetooth and devices implementing it.
The reader is cautioned that we can discuss only vulnerabilities that we know about. We do not
pretend to know about all or even most of such vulnerabilities.
Fundamental Vulnerabilities
Bluetooth is a radio broadcast technology. While it uses encryption to hide the content of its
message traffic, all broadcast technologies leak some information. They are all vulnerable to
traffic analysis. While there is not likely to be much sensitive information in the analysis of
traffic for a single connection, there may be more in the analysis of traffic across a large number
of connections.
While Bluetooth devices are intended to work across a limited range, that does not mean that
they can only be received across that short range. Very sensitive receivers can receive the signal
at greater distances than the operational distances. While Bluetooth benefits from the falling
cost of RF technology, so do these sensitive receivers.
Bluetooth is vulnerable to denial of service. It relies upon radio signaling in the 2.4 GHz
band, which it shares with cordless phones, baby monitors, microwave ovens, Wi-Fi
(IEEE 802.11)[8] and other noisy appliances and applications. Frequency hopping tolerates
narrow-band interference, but a signal of sufficient amplitude across enough of that band can
interfere with correct operation.
[8] Bluetooth 1.2 adds adaptive frequency hopping, following the IEEE 802.15.2 coexistence recommended practice, so that it avoids
channels in use by 802.11.
Part of the information passed is a user-defined device name. This field is long enough (248
octets) to carry a rude or fraudulent message to users of similar Bluetooth devices within the
(10 meter) range. Such attacks rely in part for their success upon a large target population.
There are speculations, not to say reports, that this capability is being used in crowded places
like cafés, clubs, and train cars to send rude, anonymous messages to nearby phones. Of course,
for such spoofs to be a problem rather than simply an annoyance, the population of Bluetooth
enabled phones must be fairly dense, as for example in a café, (airline) club, plane or train.[9]
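A device name is data supplied by a stranger, and in the attack just described it is displayed to the user as though it were a label. The following is an added example, not code from the paper or from any phone's firmware, of the handling a pairing or object-exchange prompt should apply before showing that name: decode the 248-octet field as the specification defines it, replace control and format characters (line breaks, and the bidirectional override characters that can reverse displayed text), truncate to a display limit, flag names that read like messages, and always show the device address beside the name, since the address, not the name, is what the bind will be made to. The display limit, the heuristic and the sample names are choices and constructions made here.

```python
import unicodedata

MAX_NAME_OCTETS = 248   # size of the user-friendly name field in the specification
DISPLAY_LIMIT = 32      # chosen here: room for "Nokia 6600", not for a sales pitch


def decode_remote_name(raw: bytes) -> str:
    """Decode the name field: at most 248 octets of UTF-8, NUL-terminated if shorter."""
    raw = raw[:MAX_NAME_OCTETS].split(b"\x00", 1)[0]
    return raw.decode("utf-8", errors="replace")


def sanitize_name(name: str, limit: int = DISPLAY_LIMIT) -> str:
    """Replace non-printable characters, collapse whitespace, and truncate for display.

    Unicode categories beginning with C cover controls (Cc, including CR and LF),
    format characters (Cf, including U+202E RIGHT-TO-LEFT OVERRIDE), surrogates
    and unassigned code points; none of them belong in a device label.
    """
    printable = "".join(" " if unicodedata.category(ch).startswith("C") else ch for ch in name)
    collapsed = " ".join(printable.split())
    if len(collapsed) > limit:
        return collapsed[: limit - 3].rstrip() + "..."
    return collapsed


def looks_like_message(name: str) -> bool:
    """Heuristic chosen here: a label is one short line; a message is long or multi-line."""
    return "\n" in name or "\r" in name or len(name) > DISPLAY_LIMIT


def pairing_prompt(bd_addr: str, raw_name: bytes) -> str:
    """Text a UI should show: the sanitised name plus the address the name cannot stand in for."""
    name = decode_remote_name(raw_name)
    shown = sanitize_name(name) or "(no name)"
    warning = " [name looks like a message]" if looks_like_message(name) else ""
    return f"Pair with '{shown}' ({bd_addr})?{warning}"


if __name__ == "__main__":
    # Constructed samples: an ordinary handset, and a name field used as a message carrier.
    print(pairing_prompt("00:11:22:33:44:55", b"Nokia 6600\x00\xff\xff"))
    print(pairing_prompt("66:77:88:99:AA:BB",
                         b"Free drinks at the bar tonight!\nPress YES to claim your voucher"))
```

Showing the address lets the user compare it with the label on a headset or the screen of the other phone; the warning tells the user that the "name" is doing something names do not do. Neither step costs anything, and both are in the hands of the application developer rather than the standard.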
Implementation Induced
Bluetooth implementations rarely achieve the security that is implicit in the standard or the
protocol. This is in part because the standard is difficult to implement.
For example, the standard requires that the implementation include random inputs to key
generation routines and random initialization vectors for encryption engines. If these values
are not chosen randomly and from the entire available space, then the implementation may be
significantly less secure than the defined size of the space might suggest. Said another way,
if Malice can predict that Alice and Bob will choose their keys from a narrow range or subset
of the total space, then her cost and time for a successful attack against that key may be less
than the value of discovering that key. The standard leaves it to the implementer to solve the
problem of getting these random inputs. There are many ways to do this; most of them do not
work very well. Of course, this vulnerability is not limited to Bluetooth; the history of modern
cryptography is littered with such failures. Solutions all consume power and take space.
While the standard provides for the pairing code to be 16 digits in length, many applications
use only 4. This is a trade-off between security and ease of use. In a circle of radius 10
meters populated with cell phones, this will usually work fairly well. However, a hostile PC
in a populated area like an office, a Starbucks, or an airline club might be able to complete an
exhaustive attack against such a small space: four decimal digits are only 10,000 candidates,
and if the pairing exchange itself has been eavesdropped the search can be run offline against
the recorded challenge and response. The size of the space is compensated for in part by the
fact that the code is intended to be passed out of band, entered from a keyboard, and in
response to a prompt.
Some devices, such as headsets and modems that have no keyboard, have fixed pre-defined
pairing codes. Many of these are pre-set to easy to remember values like 0000 or 1111. That
[9] The security protocol only implements data encryption and does not supply a datagram integrity check or a replay protection
mechanism. The absence of these security provisions has resulted in exploitable vulnerabilities in other security protocols.
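The cost of the exhaustive attack discussed above can be made concrete. The following is an added example written for this edit; it is not code from the paper or from the Bluetooth specification. It models the 1.x pairing and authentication exchange described in the Authentication section: A sends IN_RAND in clear, both sides derive an initialization key Kinit from the pairing code, each side sends its random contribution masked with Kinit, both form the combination link key, and A then challenges B with AU_RAND and receives the 32-bit response SRES. An eavesdropper who recorded that exchange replays the derivation for every candidate pairing code until the SRES matches. The functions E22, E21 and E1, which the specification builds on the SAFER+ block cipher, are replaced here by labelled HMAC-SHA256 stand-ins, so the block demonstrates the size of the search rather than an attack on any real device; the addresses and codes are constructed.

```python
import hashlib
import hmac
import itertools
import os


def _f(label: bytes, *parts: bytes, n: int) -> bytes:
    """HMAC-SHA256 truncated to n bytes; the stand-in for the SAFER+-based E functions."""
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:n]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Stand-in for E22: initialization key Kinit from the pairing code, an address and IN_RAND."""
    return _f(b"E22", pin, bd_addr, in_rand, n=16)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in for E21: one unit's contribution to the combination (link) key."""
    return _f(b"E21", lk_rand, bd_addr, n=16)


def e1(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """Stand-in for E1: the 32-bit SRES answer to the AU_RAND challenge."""
    return _f(link_key, bd_addr, au_rand, n=4)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair_and_authenticate(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom):
    """A (initiator) pairs with B and then authenticates it.

    Returns (transcript, link_key).  The transcript is exactly what a receiver in radio
    range records; the link key itself never goes over the air.
    """
    in_rand = rng(16)                                   # A -> B, in clear
    kinit = e22(pin, addr_b, in_rand)                   # both sides, from the shared code
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    masked_a = xor(lk_rand_a, kinit)                    # A -> B
    masked_b = xor(lk_rand_b, kinit)                    # B -> A
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand = rng(16)                                   # A -> B: challenge
    sres = e1(link_key, addr_b, au_rand)                # B -> A: response
    transcript = {"in_rand": in_rand, "masked_a": masked_a, "masked_b": masked_b,
                  "au_rand": au_rand, "sres": sres}
    return transcript, link_key


def recover_pin(transcript: dict, addr_a: bytes, addr_b: bytes, digits: int):
    """Offline search over every code of `digits` decimal digits.

    Returns (pin, link_key, candidates_tried), or (None, None, 10**digits) if no code of
    that length produced the recorded SRES.  A false match costs about 2**-32 per
    candidate, negligible for 10**4 candidates.
    """
    tried = 0
    for combo in itertools.product("0123456789", repeat=digits):
        tried += 1
        pin = "".join(combo).encode()
        kinit = e22(pin, addr_b, transcript["in_rand"])
        lk_a = xor(transcript["masked_a"], kinit)       # unmask both contributions
        lk_b = xor(transcript["masked_b"], kinit)
        link_key = xor(e21(lk_a, addr_a), e21(lk_b, addr_b))
        if e1(link_key, addr_b, transcript["au_rand"]) == transcript["sres"]:
            return pin.decode(), link_key, tried
    return None, None, tried


def demo() -> bool:
    """Pair with a constructed 4-digit code, then recover it and the link key from the transcript alone."""
    addr_a = bytes.fromhex("001122334455")              # constructed BD_ADDRs
    addr_b = bytes.fromhex("66778899aabb")
    transcript, real_key = pair_and_authenticate(b"1234", addr_a, addr_b)
    pin, key, tried = recover_pin(transcript, addr_a, addr_b, digits=4)
    return pin == "1234" and key == real_key and tried <= 10 ** 4


if __name__ == "__main__":
    print("4-digit code and link key recovered from the eavesdropped pairing:", demo())
```

Ten thousand candidates take well under a second here and would not take much longer against the real functions; sixteen digits would put 10^16 candidates out of reach of this search, and a fixed default such as 0000 needs no search at all. Note what the attacker must have: the pairing exchange itself, which happens once per bind. That is why the advice to pair only in a safe environment, and to re-pair if a bind is suspect, carries weight.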
Programmers seem prone to include gratuitous generality and flexibility in their applications.
Such generality and flexibility is often exploited in ways that the programmer did not anticipate.
It is just such generality and flexibility in the implementation of the object exchange application
that introduced the vulnerability exploited in the attack referenced in the introduction.
Use and users may also introduce vulnerabilities. There is no technology or implementation of
it that cannot be misconfigured or misused. Most Bluetooth applications and devices include
user controls that must be properly operated to maintain security.
Threats
At the present time, while there are known vulnerabilities to some applications, the cost of
exploiting these vulnerabilities is higher than the value of success. While there is considerable
speculation and conjecture, there is no measurable or identified threat to Bluetooth in general
or even to specific applications. This is in part because the density of use is still too sparse to
encourage attacks against targets of opportunity. Said another way, Bluetooth use is not yet a
target rich environment. It is in part because, even where the applications are sensitive, there
are easier attacks against targets of choice.
Conclusions
Applications of Bluetooth are still sparse. Most such applications are personal rather than
enterprise. To the extent that its range and bandwidth are limited, the density of its population
sparse, and its applications limited, Bluetooth is less exposed than other wireless technologies
such as cellular, Wi-Fi, GPRS, or CDPD. While its applications may be sensitive, they are no
more sensitive than applications of these other technologies.
Similarly, we expect application-specific mitigations to be more efficient than those that are
applicable to Bluetooth in general. The most efficient mitigations may be point solutions that are
not yet identified or available, or simply compensating controls like safe defaults or limitations
on applications or environments.
Professionals are cautioned to consider rates of occurrence as well as the potential consequences
of a successful attack, threat as well as vulnerability and sensitivity of application.
The fix for any fundamental vulnerability that emerges is not likely to be in the hands of the
enterprise manager.
Short of not using it at all, there are no measures available now to enterprise management that
are effective across or applicable to all uses of Bluetooth communication. The risk that might
arise from its use does not justify prohibiting it. Enterprise management should focus on users,
uses, data, devices, connections, and the environment rather than on this technology.
Efficient security measures are those that are broadly applicable and complementary but less
than one hundred percent effective. For example, even if a firewall protects data stored on
a personal computer, it does not protect that data at all once it is moved to a PDA or cell phone.
Because the Bluetooth use to date is so sparse, the most efficient measures are specific to the
application and are in the hands of users rather than enterprise management. Management
should not focus on the technology but should:
Users must not respond to unexpected invitations to pair. (This is the Bluetooth equivalent of
"Do not open unexpected attachments.")
The applications of Bluetooth between a personal computer and a PDA might include file
synchronization, file transfer, and connection from the PDA to the enterprise network for file
access and e-mail. The efficient controls for these applications are different from each other
but much the same for each application whether the connection is wired, Bluetooth, or other
wireless.
This is particularly important for personal computers. By default, Bluetooth adapters should be
disabled, behind a software firewall, and not attached to the network bridge. On cell phones,
Bluetooth should be disabled by default.
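The defaults recommended above can be checked rather than assumed. On a Linux host, the BlueZ hciconfig tool reports each adapter's state; the following added example (not from the paper) parses that output, lists what departs from the recommended default, and names the hciconfig commands that correct it. The sample output is constructed in hciconfig's format; the flag names (UP, PSCAN for connectable, ISCAN for discoverable, AUTH and ENCRYPT for authentication and encryption required on incoming connections) are the ones hciconfig prints.

```python
import re

# Constructed in the format of `hciconfig -a`: one adapter, up, discoverable and connectable,
# with neither authentication nor encryption required.
SAMPLE_OUTPUT = (
    "hci0:\tType: USB\n"
    "\tBD Address: 00:11:22:33:44:55 ACL MTU: 192:8 SCO MTU: 64:8\n"
    "\tUP RUNNING PSCAN ISCAN\n"
    "\tRX bytes:1125 acl:0 sco:0 events:48 errors:0\n"
    "\tTX bytes:1140 acl:0 sco:0 commands:48 errors:0\n"
)

FLAG_WORDS = {"UP", "DOWN", "RUNNING", "PSCAN", "ISCAN", "INQUIRY", "AUTH", "ENCRYPT", "RAW"}


def parse_hciconfig(output: str) -> dict:
    """Return {adapter: set(flags)} from hciconfig output."""
    adapters, current = {}, None
    for line in output.splitlines():
        m = re.match(r"^(hci\d+):", line)
        if m:
            current = m.group(1)
            adapters[current] = set()
            continue
        if current is None:
            continue
        tokens = set(line.split())
        if tokens and tokens <= FLAG_WORDS:       # the flags line holds nothing but flag words
            adapters[current] |= tokens
    return adapters


def audit(flags: set) -> list:
    """Findings for one adapter.  An adapter that is down needs nothing further."""
    if "UP" not in flags:
        return []
    findings = ["adapter is up (recommended default: down until needed)"]
    if "ISCAN" in flags:
        findings.append("discoverable (inquiry scan on): any device in range can find it")
    if "PSCAN" in flags:
        findings.append("connectable (page scan on): any device that knows the address can connect")
    if "AUTH" not in flags:
        findings.append("authentication not required for incoming connections")
    if "ENCRYPT" not in flags:
        findings.append("encryption not required for incoming connections")
    return findings


def remediation(adapter: str, flags: set) -> list:
    """hciconfig commands that bring the adapter to the recommended state."""
    if "UP" not in flags:
        return []
    cmds = []
    if {"ISCAN", "PSCAN"} & flags:
        cmds.append(f"hciconfig {adapter} noscan")         # neither discoverable nor connectable
    if "AUTH" not in flags or "ENCRYPT" not in flags:
        cmds.append(f"hciconfig {adapter} auth encrypt")   # for when it is deliberately turned on
    cmds.append(f"hciconfig {adapter} down")               # the default this paper recommends
    return cmds


def audit_output(output: str) -> dict:
    """{adapter: {"findings": [...], "fix": [...]}} for every adapter in the text."""
    return {name: {"findings": audit(flags), "fix": remediation(name, flags)}
            for name, flags in parse_hciconfig(output).items()}


if __name__ == "__main__":
    for name, report in audit_output(SAMPLE_OUTPUT).items():
        print(name)
        for finding in report["findings"]:
            print("  -", finding)
        for cmd in report["fix"]:
            print("  $", cmd)
```

Run `hciconfig -a` and pass its text to audit_output. An adapter reported DOWN yields no findings, which is the resting state recommended above; the `auth encrypt` setting matters for the times it is deliberately brought up, since, as noted under Encryption, the standard leaves both optional.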
That said, the ability of end users to easily and cheaply introduce wireless links into connections
in ways that are invisible to management makes it difficult and risky for management to rely
upon the transport layer for the security of sensitive applications. Prefer end-to-end application-
layer encryption for sensitive data and applications.