Abstract
This paper summarizes one of the most promising new wireless communications
standards of the decade, called Bluetooth.
Bluetooth wireless technology encompasses several key points that facilitate its
widespread adoption:
The paper examines what Bluetooth is, what it is good for (and what it is not). The
specification and profiles – how the technology works and how it is used – are
reviewed. This paper also looks at a few security aspects that are designed to ensure
interoperability. Competing technologies are discussed, as well as specific issues such
as co-existence with wireless ethernet (IEEE 802.11b). In addition to the above,
Personal Area Networks are discussed in brief. And, finally, some early products and
prototypes are presented.
INDEX
ABSTRACT
INTRODUCTION TO BLUETOOTH
WHAT BLUETOOTH IS – AND IS NOT
FUNCTIONAL OVERVIEW
    PROTOCOL STACK
    PROFILE STRUCTURE
THE PERSONAL AREA NETWORK
COMPETING TECHNOLOGIES
    CABLE REPLACEMENT
    WIRELESS LAN
    BLUETOOTH AND WIRELESS ETHERNET
PRODUCTS AND PROTOTYPES
    PLUG-IN MODULES
    DIGITAL IMAGE MESSAGING
    BLUETOOTH INFOWEAR
    BLUETOOTH PEN
    XYLOC
    CONVERGENCE PRODUCTS
BLUETOOTH SECURITY
    VULNERABILITIES AND ATTACKS
    INFORMATION RETRIEVAL AND THEFT OF SERVICE
    TRACKING AND SURVEILLANCE
    DENIAL OF SERVICE ATTACKS
    DETECTING DEVICES
    REDUCING EXPOSURE
CHALLENGES/ISSUES AND BENEFITS
CONCLUSION
Introduction to Bluetooth
Companies implement mobile computers, scanners, printers and other peripherals to
help their workers be more mobile, productive and accurate. Unfortunately, many of
these deployments literally hit snags when cables that connect mobile computers to
peripherals become caught, tangled or broken. Cables and interface ports can become
a constraint for users, and for enterprise plans to upgrade and enhance the application
with new peripherals in the future.
Bluetooth is designed for use in mobile devices, where size, cost, and battery life are
key factors. It nominally operates with a 10-meter range, although higher-powered
versions are available yielding a range up to 100 meters. Since it is a radio link,
Bluetooth is not limited to line-of-sight and can pass through walls. It uses frequency
hopping to change its frequency 1600 times a second in a pseudo-random pattern,
making it hard to eavesdrop, and employs 128-bit encryption at the link layer for
added security. Bluetooth, in and of itself, offers no application-level functionality (e.g.
exchanging files or synchronizing information), but it does provide a network transport
through which applications can communicate. Because there is no intervening device
that moderates (or limits) communication between Bluetooth devices, any device that
comes within range of another Bluetooth device automatically initiates and negotiates
communications with other devices.
What Bluetooth Is – and Is Not
Bluetooth is a low power, short range, wireless radio frequency (RF) communications
technology. Range is typically from 30 to 300 feet (10 to 100 meters), depending on
whether a Class 2 or Class 1 radio is used. Bluetooth devices exchange data directly
with each other through an ad hoc personal area network that does not require
transmissions to travel through an access point or server. Bluetooth shares the same
frequency band as the popular IEEE 802.11b and 802.11g wireless networking systems,
but can be used concurrently because each technology has different protocols for
transmission power, signal modulation and interference mitigation. Bluetooth devices
can also be used concurrently with wireless wide-area network (WWAN) devices. In
fact, many cell phones have a Bluetooth interface, and many mobile computers that
operate on wide-area wireless data networks also use Bluetooth for communication
with printers or other peripherals.
The technology was developed to create a standard way to link disparate devices, and
takes its name from the 10th-century king Harold Bluetooth, who united warring tribes
to unify Denmark and Norway. Bluetooth standards are developed and administered by
the Bluetooth Special Interest Group (SIG), a trade association comprised of leaders in
the telecommunications, computing, automotive, industrial automation and network
industries. Intermec Technologies is an Adopter Member.
The figure below illustrates how the various core components fit together to form the
basic foundation of the Bluetooth protocol stack.
Some components are Bluetooth specific (the core components), some are reused from
other specifications (IP, WAP, and OBEX) and others have been modified for the
Bluetooth protocol stack (vCard/vCal, WAE, Audio). The most interesting core
components from the practical application point of view are RFCOMM and Service
Discovery Protocol.
The RFCOMM component provides emulation of serial ports and is the primary mode
for the basic cable replacement functionality. It is the Service Discovery Protocol that
differentiates Bluetooth from most other wireless technologies, enabling the concept
of a PAN. PAN devices are capable of spontaneously joining into a network as they
approach each other, staying only while they are in close proximity, and spontaneously
leaving the network when they are not in close proximity. Bluetooth-enabled devices
are short range and low power by design and they are capable of spontaneously
networking with similar devices that are configured to allow connections to occur.
Without this capability, a Bluetooth wireless network would be as “dumb” as a typical
wired network.
Profiles
Profiles describe how different parts of the specification can be used to fulfill a
desired function for a Bluetooth device. Profiles represent the default solution for a
usage model and form the basis for Bluetooth interoperability and logo requirements.
Each Bluetooth device must support at least one profile, but may support several
profiles. The idea is that if two devices support the same profile, then they should be
able to interoperate.
A profile can be viewed as a vertical slice through the protocol stack. It defines
options in each protocol that are mandatory for the profile. It also defines parameter
ranges for each protocol. The profile concept is used to decrease the risk of
interoperability problems between different manufacturers’ products.
The Generic Access Profile defines the generic procedures related to discovery of
Bluetooth devices and link management aspects of connecting to Bluetooth devices. It
is the core on which all other Profiles are based.
The Service Discovery Application Profile defines the features and procedures for an
application in a Bluetooth device to discover services registered in other Bluetooth
devices and retrieve any desired available information pertinent to these services.
The Cordless Telephony Profile defines the features and procedures that are required
for interoperability between different units active in the 3-in-1 phone use case. This
profile also shows how the use case can be applied generally for wireless telephony in
a residential or small office environment.
The Intercom Profile defines the requirements for Bluetooth devices necessary for the
support of the intercom functionality within the 3-in-1 phone use case. This is also
referred to as the 'walkie-talkie' usage of Bluetooth.
The Serial Port Profile defines the requirements for Bluetooth devices necessary for
setting up emulated serial cable connections using RFCOMM between two peer
devices.
The Headset Profile defines the requirements that shall be used by devices
implementing the usage model called ‘Ultimate Headset’. The Dial-up Networking
Profile defines the requirements that shall be used by devices (modems, cellular
phones) implementing the usage model called ‘Internet Bridge'.
The Fax Profile defines the requirements for Bluetooth devices necessary to support
the fax use case. This allows a Bluetooth cellular phone (or modem) to be used by a
computer as a wireless fax modem to send/receive a fax message.
The LAN Access Profile defines how Bluetooth enabled devices can access the services
of a LAN using PPP. Also, this profile shows how the same PPP mechanisms are used to
form a network consisting of two Bluetooth enabled devices.
The Generic Object Exchange Profile lays the basis (defines the protocols and
procedures) for Bluetooth devices necessary for the support of the object exchange
usage models. The usage model can be the Synchronization, File Transfer, or Object
Push model.
The Object Push Profile defines the requirements for applications providing the
object push usage model. Typical scenarios covered by this profile involve the
pushing/pulling of data objects between Bluetooth devices.
The File Transfer Profile defines the requirements for applications providing the file
transfer usage model. Typical scenarios involve a Bluetooth device browsing,
transferring and manipulating objects on/with another Bluetooth device.
The Synchronization Profile defines the requirements for applications providing the
synchronization usage model. Typical scenarios covered by this profile involve manual
or automatic synchronization of PIM data when two Bluetooth devices come within
range.
Profile Structure
The Bluetooth profile structure and dependencies are depicted in the figure below. A
profile is dependent upon another profile if it re-uses parts of that profile, by
implicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile
has dependencies on the profile(s) in which it is contained – directly and indirectly. For
example, the Object Push profile is dependent on Generic Object Exchange, Serial
Port, and Generic Access profiles.
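The dependency rule just described can be checked mechanically. The Python below is an added example, not code from the paper or from the Bluetooth SIG: it encodes a direct-dependency graph (an assumption drawn from the profile descriptions above, not the SIG's normative dependency table), computes the full set of profiles a given profile depends on, reports which profiles a device is missing for the ones it claims, and finds the profiles on which two devices can interoperate.

```python
# Added example (not part of the paper): Bluetooth profiles as a dependency graph.
# A profile depends on every profile it re-uses, directly or indirectly, so a device
# that claims a profile must implement the whole chain beneath it.
#
# Assumption: these direct edges follow the profile descriptions in the text
# (Object Push re-uses Generic Object Exchange, which re-uses Serial Port, which
# re-uses Generic Access). They are illustrative, not the SIG's normative table.
DIRECT_DEPENDENCIES = {
    "Generic Access": set(),
    "Service Discovery Application": {"Generic Access"},
    "Cordless Telephony": {"Generic Access"},
    "Intercom": {"Generic Access"},
    "Serial Port": {"Generic Access"},
    "Headset": {"Serial Port"},
    "Dial-up Networking": {"Serial Port"},
    "Fax": {"Serial Port"},
    "LAN Access": {"Serial Port"},
    "Generic Object Exchange": {"Serial Port"},
    "Object Push": {"Generic Object Exchange"},
    "File Transfer": {"Generic Object Exchange"},
    "Synchronization": {"Generic Object Exchange"},
}


def all_dependencies(profile, graph=DIRECT_DEPENDENCIES):
    """Every profile `profile` depends on, directly or indirectly (transitive closure)."""
    if profile not in graph:
        raise KeyError(f"unknown profile: {profile}")
    seen = set()
    stack = list(graph[profile])
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue            # already expanded; also guards against cycles
        seen.add(dep)
        stack.extend(graph[dep])
    return seen


def missing_dependencies(claimed, graph=DIRECT_DEPENDENCIES):
    """Profiles a device must also implement for the profiles it claims to support."""
    required = set()
    for profile in claimed:
        required |= all_dependencies(profile, graph)
    return required - set(claimed)


def common_profiles(device_a, device_b, graph=DIRECT_DEPENDENCIES):
    """Profiles on which two devices can interoperate: claimed by both, with every
    dependency also present on both sides."""
    def complete(device):
        supported = set(device)
        return {p for p in supported if all_dependencies(p, graph) <= supported}
    return complete(device_a) & complete(device_b)


if __name__ == "__main__":
    print("Object Push needs:", sorted(all_dependencies("Object Push")))
    print("Missing on a device claiming only Object Push + Generic Access:",
          sorted(missing_dependencies(["Object Push", "Generic Access"])))
    phone = ["Generic Access", "Serial Port", "Generic Object Exchange", "Object Push"]
    headset = ["Generic Access", "Serial Port", "Headset", "Object Push"]
    print("Interoperable on:", sorted(common_profiles(phone, headset)))
```

Note that the second device above claims Object Push without Generic Object Exchange, so `common_profiles` correctly excludes it: a claimed profile whose dependency chain is incomplete is exactly the interoperability failure the profile concept is meant to prevent.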
The key challenge and primary reason for the delay in Bluetooth adoption has been
getting Bluetooth-enabled products to work in interoperability tests with other
products. The latest version of the Bluetooth Specification, version 1.1, appears to
have solved the major interoperability issues and has received the “green light” for
developers to roll out products based on this latest specification.
The Personal Area Network
Bluetooth is not designed to compete with wireless local area networks. Even its close-
range throughput of 1 Mbps does not compare with the 11 Mbps that the emerging
standard for wireless LAN, IEEE 802.11b, offers. Instead, Bluetooth's promoters are
positioning it as the technology for the PAN, and are targeting appliances that do not
require large data flows – like printers, personal computers, and mobile phones. One
concept that has been put forward is the mobile PAN: a communication device clipped
to your belt could contain a GSM transceiver that communicates with the wider world.
Meanwhile, the same device has a Bluetooth transceiver that communicates with your
headset (replacing your mobile phone), your PDA, and your MP3 player, allowing all
these devices to communicate with each other and the larger world.
Since Bluetooth is not a very expensive technology (between $5 and $20 per chip), it
can easily be placed in many devices. Also, Bluetooth does not require an access point,
unlike the traditional radio operator networks. It is well suited for mobile devices,
since it can join a local piconet quickly, as soon as the two devices are in a sufficient
perimeter. And unlike infrared networks (like two Palm computers beaming each
other), Bluetooth does not require you to align objects for them to communicate.
Bluetooth enables the creation of wireless Internet gateways that allow Bluetooth-
equipped devices to access the Internet quickly and easily. This kind of network can
host an infinite suite of user applications, such as being able to wirelessly synchronize
with your desktop and access your e-mail and Intranet/Internet from remote locations.
Imagine being able to spontaneously network with airlines, hotels and car rental
agencies for automatic check-in, seating/room assignments, meal selection, purchases
and electronic payment.
Personal Area Networks also allow devices to work together and share each other's
information and services. For example, a web page can be called up on a small screen
and wirelessly sent to a printer for full size printing. Personal Area Networks can even
be created in the vehicle, helping to bring increased safety and convenience via
devices such as wireless headsets and Bluetooth speaker systems.
As envisioned, Personal Area Networks allow the user to customize his or her
communications capabilities. Personal Area Networks permit everyday devices to
become smart, tetherless devices that spontaneously network in close proximity [25].
Bluetooth’s personal area networking capability is also a key component for enabling
“smart environments” such as IBM’s eSpace initiative (see section 7.6 below) [26].
Competing Technologies
While there is no single competing technology that covers the entire concept of
Bluetooth wireless technology, in certain market segments other technologies do exist.
Cable replacement
For cable replacement, the infrared standard IrDA has been around for several years
and is quite widespread. Most new portable PCs, PDAs, and some cellular phones
support IrDA, although actual adoption by users has been rather limited. IrDA is faster
than Bluetooth but is limited to point-to-point connections, whereas Bluetooth is also
capable of point-to-multipoint. IrDA’s biggest drawback is that it requires a clear
line-of-sight, and is usually limited to a few feet between devices. In the past, IrDA has had
problems with incompatible standard implementations, a lesson that the Bluetooth SIG
has learned from and is determined not to repeat.
Wireless LAN
Two other short-range frequency hopping radio technologies also operate in the 2.4
GHz band:
Wireless LANs based on the IEEE 802.11b standard are used to replace a wired LAN
throughout a building. The transmission capacity is high and so is the number of
simultaneous users. However, compared to Bluetooth, these wireless LANs are more
expensive, consume more power and have a larger hardware footprint, making them
unsuitable for small mobile devices.
Home RF is the other 2.4 GHz radio with similarities to Bluetooth wireless technology.
Home RF can operate ad hoc networks (data only) or be under the control of a
connection point coordinating the system and providing a gateway to the telephone
network (data and voice). The hop frequency of Home RF is 8 Hz while a Bluetooth link
hops at 1600 Hz. While still under development and probably a couple of years behind
Bluetooth wireless technology, Ultra-Wideband Radio (UWB) is a new radio technology
that has the potential to become a real competitor in this space. Short pulses are
transmitted in a broad frequency range. When fully developed, UWB capacity is
expected to be high while power consumption should be low.
Ultimately, at about the same time that the cost of integrating Bluetooth drops to the
point that it starts appearing in PCs as standard equipment, 802.11b may be replaced
by much speedier 802.11a-based radios as the preferred means of high-speed LAN
access, especially in corporate campus environments. Operating in the 5 GHz band and
away from Bluetooth interference, 802.11a is capable of 54 Mbps or higher
throughput. Banking on the future success of 802.11a, some Bluetooth silicon
manufacturers have already announced plans to bypass the already crowded 802.11b
market and move next into 802.11a development.
Products and Prototypes
Plug-in modules
• PCMCIA card
• USB dongle
• Memory stick
• Serial port dongle
• Parallel port dongle
• Springboard for Handspring Visor
• LAN access points
• Cellular phone dongle
Bluetooth Pen
Convergence Products
Bluetooth Security
Bluetooth devices can be configured for open mode, which enables them to
communicate with any other Bluetooth device, or they can be set to communicate
only with known devices. Because enterprise users typically only need to communicate
with a limited number of known peripherals, the less secure open mode can be
avoided. For example, Bluetooth mobile computers used by service or delivery workers
could be configured to communicate only with the specific printer carried by the
worker. Authentication support within the Bluetooth security protocol would require
each device to identify itself to the other before any data was transmitted. This level
of security is seldom used in consumer Bluetooth devices or even in PDAs and cell
phones, whose users want the flexibility to exchange contact information and cannot
anticipate all the Bluetooth users and devices with which they will want to
communicate.
Information Retrieval and Theft of Service
Due to the types of services provided by mobile phones, many of the vulnerabilities
and attacks center on being able to retrieve various types of personal information
from a device. For instance, among other things the BlueSnarf attack allows an
attacker to covertly retrieve phonebook and calendar entries from a phone, the
phone’s business tag, and even the phone’s IMEI (International Mobile Equipment
Identity). Most alarmingly, the latter can be used to clone the attacked phone. This
attack is enabled by a vulnerability in the OBEX Push service provided on some models of
Sony/Ericsson and Nokia phones whereby the connection to that service does not
require authentication.
Other similar attacks, such as the BlueBug attack, allow an attacker to not only
retrieve such information, but to also take nearly full control of the phone. Phones
that are vulnerable to this attack contain a hidden RFCOMM channel that is not
advertised. An attacker can connect to this channel covertly without requiring a PIN
code. Once connected they can control the vulnerable device through AT commands,
enabling them to read and write phonebook entries, initiate phone calls, and send and
receive SMS messages. Additionally, an attacker can change call-forwarding settings,
connect to the Internet through the device, or select a different cellular network to
join. Being able to retrieve such information is especially worrisome because it can be
an enabler for a competitor to gather business intelligence on an enterprise. More
troubling is being able to combine this with attacks allowing full control of the device
as this can allow a social engineer to almost fully assume the identity of the person
possessing the vulnerable device – they can route their phone calls, place phone calls
that come from the device’s phone number, and have full access to any business or
personal contacts that are stored on the vulnerable device.
Tracking and Surveillance
Due to the nature of mobile phones, Bluetooth also allows a significant amount of
information to be gathered on the movements of people. This is due to the fact that
Bluetooth devices each contain a unique address and in the case of mobile phones
(where it’s unlikely that users will lend out their phone), it’s safe for someone
attempting to track the travel patterns of a person to assume that anytime a
Bluetooth phone with a certain address is detected that the person possessing it is in
the vicinity as well. In essence their phone becomes a locator beacon. Programs such
as Bluefish go one step further and will constantly scan an area for Bluetooth devices.
When a new device is found, the program coupled with a camera will capture an
image of the area where the device was discovered. It then stores it in a database,
associating the image with the device and the time of discovery. If the device is
discovered again and the device supports OBEX Push, then Bluefish will send the last
image associated with the device. Additionally, some Bluetooth hands-free kits offered
as factory equipment in cars or as after-market add-ons make use of a hard-coded PIN
that is the same across all units of a particular model. This is because many of these
devices do not provide an interface for a user-supplied PIN to be entered. A similar
situation exists with Bluetooth headsets as well. Because of this, it’s possible for an
attacker to connect to a headset or hands-free system and eavesdrop through the
microphone on conversations in proximity of the device, which is just what a newly
released tool called Car Whisperer enables. When the attacked device is a hands-free
kit even more is possible. These usually interface with the phone at a high-level
allowing the user to place calls and retrieve contact information from a phone that has
been paired with the kit.
Denial of Service Attacks
Currently the most well-known DoS attack is the Blue Smack attack. This attack is
similar in nature to the old “ping of death” attack that was able to take out Windows
’95 machines instantly. The Bluetooth L2CAP layer provides a service similar to ICMP’s
echo which allows one to test device connectivity. When pinging a device through the
L2CAP layer it is possible to specify the ping packet’s size. If a large enough packet is
specified it is possible to trigger a buffer overflow in certain implementations of the
L2CAP layer. Because of the devices affected, mostly PDAs and mobile phones, some
organizations may consider this annoying or an inconvenience at worst. However, this
would be considered a much more serious threat if such a vulnerability were found in
devices such as medical equipment and video surveillance cameras.
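As an added example, not from the paper: a defensive parser for L2CAP signaling packets in Python. The command layout (code, identifier, 16-bit little-endian length, data), the echo request and echo response codes 0x08 and 0x09, the signaling channel ID 0x0001 and the 48-octet minimum signaling MTU follow the Bluetooth Core specification; the three sample packets are constructed here. The parser rejects any packet whose declared lengths disagree with what actually arrived or exceed the MTU, which is the check that keeps an oversized echo request from reaching a fixed-size buffer, and it answers only echo requests that pass.

```python
# Added example (not part of the paper): validate L2CAP signaling commands before
# acting on them. The implementations the paper describes let a large echo request
# reach a buffer; here every length is checked against the bytes actually received.
#
# Layout (Bluetooth Core specification, L2CAP):
#   basic header:      Length (2 octets, LE) | Channel ID (2 octets, LE)
#   signaling command: Code (1) | Identifier (1) | Length (2, LE) | Data
import struct

SIGNALING_CID = 0x0001
ECHO_REQUEST = 0x08
ECHO_RESPONSE = 0x09
MTU_SIG = 48   # minimum signaling MTU; this example conservatively rejects anything larger


class MalformedPacket(ValueError):
    """Raised when declared sizes disagree with what arrived."""


def build_echo_request(identifier, data):
    """Construct an echo request the way a well-behaved peer would (constructed sample)."""
    command = struct.pack("<BBH", ECHO_REQUEST, identifier, len(data)) + data
    return struct.pack("<HH", len(command), SIGNALING_CID) + command


def parse_signaling(raw):
    """Split a signaling-channel packet into (code, identifier, data) commands,
    refusing anything whose lengths cannot be trusted."""
    if len(raw) < 4:
        raise MalformedPacket("packet shorter than the basic header")
    length, cid = struct.unpack_from("<HH", raw, 0)
    if cid != SIGNALING_CID:
        raise MalformedPacket(f"CID {cid:#06x} is not the signaling channel")
    payload = raw[4:]
    if length != len(payload):
        raise MalformedPacket(f"declared length {length}, received {len(payload)}")
    if length > MTU_SIG:
        raise MalformedPacket(f"payload {length} exceeds signaling MTU {MTU_SIG}")
    commands, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise MalformedPacket("truncated command header")
        code, identifier, cmd_len = struct.unpack_from("<BBH", payload, offset)
        data = payload[offset + 4: offset + 4 + cmd_len]
        if len(data) != cmd_len:
            # The header promises more data than was received: never copy cmd_len bytes
            raise MalformedPacket(f"command declares {cmd_len} octets, only {len(data)} present")
        commands.append((code, identifier, bytes(data)))
        offset += 4 + cmd_len
    return commands


def is_well_formed(raw):
    """True when the packet passes every length check."""
    try:
        parse_signaling(raw)
        return True
    except MalformedPacket:
        return False


def echo_response(raw):
    """Answer the echo requests in a validated packet; None if nothing should be sent."""
    try:
        commands = parse_signaling(raw)
    except MalformedPacket:
        return None          # drop silently rather than act on untrusted lengths
    replies = b""
    for code, identifier, data in commands:
        if code == ECHO_REQUEST:
            replies += struct.pack("<BBH", ECHO_RESPONSE, identifier, len(data)) + data
    if not replies:
        return None
    return struct.pack("<HH", len(replies), SIGNALING_CID) + replies


# Constructed samples: a normal ping, an oversized one, and one whose command
# header claims 0xFFFF data octets while carrying only four.
NORMAL = build_echo_request(1, b"ping")
OVERSIZED = build_echo_request(2, b"A" * 200)
LYING = (struct.pack("<HH", 8, SIGNALING_CID)
         + struct.pack("<BBH", ECHO_REQUEST, 3, 0xFFFF) + b"ping")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("oversized", OVERSIZED), ("lying", LYING)):
        print(f"{name:>9}: well-formed={is_well_formed(pkt)} response={echo_response(pkt)!r}")
```

The response for the normal packet echoes the four data octets back under code 0x09 with the same identifier; both malformed packets are dropped before any of their data is touched.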
Detecting Devices
Reducing Exposure
The best way to reduce exposure to the threat of these vulnerabilities is to assess
what Bluetooth devices are present in your organization and, if unneeded, to turn off
the Bluetooth portion of their functionality. It is also possible that a vulnerable device
has had updated firmware released, which fixes the problem. If this is the case, the
updated firmware should be applied as soon as possible. However if performing either
of these is not possible, the next best action to take is to put the device into non-
discoverable mode. Putting a device into this mode will effectively render the device
invisible to any would-be attackers. However this is still not a fool-proof solution. As
mentioned before, there are discovery tools that can brute-force a device’s address in
order to communicate with it when in non-discoverable mode. It is still very time
consuming for an attacker to attempt this though, so putting a device into non-
discoverable mode can still significantly reduce the likelihood that a device will be
attacked.
Another action that can be taken to reduce the likelihood of an attack succeeding is to
use long PIN codes when pairing devices. This is very important because the
authentication of Bluetooth connections and the security of an encrypted link depend
almost solely on the secrecy of the PIN. As mentioned earlier, some devices have
hard-coded PIN codes which cannot be changed. However, for devices that allow a PIN to
be chosen by the user, it is imperative that the longest possible PIN codes be used – it
takes under one second to crack a four digit PIN. Clearly using such a short PIN is
highly insecure.
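The configuration choice described under Convergence Products (open mode versus communicating only with known devices) and the exposure-reduction steps above can be turned into an inventory audit. The Python below is an added example, not from the paper: the device records, their addresses, the 16-character PIN ceiling and the action wording are constructed for this illustration.

```python
# Added example (not part of the paper): apply the exposure-reduction guidance to
# each Bluetooth device on an inventory. Records and addresses are constructed;
# MAX_PIN_LENGTH is an assumption about the longest PIN pairing accepts.
from dataclasses import dataclass
from typing import Optional

MAX_PIN_LENGTH = 16


@dataclass
class DeviceRecord:
    name: str
    needed: bool                   # does the device's role actually require Bluetooth?
    discoverable: bool             # answers inquiry scans from anyone in range
    firmware_fix_available: bool   # vendor has released firmware addressing a known issue
    pin: Optional[str]             # None: the PIN is hard-coded and cannot be changed
    known_peers: Optional[frozenset] = None   # None: open mode, any device may connect


def accepts_connection(device, peer_address):
    """Open mode accepts anyone; otherwise only an address on the known-peer list."""
    if device.known_peers is None:
        return True
    return peer_address in device.known_peers


def assess(device):
    """Actions the paper's guidance implies for one device, most effective first."""
    if not device.needed:
        # Turning Bluetooth off removes the exposure entirely; nothing else to check
        return ["disable Bluetooth: not required for this device's role"]
    actions = []
    if device.firmware_fix_available:
        actions.append("apply the vendor's updated firmware")
    if device.discoverable:
        actions.append("switch to non-discoverable mode")
    if device.known_peers is None:
        actions.append("leave open mode: restrict pairing to known peers")
    if device.pin is None:
        actions.append("hard-coded PIN cannot be changed: link security rests on it alone")
    elif len(device.pin) <= 4:
        actions.append(f"{len(device.pin)}-digit PIN is crackable in under a second: "
                       "use the longest PIN possible")
    elif len(device.pin) < MAX_PIN_LENGTH:
        actions.append(f"PIN has {len(device.pin)} characters: lengthen towards {MAX_PIN_LENGTH}")
    return actions


def audit(inventory):
    """Map each device name to its action list; a device needing nothing maps to []."""
    return {device.name: assess(device) for device in inventory}


# Constructed inventory: a locked-down handheld, a printer with every weakness,
# a car kit with a factory PIN, and a kiosk that never needed Bluetooth.
INVENTORY = [
    DeviceRecord("delivery-handheld-07", needed=True, discoverable=False,
                 firmware_fix_available=False, pin="7391028465731902",
                 known_peers=frozenset({"00:11:22:33:44:55"})),
    DeviceRecord("mobile-printer-07", needed=True, discoverable=True,
                 firmware_fix_available=True, pin="1234"),
    DeviceRecord("car-kit-fleet-12", needed=True, discoverable=False,
                 firmware_fix_available=False, pin=None),
    DeviceRecord("lobby-kiosk", needed=False, discoverable=True,
                 firmware_fix_available=False, pin="0000"),
]

if __name__ == "__main__":
    for name, actions in audit(INVENTORY).items():
        print(name, "->", actions or ["no action"])
```

The handheld pairs only with its own printer's address and uses a full-length PIN, so it produces no findings; the printer collects one action per weakness in the order the paper ranks them.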
Challenges/Issues and Benefits
A major challenge for Bluetooth developers will be putting in place the software
applications that are needed to handle the almost unlimited number of situations that
are envisioned for Bluetooth. The various Bluetooth usage models all require robust
software applications to ensure that everything from device discovery and
interoperability, to authentication and security, are implemented and function
correctly. There is a concern over possible interference with aircraft navigation and
other systems due to Bluetooth radios built into cellular phones, PDAs, laptop
computers, and other portable devices. Both the FAA and Boeing may require that
Bluetooth devices traveling on aircraft have a hard-shutoff capability. The normal ‘off’
mode of operation of many of these devices would not disable the Bluetooth radio,
since one of the features of Bluetooth would be to automatically wake up the device
when performing such functions as wireless synchronization. Bluetooth devices may
also be required to have a visual indication of their on/off state, such as a flashing
light.
There is a movement within the Bluetooth SIG to make a future version of the
Bluetooth specification that would operate in the 5 GHz band. Such a move would
require more power and negate many of the advantages of using Bluetooth in
portable, battery limited, power constrained electronic devices. The challenge for the
Bluetooth community is keeping focused on what makes Bluetooth attractive for
implementing wireless PANs in mobile devices. There is a risk that in their attempt to
improve Bluetooth, developers will change Bluetooth into something that makes it less
attractive for many of the applications for which it is currently envisioned. One reason
for the delay of the widespread introduction of Bluetooth products has been the
resolving of interoperability issues between different vendors’ implementations. With
the release of version 1.1 of the Bluetooth Specification in February 2001, a significant
roadblock to the adoption of Bluetooth has been removed. This version appears to
have solved all the major outstanding interoperability issues, giving developers a
“green light” to proceed with product development and manufacture. The benefits of
Bluetooth wireless technology will have been well worth the wait. Inclusion of a single
Bluetooth radio in a PC, and in each of the devices it connects to, will eliminate the
need to purchase expensive proprietary cables. Digital cameras, cellular phones, PDAs,
wireless headsets and other devices will no longer require cables to transfer data. A
Bluetooth-enabled wireless keyboard and mouse will allow the user to take them
across a room, providing an additional degree of freedom and flexibility not
experienced today even by infrared wireless devices. In many cases, incorporating
Bluetooth will be a more cost effective solution than the specialized cables and bulky
connectors it replaces. Slimmer device designs will be possible using Bluetooth since
the physical space needed for cable connectors can be eliminated. Perhaps the
greatest benefit of Bluetooth technology is its inherent ability to enable wireless
personal area networks and “smart environments.”
Conclusion
Bluetooth is an enabling technology. As such, it is poised to change our world in ways
we cannot imagine. New usage patterns will emerge as a result of this new technology.
Bluetooth will enable a technology like WAP to finally achieve widespread acceptance
through the use of PDAs as the user interface instead of the current display-limited
cellular phones.
Bluetooth could also enable such visionary initiatives as MIT’s Project Oxygen to
achieve its goal of freely available and pervasive computing by providing the wireless
infrastructure for “smart rooms” and “smart spaces.” Assuming Bluetooth is
successful, five years from now, we will look back and see applications that have been
developed that we could not have anticipated today.
In order for Bluetooth to be successful, however, the first user experiences must be
pleasurable. Installation, setup and operation must be simple, and it must work the
first time out of the box. Devices must be able to interoperate as expected, flawlessly.
If Bluetooth is successful, it will be so in a big way. Even if Bluetooth fails in one area,
there is probably enough industry support to ensure success elsewhere. Once
Bluetooth’s success is assured, someone will probably revisit the failures and fix them.
Bluetooth fits best in low-power mobile devices for use in PANs. It should not try to
compete with wireless LAN technologies, but it needs to co-exist with them.
There are already numerous application areas for Bluetooth, and many that have yet
to be imagined. As a premier provider of IT services, CSC is in a unique position to
provide our clients with the vision and guidance necessary to take advantage of this
emerging technology. Whether it is developing software for wireless e-commerce,
providing hardware for wireless security, or designing and implementing smart
workspaces, CSC should be prepared to offer its services and expertise to build the
right solutions for our clients.
Bluetooth is coming, and we need to understand where it fits, and where it does not,
so that when our clients come to us for advice, we have the answers.