
BLUETOOTH

Abstract
This paper summarizes one of the most promising new wireless communications
standards of the decade, called Bluetooth.

Bluetooth is a well-known, short-range technology for Wireless Personal Area Networks
(WPAN). Starting from a headset cable replacement it has been extended to support
flexible ad-hoc networks. To extend from low bit rate data to streaming multimedia,
Quality of Service (QoS) is required. The Bluetooth specification defines strong
interoperability demands between all Bluetooth devices. The interoperability
requirements demand a lot from application developers. To make developers’ work
easier, different Bluetooth development platforms have been produced. These
development platforms have different purposes and capabilities. The purpose of this
paper is to demonstrate and study Bluetooth technology. Bluetooth technology is
rapidly gaining adoption worldwide as a networking topology and a generic cable
replacement technology. Despite the popularity of Bluetooth, many organizations don't
realize their exposure to this popular wireless technology, thinking that Bluetooth is
limited to short-range communications or doesn't expose sensitive data or access to
network resources.

Bluetooth wireless technology encompasses several key points that facilitate its
widespread adoption:

• It is an open specification that is publicly available and royalty free;
• Its short-range wireless capability allows peripheral devices to communicate
over a single air-interface, replacing the cables that use connectors with a
multitude of shapes, sizes and numbers of pins;
• Bluetooth supports both voice and data, making it an ideal technology to
enable many types of devices to communicate; and
• Bluetooth uses an unregulated frequency band available anywhere in the world.

The paper examines what Bluetooth is, what it is good for (and what it is not). The
specification and profiles – how the technology works and how it is used – are
reviewed. This paper also looks at a few security aspects that are designed to ensure
interoperability. Competing technologies are discussed, as well as specific issues such
as co-existence with wireless Ethernet (IEEE 802.11b). In addition to the above,
Personal Area Networks are discussed in brief. And, finally, some early products and
prototypes are presented.

INDEX

ABSTRACT 2
INTRODUCTION TO BLUETOOTH 4
WHAT BLUETOOTH IS – AND IS NOT 5
FUNCTIONAL OVERVIEW 6
    PROTOCOL STACK 7
    PROFILE STRUCTURE 10
THE PERSONAL AREA NETWORK 11
COMPETING TECHNOLOGIES 12
    CABLE REPLACEMENT 12
    WIRELESS LAN 12
    BLUETOOTH AND WIRELESS ETHERNET 12
PRODUCTS AND PROTOTYPES 14
    PLUG-IN MODULES 14
    DIGITAL IMAGE MESSAGING 14
    BLUETOOTH INFOWEAR 15
    BLUETOOTH PEN 15
    XYLOC 16
    CONVERGENCE PRODUCTS 16
BLUETOOTH SECURITY 17
    VULNERABILITIES AND ATTACKS 17
    INFORMATION RETRIEVAL AND THEFT OF SERVICE 17
    TRACKING AND SURVEILLANCE 18
    DENIAL OF SERVICE ATTACKS 18
    DETECTING DEVICES 19
    REDUCING EXPOSURE 19
CHALLENGES/ISSUES AND BENEFITS 21
CONCLUSION 22

Introduction to Bluetooth
Companies implement mobile computers, scanners, printers and other peripherals to
help their workers be more mobile, productive and accurate. Unfortunately, many of
these deployments literally hit snags when cables that connect mobile computers to
peripherals become caught, tangled or broken. Cables and interface ports can become
a constraint for users, and for enterprise plans to upgrade and enhance the application
with new peripherals in the future.

Fortunately, systems that help information flow freely throughout the enterprise
don’t have to be leashes for the workers who use them. Bluetooth® wireless
connectivity has proven itself as the convenient complement that provides true
mobility in enterprise computing applications. Bluetooth improves safety and
convenience in mobile environments by eliminating cables that connect mobile
computers, scanners, printers and other peripherals. When cables are removed, so is
cost. With no cables or connectors to wear or break, Bluetooth interfaces improve
uptime and productivity, and reduce the lifetime total cost of ownership (TCO) for
mobile computing systems.

Bluetooth was originally conceived as a basic cable replacement technology, although
it is inevitable that new applications and usage patterns will evolve as the technology
becomes more pervasive. The user convenience, flexibility and improved safety of
cable-free operations is obvious. The cost savings, productivity gains and long-term
system benefits are surprising. Bluetooth has become the de-facto global standard for
short-range wireless data communications that allows devices to communicate with
each other using secure radio waves, and is the basis for the IEEE 802.15.1 standard.
Bluetooth operates in the 2.4 GHz Industrial, Scientific, and Medical (ISM) band, which
is unlicensed and available for use everywhere. Because this frequency band is already
crowded, Bluetooth has been designed to be robust enough to operate in noisy
environments.

Bluetooth is designed for use in mobile devices, where size, cost, and battery life are
key factors. It nominally operates with a 10-meter range, although higher-powered
versions are available yielding a range up to 100 meters. Since it is a radio link,
Bluetooth is not limited to line-of-sight and can pass through walls. It uses frequency
hopping to change its frequency 1600 times a second in a pseudo-random pattern,
making it hard to eavesdrop, and employs 128-bit encryption at the link layer for
added security. Bluetooth in and of itself offers no application-level functionality (e.g.
exchanging files or synchronizing information), but it does provide a network transport
through which applications can communicate. Because there is no intervening device
that moderates (or limits) communication between Bluetooth devices, any device that
comes within range of another Bluetooth device automatically initiates and negotiates
communications with other devices.

What Bluetooth Is – and Is Not

Bluetooth is a low power, short range, wireless radio frequency (RF) communications
technology. Range is typically from 30 to 300 feet (10 to 100 meters), depending on
whether a Class 2 or Class 1 radio is used. Bluetooth devices exchange data directly
with each other through an ad hoc personal area network that does not require
transmissions to travel through an access point or server. Bluetooth shares the same
frequency band as the popular IEEE 802.11b and 802.11g wireless networking systems,
but can be used concurrently because each technology has different protocols for
transmission power, signal modulation and interference mitigation. Bluetooth devices
can also be used concurrently with wireless wide-area network (WWAN) devices. In
fact, many cell phones have a Bluetooth interface, and many mobile computers that
operate on wide-area wireless data networks also use Bluetooth for communication
with printers or other peripherals.

The technology was developed to create a standard way to link disparate devices, and
takes its name from the 10th-century king Harold Bluetooth, who united warring tribes
to unify Denmark and Norway. Bluetooth standards are developed and administered by
the Bluetooth Special Interest Group (SIG), a trade association comprised of leaders in
the telecommunications, computing, automotive, industrial automation and network
industries. Intermec Technologies is an Adopter Member.

To understand the technology’s capabilities and limitations, it is also important to
understand what Bluetooth is not. For enterprise mobile computing users, Bluetooth
should not be considered a networking technology, even though up to seven Bluetooth
devices can operate simultaneously in ad hoc networks. The technology lacks the
range, quality of service and throughput to meet enterprise wireless LAN needs. Early
on, a faction of Bluetooth supporters tried to move the technology beyond its roots in
cable replacement and position it as a networking technology. This was an unwise
move, because Bluetooth was not designed to compete with 802.11b and related
protocols. Bluetooth was miscast for enterprise networking, but has shown tremendous
value as a cable replacement technology to provide highly reliable, fast and cost-
effective communications for mobile computers and peripherals.

Devices can be Bluetooth-enabled through PC Cards or Compact Flash (CF) cards, by
building the radio into the device, or by integrating a radio through a USB or RS-232
port. Using non-integrated radios somewhat limits the flexibility Bluetooth provides,
because the user must give up an expansion slot or interface port for the radio. Some
manufacturers, including Intermec, integrate Bluetooth radios directly into computers
and peripherals so users can keep their options open for adding peripherals or extra
memory, which is often desired for enterprise applications.
Functional Overview
The Bluetooth baseband describes the specifications of the digital signal processing
part of the hardware, the Bluetooth link controller, which controls how connections in
a piconet are created and maintained. Bluetooth radios transition through the
following connection states during normal operation:

• Standby – Waiting to join a piconet
• Inquire – Ask about a radio to connect to
• Page – Connect to a specific radio
• Connected – Actively on a piconet (master or slave)
• Park/Hold/Sniff – Low power connected states

The figure below illustrates the Bluetooth radio’s functional states, along with typical
state transition times. Note that the typical inquiry time is about 2 seconds, but may
be as long as 10 seconds, which may preclude using Bluetooth for high-speed “drive
by” applications involving moving vehicles and fixed access points.

Figure: Functional State Diagram


Protocol Stack

Figure below illustrates how the various core components fit together to form the
basic foundation of the Bluetooth protocol stack.

Figure: Bluetooth protocol stack

Some components are Bluetooth specific (the core components), some are reused from
other specifications (IP, WAP, and OBEX) and others have been modified for the
Bluetooth protocol stack (vCard/vCal, WAE, Audio). The most interesting core
components from the practical application point of view are RFCOMM and Service
Discovery Protocol.

The RFCOMM component provides emulation of serial ports and is the primary mode
for the basic cable replacement functionality. It is the Service Discovery Protocol that
differentiates Bluetooth from most other wireless technologies, enabling the concept
of a PAN. PAN devices are capable of spontaneously joining into a network as they
approach each other, staying only while they are in close proximity, and spontaneously
leaving the network when they are not in close proximity. Bluetooth-enabled devices
are short range and low power by design and they are capable of spontaneously
networking with similar devices that are configured to allow connections to occur.
Without this capability, a Bluetooth wireless network would be as “dumb” as a typical
wired network.

Profiles
Profiles describe how different parts of the specification can be used to fulfill a
desired function for a Bluetooth device. Profiles represent the default solution for a
usage model and form the basis for Bluetooth interoperability and logo requirements.
Each Bluetooth device must support at least one profile, but may support several
profiles. The idea is that if two devices support the same profile, then they should be
able to interoperate.

A profile can be viewed as a vertical slice through the protocol stack. It defines
options in each protocol that are mandatory for the profile. It also defines parameter
ranges for each protocol. The profile concept is used to decrease the risk of
interoperability problems between different manufacturers’ products.

The profiles specified in version 1.1 of the Bluetooth specification are:

• Generic Access Profile (GAP)
• Service Discovery Application Profile (SDAP)
• Cordless Telephony Profile (CTP)
• Intercom Profile (IP)
• Serial Port Profile (SPP)
• Headset Profile (HP)
• Dial-up Networking Profile (DNP)
• Fax Profile (FP)
• LAN Access Profile (LAP)
• Generic Object Exchange Profile (GOEP)
• Object Push Profile (OPP)
• File Transfer Profile (FTP)
• Synchronization Profile (SP)

The Generic Access Profile defines the generic procedures related to discovery of
Bluetooth devices and link management aspects of connecting to Bluetooth devices. It
is the core on which all other Profiles are based.

The Service Discovery Application Profile defines the features and procedures for an
application in a Bluetooth device to discover services registered in other Bluetooth
devices and retrieve any desired available information pertinent to these services.

The Cordless Telephony Profile defines the features and procedures that are required
for interoperability between different units active in the 3-in-1 phone use case. This
profile also shows how the use case can be applied generally for wireless telephony in
a residential or small office environment.
The Intercom Profile defines the requirements for Bluetooth devices necessary for the
support of the intercom functionality within the 3-in-1 phone use case. This is also
referred to as the 'walkie-talkie' usage of Bluetooth.

The Serial Port Profile defines the requirements for Bluetooth devices necessary for
setting up emulated serial cable connections using RFCOMM between two peer
devices.

The Headset Profile defines the requirements that shall be used by devices
implementing the usage model called ‘Ultimate Headset’.

The Dial-up Networking Profile defines the requirements that shall be used by devices
(modems, cellular phones) implementing the usage model called ‘Internet Bridge’.

The Fax Profile defines the requirements for Bluetooth devices necessary to support
the fax use case. This allows a Bluetooth cellular phone (or modem) to be used by a
computer as a wireless fax modem to send/receive a fax message.

The LAN Access Profile defines how Bluetooth enabled devices can access the services
of a LAN using PPP. Also, this profile shows how the same PPP mechanisms are used to
form a network consisting of two Bluetooth enabled devices.

The Generic Object Exchange Profile lays the basis (defines the protocols and
procedures) for Bluetooth devices necessary for the support of the object exchange
usage models. The usage model can be the Synchronization, File Transfer, or Object
Push model.

The Object Push Profile defines the requirements for applications providing the
object push usage model. Typical scenarios covered by this profile involve the
pushing/pulling of data objects between Bluetooth devices.

The File Transfer Profile defines the requirements for applications providing the file
transfer usage model. Typical scenarios involve a Bluetooth device browsing,
transferring and manipulating objects on/with another Bluetooth device.

The Synchronization Profile defines the requirements for applications providing the
synchronization usage model. Typical scenarios covered by this profile involve manual
or automatic synchronization of PIM data when two Bluetooth devices come within
range.
Profile Structure

The Bluetooth profile structure and dependencies are depicted in Figure below. A
profile is dependent upon another profile if it re-uses parts of that profile, by
implicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile
has dependencies on the profile(s) in which it is contained – directly and indirectly. For
example, the Object Push profile is dependent on Generic Object Exchange, Serial
Port, and Generic Access profiles.

Figure: Bluetooth Profile Structure

The key challenge and primary reason for the delay in Bluetooth adoption has been
getting Bluetooth-enabled products to work in interoperability tests with other
products. The latest version of the Bluetooth Specification, version 1.1, appears to
have solved the major interoperability issues and has received the “green light” for
developers to roll out products based on this latest specification.
The Personal Area Network
Bluetooth is not designed to compete with wireless local area networks. Even its close-
range throughput of 1 Mbps does not compare with the 11 Mbps that the emerging
standard for wireless LAN, IEEE 802.11b, offers. Instead, Bluetooth's promoters are
positioning it as the technology for the PAN, and are targeting appliances that do not
require large data flows – like printers, personal computers, and mobile phones. One
concept that has been put forward is the mobile PAN: a communication device clipped
to your belt could contain a GSM transceiver that communicates with the wider world.
Meanwhile, the same device has a Bluetooth transceiver that communicates with your
headset (replacing your mobile phone), your PDA, and your MP3 player, allowing all
these devices to communicate with each other and the larger world.

Since Bluetooth is not a very expensive technology (between $5 and $20 per chip), it
can easily be placed in many devices. Also, Bluetooth does not require an access point,
unlike traditional operator-run radio networks. It is well suited for mobile devices,
since it can join a local piconet quickly, as soon as the two devices are within
sufficient range of each other. And unlike infrared networks (like two Palm computers
beaming each other), Bluetooth does not require you to align objects for them to
communicate.

Bluetooth enables the creation of wireless Internet gateways that allow Bluetooth-
equipped devices to access the Internet quickly and easily. This kind of network can
host an infinite suite of user applications, such as being able to wirelessly synchronize
with your desktop and access your e-mail and Intranet/Internet from remote locations.
Imagine being able to spontaneously network with airlines, hotels and car rental
agencies for automatic check-in, seating/room assignments, meal selection, purchases
and electronic payment.

Personal Area Networks also allow devices to work together and share each other's
information and services. For example, a web page can be called up on a small screen
and wirelessly sent to a printer for full size printing. Personal Area Networks can even
be created in the vehicle, helping to bring increased safety and convenience via
devices such as wireless headsets and Bluetooth speaker systems.

As envisioned, Personal Area Networks allow the user to customize his or her
communications capabilities. Personal Area Networks permit everyday devices to
become smart, tetherless devices that spontaneously network in close proximity [25].
Bluetooth’s personal area networking capability is also a key component for enabling
“smart environments” such as IBM’s eSpace initiative (see section 7.6 below) [26].
Competing Technologies
While there is no single competing technology that covers the entire concept of
Bluetooth wireless technology, in certain market segments other technologies do exist.

Cable replacement

For cable replacement, the infrared standard IrDA has been around for several years
and is quite widespread. Most new portable PCs, PDAs, and some cellular phones
support IrDA, although actual adoption by users has been rather limited. IrDA is faster
than Bluetooth but is limited to point-to-point connections, whereas Bluetooth is also
capable of point-to-multipoint. IrDA’s biggest drawback is that it requires a clear line-
of-sight, and is usually limited to a few feet between devices. In the past, IrDA has had
problems with incompatible standard implementations, a lesson that the Bluetooth SIG
has learned from and is determined not to repeat.

Wireless LAN

Two other short-range frequency hopping radio technologies also operate in the 2.4
GHz band:

Wireless LANs based on the IEEE 802.11b standard are used to replace a wired LAN
throughout a building. The transmission capacity is high and so is the number of
simultaneous users. However, compared to Bluetooth, these wireless LANs are more
expensive, consume more power and have a larger hardware footprint, making them
unsuitable for small mobile devices.

Home RF is the other 2.4 GHz radio with similarities to Bluetooth wireless technology.
Home RF can operate ad hoc networks (data only) or be under the control of a
connection point coordinating the system and providing a gateway to the telephone
network (data and voice). The hop frequency of Home RF is 8 Hz while a Bluetooth link
hops at 1600 Hz. While still under development and probably a couple of years behind
Bluetooth wireless technology, Ultra-Wideband Radio (UWB) is a new radio technology
that has the potential to become a real competitor in this space. Short pulses are
transmitted in a broad frequency range. When fully developed, UWB capacity is
expected to be high while power consumption should be low.

Bluetooth and Wireless Ethernet

As enterprises are installing wireless Ethernet in their buildings, Bluetooth is coming
and it will be in everything from cellular phones to PCs. Intel currently estimates as
many as 80 percent of all notebooks will come equipped with Bluetooth by 2005,
according to Duncan Glendinning, Director of Communications Architecture in Intel’s
Mobile Platform Group. That compares with expectations that just 20 to 40 percent of
notebooks will build in wireless LAN support in the same time frame.

Both Bluetooth and 802.11b operate in the 2.4 GHz unlicensed frequency band, which
means that they can be used virtually anywhere in the world. The physical layers are
different, since Bluetooth uses the frequency hopping method and 802.11b generally
uses direct sequence spread spectrum. There are actually three different variants of
802.11b. One version does use frequency hopping, but because Bluetooth hops 600
times as fast, it is anticipated that when these two collide, Bluetooth will have quickly
recovered and continued hopping along; long before 802.11b even detects that there
has been a collision. It is for this reason that Bluetooth has the potential to severely
disrupt 802.11b in the same environment, despite 802.11b’s much higher power output
[28]. When operating in close proximity to each other, less than 3 feet apart,
Bluetooth and 802.11b can function, albeit at reduced throughput levels. However,
when both Bluetooth and 802.11b PCMCIA cards are installed adjacent to each other in
the same PC, it is possible to have connections on one or both of the radios experience
occasional disruptions. Between 3 and 6 feet apart, the interference is significantly
reduced, and beyond 6 feet the interference is minimal.
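To put numbers on the co-existence problem just described, the following added example (not from the paper) estimates the share of Bluetooth hops that land inside an occupied 802.11b DSSS channel. It assumes the standard channel plans, which the paper does not state: 79 Bluetooth channels of 1 MHz starting at 2402 MHz, visited 1600 times per second, and 22 MHz wide 802.11b channels centred at 2407 + 5n MHz for channel n.

```python
import random

# Channel plans assumed here (well-known, but not stated in the paper):
# Bluetooth basic rate hops over 79 channels of 1 MHz at 2402 + k MHz, k = 0..78,
# changing channel 1600 times per second; an 802.11b DSSS channel is 22 MHz wide
# and centred at 2407 + 5 * n MHz for channel n = 1..13.
BT_CHANNELS_MHZ = [2402 + k for k in range(79)]
BT_HOPS_PER_SECOND = 1600
WIFI_CHANNEL_WIDTH_MHZ = 22


def wifi_band_mhz(channel):
    """Lower and upper edge (MHz) of an 802.11b DSSS channel."""
    if not 1 <= channel <= 13:
        raise ValueError("802.11b DSSS channel must be 1..13")
    centre = 2407 + 5 * channel
    half = WIFI_CHANNEL_WIDTH_MHZ // 2
    return centre - half, centre + half


def overlapping_bt_channels(wifi_channels):
    """Bluetooth hop frequencies that fall inside any of the given 802.11b channels."""
    hit = set()
    for ch in wifi_channels:
        lo, hi = wifi_band_mhz(ch)
        hit.update(f for f in BT_CHANNELS_MHZ if lo <= f <= hi)
    return hit


def collision_fraction(wifi_channels):
    """Share of hops that land on an occupied 802.11b channel. This is a worst case:
    a hop only causes interference if both radios transmit at the same moment."""
    return len(overlapping_bt_channels(wifi_channels)) / len(BT_CHANNELS_MHZ)


def expected_collisions_per_second(wifi_channels):
    """Hops per second exposed to 802.11b interference at 1600 hops/s."""
    return BT_HOPS_PER_SECOND * collision_fraction(wifi_channels)


def simulate_collision_fraction(wifi_channels, hops=16000, seed=1):
    """Monte Carlo cross-check: uniform pseudo-random hops stand in for the real,
    address-derived hop sequence; count those hitting an occupied channel."""
    rng = random.Random(seed)
    hit = overlapping_bt_channels(wifi_channels)
    return sum(rng.choice(BT_CHANNELS_MHZ) in hit for _ in range(hops)) / hops


if __name__ == "__main__":
    for plan in ([1], [6], [1, 6, 11]):
        print(f"802.11b channels {plan}: {collision_fraction(plan):.1%} of hops overlap, "
              f"~{expected_collisions_per_second(plan):.0f} exposed hops/s, "
              f"simulated {simulate_collision_fraction(plan):.1%}")
```

With a single 802.11b channel in use, roughly 22 of the 79 hop frequencies (about 28%) overlap it; with channels 1, 6 and 11 all busy, 68 of 79 do, which is why separating the radios in space matters more than anything the hop sequence can do.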

Corporate LAN administrators should be aware of the potential interference problems
between Bluetooth and 802.11b, and understand that Bluetooth radios will be in
everything from cellular phones and PDAs to laptop and desktop PCs, printers,
keyboards, mice and more. LAN administrators considering wireless LAN installations
or upgrades should look for access points that will be capable of supporting multiple
modes of operation, including 802.11b and Bluetooth.

Ultimately, at about the same time that the cost of integrating Bluetooth drops to the
point that it starts appearing in PCs as standard equipment, 802.11b may be replaced
by much speedier 802.11a-based radios as the preferred means of high-speed LAN
access, especially in corporate campus environments. Operating in the 5 GHz band and
away from Bluetooth interference, 802.11a is capable of 54 Mbps or higher
throughput. Banking on the future success of 802.11a, some Bluetooth silicon
manufacturers have already announced plans to bypass the already crowded 802.11b
market and move next into 802.11a development.

Products and Prototypes

Plug-in modules

Initial products consist of plug-in modules that allow users to Bluetooth-enable
existing devices. These are basic cable replacement devices that interface through
existing ports, and include the following:

• PCMCIA card
• USB dongle
• Memory stick
• Serial port dongle
• Parallel port dongle
• Springboard for Handspring Visor
• LAN access points
• Cellular phone dongle

As chip prices drop and manufacturers begin to integrate Bluetooth chips into
motherboards and other devices, integrated solutions will become more widely
available.

Digital image messaging

Pictured are a Bluetooth-enabled Nokia 9110 and a Fuji Film digital camera that
can communicate with one another using Multimedia Messaging Services (MMS). In
this example, Bluetooth is enabling digital image messaging. A user takes a digital
picture, transfers the image via Bluetooth to the Nokia 9110, adds a few lines of
text, and then mails it to another 9110, a PC, or to FugiFilm.net for prints and
saving to CD-R.

Bluetooth Infowear

In what the Bluetooth community calls "unconscious" or "hidden" computing,
Bluetooth-enabled products will automatically seek each other out and configure
themselves into networks – most often, with just two nodes. Though small, such
networks can be quite useful [22]. In this example, a prototype wristwatch that acts
as an organizer and synchronizes information wirelessly with a PC is shown. While
this may seem a bit like “Dick Tracy”, it is coming. At the Bluetooth Developers
Conference in December 2000, IBM demonstrated a working prototype of a Linux-
based wristwatch, complete with VGA touch-screen, speaker, microphone, and
Bluetooth radio. During a keynote presentation, the presenter used this watch to
control his PowerPoint presentation, while 3000 people looked on in amazement.

Bluetooth Pen

With the Anoto Bluetooth pen, e-mails, faxes and e-commerce orders can be sent
electronically by simply putting pen to paper. The technology was developed by
Ericsson, Anoto and Time Manager, and is scheduled for introduction in the second
half of 2001. The device looks, feels, handles and writes like an ordinary ink pen,
albeit a bulky one with a little LED indicator on the side. In addition to the usual
ink cartridge, the Anoto pen contains image processing and Bluetooth radio circuitry
designed to automatically transmit what is written to a Bluetooth-enabled cellular
phone, handheld computer or network base station. A pressure sensor at the back
end of the ink cartridge senses when the pen is actually writing, and a small imaging
sensor under the ink cartridge tracks the motion of the pen on the paper. The system
requires special paper with a pattern printed on it, too small to be seen with the
naked eye, to allow the pen’s image processor to track the movements of the pen.

Xyloc

Ensure Technologies’ patented Xyloc technology allows a user to wear a key in the
form of an ID badge-sized Keycard or a small, pager-sized KeyFob. A Lock attaches to
the user’s PC through the keyboard, USB or serial port. The Lock and Key use an
encrypted two-way Bluetooth radio link to identify the user to the Xyloc software on
the computer.

When a user approaches a Xyloc secured computer, the Key transmits a unique
encrypted code to the Lock, which relays the information to a security database for
validation. If the user is authorized, the system unlocks the keyboard and screen; if
unauthorized, the system remains secure. When the user steps away from the
computer, Xyloc immediately and automatically secures the computer. At CeBIT 2001,
Seiko Instruments Inc. and Ensure Technologies demonstrated Xyloc technology
incorporated into an interactive Bluetooth wristwatch. This technology is one to
follow, as it could have wide application for CSC and its clients, both commercial and
government.

Convergence Products

The Ericsson Communicator Platform is an example of some of the capabilities that
the next generation of products will offer, combining features of the hottest
technologies into one device. This prototype device combines mobile Internet
browsing, messaging, imaging, location based applications and services, mobile
telephony and personal information management. This kind of product convergence
will truly make life more pleasant by eliminating the need to carry multiple devices.
And, of course, Bluetooth will mean that proprietary cables will no longer be needed
in order to connect to other devices.

Bluetooth Security
Enterprise mobile computing users have several advantages that can make their
Bluetooth devices highly secure without losing any convenience and performance. The
Bluetooth protocol offers several optional layers of security to limit communications
among devices, and additional levels of security access once communication is
established. Transmissions may also be encrypted, although they usually are not. There
have been very few documented Bluetooth security problems, and most of these have
involved consumer devices configured to provide minimal protection.

Bluetooth devices can be configured for open mode, which enables them to
communicate with any other Bluetooth device, or they can be set to communicate
only with known devices. Because enterprise users typically only need to communicate
with a limited number of known peripherals, the less secure open mode can be
avoided. For example, Bluetooth mobile computers used by service or delivery workers
could be configured to communicate only with the specific printer carried by the
worker. Enabling authentication within the Bluetooth security protocol requires each
device to prove to the other that it holds the link key established at pairing before any
data is transmitted. This level of security is seldom used in consumer Bluetooth devices,
or even in PDAs and cell phones, whose users want the flexibility to exchange contact
information and cannot anticipate all the Bluetooth users and devices with which they
will want to communicate.

Vulnerabilities and Attacks

The majority of Bluetooth security vulnerabilities have been discovered in mobile
phones. Even so, with the growing dependence that people have on these devices to
conduct both work and personal business the exposure to threats cannot be ignored.
The following is an overview of the types of vulnerabilities and attacks that have been
discovered to date.

Information Retrieval and Theft of Service

Due to the types of services provided by mobile phones, many of the vulnerabilities
and attacks center on being able to retrieve various types of personal information
from a device. For instance, among other things the BlueSnarf attack allows an
attacker to covertly retrieve phonebook and calendar entries from a phone, the
phone's business card, and even the phone's IMEI (International Mobile Equipment
Identity). Most alarmingly, the latter can be used to clone the attacked phone's identity
on the cellular network. This attack is enabled by a vulnerability in the OBEX Push
service provided on some models of Sony Ericsson and Nokia phones, whereby the
connection to that service does not require authentication.

Other similar attacks, such as the BlueBug attack, allow an attacker to not only
retrieve such information, but to also take nearly full control of the phone. Phones
that are vulnerable to this attack contain a hidden RFCOMM channel that is not
advertised. An attacker can connect to this channel covertly without requiring a PIN
code. Once connected they can control the vulnerable device through AT commands,
enabling them to read and write phonebook entries, initiate phone calls, and send and
receive SMS messages. Additionally, an attacker can change call-forwarding settings,
connect to the Internet through the device, or select a different cellular network to
join. Being able to retrieve such information is especially worrisome because it can be
an enabler for a competitor to gather business intelligence on an enterprise. More
troubling is being able to combine this with attacks allowing full control of the device
as this can allow a social engineer to almost fully assume the identity of the person
possessing the vulnerable device – they can route their phone calls, place phone calls
that come from the device’s phone number, and have full access to any business or
personal contacts that are stored on the vulnerable device.

Tracking and Surveillance

Due to the nature of mobile phones, Bluetooth also allows a significant amount of
information to be gathered on the movements of people. This is due to the fact that
Bluetooth devices each contain a unique address and in the case of mobile phones
(where it’s unlikely that users will lend out their phone), it’s safe for someone
attempting to track the travel patterns of a person to assume that anytime a
Bluetooth phone with a certain address is detected that the person possessing it is in
the vicinity as well. In essence their phone becomes a locator beacon. Programs such
as Bluefish go one step further and will constantly scan an area for Bluetooth devices.
When a new device is found, the program coupled with a camera will capture an
image of the area where the device was discovered. It then stores it in a database,
associating the image with the device and the time of discovery. If the device is
discovered again and the device supports OBEX Push, then Bluefish will send the last
image associated with the device. Additionally, some Bluetooth hands-free kits offered
as factory equipment in cars or as after-market add-ons make use of a hard-coded PIN
that is the same across all units of a particular model. This is because many of these
devices do not provide an interface for a user-supplied PIN to be entered. A similar
situation exists with Bluetooth headsets as well. Because of this, it’s possible for an
attacker to connect to a headset or hands-free system and eavesdrop through the
microphone on conversations in proximity of the device, which is just what a newly
released tool called Car Whisperer enables. When the attacked device is a hands-free
kit even more is possible. These usually interface with the phone at a high-level
allowing the user to place calls and retrieve contact information from a phone that has
been paired with the kit.

Denial of Service Attacks

Currently the most well-known DoS attack is the BlueSmack attack. It is similar in
nature to the old "ping of death" attack that could take out Windows 95 machines
instantly. The Bluetooth L2CAP layer provides an echo request/response service similar
to ICMP echo, which allows one to test device connectivity. When pinging a device
through the L2CAP layer it is possible to specify the size of the echo payload (the BlueZ
l2ping tool exposes this as a command-line option). If a large enough packet is specified
it is possible to trigger a buffer overflow in certain implementations of the L2CAP layer
and crash the device. Because the devices affected are mostly PDAs and mobile phones,
some organizations may consider this annoying or an inconvenience at worst. However,
such a vulnerability would be a much more serious threat if it were found in devices
such as medical equipment or video surveillance cameras.
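
To see what a BlueSmack-style packet looks like and what a receiving stack should do with it, the following Python is added here as an illustration; it is not code from this paper or from any Bluetooth stack. It builds an L2CAP Echo Request on the signalling channel and parses incoming signalling frames with the length and MTU checks that stop an oversized echo payload from ever being copied into a fixed-size buffer. The frame layout (basic L2CAP header, then command code, identifier, length, data) and the 48-byte minimum signalling MTU for BR/EDR follow the specification; the handler itself, its constants' names and the 600-byte sample payload are assumptions of this example.

```python
import struct

L2CAP_SIGNALLING_CID = 0x0001     # CID 0x0001 carries signalling commands on ACL-U links
ECHO_REQUEST = 0x08
ECHO_RESPONSE = 0x09
COMMAND_REJECT = 0x01
REJECT_NOT_UNDERSTOOD = 0x0000
REJECT_SIG_MTU_EXCEEDED = 0x0001
SIGNALLING_MTU = 48               # minimum signalling MTU the specification requires for BR/EDR


def _signalling_frame(code, ident, data):
    """Wrap one signalling command in a basic L2CAP frame: [length][CID][code][ident][cmd_len][data]."""
    cmd = struct.pack('<BBH', code, ident, len(data)) + data
    return struct.pack('<HH', len(cmd), L2CAP_SIGNALLING_CID) + cmd


def build_echo_request(ident, payload):
    """What an l2ping sends; BlueSmack simply chooses a payload far larger than the MTU."""
    return _signalling_frame(ECHO_REQUEST, ident, payload)


def parse_signalling(frame):
    """Validate one signalling frame and return (code, ident, data), or None if it must be dropped.

    Both length fields are checked against the bytes actually received, so a forged
    length can never be used as the size of a copy."""
    if len(frame) < 8:                           # 4-byte L2CAP header + 4-byte command header
        return None
    length, cid = struct.unpack_from('<HH', frame, 0)
    body = frame[4:]
    if cid != L2CAP_SIGNALLING_CID or length != len(body):
        return None
    code, ident, cmd_len = struct.unpack_from('<BBH', body, 0)
    if cmd_len != len(body) - 4:
        return None
    return code, ident, body[4:]


def parse_command_reject(data):
    """Decode the reject reason and, for MTU-exceeded rejects, the peer's actual signalling MTU."""
    reason, = struct.unpack_from('<H', data, 0)
    mtu = struct.unpack_from('<H', data, 2)[0] if reason == REJECT_SIG_MTU_EXCEEDED else None
    return reason, mtu


def handle_signalling_frame(frame, sig_mtu=SIGNALLING_MTU):
    """Receiver side: answer an echo request, or reject it if it exceeds our signalling MTU."""
    parsed = parse_signalling(frame)
    if parsed is None:
        return None                              # malformed: drop silently
    code, ident, data = parsed
    if len(frame) - 4 > sig_mtu:
        # The check a BlueSmack-resistant stack performs before touching the payload:
        # report the real MTU instead of copying oversized data into a fixed buffer.
        return _signalling_frame(COMMAND_REJECT, ident,
                                 struct.pack('<HH', REJECT_SIG_MTU_EXCEEDED, sig_mtu))
    if code == ECHO_REQUEST:
        return _signalling_frame(ECHO_RESPONSE, ident, data)
    return _signalling_frame(COMMAND_REJECT, ident, struct.pack('<H', REJECT_NOT_UNDERSTOOD))


if __name__ == '__main__':
    for size in (4, 600):                        # 600 bytes is the kind of size that crashed vulnerable stacks
        reply = handle_signalling_frame(build_echo_request(1, b'A' * size))
        print(size, parse_signalling(reply))
```

The two length checks in parse_signalling are the ones that matter: a stack that trusts the length field in the header, or the length field in the command, as the byte count for a copy is exactly the stack that BlueSmack crashes.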

Detecting Devices

It can be very time consuming for an attacker to find non-discoverable Bluetooth
devices. Thus discoverable devices can be thought of as low-hanging fruit and will
most likely be the first targeted by any attacker. Therefore, the best way to assess
your organization’s exposure to Bluetooth vulnerabilities and attacks is to scan your
workplace for discoverable Bluetooth devices. While this may sound time consuming
and difficult to someone new to Bluetooth, it can be just as easy as using Netstumbler
or any other 802.11 discovery tool thanks to Network Chemistry's BlueScanner, part of
Network Chemistry's RFprotect line of wireless security solutions. Using BlueScanner,
IT staff can discover Bluetooth devices, their type (phone, computer, keyboard, PDA,
etc.), and the services advertised by the device. BlueScanner is easy to use and should
work with any adapter supported by Microsoft’s Windows XP Bluetooth protocol stack.
Using BlueScanner, you can perform a walk-around site survey of your workplace and
ascertain the level of Bluetooth use within your organization. It will identify any
discoverable devices within range and record all information that can be gathered
from the device without authenticating with it. This includes the device’s “human
friendly” name, unique address, type, time of discovery, time last seen, and any SDP
information provided by the device. In addition, BlueScanner allows you to add
location information to any discovered devices. This can be easily done by specifying a
location name before starting a scan. Once the scan has been started, any discovered
devices will be tagged with this location name. The location can be changed during a
scan, and any devices discovered after changing it will be tagged with the new
location. For instance, if you were scanning on floor three of your building, then you
could set the location to something like “Floor3.” Once you move to a different floor,
like the second floor, the location can be changed to “Floor 2.” This is completely
flexible and location names are specified by the user. They can be as granular and
descriptive as necessary. To keep from drowning the user in all the information that
BlueScanner collects, its intuitive user interface allows devices to be filtered
according to how recently they were last observed, their location, type, and by
specific service. For instance, if you wanted to see all the devices that support OBEX
Push you would simply select it underneath the Services heading in BlueScanner’s
filter-pane, which makes up the left portion of BlueScanner’s application window.
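
The walk-around survey described above boils down to keeping one record per Bluetooth address of what was seen, where and when, and decoding the Class of Device field that tells you whether the device is a phone, computer, headset or keyboard. The Python below, added here as an illustration and not part of BlueScanner or any other product, does that over a constructed scan log. The log format, the device names, addresses and service names are all made up for the example; the Class of Device decoding (major device class in bits 8 to 12, service class flags in bits 16 to 23) follows the Bluetooth assigned numbers.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime

# Constructed scan log for the example; the layout is ours, not BlueScanner's export format.
SAMPLE_LOG = """time,location,bdaddr,name,cod,services
2005-09-12T10:14:03,Floor3,00:0E:ED:12:34:56,Nokia 6310i,0x520204,OBEX Object Push;Dial-up Networking
2005-09-12T10:14:09,Floor3,00:0A:95:AA:BB:CC,JSMITH-LAPTOP,0x3e0100,OBEX Object Push;OBEX File Transfer;PAN
2005-09-12T10:15:31,Floor3,00:0D:44:01:02:03,HBH-300,0x200404,Headset
2005-09-12T10:41:15,Floor 2,00:0E:ED:12:34:56,Nokia 6310i,0x520204,OBEX Object Push;Dial-up Networking
2005-09-12T10:42:02,Floor 2,00:07:61:55:66:77,Bluetooth Keyboard,0x002540,Human Interface Device
"""

# Class of Device decoding (Bluetooth assigned numbers): bits 8-12 hold the major device
# class, bits 16-23 the service classes the device advertises in its inquiry response.
MAJOR_CLASSES = {0x00: 'Miscellaneous', 0x01: 'Computer', 0x02: 'Phone', 0x03: 'LAN/Network AP',
                 0x04: 'Audio/Video', 0x05: 'Peripheral', 0x06: 'Imaging', 0x07: 'Wearable',
                 0x08: 'Toy', 0x09: 'Health', 0x1F: 'Uncategorized'}
SERVICE_BITS = {16: 'Positioning', 17: 'Networking', 18: 'Rendering', 19: 'Capturing',
                20: 'Object Transfer', 21: 'Audio', 22: 'Telephony', 23: 'Information'}


def decode_cod(cod):
    """Return (major device class name, [advertised service classes]) for a 24-bit CoD."""
    major_bits = (cod >> 8) & 0x1F
    major = MAJOR_CLASSES.get(major_bits, 'Unknown (0x%02x)' % major_bits)
    services = [name for bit, name in sorted(SERVICE_BITS.items()) if cod & (1 << bit)]
    return major, services


@dataclass
class Device:
    bdaddr: str
    name: str
    type: str
    first_seen: datetime
    last_seen: datetime
    locations: set = field(default_factory=set)
    services: set = field(default_factory=set)


def build_inventory(log_text):
    """One record per Bluetooth address, merged across every sighting in the log."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        seen = datetime.fromisoformat(row['time'])
        dev = inventory.get(row['bdaddr'])
        if dev is None:
            major, _ = decode_cod(int(row['cod'], 16))
            dev = inventory[row['bdaddr']] = Device(row['bdaddr'], row['name'], major, seen, seen)
        dev.first_seen = min(dev.first_seen, seen)
        dev.last_seen = max(dev.last_seen, seen)
        dev.locations.add(row['location'])
        dev.services.update(s for s in row['services'].split(';') if s)
    return inventory


def filter_devices(inventory, service=None, location=None, seen_since=None):
    """The filter-pane view: narrow the inventory by SDP service, survey location or recency."""
    return sorted(addr for addr, d in inventory.items()
                  if (service is None or service in d.services)
                  and (location is None or location in d.locations)
                  and (seen_since is None or d.last_seen >= seen_since))


if __name__ == '__main__':
    inv = build_inventory(SAMPLE_LOG)
    # Everything that accepts OBEX Push without pairing is the first thing to chase down.
    for addr in filter_devices(inv, service='OBEX Object Push'):
        d = inv[addr]
        print(addr, d.name, d.type, sorted(d.locations), d.last_seen)
```

The phone in the sample log shows why the per-address record matters: it is seen on two floors half an hour apart, which is precisely the locator-beacon behaviour described under Tracking and Surveillance, and it advertises OBEX Object Push, the service the BlueSnarf attack abuses.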

Reducing Exposure

The best way to reduce exposure to the threat of these vulnerabilities is to assess
what Bluetooth devices are present in your organization and, if unneeded, to turn off
the Bluetooth portion of their functionality. It is also possible that a vulnerable device
has had updated firmware released, which fixes the problem. If this is the case, the
updated firmware should be applied as soon as possible. However if performing either
of these is not possible, the next best action to take is to put the device into non-
discoverable mode. Putting a device into this mode will effectively render the device
invisible to any would-be attackers. However this is still not a fool-proof solution. As
mentioned before, there are discovery tools that can brute-force a device’s address in
order to communicate with it when in non-discoverable mode. It is still very time
consuming for an attacker to attempt this though, so putting a device into non-
discoverable mode can still significantly reduce the likelihood that a device will be
attacked.

Another action that can be taken to reduce the likelihood of an attack succeeding is to
use long PIN codes when pairing devices. This is very important because the
authentication of Bluetooth connections and the security of an encrypted link depend
almost solely on the secrecy of the PIN. As mentioned earlier, some devices have hard
-coded PIN codes which cannot be changed. However, for devices that allow a PIN to
be chosen by the user, it is imperative that the longest possible PIN codes be used: an
attacker who has captured the pairing exchange can search a four-digit PIN offline in
under one second. Clearly, using such a short PIN is highly insecure.
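
The reason a four-digit PIN falls so quickly is that, in legacy (pre-2.1) pairing, everything a sniffer captures is a deterministic function of the PIN, the two device addresses and random values sent in the clear, so the PIN can be searched offline with no further radio traffic. The Python below, added here as an illustration and not code from this paper, models that exchange and the offline search. It is a deliberately simplified model: the SAFER+-based E22, E21 and E1 functions are replaced by HMAC-SHA256 stand-ins, the rule for which address feeds E22 is simplified to "the responding device", and the addresses and PIN are made up. What the example shows is the structure of the attack, not the real cipher.

```python
import hashlib
import hmac
import os
from itertools import product


def _prf(label, *parts):
    """Stand-in for the SAFER+-based E22/E21/E1 functions of legacy pairing (an assumption of
    this example; real stacks use SAFER+). All the attack needs is that the output is fixed
    by its inputs, so a guessed PIN can be checked against a sniffed exchange."""
    return hmac.new(label, b''.join(parts), hashlib.sha256).digest()[:16]


def E22(pin, bd_addr, in_rand):      # Kinit from the PIN, one address and a cleartext random
    return _prf(b'E22', pin, bd_addr, in_rand)


def E21(lk_rand, bd_addr):           # each side's contribution to the combination (link) key
    return _prf(b'E21', lk_rand, bd_addr)


def E1(link_key, bd_addr, au_rand):  # challenge-response; SRES is 32 bits on the air
    return _prf(b'E1', link_key, bd_addr, au_rand)[:4]


def xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def legacy_pairing(pin, addr_a, addr_b, rng=os.urandom):
    """Bluetooth 1.x/2.0 pairing followed by A authenticating B.

    Returns (link_key, transcript); the transcript is exactly what a passive sniffer sees."""
    in_rand = rng(16)                                  # sent in the clear
    k_init = E22(pin, addr_b, in_rand)                 # both sides derive Kinit from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    c_a, c_b = xor16(lk_rand_a, k_init), xor16(lk_rand_b, k_init)   # LK_RANDs masked by Kinit only
    link_key = xor16(E21(lk_rand_a, addr_a), E21(lk_rand_b, addr_b))
    au_rand = rng(16)                                  # A challenges B; B answers with SRES
    sres = E1(link_key, addr_b, au_rand)
    transcript = dict(addr_a=addr_a, addr_b=addr_b, in_rand=in_rand,
                      c_a=c_a, c_b=c_b, au_rand=au_rand, sres=sres)
    return link_key, transcript


def crack_pin(t, max_digits=4):
    """Offline PIN search over a sniffed transcript, in the style of Shaked and Wool (2005).

    Each candidate PIN gives a candidate Kinit, which unmasks both LK_RANDs, which gives a
    candidate link key, which is confirmed or refuted by recomputing SRES. Returns
    (pin, link_key) or None if no PIN of up to max_digits digits matches."""
    for n in range(1, max_digits + 1):
        for digits in product('0123456789', repeat=n):
            pin = ''.join(digits).encode()
            k_init = E22(pin, t['addr_b'], t['in_rand'])
            lk_rand_a, lk_rand_b = xor16(t['c_a'], k_init), xor16(t['c_b'], k_init)
            link_key = xor16(E21(lk_rand_a, t['addr_a']), E21(lk_rand_b, t['addr_b']))
            if E1(link_key, t['addr_b'], t['au_rand']) == t['sres']:
                return pin.decode(), link_key
    return None


if __name__ == '__main__':
    # Made-up addresses and PIN for the demonstration.
    addr_a, addr_b = bytes.fromhex('000ced123456'), bytes.fromhex('000a95aabbcc')
    key, transcript = legacy_pairing(b'8426', addr_a, addr_b)
    found = crack_pin(transcript)
    print('recovered PIN %s, link key matches: %s' % (found[0], found[1] == key))
```

With four digits the search is at most 11,110 candidates and finishes in well under a second even in this slow Python model; every additional digit multiplies the work by ten, which is why the longest PIN a device accepts (up to 16 digits) is worth the inconvenience. Note also what the search returns: not just the PIN but the link key, so an attacker who captured the pairing can later derive the encryption key for that link as well.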

Challenges/Issues and Benefits

A major challenge for Bluetooth developers will be putting in place the software
applications that are needed to handle the almost unlimited number of situations that
are envisioned for Bluetooth. The various Bluetooth usage models all require robust
software applications to ensure that everything from device discovery and
interoperability, to authentication and security, are implemented and function
correctly. There is a concern over possible interference with aircraft navigation and
other systems due to Bluetooth radios built into cellular phones, PDAs, laptop
computers, and other portable devices. Both the FAA and Boeing may require that
Bluetooth devices traveling on aircraft have a hard-shutoff capability. The normal ‘off’
mode of operation of many of these devices would not disable the Bluetooth radio,
since one of the features of Bluetooth would be to automatically wake up the device
when performing such functions as wireless synchronization. Bluetooth devices may
also be required to have a visual indication of their on/off state, such as a flashing
light.

There is a movement within the Bluetooth SIG to make a future version of the
Bluetooth specification that would operate in the 5 GHz band. Such a move would
require more power and negate many of the advantages of using Bluetooth in
portable, battery limited, power constrained electronic devices. The challenge for the
Bluetooth community is keeping focused on what makes Bluetooth attractive for
implementing wireless PANs in mobile devices. There is a risk that in their attempt to
improve Bluetooth, developers will change Bluetooth into something that makes it less
attractive for many of the applications for which it is currently envisioned.

One reason for the delay of the widespread introduction of Bluetooth products has been
the resolving of interoperability issues between different vendors' implementations.
With the release of version 1.1 of the Bluetooth Specification in February 2001, a
significant roadblock to the adoption of Bluetooth has been removed. This version
appears to have solved all the major outstanding interoperability issues, giving
developers a “green light” to proceed with product development and manufacture.

The benefits of Bluetooth wireless technology will have well been worth the wait.
Inclusion of a single
Bluetooth radio in a PC, and in each of the devices it connects to, will eliminate the
need to purchase expensive proprietary cables. Digital cameras, cellular phones, PDAs,
wireless headsets and other devices will no longer require cables to transfer data. A
Bluetooth-enabled wireless keyboard and mouse will allow the user to take them
across a room, providing an additional degree of freedom and flexibility not
experienced today even by infrared wireless devices. In many cases, incorporating
Bluetooth will be a more cost effective solution than the specialized cables and bulky
connectors it replaces. Slimmer device designs will be possible using Bluetooth since
the physical space needed for cable connectors can be eliminated. Perhaps the
greatest benefit of Bluetooth technology is its inherent ability to enable wireless
personal area networks and “smart environments.”

CONCLUSION

Bluetooth is an enabling technology. As such, it is poised to change our world in ways
we cannot imagine. New usage patterns will emerge as a result of this new technology.
Bluetooth will enable a technology like WAP to finally achieve widespread acceptance
through the use of PDAs as the user interface instead of the current display-limited
cellular phones.

Bluetooth could also enable such visionary initiatives as MIT’s Project Oxygen to
achieve its goal of freely available and pervasive computing by providing the wireless
infrastructure for “smart rooms” and “smart spaces.” Assuming Bluetooth is
successful, five years from now, we will look back and see applications that have been
developed that we could not have anticipated today.

In order for Bluetooth to be successful, however, the first user experiences must be
pleasurable. Installation, setup and operation must be simple, and it must work the
first time out of the box. Devices must be able to interoperate as expected, flawlessly.
If Bluetooth is successful, it will be so in a big way. Even if Bluetooth fails in one area,
there is probably enough industry support to ensure success elsewhere. Once
Bluetooth’s success is assured, someone will probably revisit the failures and fix them.
Bluetooth fits best in low-power mobile devices for use in PANs. It should not try to
compete with wireless LAN technologies, but it needs to co-exist with them.

There are already numerous application areas for Bluetooth, and many that have yet
to be imagined. As a premier provider of IT services, CSC is in a unique position to
provide our clients with the vision and guidance necessary to take advantage of this
emerging technology. Whether it is developing software for wireless e-commerce,
providing hardware for wireless security, or designing and implementing smart
workspaces, CSC should be prepared to offer its services and expertise to build the
right solutions for our clients.

Bluetooth is coming, and we need to understand where it fits, and where it does not,
so that when our clients come to us for advice, we have the answers.
