Bluetooth: What it is and How it Works

Many experienced computer users never give a thought to Bluetooth. "Oh, yeah, I think that's built into my laptop but I never use it" is a common refrain. Initially touted as the technology that would finally free us from the horrors of multiple tangled cables and cords, Bluetooth didn't catch on as quickly as expected. Until recently, there just weren't that many useful (with the emphasis on "useful") Bluetooth devices available – at least, not for desktop computing. Users of handheld computers (such as my iPaq) adopted the technology more quickly, as it allowed us to easily attach portable keyboards, headsets, printers, etc. to our portable devices (which often don't have a bunch of connection ports like desktops and laptops do). Bluetooth-enabled cell phones allow you to connect a PDA or portable computer to the Internet through them.

Bluetooth was designed to be the basis of the Personal Area Network (PAN) – a way for devices within relatively close proximity to communicate wirelessly with one another. The range for Bluetooth transmissions varies from about 1 meter up to 100 meters, depending on the power class of the device. Thus, the most powerful (Class 1) can communicate over a distance of more than 300 feet, similar to a typical wi-fi network.

Like 802.11b and g, Bluetooth transmits over the 2.4 GHz radio frequency. Its speed is limited to about 1 Mbps (far slower than wi-fi, but still roughly equivalent to a typical broadband Internet connection). It uses LMP (Link Manager Protocol) to handle the connections between devices.

Bluetooth Security Issues

Bluetooth can operate in one of three security models:

- Mode 1 provides no security.
- Mode 2 provides security at the service level, after the channel is established.
- Mode 3 provides security at the link level, before the channel is established.

Each Bluetooth device has a unique 48-bit device address. The authentication scheme is challenge-response, using symmetric keys, and encryption is done with a key that can be up to 128 bits (negotiated by the communicating devices, with each device having a maximum key length defined). A 128-bit random link key handles security transactions between two or more devices.

When two Bluetooth devices establish a communications channel, they both create an initialization key. A passkey or Personal Identification Number (PIN) is input and the initialization key is created, and the link key is calculated using it. Then the link key is used for authentication.

The first security concern is the passkey or PIN. As with any key, long keys are more secure than short ones. If a hacker is able to discover the passkey, he can calculate possible initialization keys, and then from that, calculate the link key. Making the passkey long will make it much harder to accomplish the first step.

The initial key exchange takes place over an unencrypted link, so it is especially vulnerable. It's best if this part of the BT device pairing process takes place in a more physically secure location (that is, where there are not likely to be any lurkers with BT devices who could intercept the communications). A hacker could record transmissions sent over the BT frequency and use them to recreate the PIN.

Rather than using the same fixed passkey all the time, it should be changed frequently (how frequently depends on the types of devices and the required security level).

Link keys can be combination keys or unit keys. Best security practice is to use combination keys instead of unit keys. When you use a unit key, you must use the same key for all secure transactions, and the key has to be shared with other trusted devices. This means any trusted device can potentially access traffic with other trusted devices using this key.

It's possible to use the Bluetooth address to identify a particular device (and associated user) and log those transactions, which can create privacy concerns.

Why Does Bluetooth Security Matter?

Many Bluetooth users only use the technology to connect a wireless headset or similar device to their portable computers, and they may wonder why security is a big deal. Implementing security, even for these types of device pairings, can prevent an unauthorized user from using the headset.

However, another use of Bluetooth is to create a temporary computer network. For example, several people in a meeting room can connect their Bluetooth-enabled laptops to each other to share files during the meeting.

When you use Bluetooth to create a temporary network, it is usually an ad hoc network; that is, computers communicate directly with each other rather than going through a wireless access point (WAP). This means you have no centralized point of security control, as you do with a WAP (for example, you can configure a WAP to use MAC address filtering and other built-in security mechanisms). Thus, security becomes a major concern because you can be exposing important data stored on your laptop to others on the Bluetooth network. Remember that the range for Class 1 Bluetooth devices can be more than 300 feet – far enough so that in some locations, the BT equivalent of the wi-fi "war driver" may be able to establish a link with your computer even though not within your sight.

Another special concern is the security of Bluetooth mobile phones. These phones may have information stored on them such as the addresses and phone numbers of contacts, calendar information and other PDA-type data. Hacking into these phones using Bluetooth is called bluesnarfing. Newer mobile phones and software upgrades for older phones can patch this vulnerability.

A related hacking technique is called bluebugging, and it involves accessing the phone's commands so that the hacker can actually make phone calls, add or delete contact info, or eavesdrop on the phone owner's conversations. This vulnerability, too, is being addressed by phone manufacturers. Thus, if you own a BT-enabled phone, it's important to keep the software updated or upgrade to the latest phone models frequently.

Bluetooth devices can also be targets of Denial of Service (DoS) attacks, typically by bombarding the device with requests to the point that it causes the battery to degrade.

Finally, there are "cell phone worms" such as Cabir that can use the Bluetooth technology to propagate to other BT devices. Cabir targets phones that use the Symbian OS.

The relatively short range of most Bluetooth headset devices helps to ameliorate the risk of most of these security issues. For example, to practice bluesnarfing or bluebugging against a BT phone, the hacker would typically need to be within about 10 meters (a little less than 33 feet) of the target phone.
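
The advice to prefer combination keys over unit keys can be seen in a small model. The following is an added example, not code from the article or from any Bluetooth stack: HMAC-SHA256 stands in for Bluetooth's real key-derivation and authentication functions, and the device addresses and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def prf(key, data):
    # Stand-in for Bluetooth's E1/E21 functions (assumption: HMAC-SHA256, 128-bit output).
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def auth_response(link_key, challenge, claimant_addr):
    # Challenge-response: the claimant proves it knows the link key.
    return prf(link_key, challenge + claimant_addr)

class Device:
    def __init__(self, addr_hex):
        self.addr = bytes.fromhex(addr_hex)  # 48-bit device address (constructed)
        self.unit_key = os.urandom(16)       # one fixed key, used only in unit-key mode
        self.link_keys = {}                  # peer address -> 128-bit link key

def pair_unit(owner, peer):
    # Unit key: the owner gives the same key to every device it trusts.
    owner.link_keys[peer.addr] = peer.link_keys[owner.addr] = owner.unit_key

def pair_combination(a, b):
    # Combination key: both sides contribute fresh randomness, so each pair gets its own key.
    half_a = prf(os.urandom(16), a.addr)
    half_b = prf(os.urandom(16), b.addr)
    key = bytes(x ^ y for x, y in zip(half_a, half_b))
    a.link_keys[b.addr] = b.link_keys[a.addr] = key

def third_party_holds_link(a, b, c):
    # Can trusted device C compute the response that authenticates B to A?
    challenge = os.urandom(16)
    expected = auth_response(a.link_keys[b.addr], challenge, b.addr)
    from_c = auth_response(c.link_keys[a.addr], challenge, b.addr)
    return hmac.compare_digest(expected, from_c)

def compare_key_types():
    results = {}
    for name, pair in (("unit", pair_unit), ("combination", pair_combination)):
        a, b, c = Device("0000000000a1"), Device("0000000000b2"), Device("0000000000c3")
        pair(a, b)
        pair(a, c)
        results[name] = third_party_holds_link(a, b, c)
    return results

if __name__ == "__main__":
    print(compare_key_types())
```

With unit keys, device C ends up holding the same key that protects the A-to-B link; with combination keys each pairing is isolated, so revoking trust in one device does not force re-pairing the others.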