B l u e t o o t h N e w s . c o m   

   BluetoothNews.com - Your ultimate resource for Bluetooth information.
   

Back ] Up ] Next ]

Bluetooth Security

 
Home
Editorial
Cover Story
Industry News
Product Reviews
Features
Glossary
Links
Discussion Forum
 

 

  


How Security Works In Bluetooth Networks

By: Steven 'fyiguy' Hughes, Co-Manager BostonPocketPC.com

This article originated from a discussion in our forum about security in Bluetooth networks versus wireless LAN (WiFi) networks. Here is the part about security implementations in Bluetooth.

Bluetooth security should start and come from procedure and implementation of any organization. I think it was wise for a company to shut down wireless communications, until a security plan can be implemented. I have attended numerous roundtables with fortune 100 companies and you would be surprised how many use wireless technology without implementing a security protocol or procedures before setting up their networks. Most are generally forced in to implementing a system because a VP or higher up wants or "needs" this new technology they heard on the news or read in an article, and they want it yesterday.

On the terms of hardware right now pretty much every piece of bluetooth out there is currently on the same playing field of encryption in version 1.1. Things may change little with 1.2, but more is rumored to occur with version 2.0. Most manufacturers and companies have kept their drivers and versions current via download from their websites.

Again the level of security would come down to with how the device is setup, if you allow your device to be detected, if you transfer data encrypted or not, if you require a password to bond, etc. These levels of security are things that should be implemented by everyone, but aren't. I was at a pretty big meeting in Boston and had to turn off my BT discovery because it was picking up everything from phones, PDAs, headsets, and computers broadcasting their presence. It is kind of like the phenomenon with WiFi and the use of Netstumbler, where 90% of all users don't even turn on basic WEP encryption and leave their access points with the default passwords. So again implementation is key to securing any system.

Every Bluetooth device is given a unique bluetooth address, allowing users to establish a trust relationship with the person at the other end of the Bluetooth transmission. In order for Bluetooth devices to communicate, there is first an initialization process which uses a PIN. Some Bluetooth enabled devices will allow you to enter in an ID number, most will also allow for you to store a PIN in the device's memory or on a hard disk. Implementing this feature reduces ones sense of security, since most Bluetooth devices that implement PINs use four digits and half the time they are set to"0000." The implementation of this reduces your certainty of knowing exactly with whom you are communicating. It would be nice if the PIN also implemented the Bluetooth identification as say the "user id" and the Pin as password this would greatly reduce the chance of access to the device, this would also prevent brute force methods of random number generators from easily coming up with a viable password in a few hours or even minutes. However there are some devices that are more secure than others like the Sony Ericcson T68 series, which you manually have to initiate the bond for it to occur, all Bluetooth devices should have this on by default as well. The third level of security that resides in Bluetooth is the implementation of encryption and this can be chosen to be implemented or not to be implemented for each service and is user configurable.

One could find the "ID" is associated with a person, by tracking the unscrambled address sent with each message via Bluetooth sniffer, available by companies such as Epiphan that will help organizations find rogue Bluetooth and WiFi devices to tighten the noose on Wireless security. And once the ID is discovered, a person could be traced and their Bluetooth activities easily logged. Imagine you and I are sharing files with one another in a crowded airport. To keep the transmission secure, we use encryption and you give me your secret key. Later that day, a coworker requests another file from you and again and you use your key. Knowing your key, I can use a faked device address, determine the encryption, and gain access to your coworkers files. I could also masquerade as you or your friend. Bluetooth only authenticates devices, not users. (Again this is a convoluted story for an "for theoretical purposes" and probably would take a lot of time and sweat equity to implement, but it could be possible.)

Here is some FYI on Bluetooth Security:

Bluetooth enabled devices can operate basically in one of three different security modes as per the Bluetooth specifications, which is set up ba the end user who determines the level of security:
bullet

Security Mode 1- This is the most insecure security mode in which the Bluetooth device does not initiate any security procedure. It is in a "promiscuous" or "discovery" mode, allowing other Bluetooth devices to initiate connections with it.

bullet

Security Mode 2- This mode enforces security after establishment of the link between the devices at the L2CAP level. This mode allows the setting up of flexible security policies involving application layer controls running in parallel with the lower protocols.

bullet

Security Mode 3- This mode enforces security controls such as authentication and encryption at the Baseband level itself, before the connection is set up. The security manager (explained later in this article) usually enforces this onto the LMP.

Bluetooth allows for these security levels to be defined for by both devices and services.

For devices there are two possible security levels. A remote device could either be a:
bullet

Trusted device- Such a device would have access to all services for which the trust relationship has been set.

OR
bullet

Untrusted device- Such a device would have restricted access to services. Typically such devices would not share a permanent relationship with the other device.

For services, three levels of security have been defined.
bullet

Services that require authorization and authentication. Automatic access is only granted to trusted devices. Other devices need a manual authorization.

bullet

Services that require authentication only. Authorization is not necessary.

bullet

Services open to all devices; authentication is not required, no access approval required before service access is granted.

Note: The Bluetooth Architecture allows for defining security policies that can set trust relationships in such a way that even trusted devices can only get access to specific services and not to others.

Fundamentally, the core Bluetooth protocols can be used to implement the following security controls to restrict access to services:
bullet

Access to Services would need Authorization (Authorization always includes authentication). Only trusted devices would get automatic access.

bullet

Access to Services would need only authentication. i.e. the remote device would need to get authenticated before being able to connect to the application.

bullet

Access to Services would need encryption. The link between the two devices must be encrypted before the application can be accessed.

What is important to understand here is (as I stated before), that Bluetooth core protocols can only be used to authenticate devices and not individual users. This isn't to say that user based access control is not possible. The Bluetooth Security Architecture (through the Security Manager) which allows applications to enforce their own security policies. The link layer, at which Bluetooth specific security controls operate, is transparent to the security controls imposed by the application layers. Thus it is possible to enforce user-based authentication and fine grained access control within the Bluetooth Security Framework.

The Security Manager component is the entity that decides what policies are to be enforced when a connection request is made (both for inbound and outbound connections). Based on the service, device type and whether the device is trusted or untrusted the security manager can enforce application level authentication, encryption of the session and any other specific access policies.

The Service database stores information regarding the authentication, authorization and encryption requirements for the services. It also stores other routing information for the services.

The typical process (steps) followed by the security manager in granting access to a remote device to connect to a particular service is as follows:
bullet

Remote device requests access

bullet

Connection request comes to L2CAP (Logical Link Control and Adaptation Protocol)

bullet

L2CAP requests security manager to grant access

bullet

Security Manager queries both device and service databases

bullet

If device is trusted, then security manager may or may not (depending on the implementation) ask for authentication or authorization

bullet

If the device is untrusted, the security manager may either terminate the connection (if so desired) or enforce authorization. Authentication at the core Bluetooth protocol level will happen when link keys are exchanged.
Depending on the security policy governing access, the security manager might call upon an application protocol to enforce application level security such as a username/password scheme for authentication.
Support is also built in for other authentication schemes through the security manager interface.

bullet

The Security manager will then decide if the service access requires link encryption. If it does, the keys will be negotiated and exchanged at the L2CAP protocol level and the connection will continue.

The Security Manager is the active component that manages and enforces security policy in the Bluetooth Security Architecture. In a way, the Security Manager acts as a bridge in terms of bringing together the application level and core Bluetooth protocol level (Link Layer) security controls and thus helps in providing end to end security across these layers.

There are a number of weaknesses in the current Bluetooth architecture (both directly and indirectly) that can be potentially exploited. Like any protocol out there, nothing is 100% safe.

A simple example, though not so simple to implement in practice is the man-in-the-middle attack for stealing identification and encryption keys before the start of a session and using the same identification to impersonate and/or eavesdrop on communications. This problem is however not specific to Bluetooth alone. Most key exchange systems are prone to this type of attack and is how many hackers get into websites as we hear on the news every day. One way to mitigate this issue would be to build in support for digital certificate based authentication systems. Another way might be to make it very difficult for an attacker to lock onto the frequency used for communication.

The frequency hopping intervals and patterns should be made reasonably unpredictable instead of fixed (to keep transmissions from breaking up, Bluetooth employs frequency hopping, a practice of skipping around the 2.45GHz radio band 1600 times each second. This improves clarity and also reduces what Bluetooth proponents call "casual eavesdropping" by allowing only synchronized devices to be able to communicate - this may help to prevent an attacker from locking onto the device signal.) These considerations have been factored in to some degree in the Bluetooth specifications. However as the paper by the Bell-Lab researchers point out, this is not so difficult to break into.

The other "big" security issue deals with the acutal PIN itself. Most devices have extremely short (usually 4 character) PINs. This is itself is a security weakness, though it is implementation and not specification related. Short PINs can be searched exhaustively by attackers. If BT devices were able to use longer password lengths like 16 charcters or even Hex codes this would be another way to strengthen security.

Security seems to be something hard for the average user to understand, (I know when I first looked at it my eyes rolled in my head a few times and it took using the technology to get a better understanding of it) and should be easier to implement. There is some talk of implementing the use of smartcards for encryption keys and realtime rolling code servers similar to RADIUS servers to keep Bluetooth secure.

There are a few security issues to still be worked out and the slow introduction of these devices using this standard may be a blessing in disguise - both for Bluetooth and wireless consumers in general, but as the devices are starting make their way into mainstream market devices, I hope we see more sooner than later. Wireless security seems to be big thing these days, especially in the field of Healthcare with the new HIPAA deadlines looming, one of which started recently on April 14th, but again generally falls on the shoulders of the IT staff for proper implementation and understanding of the technology and protocols.

I hope this helps define and clear some of these things up, rather than confuse the matter more.

 

 

Sponsored by:
 

Copyright © BluetoothNews.com 2003-06-21 23:21