Bluetooth: Is it a Security Threat?
You don't see so much discussion of Bluetooth security. Is that because the short distance range means you don't have to worry about security? I recently heard someone say that he considered Bluetooth one of the computer industry's "biggest security bloopers ever" and would never buy a BT product. The only BT devices I use are a set of headphones and my HP GPS receiver that connects to my iPaq Pocket PC.
Bluetooth: What it is and How it Works
I know many experienced computer users who never give a thought to Bluetooth. "Oh, yeah, I think that's built into my laptop but I never use it" is a common refrain. Initially touted as the technology that would finally free us from the horrors of multiple tangled cables and cords, Bluetooth didn't catch on as quickly as expected. Until recently, there just weren't that many useful (with the emphasis on "useful") Bluetooth devices available - at least, not for desktop computing. Users of handheld computers (such as my iPaq) adopted the technology more quickly, as it allowed us to easily attach portable keyboards, headsets, printers, etc. to our portable devices (which often don't have a bunch of connection ports like desktops and laptops do). Bluetooth-enabled cell phones allow you to connect a PDA or portable computer to the Internet through them.
Bluetooth was designed to be the basis of the Personal Area Network (PAN) - a way for devices within relatively close proximity to communicate wirelessly with one another. The range for Bluetooth transmissions varies from about 1 meter up to 100 meters, depending on the power class of the device. Thus, the most powerful (Class 1) can communicate over a distance of more than 300 feet, similar to a typical wi-fi network.
Like 802.11b and g, Bluetooth transmits over the 2.4 GHz radio frequency. Its speed is limited to about 1 Mbps (far slower than wi-fi, but still roughly equivalent to a typical broadband Internet connection). It uses LMP (Link Manager Protocol) to handle the connections between devices.
Bluetooth Security Issues
Bluetooth can operate in one of three security models:
- Mode 1 is non security.
- Mode 2 provides security at the service level, after the channel is established.
- Mode 3 provides security at the link level, before the channel is established.
Each Bluetooth device has a unique 48-bit device address. The authentication scheme is challenge-response, using symmetric keys, and encryption is done with a key that can be up to 128 bits (negotiated by the communicating devices, with each device having a maximum key length defined). A 128 bit random link key handles security transactions between two or more devices.
When two Bluetooth devices establish a communications channel, they both create an initialization key. A passkey or Personal Identification Number is input and the inititalization key is created, and the link key is calculated using it. Then the link key is used for authentication.
The first security concern is the passkey or PIN. As with any key, long keys are more secure than short ones. If a hacker is able to discover the passkey, he can calculate possible initiation keys, and then from that, calculate the link key. Making the passkey long will make it much harder to accomplish the first step.
The initial key exchange takes place over an unencrypted link, so it is especially vulnerable. It's best if this part of the BT device pairing process takes place in a more physically secure location (that is, where there are not likely to be any lurkers with BT devices who could intercept the communications). A hacker could record transmissions sent over the BT frequency and use them to recreate the PIN.
Rather than using the same fixed passkey all the time, it should be changed frequently (how frequently depends on the types of devices and the required security level).
Link keys can be combination keys or unit keys. Best security practice is to use combination keys instead of unit keys. When you use a unit key, you must use the same key for all secure transactions, and the key has to be shared with other trusted devices. This means any trusted device can potentially access traffic with other trusted devices using this key.
It's possible to use the Bluetooth address to identify a particular device (and associated user) and log those transactions, which can create privacy concerns.
Why Does Bluetooth Security Matter?
Many Bluetooth users only use the technology to connect a wireless headset or similar device to their portable computers, and they may wonder why security is a big deal. Implementing security, even for these types of device pairings, can prevent an unauthorized user from using the headset.
However, another use of Bluetooth is to create a temporary computer network. For example, several people in a meeting room can connect their Bluetooth-enabled laptops to each other to share files during the meeting.
When you use Bluetooth to create a temporary network, it is usually an ad hoc network; that is, computers communicate directly with each other rather than going through a wireless access point (WAP). This means you have no centralized point of security control, as you do with a WAP (for example, you can configure a WAP to use MAC address filtering and other built-in security mechanisms). Thus, security becomes a major concern because you can be exposing important data stored on your laptop to others on the Bluetooth network. Remember that the range for class 1 Bluetooth devices can be more than 300 feet - far enough so that in some locations, the BT equivalent of the wi-fi "war driver" may be able to establish a link with your computer even though not within your sight.
Another special concern is the security of Bluetooth mobile phones. These phones may have information stored on them such as the addresses and phone numbers of contacts, calendar information and other PDA-type data. Hacking into these phones using Bluetooth is called bluesnarfing. Newer mobile phones and software upgrades for older phones can patch this vulnerability.
A related hacking technique is called bluebugging, and it involves accessing the phone's commands so that the hacker can actually make phone calls, add or delete contact info, or eavesdrop on the phone owner's conversations. This vulnerability, too, is being addressed by phone manufacturers. Thus, if you own a BT-enabled phone, it's important to keep the software updated or upgrade to the latest phone models frequently.
Bluetooth devices can also be targets of Denial of Service (DoS) attacks, typically by bombarding the device with requests to the point that it causes the battery to degrade.
Finally, there are "cell phone worms" such as Cabir that can use the Bluetooth technology to propagate to other BT devices. Cabir targets phones that use the Simbian OS.
The relatively short range of most Bluetooth devices helps to ameliorate the risk of most of these security issues. For example, to practice bluesnarfing or bluebugging against a BT phone, the hacker would typically need to be within about 10 meters (a little less than 33 feet) of the target phone.
The Bluetooth Special Interest Group (SIG) consists of more than 3000 companies that make BT devices and/or BT-enabled software, including Microsoft, IBM, Intel, Motorola, Nokia, Toshiba and others. For a very detailed discussion of Bluetooth security and how it can be implemented on specific device types, see http://188.8.131.52/search?q=cache:6HqlN2zxgYAJ:www.bluetooth.com/upload/24Security_Paper.PDF+bluetooth+security&hl=en.