Overview of Bluetooth

  • 7/29/2019 Overview of Bluetooth

    1/37

    Page 1 of37

    Table of Contents

    1. Appendix
    2. Introduction
    3. Overview of Bluetooth Technology
        3.1. Bluetooth Stack Architecture
        3.2. Advantages and Disadvantages of Bluetooth Technology
            3.2.1. Advantages
            3.2.2. Disadvantages
        3.3. Piconet
        3.4. Scatternet
        3.5. Types of Bluetooth
    4. Bluetooth Security Feature
        4.1. Basic Security Feature
        4.2. Service Level of Bluetooth Technology
        4.3. Key Management
    5. Key Generation and Security Mode
        5.1. Security Modes
        5.2. Types of Key in Bluetooth
        5.3. Generation of the initialization key, Kinit
        5.4. Generation of Unit Key, KA
        5.5. Generation of Combination Key, KAB
        5.6. Generation of Master Key, Kmaster
        5.7. Generation of Encryption Key, KC
        5.8. Algorithms Used to Generate Keys
        5.9. Pairing Process
    6. Authentication and Confidentiality
        6.1. Authentication
        6.2. Confidentiality
    7. Bluetooth Vulnerabilities & Threats
        7.1. Vulnerabilities
            7.1.1. Vulnerabilities before Bluetooth v1.2
            7.1.2. Vulnerabilities before Bluetooth v2.1
            7.1.3. Vulnerabilities in Bluetooth v2.1 and v3.0
            7.1.4. Vulnerabilities in Bluetooth before v4.0
        7.2. Threats
    8. Bluetooth Countermeasures
    9. Conclusion
    10. Reference

    List of Figures

    Figure 3.1: Overview of Bluetooth Stack Architecture (msdn, 2006)
    Figure 3.2: Example of a Piconet temporary network
    Figure 3.3: Example of a Scatternet
    Figure 3.4: Overview of types of Bluetooth (Padgette, Scarfone and Chen, 2012)
    Figure 5.1: Generation of Initialization Key (Giousouf, n.d.)
    Figure 5.2: Generation of Unit Key (Giousouf, n.d.)
    Figure 5.3: Generation of Combination Key (Giousouf, n.d.)
    Figure 5.4: Generation of Master Key (Giousouf, n.d.)
    Figure 5.5: Generation of Encryption Key (Giousouf, n.d.)
    Figure 5.6: Algorithm E21 (Giousouf, n.d.)
    Figure 5.7: Algorithm E22 (Giousouf, n.d.)
    Figure 5.8: Algorithm E3 (Giousouf, n.d.)
    Figure 5.9: Pairing process between Bluetooth device (NATIONALINSTRUMENTS, 2008)
    Figure 6.1: Authentication Process in Bluetooth (Padgette and Scarfone, 2008)
    Figure 6.2: Overview of Encryption Process in Bluetooth (Padgette and Scarfone, 2008)

    1. Appendix

    2. Introduction

    In the modern era, every technology's growth trends toward wireless technology. What is wireless technology? Wireless technology is a technique that allows its users to transmit data or information through the air; in other words, the transmission can be done without using any visible wire. In this research paper we will focus on one wireless technology that was founded at an early stage of wireless technology's history: Bluetooth.

    The name Bluetooth comes from the name of a king who lived in Denmark in the 10th century (Lai, 2001). The reason for choosing the king's name is unknown to me, but I think it is better to include some interesting information at the start of this research paper. Bluetooth was actually founded and developed by 5 big organizations: Ericsson, Nokia, IBM, Intel and Toshiba (Lai, 2001). Back in the beginning stage of the mobile industry, Ericsson and Nokia could be considered the biggest organizations of the era. In the current state, however, the biggest organizations in the mobile industry have changed to Apple and Samsung.

    Bluetooth actually simplified people's lives in that earlier era. Even though this technology is still available in modern smart phones, its applications are used less and less, and users do not use Bluetooth as often as before. The most basic example of a Bluetooth application is that it allows the user to transmit a file from one user's phone to another user's phone or to other mobile devices which also support Bluetooth. This activity needs no setup; Bluetooth is always on in the background (Lai, 2001). Of course, Bluetooth connectivity can also be turned off manually. One of the weaknesses of Bluetooth is that the connection distance between sender and receiver is very short: the range of a functional connection is only about 10 meters (Lai, 2001).

    Of course, Bluetooth uses some protocols and features to ensure the security of the connection. The multiple levels of security and the security features will be discussed further in the coming sub-topics. In this research paper we will focus more on the security area; more security issues will be described and discussed later.

    3. Overview of Bluetooth Technology

    3.1. Bluetooth Stack Architecture

    The Bluetooth specification can be divided into two parts: the core portion and the profile specifications (Kardach, n.d.). The core portion describes how Bluetooth works; the profile specifications, on the other hand, concentrate mainly on how to build interoperating devices using the core technologies (Kardach, n.d.). Figure 3.1 shows the architecture of the Bluetooth stack.

    Figure 3.1: Overview of Bluetooth Stack Architecture (msdn, 2006)

    Let's have a very quick and brief discussion of this Bluetooth stack architecture. Due to time constraints, we will only go through the layers that are important in Bluetooth.

    OBEX
      • Stands for Object Exchange.
      • OBEX client module: Obexapi.dll
      • OBEX server module: Obexsvr.dll
      • Primarily used as a push or pull application.

    TDI
      • Stands for Transport Driver Interface.
      • It separates the highly asynchronous callback-based architecture of the stack presenting a Window Sockets Specification

    COM Port Emulation
      • It hosts the dial-up and LAN access profiles.

    SDP
      • Stands for Service Discovery Protocol.
      • It handles the publishing and discovery of services.
      • This protocol enables portable Bluetooth devices to deal with the dynamically changing Bluetooth environment when the Bluetooth technology is operating in motion.
      • SDP client module: Btdrt.dll
      • SDP server module: Btd.dll

    RFCOMM
      • Serial Cable Emulation Protocol.
      • It can support a maximum of 60 simultaneous connections between two Bluetooth devices.
      • It serves as a base for COM port emulation facilities.
      • It makes data synchronization possible between Bluetooth devices and other mobile devices such as PDAs and smart phones.
      • It controls the data flow between devices and applications.

    PAN
      • Personal Area Network.
      • Piconet and Scatternet (discussed in a coming section).

    L2CAP
      • Logical Link Control and Adaptation Protocol.
      • It is not responsible for controlling data flow; it depends on the reliable device-to-device baseband link provided by the Bluetooth hardware.
      • Included in Btd.dll

    Bluetooth Universal Transport Manager (BthUniv)
      • It is the intermediate transport driver located between the HCI layer and the Transport layer.
      • It is used to detect Plug and Play devices and is responsible for executing the correct transport driver.
      • Located in Bthuniv.dll

    HCI Transport Layer
      • Operates in the transport layer and is responsible for transferring the HCI commands to the Bluetooth hardware.

    LMP
      • Stands for Link Manager Protocol.
      • The standard used to manage link establishment between Bluetooth devices.
      • Provides the authentication and encryption services.

    BB
      • Stands for Baseband.
      • Used to permit the physical radio frequency link among the Bluetooth units that form a Piconet.

    The table above is referenced from (msdn, 2006).

    3.2. Advantages and Disadvantages of Bluetooth Technology

    3.2.1. Advantages

    • The most obvious advantage of using Bluetooth is that it is accepted by the entire world and is a standard supported by more than two thousand manufacturers (InterBluetooth, n.d.).

    • It can be used on most mobile computing devices such as laptops, PDAs, smart phones, headsets and so on (InterBluetooth, n.d.).

    • Another significant advantage is that its installation cost is very cheap compared to other wireless technologies, because Bluetooth is license free and does not require any charges, unlike other wireless network services (InterBluetooth, n.d.).

    • It is similar to Non-Line of Sight (NLON) technology, which is not interrupted by obstacles (InterBluetooth, n.d.).

    • By using channel hopping, Bluetooth can dodge interference from other wireless devices and help provide an error-free data transmission environment (InterBluetooth, n.d.).

    • It supports a maximum of 7 devices inside a range of up to 10 meters, which is the best solution for a home network (InterBluetooth, n.d.). This network is also known as a Piconet; we will discuss it in detail in a coming sub-topic.

    • It consumes very little power, because the range within which Bluetooth lets users communicate with others is generally only up to 10 meters (InterBluetooth, n.d.).

    3.2.2. Disadvantages

    • Compared with infrared technology, Bluetooth supports only 2.1Mbps data transfer rates, whereas infrared technology can support 4Mbps data transfer rates.

    • Although it consumes very little power, it will still waste power if you leave it running in the background.

    3.3. Piconet

    A Piconet in Bluetooth means that several nodes are connected to form a connection similar to a LAN connection; in Bluetooth we call it a Personal Area Network (PAN). It is built from Slaves and a Master (Al-Hasani, n.d.). Each node in the Piconet has a 28-bit internal clock and a 48-bit address (Al-Hasani, n.d.). At the beginning, the nodes do not recognize each other; to establish communication, each node sends out an inquiry to the other slaves located in the same range (Al-Hasani, n.d.). After that it enters the paging state (Al-Hasani, n.d.), the state in which packets start to be exchanged between the nominated Master and the prospective slaves (Al-Hasani, n.d.). The roles are reversed between the paging state and the inquiry state: in the paging state the master discloses the slave (Al-Hasani, n.d.), and in the inquiry state the slaves disclose their master (Al-Hasani, n.d.). The maximum number of devices connected to a Piconet is 8: one Master and 7 slaves (Al-Hasani, n.d.). This network is a temporary network, and data connections within the Piconet can be added or removed dynamically (Al-Hasani, n.d.).

    Figure 3.2: Example of a Piconet temporary network

    3.4. Scatternet

    A Scatternet is another type of network that can be found in Bluetooth. It is similar to the Piconet; in fact, it is a bigger version of a Piconet. A Scatternet is formed by two or more Piconets connected together (NOKIADeveloper, n.d.). It forms when a slave from one Piconet becomes a master for another Piconet (NOKIADeveloper, n.d.). This merge is known as the Scatternet (NOKIADeveloper, n.d.). The maximum number of Scatternet is 10.

    Figure 3.3: Example of a Scatternet

    3.5. Types of Bluetooth

    Figure 3.4: Overview of types of Bluetooth (Padgette, Scarfone and Chen, 2012)

    Bluetooth can be categorized into three types. Figure 3.3 is the summary of the classes available in Bluetooth technology. mW stands for milliwatts, and dBm for decibels referenced to one milliwatt (Padgette, Scarfone and Chen, 2012). Class 2 is the type of Bluetooth we always interact with in our daily operation.

    4. Bluetooth Security Feature

    Again we will talk about security. No matter what category or industry you are in, security is always a major issue that we need to focus on. In business, security is about how to ensure that money is kept in a safe place and that confidential information does not leak out and become known to competitors. In the IT world, security is about how to protect data during transmission and how to secure the data and information stored in a database or server. In this topic, we will show some security features that Bluetooth technology uses to secure its services for its users.

    4.1. Basic Security Feature

    When we talk about basic security features, as students or workers in the IT field we usually know that it is about CIA: Confidentiality, Integrity and Authentication. These three are the most basic security features that every program should have. Bluetooth does not support all three of these functions, but what it offers is very similar; it just replaces Integrity with Authorization. In my opinion, this is because Bluetooth is usually used for short-range data transmission, so it is very hard to interrupt the data connection and change the data within the same area very quickly. For that reason, they did not state Integrity in their list of basic security features.

    To recap, three basic security features, which we may also call security services, are specified in the Bluetooth standard. The first is the Authentication service. It is used to verify the identity of the communicating devices based on their Bluetooth device address, according to Padgette, Scarfone and Chen. This service also offers an extra function: if a Bluetooth device that attempts to connect to the Piconet is not able to authenticate correctly, it uses the abort mechanism to abort the attempt (Ivris Marcelo, n.d.). The second is Confidentiality. It is used to prevent information compromise caused by eavesdropping, by ensuring that only authorized devices can access and view transmitted data, according to Padgette, Scarfone and Chen. This means that only the sender and receiver can have access to the content. The last one is Authorization. This feature is designed to control resources so that unauthorized devices cannot use the service (Ivris Marcelo, n.d.). Bluetooth always operates with these questions: is this device authorized? Can it have access to this service during its operation? (Ivris Marcelo, n.d.). By implementing these services, Bluetooth can ensure that its resources will not be used by any third party or any other unauthorized device.

    4.2. Service Level of Bluetooth Technology

    Three service levels are available in Bluetooth. Because these three levels of service are provided, the demands for authorization, encryption and authentication can be set independently (Ivris Marcelo, n.d.). The three security levels are:

    Service Lv1
      • Services that need authentication and authorization (Ivris Marcelo, n.d.).
      • Only trusted Bluetooth devices can obtain automatic access (Ivris Marcelo, n.d.).
      • Manual authorization is required for untrusted Bluetooth devices (Ivris Marcelo, n.d.).

    Service Lv2
      • Services that need only authentication (Ivris Marcelo, n.d.).
      • After the authentication process is completed and passed, access to the application is granted (Ivris Marcelo, n.d.).
      • This service level does not require an authorization process (Ivris Marcelo, n.d.).

    Service Lv3
      • Services that are open to all devices (Ivris Marcelo, n.d.).
      • Devices do not go through the authentication process (Ivris Marcelo, n.d.).
      • Access to an application is granted automatically (Ivris Marcelo, n.d.).

    The architecture of Bluetooth technology allows for defining security policies that can set trust relationships (Ivris Marcelo, n.d.). This means that not every device can get access to all services (Ivris Marcelo, n.d.). The policy allows trusted devices to access some specific services only (Ivris Marcelo, n.d.). It is essential to understand this critical point, because the Bluetooth core protocols can only authenticate the device, not the user (Ivris Marcelo, n.d.). However, this does not mean that user-based access control is unavailable in Bluetooth (Ivris Marcelo, n.d.). Bluetooth's security architecture also allows applications to implement or execute their own security policies (Ivris Marcelo, n.d.). Furthermore, the link layer (the Bluetooth-specific security control layer) is open to the security controls imposed by the application layers (Ivris Marcelo, n.d.). Therefore, there is a way to operate user-based authentication and fine-grained access control inside the Bluetooth security architecture (Ivris Marcelo, n.d.).

    4.3. Key Management

    The security architecture of Bluetooth provides a secure data communication environment by implementing symmetric key cryptography (Lee, 2006). Symmetric key cryptography in Bluetooth is used to generate and share the public key (also known as the common link key) for the two communicating Bluetooth devices (Lee, n.d.). This procedure is used to provide the authentication and encryption services (Lee, n.d.). Encryption is the method that transforms plain text into cipher text which is not readable by humans. This key management feature is discussed further in the coming sub-topic.

    5. Key Generation and Security Mode

    5.1. Security Modes

    In Bluetooth there are four different types of security mode, which we will talk about in this sub-topic. Besides that, we will also talk about the two trust levels which are available in Bluetooth technology. First of all, we will discuss the three modes:

    Mode 1
      • In this mode there is no security at all (Akhavan and Vakily, 2011).
      • The Bluetooth devices will not start any security feature or protocol to ensure security (Akhavan and Vakily, 2011).

    Mode 2
      • Service-level security.
      • A channel at the Logical Link Control and Adaptation Protocol (L2CAP) level is initiated without any security process (Akhavan and Vakily, 2011).
      • Different security requirements can be set for each application: if the application running on the Bluetooth device requires low security, its requirement can be set to low; if it requires high security to transmit confidential data, the security requirement can be set to high (Akhavan and Vakily, 2011).

    Mode 3
      • Link-level security.
      • It starts the security procedures for a secure connection before creating a channel at the L2CAP level (Akhavan and Vakily, 2011).
      • It is a default assembly security mechanism.
      • It is not aware of service or application-layer security, according to Akhavan and Vakily.

    Mode 4
      • Introduced in Bluetooth v2.1 + EDR (Radio-Electronics.com, n.d.).
      • It is used to secure the simple pairing process by using the Elliptic Curve Diffie Hellman (ECDH) method for key exchange and link key generation (Radio-Electronics.com, n.d.).
      • There are four security requirements for services protected by this mode:
          - Authenticated link key (Radio-Electronics.com, n.d.)
          - Unauthenticated link key (Radio-Electronics.com, n.d.)
          - No security required (Radio-Electronics.com, n.d.)
      • This mode is the compulsory mode which makes communication possible between v2.1 + EDR devices (Radio-Electronics.com, n.d.).

    After briefly covering all three security modes, we now go into a little more detail. In security mode 2, settings are made on a per-service and per-device basis (Akhavan and Vakily, 2011). This requires two databases in Bluetooth technology: one is used to store device information and the other is used to store service information (Akhavan and Vakily, 2011). Furthermore, the application software provides the security configuration contained in the service database (Akhavan and Vakily, 2011). On the other hand, the information about past sessions with other Bluetooth devices is stored in the device database (Akhavan and Vakily, 2011).

    We now turn to the two trust levels. The levels referred to here are the trusted and the untrusted level. As the name suggests, trusted means that the device has already passed the authentication process or is already paired, so it is marked as trusted in the device database (Akhavan and Vakily, 2011). At the trusted level it has 15 unrestricted accesses to all services (Akhavan and Vakily, 2011). At the untrusted level it has restricted access to services (Akhavan and Vakily, 2011). A device is untrusted because it is an unknown or new device, or because it has never paired with the Bluetooth device before and so was not saved in the device database (Akhavan and Vakily, 2011). By default, new devices are always treated as untrusted (Akhavan and Vakily, 2011).
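
    The access decision that sections 4.2 and 5.1 describe for security mode 2, written out as an added Python example (not code from the paper or from any Bluetooth stack). The class and method names, the fail-closed handling of unregistered services and the `remember` option are assumptions made for the illustration; the BD_ADDR values are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    LV1 = 1  # authentication and authorization
    LV2 = 2  # authentication only
    LV3 = 3  # open to all devices


class Decision(Enum):
    GRANT = "grant"
    ASK_USER = "ask_user"  # manual authorization for an untrusted device
    DENY = "deny"


@dataclass
class DeviceRecord:
    trusted: bool = False  # new or unknown devices default to untrusted


class SecurityManager:
    """Hypothetical mode 2 security manager built on the two databases."""

    def __init__(self):
        self.service_db = {}  # service name -> Level, set by the application
        self.device_db = {}   # BD_ADDR -> DeviceRecord, from past sessions

    def register_service(self, name, level):
        self.service_db[name] = level

    def mark_trusted(self, bd_addr):
        self.device_db.setdefault(bd_addr, DeviceRecord()).trusted = True

    def decide(self, bd_addr, service, authenticated):
        level = self.service_db.get(service)
        if level is None:
            return Decision.DENY  # ASSUMPTION: unregistered services fail closed
        if level is Level.LV3:
            return Decision.GRANT  # open service, no authentication needed
        if not authenticated:
            return Decision.DENY  # Lv1 and Lv2 both require authentication
        if level is Level.LV2:
            return Decision.GRANT
        # Lv1: trusted devices get automatic access, others need the user.
        device = self.device_db.get(bd_addr, DeviceRecord())
        return Decision.GRANT if device.trusted else Decision.ASK_USER

    def answer_prompt(self, bd_addr, approved, remember=False):
        """Resolve an ASK_USER decision. ASSUMPTION: 'remember' promotes the
        device to trusted so later Lv1 requests are granted automatically."""
        if approved and remember:
            self.mark_trusted(bd_addr)
        return Decision.GRANT if approved else Decision.DENY


PAIRED = "00:11:22:33:44:55"    # constructed address, marked trusted below
STRANGER = "66:77:88:99:AA:BB"  # constructed address, never seen before


def build_manager():
    mgr = SecurityManager()
    mgr.register_service("file-transfer", Level.LV1)
    mgr.register_service("headset-audio", Level.LV2)
    mgr.register_service("business-card", Level.LV3)
    mgr.mark_trusted(PAIRED)
    return mgr


def demo():
    mgr = build_manager()
    return [
        mgr.decide(PAIRED, "file-transfer", authenticated=True),
        mgr.decide(STRANGER, "file-transfer", authenticated=True),
        mgr.decide(STRANGER, "headset-audio", authenticated=False),
        mgr.decide(STRANGER, "business-card", authenticated=False),
        mgr.decide(STRANGER, "unknown-service", authenticated=True),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

    The decision is made per device, not per user, which is the limitation section 4.2 points out for the core protocols.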

    5.2. Types of Key in Bluetooth

    In Bluetooth there are four different types of key that are used to secure data transmission and to authorize Bluetooth devices to communicate with other Bluetooth devices. The four types of key are the Initialization Key, Combination or Unit Keys, the Master Key and the Encryption Key (Akhavan and Vakily, 2011).

    Initialization Key
      • It is the first key produced during the pairing procedure (Akhavan and Vakily, 2011).
      • It is used to generate the next type of key later in the pairing procedure (Akhavan and Vakily, 2011).
      • After the next type of key is generated, this key expires (Akhavan and Vakily, 2011).
      • The strength of this key relies solely on a 4 to 16 byte PIN (Akhavan and Vakily, 2011).

    Combination or Unit Keys
      • The Combination Key is known as Kab and the Unit Key is known as Ka (Akhavan and Vakily, 2011).
      • Both of these keys are stored on the Bluetooth devices permanently unless the devices are updated through the link key update process or the broadcast encryption scheme (Akhavan and Vakily, 2011).
      • These two keys can be used at any time, but only by the Bluetooth devices which share the key (Akhavan and Vakily, 2011).

    Master Key
      • The Bluetooth specification defines a shared master key to allow the Piconet master to encrypt broadcast traffic, according to Akhavan and Vakily.

    Encryption Key
      • Also known as Kc, it is generated from the current link keys and is updated when the Bluetooth devices enter encryption mode (Akhavan and Vakily, 2011).
      • Another function of Kc is to create a cipher stream, KCipher, that in turn is XORed with the payloads (Akhavan and Vakily, 2011).

    5.3. Generation of the initialization key, Kinit

    The link key that is used in the initialization process is also known as the initialization key, Kinit (Giousouf, n.d.). It is generated by using a BD_ADDR, which is a PIN code, and also a random number, IN_RAND (Giousouf, n.d.). Both values, BD_ADDR and IN_RAND, go through algorithm E22 to generate this initialization key (Giousouf, n.d.). The PIN code used to generate BD_ADDR is entered by the user into both Bluetooth devices (Giousouf, n.d.). This code is saved as the original secret used for key generation (Giousouf, n.d.). Note that the PIN shall not be more than 16 bytes, since the algorithm used to produce the BD_ADDR does not support more than 16 bytes (Giousouf, n.d.).

    Figure 5.1: Generation of Initialization Key (Giousouf, n.d.)

    5.4. Generation of Unit Key, KA

    This key is generated by using E21 algorithm (Giousouf, n.d.).

    Figure 5.2: Generation of Unit Key (Giousouf, n.d.)

    5.5. Generation of Combination Key, KAB

    The combination key is a combination of random values generated by the two devices, which use algorithm E21 to generate LK_KA and LK_KB (Giousouf, n.d.). First, LK_KA and LK_KB are generated from the random values LK_RANDA and LK_RANDB produced by the two devices (Giousouf, n.d.). After that, LK_KA and LK_KB are XORed with the current link key and exchanged (Giousouf, n.d.). After both Bluetooth devices have generated the new combination key, a mutual authentication process is initiated to confirm the success of the transaction (Giousouf, n.d.). The link key is then dropped, or expires, after a successful exchange of the new combination key (Giousouf, n.d.).

    Figure 5.3: Generation of Combination Key (Giousouf, n.d.)

    5.6. Generation of Master Key, Kmaster

    First of all, we need to create a new link key from two 128-bit random numbers, technically known as RAND1 and RAND2 (Giousouf, n.d.). After these two random numbers are generated, they are processed with algorithm E22 to generate Kmaster (Giousouf, n.d.).

    Kmaster = E22(RAND1, RAND2, 16)

    After that, another RAND is sent to the slave (Giousouf, n.d.). On each side an overlay (OVL) is calculated using algorithm E22 with the current link key and the RAND as the input (Giousouf, n.d.).

    OVL = E22(K, RAND, 16)

    The master then sends the bitwise XOR of the OVL and the new link key to the slave, and the slave calculates Kmaster from it (Giousouf, n.d.). To complete this transaction successfully, the devices then run an authentication process using the newly generated link key (Giousouf, n.d.). This process is repeated for each slave that receives the new link key (Giousouf, n.d.).

    Figure 5.4: Generation of Master Key (Giousouf, n.d.)
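
    The master key hand-off described above, as an added Python sketch that is not part of the original paper. HMAC-SHA256 truncated to 128 bits stands in for E22 and for the authentication function (an assumption; the real algorithms are built on SAFER+), and all function names and sample keys are constructed for the illustration. The same XOR masking under the current link key is what section 5.5 describes for the combination key.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # link keys and RAND values are 128 bits


def e22_standin(key, rand):
    """ASSUMPTION: HMAC-SHA256 truncated to 16 bytes stands in for E22.
    The real E22 is built on SAFER+; only the message flow is modelled."""
    return hmac.new(key, rand, hashlib.sha256).digest()[:KEY_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def new_master_key():
    """Kmaster = E22(RAND1, RAND2, 16), from two fresh 128-bit randoms."""
    rand1 = secrets.token_bytes(KEY_LEN)
    rand2 = secrets.token_bytes(KEY_LEN)
    return e22_standin(rand1, rand2)


def master_send(kmaster, link_key):
    """Master side: the two values transmitted to one slave,
    RAND in clear and (OVL xor Kmaster)."""
    rand = secrets.token_bytes(KEY_LEN)
    ovl = e22_standin(link_key, rand)  # OVL = E22(K, RAND, 16)
    return rand, xor(ovl, kmaster)


def slave_receive(link_key, rand, masked):
    """Slave side: recompute OVL from its own copy of K, strip the mask."""
    return xor(e22_standin(link_key, rand), masked)


def auth_response(key, challenge):
    """ASSUMPTION: stand-in for the challenge-response run with the new key."""
    return hmac.new(key, b"auth" + challenge, hashlib.sha256).digest()[:KEY_LEN]


def distribute(kmaster, master_view, slave_view):
    """Hand Kmaster to every slave in turn, then authenticate with it.

    master_view: slave name -> current link key as stored on the master
    slave_view:  slave name -> current link key as stored on that slave
    Returns slave name -> True if the slave derived the same Kmaster.
    """
    outcome = {}
    for name, key_on_master in master_view.items():
        rand, masked = master_send(kmaster, key_on_master)
        recovered = slave_receive(slave_view[name], rand, masked)
        challenge = secrets.token_bytes(KEY_LEN)
        outcome[name] = hmac.compare_digest(
            auth_response(kmaster, challenge),
            auth_response(recovered, challenge),
        )
    return outcome


# Constructed sample link keys. slave-3 holds a stale key that no longer
# matches what the master has stored for it, so its Kmaster comes out wrong
# and the authentication step catches the mismatch.
MASTER_VIEW = {f"slave-{i}": bytes([i]) * KEY_LEN for i in (1, 2, 3)}
SLAVE_VIEW = {**MASTER_VIEW, "slave-3": bytes([0x33]) * KEY_LEN}

if __name__ == "__main__":
    print(distribute(new_master_key(), MASTER_VIEW, SLAVE_VIEW))
```

    Because the mask is derived only from K and a RAND that is sent in clear, Kmaster is exactly as confidential on the air as the current link key.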

    5.7. Generation of Encryption Key, KC

    The Encryption key is generated by using algorithm E3. To use E3 we need three components: first the current link key, second the 96-bit Cipher Offset number (COF), and third the 128-bit randomly generated number (Giousouf, n.d.).

    Figure 5.5: Generation of Encryption Key (Giousouf, n.d.)

    5.8. Algorithms Used to Generate Keys

    Figure 5.6: Algorithm E21 (Giousouf, n.d.)

    Figure 5.7: Algorithm E22 (Giousouf, n.d.)

    Figure 5.8: Algorithm E3 (Giousouf, n.d.)

    5.9. Pairing Process

    There is a critical process that must be gone through when Bluetooth wants to generate a common key for authentication and encryption between two Bluetooth devices (Akhavan and Vakily, 2011). This process is known as the pairing process. First of all, a matching security code needs to be entered on both Bluetooth devices. This step means that the users of both devices agree to establish a connection (seguridadmobile, n.d.). The pairing process is actually very simple: it keeps exchanging a set of random numbers and checks whether each exchanged random number matches the previously sent random number or not. After the first match, an authentication key is generated; after the second match, the link key is created. The pairing procedure only has to be done once; after the connection is terminated, a new session is generated with a new Encryption key (NATIONALINSTRUMENTS, 2008). When the Bluetooth devices want to be connected again, they can use the Encryption key to secure data communication (NATIONALINSTRUMENTS, 2008). Authentication is then performed using the link keys (NATIONALINSTRUMENTS, 2008).

    Figure 5.9: Pairing process between Bluetooth device (NATIONALINSTRUMENTS,

    2008).

    6. Authentication and Confidentiality

    6.1. Authentication

    Based on the research paper of Padgette and Scarfone in 2008, the authentication process of Bluetooth technology takes the form of a challenge-response scheme. In this scheme, each Bluetooth device involved in the authentication process is known as either the claimant or the verifier (Padgette and Scarfone, 2008). The claimant is the Bluetooth device that wants to prove its identity (Padgette and Scarfone, 2008). The verifier, on the other hand, is the Bluetooth device that authenticates the identity of the claimant (Padgette and Scarfone, 2008). The challenge-response protocol authenticates devices by verifying their knowledge of the secret key used in Bluetooth technology (Padgette and Scarfone, 2008). This key is known as the Bluetooth link key (Padgette and Scarfone, 2008).

    Figure 6.1: Authentication Process in Bluetooth (Padgette and Scarfone, 2008)

    The steps involved in the process shown in Figure 6.1 are as follows:

    1. The process starts with the verifier transmitting a 128-bit random number to the claimant (Padgette and Scarfone, 2008). This random number is also called the random challenge (AU_RAND) (Padgette and Scarfone, 2008).

    2. The verifier and the claimant then each generate a critical 32-bit output using the E1 algorithm (Padgette and Scarfone, 2008). As inputs to the algorithm, both of them use their unique 48-bit Bluetooth device address (BD_ADDR), the link key and the random number (AU_RAND) (Padgette and Scarfone, 2008). As mentioned above, only the critical 32-bit output is used for the authentication process; the remaining 96 bits are used to create the Bluetooth encryption key (Padgette and Scarfone, 2008). This 96-bit output is known as the Authenticated Ciphering Offset (ACO) value (Padgette and Scarfone, 2008).

    3. The claimant then returns the critical 32 bits of the E1 output as its response to the verifier (Padgette and Scarfone, 2008). This output is also known as SRES (Padgette and Scarfone, 2008).

    4. After receiving the SRES, the verifier compares it with the SRES that it calculated itself (Padgette and Scarfone, 2008).

    5. If the two values match, the authentication process completes successfully (Padgette and Scarfone, 2008). On the other hand, if the values do not match, the authentication process is marked as failed (Padgette and Scarfone, 2008).

    For additional information, the Bluetooth standard supports authentication using both one-way authentication and mutual authentication, so that it is more secure because the attacker cannot guess which method the Bluetooth devices are using to authenticate each other (Padgette and Scarfone, 2008).
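    The five steps above and the one-way/mutual variants, as an added example that is not part of the original paper. HMAC-SHA256 stands in for E1 (the real algorithm is not reproduced here); the class names, the position of SRES within the output, and the use of the claimant's BD_ADDR on both sides are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def e1_stand_in(link_key: bytes, au_rand: bytes, bd_addr: bytes):
    """Placeholder for E1: 128 bits of output split into (SRES, ACO).

    SRES is the 32-bit authentication response; ACO is the 96-bit value kept
    for later encryption-key generation.
    """
    if (len(link_key), len(au_rand), len(bd_addr)) != (16, 16, 6):
        raise ValueError("expected 128-bit key, 128-bit AU_RAND, 48-bit BD_ADDR")
    out = hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:16]
    return out[:4], out[4:]


class Device:
    def __init__(self, bd_addr: bytes, link_key: bytes) -> None:
        self.bd_addr = bd_addr
        self.link_key = link_key
        self.aco = None        # set after an authentication run
        self._pending = None   # AU_RAND this device is waiting on as verifier

    # --- verifier role ---
    def challenge(self) -> bytes:
        """Step 1: send a fresh 128-bit AU_RAND."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, claimant_addr: bytes, sres: bytes) -> bool:
        """Steps 4 and 5: recompute SRES and compare."""
        if self._pending is None:
            raise RuntimeError("no outstanding challenge")
        au_rand, self._pending = self._pending, None  # one response per challenge
        expected, aco = e1_stand_in(self.link_key, au_rand, claimant_addr)
        if hmac.compare_digest(expected, sres):       # constant-time comparison
            self.aco = aco
            return True
        return False

    # --- claimant role ---
    def respond(self, au_rand: bytes) -> bytes:
        """Steps 2 and 3: compute E1, keep ACO, return SRES."""
        sres, self.aco = e1_stand_in(self.link_key, au_rand, self.bd_addr)
        return sres


def authenticate(verifier: Device, claimant: Device) -> bool:
    """One-way authentication: verifier checks claimant."""
    au_rand = verifier.challenge()
    sres = claimant.respond(au_rand)
    return verifier.verify(claimant.bd_addr, sres)


def mutual_authenticate(a: Device, b: Device) -> bool:
    """Mutual authentication: the same run repeated with the roles swapped."""
    return authenticate(a, b) and authenticate(b, a)


def demo() -> dict:
    key = secrets.token_bytes(16)                        # constructed link key
    phone = Device(bytes.fromhex("001122334455"), key)   # constructed addresses
    headset = Device(bytes.fromhex("66778899aabb"), key)
    stranger = Device(bytes.fromhex("ccddeeff0011"), secrets.token_bytes(16))
    one_way = authenticate(phone, headset)
    return {
        "one_way": one_way,
        "aco_shared": phone.aco is not None and phone.aco == headset.aco,
        "aco_bits": len(phone.aco) * 8,
        "mutual": mutual_authenticate(phone, headset),
        "wrong_link_key": authenticate(phone, stranger),
    }


if __name__ == "__main__":
    print(demo())
```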

    6.2. Confidentiality

    In order to provide a confidentiality service to the user, the Bluetooth standard introduced three encryption modes (Padgette and Scarfone, 2008). The purpose of these three modes is to obstruct eavesdropping attacks on the payloads of data transmitted between Bluetooth devices (Padgette and Scarfone, 2008). However, only two of these modes actually provide confidentiality (Padgette and Scarfone, 2008). The three modes are:

    Encryption Mode 1: No encryption is performed on any traffic (Padgette and Scarfone, 2008).

    Encryption Mode 2: Individually addressed traffic is encrypted using encryption keys based on individual link keys (Padgette and Scarfone, 2008). Broadcast traffic is not encrypted (Padgette and Scarfone, 2008).

    Encryption Mode 3: All traffic in this mode is encrypted using the master link key (Padgette and Scarfone, 2008).

    Furthermore, the same encryption mechanism is applied in both Encryption Mode 2 and 3 (Padgette and Scarfone, 2008). In Figure 6.2, the encryption key provided to the encryption algorithm is created using an internal key generator (KG) (Padgette and Scarfone, 2008). KG creates stream cipher keys based on the 128-bit link key, which is a secret held in the Bluetooth devices, together with the EN_RAND and the ACO (Padgette and Scarfone, 2008). The ACO value is created during the authentication process, which can be reviewed in Figure 6.1 (Padgette and Scarfone, 2008).

    The Bluetooth encryption process is based on a stream cipher algorithm, E0 (Padgette and Scarfone, 2008). The key stream output is exclusive-ORed with the payload bits and then sent to the receiving device (Padgette and Scarfone, 2008). This key stream is created using Linear Feedback Shift Registers (LFSRs) (Padgette and Scarfone, 2008). The BD_ADDR, EN_RAND, slot number and encryption key are taken as the inputs of the encryption function; combined, they initialize the LFSRs before the transmission of each packet (Padgette and Scarfone, 2008). The encryption key (KC) is created from the current link key and may vary from 8 bits to 128 bits (Padgette and Scarfone, 2008). Note also that the E0 algorithm is not a Federal Information Processing Standards (FIPS) approved algorithm (Padgette and Scarfone, 2008).

    Figure 6.2: Overview of Encryption Process in Bluetooth (Padgette and Scarfone, 2008)

    7. Bluetooth Vulnerabilities & Threats

    7.1. Vulnerabilities

    Although Bluetooth technology is not very frequently used in the modern world, it still uses many protocols and methods to secure data transmission between Bluetooth devices. However, nothing is perfect: humans make mistakes, and of course the machines and protocols designed and developed by humans will have mistakes too. In this topic we discuss the vulnerabilities found in Bluetooth technology.

    7.1.1. Vulnerabilities before Bluetooth v1.2

    Link key is based on unit key: The major problem here is not that the link key is based on a unit key as such; the problem is that the key is static and reusable, which makes it less secure. It can also lead to eavesdropping and spoofing if the key is obtained by an attacker (Padgette, Scarfone and Chen, 2012).

    7.1.2. Vulnerabilities before Bluetooth v2.1

    Three problems:

    - Security Mode 1 does not initiate any security method. Communication made in this mode is therefore insecure (Padgette, Scarfone and Chen, 2012).

    - The PIN code can be very short even though it can support up to 16 bits (Padgette, Scarfone and Chen, 2012). A short PIN is easy to guess and hack.

    - The encryption key stream is reused after 23.3 hours (Padgette, Scarfone and Chen, 2012). If the connection lasts more than 23.3 hours, the clock value repeats, generating a key stream identical to the one used earlier in the connection (Padgette, Scarfone and Chen, 2012).

    7.1.3. Vulnerabilities in Bluetooth v2.1 and v3.0

    Static SSP passkey: A random key or session key should be used for each pairing attempt (Padgette, Scarfone and Chen, 2012).

    Security Mode 4: Because this mode is not supported by every Bluetooth device, a device that does not support it can fall back to mode 1, which is not secured by any security protocol or method (Padgette, Scarfone and Chen, 2012).

    7.1.4. Vulnerabilities in Bluetooth before v4.0

    Attempts for authentication are repeatable:

    - Because this process can be repeated, an attacker can keep requesting the random number and might be able to guess information about the secret link key (Padgette, Scarfone and Chen, 2012).

    - Authentication requests should be limited to prevent an attacker from repeatedly attempting authentication (Padgette, Scarfone and Chen, 2012).

    Master key problem:

    - The master key is used by all members of the piconet for broadcast encryption (Padgette, Scarfone and Chen, 2012). This means that if the piconet has 7 connected devices, all of them use the same master key (Padgette, Scarfone and Chen, 2012).

    - This secret key should not be shared among more than 2 parties, because that is insecure (Padgette, Scarfone and Chen, 2012).

    7.2. Threats

    In this section we give a brief overview of the threats that Bluetooth technology faces.

    Threats and their descriptions:

    Bluesnarfing
    - In this attack, the attacker obtains access to a Bluetooth device by exploiting a firmware flaw in older Bluetooth devices (Padgette, Scarfone and Chen, 2012).
    - This attack allows access to IMEI information; after obtaining this information, the attacker can use it to route all incoming calls from the user's device to the attacker's device (Padgette, Scarfone and Chen, 2012).

    Bluejacking
    - This attack starts by sending unsolicited messages to Bluetooth devices (Padgette, Scarfone and Chen, 2012).
    - The message itself causes no harm but entices the user to respond to a phishing message (Padgette, Scarfone and Chen, 2012).

    Bluebugging
    - This attack uses a security flaw in the firmware of some older Bluetooth devices to gain access to the device's data and its commands (Padgette, Scarfone and Chen, 2012).
    - The commands can be executed without the user noticing (Padgette, Scarfone and Chen, 2012).

    Denial of Service
    - This type of attack is not very harmful but is annoying.
    - This attack is about draining the device's battery by making the interfaces non-functional (Padgette, Scarfone and Chen, 2012).

    Car Whisperer
    - It is a software tool introduced by European security researchers that exploits a key implementation problem in hands-free Bluetooth car kits (Padgette, Scarfone and Chen, 2012).
    - It lets the attacker access the audio from the microphone in the car or even send audio to the car's speakers (Padgette, Scarfone and Chen, 2012).

    Fuzzing Attacks
    - This attack is about sending malformed or non-standard data to the device and checking how the device operates afterwards (Padgette, Scarfone and Chen, 2012).
    - If the device stops functioning, a serious vulnerability is exposed and more attacks will be found later, because it is related to the protocol stack of the technology (Padgette, Scarfone and Chen, 2012).

    Secure Simple Pairing Attacks
    - The devices are forced to operate in Just Works SSP, which will lead to MITM (Padgette, Scarfone and Chen, 2012).
    - This means that the devices will not be able to perform input and output (Padgette, Scarfone and Chen, 2012).
    - This attack can also be achieved by using a fixed passkey to perform the MITM attack (Padgette, Scarfone and Chen, 2012).

    8. Bluetooth Countermeasures

    In order to provide more secure services with confidentiality and integrity to the user, Bluetooth standards organizations should come up with proper, well-planned countermeasures and ensure that their plans can be implemented successfully. In this sub-topic we discuss some of the possible items that may be implemented for the Bluetooth standard to mitigate the risks or threats that it faces. Of course, implementing and developing this set of recommended countermeasures does not guarantee that Bluetooth can operate in a one hundred percent safe environment, but it will certainly help to improve and enhance the security level of the Bluetooth standard. This set of suggestions is not purely technical; it also involves the personal behaviour of the user. Following the guidelines stated below should help to reduce the threats or risks that Bluetooth currently faces (Padgette, Scarfone and Chen, 2012).

    Here we list some security recommendations that can be used to further enhance Bluetooth security. We separate them into two categories. The first is highly recommended practice: these are the recommendations that we think are important and more readily executable to help secure Bluetooth services. The other category is should consider: the recommendations in this category require more resources to implement and should be considered carefully by the organization.

    Highly Recommended Practice

    - Develop an organizational wireless security policy that addresses Bluetooth technology (Padgette, Scarfone and Chen, 2012).

    - Confirm that the Bluetooth users in the network are highly aware of their security-related responsibilities regarding Bluetooth use (Padgette, Scarfone and Chen, 2012).

    - Set up a timetable to perform overall security assessments; this helps the organization understand its Bluetooth security posture (Padgette, Scarfone and Chen, 2012).

    - Document the possible risks and vulnerabilities of Bluetooth devices; this helps users be more aware so that this type of attack can be avoided, and also helps them gain an overall understanding of the connectivity between Bluetooth devices (Padgette, Scarfone and Chen, 2012).

    - The organization can also prepare a set of precautionary measures that help users take better action to protect Bluetooth devices from theft (Padgette, Scarfone and Chen, 2012).

    - Changing the default settings of Bluetooth devices to match the organization's security policy helps to enhance the security level (Padgette, Scarfone and Chen, 2012). This is because the default settings do not match the organization's security policy and are usually not secure enough (Padgette, Scarfone and Chen, 2012).

    - Set Bluetooth devices to the lowest power level; reducing the connectivity range helps to prevent unauthorized users from attempting to attack the network (Padgette, Scarfone and Chen, 2012).

    - Another technical practice that the organization should follow is to change the PIN code to one that is not convenient to use (Padgette, Scarfone and Chen, 2012). This means that the PIN code should be long and complicated, and users should be prevented from using a static PIN code for more than 1 month (Padgette, Scarfone and Chen, 2012). This helps to prevent the PIN code from being tracked by a deliberate attacker.

    - Ensure that link keys are not based on unit keys, because shared unit keys expose many vulnerabilities and several attacks start from this area (Padgette, Scarfone and Chen, 2012). Examples of attacks that can start from this area are eavesdropping and MITM (Padgette, Scarfone and Chen, 2012).

    - Always set Bluetooth devices to be undiscoverable by other devices unless a pairing process is required at that particular time (Padgette, Scarfone and Chen, 2012).

    - Ensure that a password input is requested when the Bluetooth device is connected to any other device interface (Padgette, Scarfone and Chen, 2012). This helps to prevent unauthorized users from gaining access to the device (Padgette, Scarfone and Chen, 2012).

    Should Consider

    - The organization can prepare a complete inventory list of Bluetooth-enabled wireless devices, which can be referred to when performing an audit that searches for unauthenticated use of wireless technologies (Padgette, Scarfone and Chen, 2012).

    - Use application-level authentication and encryption atop the Bluetooth stack for sensitive data communication (Padgette, Scarfone and Chen, 2012). This is because Bluetooth devices can always obtain the link key from local memory, which makes them able to connect to previously paired Bluetooth devices (Padgette, Scarfone and Chen, 2012). This is very insecure, because if the device is lost and obtained by an attacker, the attacker will be able to access the data without the other users in the network noticing (Padgette, Scarfone and Chen, 2012).

    - Security can also be enhanced by employing more authentication methods such as biometrics, public key infrastructure (PKI) or two-factor authentication (Padgette, Scarfone and Chen, 2012).

    9. Conclusion

    At the end of this research paper, I would like to describe some of my personal opinions about Bluetooth technology. In this modern era, organizations are introducing some kind of new technology almost every day. The electrical and technical industries are growing very fast. Many new technologies become old and lose people's interest after a newer technique is introduced. As for Bluetooth, it has already dropped off the list of frequently used technologies for data transmission or data synchronization. But it still maintains its own strengths and advantages compared with competing techniques.

    However, it can still be further enhanced. As we mentioned in the earlier topic, in order to secure data transmission between Bluetooth devices and prevent deliberate attackers from gaining access to the Bluetooth network, we are advised to change the settings to make the connection range smaller. This countermeasure has a consequence. It actually reduces the effectiveness of Bluetooth: the connectivity range of Bluetooth is already very small, and setting it even smaller means that data transmission can only be done in a very small area. What I would like to suggest here is to try to find a new solution that changes the connectivity range from horizontal to vertical. This is because offices are usually located in tall buildings, so the range the user needs for transmission should be vertical and not horizontal; I think it would be good to have such a technology that can be used in an office in this case. I believe all organizations would like to implement this cheap, easy-to-implement technology that provides effective and efficient data transmission and synchronization to run their daily operations, instead of using high-cost WiMax or LTE or brand new 4G or 5G techniques.

    10. Reference

    Al-Hasani, H., n.d. BLUETOOTH SCATTERNET BASED ON CCC [pdf]. Available at: [Accessed 11 June 2013]

    Akhavan, M. and Vakily, V.T., 2011. Improvement Bluetooth Authentication and pairing protocol using Encrypted Key Exchange and Station-to-Station MAC Protocols [pdf]. Available at: [Accessed 13 June 2013]

    Giousouf, A., n.d. Bluetooth Security [pdf]. Available at: [Accessed 16 June 2013]

    InterBluetooth, n.d. The Pros and Cons of Bluetooth Technology [Online]. Available at: [Accessed 12 June 2013]

    Ivris Marcelo, B.N., n.d. Bluetooth Security Features [pdf]. Available at: [Accessed 12 June 2013]

    Kardach, J., n.d. Bluetooth* Architecture Overview [pdf]. Available at: [Accessed 13 June 2013]

    Lai, J., May 2006. Introduction to Bluetooth Technology [Online]. Available at: [Accessed 11 June 2013]

    Lee, CS., n.d. Bluetooth Security Protocol Analysis and Improvements [pdf]. Available at: [Accessed 13 June 2013]

    NOKIADeveloper, n.d. Bluetooth Overview [Online]. Available at: [Accessed 12 June 2013]

    NATIONALINSTRUMENTS, 11 April 2008. Bluetooth [Online]. Available at: [Accessed 13 June 2013]

    msdn, 2006. Bluetooth Stack Architecture (Window CE5.0) [Online]. Available at: [Accessed 13 June 2013]

    Padgette, J., Scarfone, K. and Chen, L., June 2012. Guide to Bluetooth Security [pdf]. Available at: <http://csrc.nist.gov/publications/nistpubs/800-121-rev1/sp800-121_rev1.pdf> [Accessed 12 June 2013]

    Padgette, J. and Scarfone, K., September 2008. Guide to Bluetooth Security [pdf]. Available at: [Accessed 16 June 2013]

    Radio-Electronics.com, n.d. Bluetooth Security [Online]. Available at: [Accessed 16 June 2013]

    seguridadmobile, n.d. Bluetooth security mechanisms [Online]. Available at: [Accessed 13 June 2013]
