Bluetooth security

What is Bluetooth?
Bluetooth is a technology intended particularly for use in wireless
communication between pieces of electronic apparatus which are
separated by relatively small distances (typically up to a few
meters). The basic motivation for this is to avoid the use of cables
for connecting devices, particularly mobile devices which need to be
moved from place to place.
Typical examples of devices which use Bluetooth are mobile phones,
PDAs, portable and stationary computers, medical apparatus, and all
sorts of equipment which might be attached to these, such as
headphones, microphones, printers, sensors and so on.
Bluetooth devices communicate with one another using a range of
frequencies around 2.4GHz, within the so-called ISM (Industrial,
Scientific and Medical) band. This band is also used by a lot of
Wireless LAN (WiFi) equipment, by microwave ovens, and for many other
purposes.
As Bluetooth devices are only intended to communicate over small
distances, the power of the transmitter in a Bluetooth device is
typically very small. There are in fact three classes of Bluetooth
device, with different ranges for transmission:
Class | Power (mW) | Range (m)
------|------------|----------
1     | 100        | 100
2     | 2.5        | 10
3     | 1          | 0.1-10
Most pieces of apparatus which use Bluetooth technology are equipped
with a non-directional antenna, which is used both for sending and
receiving wireless signals. Essentially, this means that any other
Bluetooth equipment within range of the transmitter can receive the
signals. The ranges given in the table above are estimates based on
typical Bluetooth antennas in small standard pieces of apparatus. It
is important to realise that with special equipment, the signals can
be picked up over much larger distances, maybe as large as 2-3
kilometers!
Bluetooth security
Since any equipment within range of a Bluetooth transmitter can in
principle receive the transmitted signals, precautions need to be
taken to prevent signals from being used by anyone except the intended
receiver(s). Although each Bluetooth device is identified by an
address (in fact just a number between 0 and 2^48 - 1), which
is used to indicate the intended receiver of a transmitted message,
there is no guarantee that other devices cannot pick up the message
simply by eavesdropping. Three mechanisms are available to prevent
this:
- Bonding, by means of which two
devices can produce a shared secret, which only those two devices
know.
- Authentication, by means of which
two or more devices can verify one another's identities.
- Encryption, by means of which
two devices can achieve confidentiality of an exchange of messages by
ensuring that third parties cannot understand the messages.
Bluetooth security modes and profiles
Bluetooth devices can operate in three security modes which
exploit various combinations of these mechanisms:
- Security mode 1: A device in this mode will use no
security procedures.
- Security mode 2: Services and applications which are
accessed via Bluetooth can specify whether authentication and/or
encryption are to take place.
- Security mode 3: The device will itself determine whether
authentication and/or encryption are to be used whenever it sets up a
Bluetooth connection to another device.
In security modes 2 and 3, it is possible to specify a security
policy, such that only particular devices have access to
particular services.
Yet another possibility is to define Bluetooth profiles, which
utilise combinations of the basic mechanisms in order to achieve a
level of security which is thought to be appropriate for particular
applications. For example, profiles might be defined for use in:
- Transferring data files between Bluetooth devices;
- Supporting the use of headsets;
- Transferring so-called objects such as business cards
("vCard objects") or calendar entries ("vCalendar objects").
A typical Bluetooth device is set up to support a number of profiles
appropriate to its functionality. This may lead to security problems
if the device has some functions which do not require a high level of
security, since these functions will typically be supported by low
security profiles. A well-known example is the object push
profile used to support transfer of objects. In this profile,
authentication is not used before the objects are exchanged, and this
deficiency can be exploited by intruders who want to attack Bluetooth
devices in which the profile is installed.
What are the security risks?
There are a number of built-in weaknesses in the way in which
Bluetooth operates:
- The basic identification of a Bluetooth device is an address.
This can easily be faked, so one device appears to be another.
- The authentication and encryption processes both use relatively
simple methods to generate the required messages from secrets
shared by the two participants. By monitoring the communication
over a long period, it may be possible to deduce the secrets, and
thus be able to find out how to fool the authentication
procedure or decrypt the encrypted messages.
These weaknesses are in practice relatively difficult to exploit for
real attacks. Faking the address is no help to the attacker, as long
as the devices use correct Bluetooth authentication. Deducing the
secrets from the passing communication is not really a realistic
possibility, as you need an extremely powerful computer to perform the
necessary analysis, which in the "cheapest" case requires
2^64 (about 16 billion billion) arithmetic operations.
Thus most actual attacks on Bluetooth devices are based
on other approaches:
- Users' laziness: Bonding requires the same PIN code to
be supplied simultaneously to the two devices which are to be
bonded. In devices in which this is done by hand, the procedure
is rather troublesome and the user is therefore often tempted to
choose very short PIN codes or simple values which are easy to
guess (such as 0000). In this way it becomes easy for others to
find the right PIN code by trial and error.
- Weak profiles: Profiles such as object push do
not require devices to perform the authentication process. This
can be exploited in some telephones, in order to get hold of
information stored in the victim's telephone, such as the
telephone book, stored text (SMS) messages, contact lists etc. A
particularly well-known attack of this type is
Bluesnarfing.
- Unprotected services: Some models of telephone do not
have proper access control on services accessible via
Bluetooth. A well-known attack of this type is
Bluebugging,
in which an attacker can set up a connection to the victim's
telephone without authentication and without the victim in any
way being involved in the process. Via this hidden connection,
the attacker can subsequently send so-called AT commands
to the victim's telephone, which makes it possible to make calls,
read and write text messages, make connections to the Internet or
even eavesdrop on the victim by getting the victim's telephone to
dial secretly to the attacker's telephone.
- Fake bonding (1): The attacker establishes a
relationship of trust by means of the bonding mechanism, but
arranges for the connection no longer to be visible in the
victim's list of bonding partners. In this way the attacker
becomes able to carry out other security procedures, set up
connections and so on, on the victim's telephone without the
victim being aware of this. Essentially the attacker has
established a backdoor to the victim's telephone, via
which it becomes possible to obtain access to the victim's
texting service, Internet service etc.
This attack in fact also makes it possible to perform
Bluesnarfing on devices which would otherwise refuse Bluesnarf
attacks.
- Fake bonding (2): This attack also exploits the bonding
mechanism, but this time in a way known as Bluejacking,
in which the victim must participate if the attack is to have any
effect with respect to security.
The attacker initiates the bonding process. This will, as usual,
lead to a query being displayed on the victim's telephone, asking
whether it is OK to set up a connection. However, the attacker
exploits the feature that a relatively long text can be sent and
displayed together with the rest of the query. Users often
exploit this feature to send one another small, anonymous
messages, which in itself is a relatively innocent pastime. The
security problem arises if the attacker can get the victim to
accept the connection, by giving some spurious reason in
the message; the attacker then has free access to the victim's
telephone.
- Malicious programs: Just as in computers in general,
Bluetooth devices can be exposed to attacks by viruses, worms and
similar malicious programs, which in this case are spread by
means of Bluetooth communication.
What can you do to protect yourself?
Some simple rules can help a lot to reduce the risks inherent in the
use of Bluetooth:
- Turn Bluetooth off, unless you actually need to use it!
- Set your Bluetooth device up, so it runs in hidden
mode. The device will then not send out signals which draw
attention to its existence. Such signals can otherwise be used
by attackers to find out whether there are potential victims in
the vicinity.
- Make sure your device has the latest version of the internal
firmware. Many of the attacks mentioned above only work
on telephones which have some kind of design fault in their
electronics or the associated software. Many phone manufacturers
offer upgrades which reduce the possibilities of attack
considerably.
- Choose good, long PIN codes. The value 0000 is probably
the value which the attacker is most likely to try first. Choose
something better, preferably with more digits. Or use devices
where the exchange of PIN codes can be done automatically.
- Make sure your device has the necessary antivirus
software, when this is relevant.
- Take care when installing Bluetooth applications with new
profiles whose origin you are unsure about. They might
contain security holes which can be exploited by an attacker.
- Only allow bonding to take place with devices which you consider
to be trustworthy. Always say no to surprising offers
which will cause a Bluetooth connection to be set up to your
device from other devices which you do not know.
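The PIN advice above and the "Users' laziness" item in the risk list both come down to the same point: a bonding PIN that is short, sequential or a well-known default is found by trial and error. As an added example (not code from the article or from any Bluetooth stack), the following Python policy check flags such PINs before they are used for bonding and reports how many bits of guessing work a PIN actually represents. The minimum length, the guessing threshold and the list of common defaults are assumptions chosen for illustration; the 16-character maximum is the Bluetooth legacy PIN limit.

```python
import math

# Policy parameters: the minimum length and threshold are assumptions chosen
# for this example, not values from the Bluetooth specification.
MIN_PIN_LENGTH = 6
MAX_PIN_LENGTH = 16          # Bluetooth legacy pairing PINs are at most 16 characters
MIN_GUESS_BITS = 20          # assumed: roughly a million guesses
# Constructed list of defaults an attacker would try first (0000 is from the article).
COMMON_DEFAULTS = {"0000", "1234", "1111", "0001", "9999", "8888", "12345"}


def pin_entropy_bits(pin: str) -> float:
    """Guessing work for a random PIN of this length and alphabet, in bits."""
    alphabet = 10 if pin.isdigit() else 62 if pin.isalnum() else 94
    return len(pin) * math.log2(alphabet)


def is_sequential(pin: str) -> bool:
    """True for digit runs such as 1234 or 4321 (every step is +1 or -1)."""
    if len(pin) < 2 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def check_pin(pin: str) -> list[str]:
    """Return the weaknesses found; an empty list means the PIN passes the policy."""
    if not pin:
        return ["empty PIN"]
    problems = []
    if len(pin) > MAX_PIN_LENGTH:
        problems.append(f"longer than the {MAX_PIN_LENGTH}-character maximum")
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"shorter than {MIN_PIN_LENGTH} characters")
    if pin in COMMON_DEFAULTS:
        problems.append("common default value, tried first by attackers")
    if len(set(pin)) == 1:
        problems.append("single repeated character")
    if is_sequential(pin):
        problems.append("sequential digits")
    if pin_entropy_bits(pin) < MIN_GUESS_BITS:
        problems.append(f"only {pin_entropy_bits(pin):.1f} bits of guessing work")
    return problems


if __name__ == "__main__":
    for candidate in ("0000", "1234", "20140718", "7h3Bluet00th!"):
        verdict = check_pin(candidate) or ["ok"]
        print(f"{candidate:>14}: {'; '.join(verdict)}")
```

A four-digit PIN gives only about 13 bits of guessing work, far below the 128-bit link key that bonding derives from it, which is why the article's advice to use longer PINs or automatic PIN exchange matters.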
Further information
For the technically interested reader, there are many far more
technical descriptions of Bluetooth security, most of them in English.
A good web page, with detailed references, can be found at:
http://www.niksula.cs.hut.fi/~jiitv/bluesec.html.
An overview of some of the best-known attacks and a list of some models
of telephone which are particularly at risk, can be found at:
http://www.thebunker.net/security/bluetooth.htm.
Robin Sharp
Last updated 050518.