SEMINAR REPORT
ON
“BLUETOOTH”
SUBMITTED IN PARTIAL FULFILLMENT
FOR THE AWARD OF THE
DEGREE OF
BACHELOR OF TECHNOLOGY
IN
ELECTRONICS ENGINEERING
1. INTRODUCTION
When you use computers, entertainment systems or telephones, the various pieces and
parts of the systems make up a community of electronic devices. These devices
communicate with each other using a variety of wires, cables, radio signals and infrared
light beams, and an even greater variety of connectors, plugs and protocols.
There are lots of different ways that electronic devices can connect to one another. For
example:
• Component cables
• Electrical wires
• Ethernet cables
• WiFi
• Infrared signals
The art of connecting things is becoming more and more complex every day. In this
article, we will look at a method of connecting devices, called Bluetooth, that can
streamline the process. A Bluetooth connection is wireless and automatic, and it has a
number of interesting features that can simplify our daily lives.
Bluetooth is a unique new wireless technology specifically designed for short range (10-100
meters) with modest performance of 780 Kbps, dynamically configurable ad hoc networking and
low power. It is well suited for handheld applications and supports both voice and data.
It uses the 2.4 GHz unlicensed ISM band and frequency hopping spread spectrum radio for
higher interference immunity. It supports point-to-point and point-to-multipoint connections
with a single radio link. It is designed to provide low-cost, robust, efficient, high-capacity
voice and data networking, using a combination of circuit and packet switching.
Bluetooth devices can form piconets of up to seven slaves and one master, enabling
discovery of services and subsequent implementation of many varied usage models
including wireless headsets, Internet bridges, and wireless operations such as file
exchange, data synchronization, and printing.
Despite talk of Bluetooth competing with wireless LANs, Bluetooth products work over
shorter distances and are designed to solve different problems. The Bluetooth SIG
publishes the Bluetooth specification. The IEEE has formed the 802.15 working group to
define standards for wireless PANs. The 802.15.1 standard for WPANs will be
modeled after the Bluetooth specification from the Bluetooth SIG. Microsoft® has
announced support for Bluetooth in the next release of Windows® XP. The waters of
Bluetooth security have yet to be tested. However, the Bluetooth specification has a
robust key management scheme built in, as well as upper layers of security. Bluetooth
uses the national standard AES algorithm for encryption and the general consensus is that
the options for Bluetooth security are strong and robust.
2. BLUETOOTH
What is Bluetooth?
Bluetooth is a short-range wireless communications technology.
Why this name?
It was taken from the 10th century Danish King Harald Blatand who
unified Denmark and Norway.
When did it appear?
1994 – Ericsson study on a wireless technology to link mobile phones &
accessories.
5 companies joined to form the Bluetooth Special Interest Group (SIG) in
1998.
First specification released in July 1999.
Fig 1: (a) One of the first modules (Ericsson); (b) A recent module; Bluetooth connecting example
2.1 TIMELINE
• CD Player
• TV/VCR/DVD
• Access Points
• Telephone Answering Devices
• Cordless Phones
• Cars
2.5 APPLICATIONS OF BLUETOOTH
Range 30 ft
Module size 9 x 9 mm
2.7 A Comparison
3. ABOUT THE NAME
For those who know little about the technology, and even for those who are more than a
little acquainted with it, the name Bluetooth may seem odd. You may wonder, in fact,
how it relates to wireless technology, or speculate that perhaps it’s derived somehow from
the founding members of the SIG. Neither of these ideas is correct.
The name is a romantic gesture that in some sense indicates the excitement the
technology generates as well as the belief in its value as a revolutionary concept. To
combine these qualities in a name required ingenuity and delving into the past. The name
Bluetooth comes from Danish history. Harald Blatand, who was called Bluetooth, was the
son of King Gorm the Old, who ruled Jutland, the main peninsula of Denmark. By the
time Harald became king, he was a skilled Viking warrior. So, when his sister asked for
help to secure control in Norway after her husband died, Harald quickly seized the
opportunity to unite the countries and expand his kingdom. By 960 A.D. according to the
story, Harald was at the height of his powers, and ruled both Denmark and Norway. He
was later credited with bringing Christianity to his Viking realm.
Although it’s popularly believed that King Harald had a blue tooth, and various stories
explain how this came about, it’s more likely that the Bluetooth name is the English
derivative of the original Viking word, Blâtand. The Bluetooth name was chosen for the
wireless technology because its developers and promoters hope it will unite the mobile
world, just as King Harald united his world.
Bluetooth takes small-area networking to the next level by removing the need for user
intervention and keeping transmission power extremely low to save battery power.
Picture this: You're on your Bluetooth-enabled cell phone, standing outside the door to
your house. You tell the person on the other end of the line to call you back in five
minutes so you can get in the house and put your stuff away. As soon as you walk in the
house, the map you received on your cell phone from your car's Bluetooth-enabled GPS
system is automatically sent to your Bluetooth-enabled computer, because your cell
phone picked up a Bluetooth signal from your PC and automatically sent the data you
designated for transfer. Five minutes later, when your friend calls you back, your
Bluetooth-enabled home phone rings instead of your cell phone. The person called the
same number, but your home phone picked up the Bluetooth signal from your cell phone
and automatically re-routed the call because it realized you were home. And each
transmission signal to and from your cell phone consumes just 1 milliwatt of power, so
your cell phone charge is virtually unaffected by all of this activity.
the remote control at the television or DVD player to make things happen. The second
drawback is that infrared is almost always a "one to one" technology. You can send data
between your desktop computer and your laptop computer, but not your laptop computer
and your PDA at the same time. (See How Remote Controls Work to learn more about
qualities of infrared are actually advantageous in some regards. Because infrared
transmitters and receivers have to be lined up with each other, interference between
devices is uncommon. The one-to-one nature of infrared communications is useful in that
you can make sure a message goes only to the intended recipient, even in a room full of
infrared receivers.
Bluetooth is intended to get around the problems that come with infrared systems. The
older Bluetooth 1.0 standard has a maximum transfer speed of 1 megabit per second
(Mbps), while Bluetooth 2.0 can manage up to 3 Mbps. Bluetooth 2.0 is backward-
compatible with 1.0 devices.
There is even talk of Bluetooth competing with WLANs, but Bluetooth products work
over shorter distances and are designed to solve different problems. While the
functionality of a WLAN device stands alone as a network component, the functionality
of a Bluetooth component requires a host. The host can be any number of Bluetooth
enabled devices such as cell phones, headsets, keyboards, PDAs, vending machines,
cameras, and bar code readers.
5.2.5 Printing
HP is making printers and notebooks with embedded Bluetooth technology.
Bluetooth-enabled devices can automatically detect Bluetooth-enabled printers in their
area and wirelessly send documents to the printer without going through lengthy
network and printing setup processes. Mobile users who frequently visit remote offices
will find Bluetooth printing a significant improvement in convenience to their current
experience.
The phrase “Wireless connections made easy,” which is printed on the cover page of the
more than 1,500 pages of engineering specifications that define Bluetooth, means easy
for the user, but hard for the engineers designing the products. For the reasons outlined
above, Bluetooth presents some of the most demanding engineering challenges in the
telecommunications arena, and products are only just now beginning to appear on the
market.
New profiles not yet part of the standard include the following: a Basic Printing Profile to
facilitate printing of text emails, short messages, and formatted documents; a Hands Free
Profile to enable a mobile phone to be used with a hands-free device in a car; a Basic
Imaging Profile enabling Bluetooth devices to negotiate the size and encoding of
exchanged images; and a Hardcopy Cable Replacement Profile, used by devices such as
laptops and desktop computers that utilize printer drivers.
The fundamental elements of a Bluetooth product are defined in the two lowest
protocol layers, the radio layer and the baseband layer. Included in these layers
are hardware tasks such as frequency hopping control and clock synchronization,
as well as packet assembly with associated FEC (Forward Error Correction) and
ARQ (Automatic Repeat Request).
The link manager layer is responsible for searching for other Bluetooth devices,
creating and tearing down piconets, as well as authentication and encryption.
One of the most intriguing is a car profile that describes the use of personal
devices like pagers, cell phones, and laptops in an automotive environment.
Envisioned usages include the automatic adjustment of various settings in an
automobile, such as seat and mirror positions and radio tuning, based on personal
preferences stored in a Bluetooth device. Another profile would link a cell phone,
car radio, and text-to-speech software on a laptop, to allow email to be spoken
audibly over the car radio.
In addition to developing new profiles, other working groups are developing
extensions to enhance Bluetooth operations. The radio working group is
developing optional extensions to the current Bluetooth standard that include
higher data rates and handoff capability to support roaming, and the coexistence
working group is collaborating with the IEEE 802.11 and 802.15 working groups
to address interference concerns and ensure that Bluetooth can coexist in the same
environment with WLANs.
8.4 Bluejacking
Although known to the technical community and early adopters for some time, the
process now known as "Bluejacking"[1] has recently come to the fore in the consumer
arena, and is becoming a popular mechanism for exchanging anonymous messages in
public places. The technique involves abusing the bluetooth "pairing"[2] protocol, the
system by which bluetooth devices authenticate each other, to pass a message during the
initial "handshake" phase. This is possible because the "name" of the initiating bluetooth
device is displayed on the target device as part of the handshake exchange, and, as the
protocol allows a large user defined name field - up to 248 characters - the field itself can
be used to pass the message. This is all well and good, and, on the face of it, fairly
harmless, but, unfortunately, there is a down side. There is a potential security problem
with this, and the more the practice grows and is accepted by the user community, and
leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in
the fact that the protocol being abused is designed for information exchange. The ability
to interface with other devices and exchange, update and synchronise data, is the raison
d'être of bluetooth. The bluejacking technique uses the first part of a process that
allows that exchange to take place, and is therefore open to further abuse if the handshake
completes and the "bluejacker" successfully pairs with the target device. If such an event
occurs, then all data on the target device becomes available to the initiator, including such
things as phone books, calendars, pictures and text messages. As the current wave of
PDA and telephony integration progresses, the volume and quality of such data will
increase with the devices' capabilities, leading to far more serious potential compromise.
Given the furore that erupted when a second-hand Blackberry PDA was sold without the
previous owner's data having been wiped[3], it is alarming to think of the consequences
of a single bluejacker gathering an entire corporate staff's contact details by simply
attending a conference or camping outside their building or in their foyer with a bluetooth
capable device and evil intent. Of course, corporates are not the only potential targets - a
bluejacking expedition to, say, The House of Commons, or The US Senate, could provide
some interesting, valuable and, who's to say, potentially damaging or compromising data.
The above may sound alarmist and far fetched, and the general reaction would probably
be that most users would not be duped into allowing the connection to complete, so the
risk is small. However, in today's society of instant messaging, the average consumer is
under a constant barrage of unsolicited messages in one form or another, whether it be by
SPAM email, or "You have won!" style SMS text messages, and do not tend to treat them
with much suspicion (although they may well be sceptical about the veracity of the
offers). Another message popping up on their 'phone saying something along the lines of
"You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-
SUCKER to collect your prize!" is unlikely to cause much alarm, and is more than likely
to succeed in many cases.
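On the receiving side, the practical mitigation is to treat the remote device name as untrusted input before it reaches the pairing prompt: strip what must not be displayed, cap it at a plausible device-name length, and flag names that read like the lures described above so the prompt can default to declining. The screening function below is an added example and is not code from the report; the 248-character field size is the report's figure, while the 32-character display limit, the lure word list and the sample names are assumptions of this example.

```python
"""Screen a remote Bluetooth device name before it is shown in a pairing prompt.
Added example, not from the report. MAX_NAME_FIELD comes from the report; the
DISPLAY_LIMIT and the lure heuristics are assumptions of this example."""
import re
from typing import Dict, List

MAX_NAME_FIELD = 248   # user-defined name field size stated in the report
DISPLAY_LIMIT = 32     # assumed UI limit for a plausible device name (policy choice)

_URL_RE = re.compile(r"(https?://|www\.)", re.I)
_DIGITS_RE = re.compile(r"\b\d{4,}\b")                       # PIN- or number-like digit run
_LURE_RE = re.compile(r"\b(won|prize|pin|dial|claim|reply)\b", re.I)

# Constructed samples: the second one is the lure wording quoted in the report,
# the third contains control characters that must never reach the screen.
SAMPLE_NAMES = [
    b"Nokia 6310i",
    b"You have won 10,000 pounds! Enter this 4 digit PIN number and then dial "
    b"0900-SUCKER to collect your prize!",
    b"Office\x00Laptop\r\n",
]


def screen_device_name(raw: bytes) -> Dict[str, object]:
    """Return a display-safe name plus a suspicion verdict and the reasons for it."""
    name = raw.decode("utf-8", errors="replace")
    reasons: List[str] = []
    if len(raw) > MAX_NAME_FIELD:
        reasons.append("longer than the 248-byte name field")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control characters")
    if len(name) > DISPLAY_LIMIT:
        reasons.append("message-length name")
    if _URL_RE.search(name):
        reasons.append("contains URL")
    lure = bool(_LURE_RE.search(name))
    digits = bool(_DIGITS_RE.search(name))
    if lure and digits:
        reasons.append("prize/PIN lure with a number to dial or enter")
    # A name that is a message, a link, or a lure-plus-number is what bluejacking
    # needs; control characters alone are stripped but not treated as an attack.
    suspicious = ("message-length name" in reasons or "contains URL" in reasons
                  or (lure and digits))
    display = "".join(c for c in name if ord(c) >= 0x20 and ord(c) != 0x7F)[:DISPLAY_LIMIT]
    return {"display": display, "suspicious": suspicious, "reasons": reasons}


if __name__ == "__main__":
    for raw in SAMPLE_NAMES:
        r = screen_device_name(raw)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:<10} {r['display']!r:<36} {', '.join(r['reasons'])}")
```

The verdict is meant to drive the prompt's default (decline when suspicious), not to block pairing outright, since the user still has to confirm a legitimate device whose owner chose an odd name.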
8.5 VARIOUS OTHER ATTACKS
BLUEBUG is the name of a bluetooth security loophole on some bluetooth-enabled cell
phones. Exploiting this loophole allows the unauthorized downloading of phone books and
call lists, the sending and reading of SMS messages from the attacked phone and many
more things.
LONG DISTANCE SNARF - An eye-opener to those who believe that the range of the
wireless technology Bluetooth is 100 meters maximum. The Long-Distance-Snarf
experiment that took place in the early morning of proves this assumption wrong.
9. BLUETOOTH SECURITY
Bluetooth security, when compared with WLAN security, is both more complex and
simpler. It is more complex in the sense that there are many different options for security
based on different application scenarios. It is simpler in the sense that, for the most part,
they are transparent to the user. With WLANs it is up to the network administrator to add
security at higher levels. With Bluetooth, since the Bluetooth spec includes all levels,
higher-level security features are already built into the devices when appropriate.
Bluetooth security includes both authentication and confidentiality, and is based around
the SAFER+ encryption algorithm. SAFER+ is a block cipher, but in this application is
implemented as a stream cipher. SAFER+ was thoroughly analyzed and tested during the
NIST’s search for a national encryption standard. Although some versions were found to
have very minor weaknesses, the 128-bit version as used in Bluetooth is considered very
strong.
These methods utilize a number of keys generated by a process that begins with three
basic device entities: a public 48-bit device address, a random number generator, and a
secret PIN which is either built into the unit by the manufacturer or programmed by the
user. A typical PIN may consist of just four decimal digits. However, for applications
requiring more security a PIN code up to 128 bits long can be entered. The first of many
keys is created the first time the Bluetooth device is installed on the host
and is typically never changed. This is referred to as the unit key.
9.1.1 Authentication
When a Bluetooth session (defined as the time interval for which the device is
part of a piconet) is initiated, a series of additional keys is generated. One of these
keys, referred to as the link key or authentication key, is a one-time 128-bit secret
key that is used only during that session. The process of authentication employs
the encryption of a random number by each device to verify that each is sharing
the same secret link key.
9.1.2 Encryption
If encryption is required by the application, an encryption key is further derived
from the link key, a ciphering offset number, and a random number. While the
authentication key is always 128-bits, the encryption key may be shorter to
accommodate government restrictions on encryption, which vary from country to
country. A new encryption key is generated each time the device enters encryption
mode. The authentication key, however, is used during the entire session.
Pairing is the procedure where a relationship (link key) is established between two
previously unknown devices. The link key is derived when the devices are initially paired
(i.e. the link key does not exist before the pairing procedure). Pairing is facilitated with
yet another key, the initialization key. This key is computed by a pair of devices using the
Bluetooth addresses of each device, a random number, and a shared secret (PIN). Since it
is only used in the initial pairing, the initialization key is only used once. The initial
pairing is the most profitable area of attack on a Bluetooth device. If the attacker can
guess or steal the PIN during the initial pairing, then he can perform a much more
efficient search to derive the link key. This search is further simplified if the
communications occurring while the devices are paired is recorded. For this reason the
Bluetooth SIG strongly encourages the use of long, random PINs and suggests that
pairing be performed only in a private place. Assuming that both devices have a man-
machine interface (such as a keypad) it is also suggested that the PIN be manually
entered into both devices or in any case communicated out-of-band (not transmitted over
the Bluetooth wireless link). Thus, long PINs provide improved security since the PIN
cannot be received over-the-air. To steal the PIN an attacker must guess or record it by
some other means such as direct observation of the user, a more difficult procedure if the
PIN is long and the pairing is performed in private.
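Sections 9.1.1, 9.1.2 and the pairing paragraph above describe a key hierarchy (PIN and addresses to initialization key, initialization key to link key, link key to a per-session encryption key of negotiable length) and a challenge-response authentication on top of it. The model below is an added example, not code from the report or from any Bluetooth stack: HMAC-SHA256 stands in for the SAFER+-based key functions of the real protocol, so the byte values it produces do not match a real device, and the address and PIN values are constructed. What it shows is the flow from both sides and the two properties the report relies on: a matching PIN yields identical keys and a successful authentication, while everything except the PIN travels over the air.

```python
"""Model of the Bluetooth pairing / authentication / encryption key hierarchy.
Added example, not from the report. HMAC-SHA256 is a stand-in for the
SAFER+-based key derivation functions; addresses and PINs are constructed."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

KEY_LEN = 16  # 128-bit keys, as the report states for the link/authentication key


def _kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based derivation functions (assumption, not the spec)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:KEY_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def init_key(pin: bytes, addr_a: bytes, addr_b: bytes, in_rand: bytes) -> bytes:
    """Initialization key from both device addresses, a random number and the
    shared PIN (the three inputs the report names). Used once, during pairing."""
    return _kdf(pin, addr_a, addr_b, in_rand)


def link_key(k_init: bytes, contrib_a: bytes, contrib_b: bytes) -> bytes:
    """128-bit link (authentication) key, derived once when the devices pair."""
    return _kdf(k_init, b"link", contrib_a, contrib_b)


def auth_response(k_link: bytes, au_rand: bytes, claimant_addr: bytes) -> Tuple[bytes, bytes]:
    """Challenge-response: the claimant transforms the verifier's random number
    under the shared link key. Returns (SRES, ACO); the ACO is the ciphering
    offset that later feeds the encryption key."""
    d = hmac.new(k_link, au_rand + claimant_addr, hashlib.sha256).digest()
    return d[:4], d[4:16]


def encryption_key(k_link: bytes, cof: bytes, en_rand: bytes, length: int) -> bytes:
    """Encryption key from link key, ciphering offset and a fresh random number.
    'length' (1..16 bytes) models the negotiable, possibly shortened key size."""
    if not 1 <= length <= KEY_LEN:
        raise ValueError("encryption key length must be 1..16 bytes")
    return _kdf(k_link, b"enc", cof, en_rand)[:length]


def pair_and_authenticate(pin_a: bytes, pin_b: bytes, addr_a: bytes, addr_b: bytes,
                          enc_len: int = KEY_LEN,
                          rng: Callable[[int], bytes] = os.urandom) -> Dict[str, object]:
    """Run pairing, authentication and encryption-key setup from both sides.
    Every value marked 'over the air' is visible to a passive listener; only
    the PIN entries are out-of-band, which is why PIN strength matters."""
    in_rand = rng(KEY_LEN)                                   # A -> B, over the air
    k_init_a = init_key(pin_a, addr_a, addr_b, in_rand)
    k_init_b = init_key(pin_b, addr_a, addr_b, in_rand)      # B uses its own PIN entry

    # Each side contributes randomness masked with K_init; a wrong PIN unmasks garbage.
    rand_a, rand_b = rng(KEY_LEN), rng(KEY_LEN)
    masked_a = _xor(rand_a, k_init_a)                        # A -> B, over the air
    masked_b = _xor(rand_b, k_init_b)                        # B -> A, over the air
    k_link_a = link_key(k_init_a, rand_a, _xor(masked_b, k_init_a))
    k_link_b = link_key(k_init_b, _xor(masked_a, k_init_b), rand_b)

    # Authentication: B challenges A with AU_RAND; A answers with SRES.
    au_rand = rng(KEY_LEN)                                   # B -> A, over the air
    sres_a, aco_a = auth_response(k_link_a, au_rand, addr_a)
    sres_expected, aco_b = auth_response(k_link_b, au_rand, addr_a)
    authenticated = hmac.compare_digest(sres_a, sres_expected)

    # Encryption key: a new one each time encryption mode is entered (fresh EN_RAND).
    en_rand = rng(KEY_LEN)                                   # B -> A, over the air
    kc_a = encryption_key(k_link_a, aco_a, en_rand, enc_len)
    kc_b = encryption_key(k_link_b, aco_b, en_rand, enc_len)

    return {
        "authenticated": authenticated,
        "link_keys_match": hmac.compare_digest(k_link_a, k_link_b),
        "enc_keys_match": hmac.compare_digest(kc_a, kc_b),
        "enc_key_bytes": len(kc_a),
    }


if __name__ == "__main__":
    # Constructed addresses and PINs for the demo; not real devices.
    A, B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    print("same PIN, 128-bit key:", pair_and_authenticate(b"1234", b"1234", A, B))
    print("same PIN, 56-bit key :", pair_and_authenticate(b"1234", b"1234", A, B, enc_len=7))
    print("PIN mismatch         :", pair_and_authenticate(b"1234", b"1235", A, B))
```

The third call is the property the report warns about from the other direction: because IN_RAND, the masked contributions and AU_RAND are all observable, anyone who guesses the PIN can recompute the same keys offline, and a four-digit PIN leaves only ten thousand guesses to check against a recorded SRES.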
As a communication standard, Bluetooth security focuses on the link level. It provides
both entity authentication and link privacy. Since these functions are focused at the lower
network layers, message authentication and secure end-to-end links are not provided.
However, many applications, such as e-mail and browser transactions require end-to-end
security. As with other communication standards, this function is expected to be provided
at higher network layers by specific application providers.
Accordingly, the Bluetooth SIG encourages the reuse of existing transport, session and
application layer security. The Bluetooth SIG also strongly encourages pairing in
a private place and the use of robust PINs. In addition, simple devices that use unit keys
should not be relied upon to communicate highly secure data.
13. BLUESNARFING
SNARF and bluesnarfing are words that have been spooking around the Internet during
the last months. These words relate to a recently discovered security flaw in Bluetooth-
enabled devices. This report is about a field trial that evaluated this security loophole
at the CeBIT 2004 in Hannover. As described in, the SNARF attack enables access to
restricted portions of the device. SNARF is a word coming from computer-hacker jargon.
To snarf something means “to grab a large document or file and use it without the
author’s permission”. So it is possible, for example, to read out the affected devices’
phone books. These phone books contain numbers and associated names of persons that
are either stored in the device phone book, on the SIM card or in the lists of missed,
received or dialed contacts. It is also possible to retrieve and send SMS messages from
the affected phone or to initiate phone calls to any existing number (this feature is of
special interest if you are running a premium-rate service number yourself).
In theory, all supported AT commands could be issued to the respective device, but
according to statements of the manufacturers some of the commands are not permitted over
this disallowed connection. But there would be no reason to prevent
commands over a connection that the firmware exposes by accident.
13.1 The BlueSnarf Field Trial
The environment was built up from open-source software running on a laptop computer.
It would also be possible to get the device’s phone number by initiating a phone call to
the number of a phone that is able to display the caller’s number. However, this method
would disclose the number of the dialed phone to the owner of the attacked phone,
because every call initiation is writing an entry into the dialed contacts list (DC phone
book).
13.13.5 Blueprinting
Blueprinting aims to set a standard for fingerprinting Bluetooth devices. The idea is
similar to IP fingerprinting techniques as used in tools like nmap, where it is possible to
determine a host’s operating system by specific behavior of the IP stack. With
Blueprinting it is possible to determine the manufacturer, the device model and the
firmware version of the respective device. The introduced method is
intentionally simple so that this procedure can be executed on constrained devices that
are not capable of calculating common hashes such as MD5: the J2ME Connected
Limited Device Configuration (CLDC) Version 1.0 (as used in many mobile handsets)
can perform it. There are many different reasons that justify a method that allows the
identification of Bluetooth-enabled devices by the characteristics of their radio interface.
13.13.12 Blueprinting
Blueprinting uses specific information from the SDP profiles of a device to create a hash for
the respective device. According to the standard, there is always a field that holds the Service
Record Handle, which is a 32-bit number that is assigned by the SDP server when a
service is registered during startup of the device (e.g. 0x1000c in Table 13.13.12.1). In the case
of mobile phones, the Record Handles for the profile entries at the SDP server are not
dynamically assigned but statically coded in the phone’s firmware. The other value that is
taken into the hash is the RFCOMM channel or the L2CAP PSM number under which the service
can be accessed. In the profile below, this would be RFCOMM channel 9. One part
of a device’s Blueprinting hash is the sum of the Record Handle times the Channel over all
running services. The following Nokia 6310i SDP profile export shows this.
Table 13.13.12.1 OPUSH Profile from a Nokia 6310i
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Language Base Attr List:
  code ISO639: 0x656e
  encoding: 0x6a
  base offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
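The part of the hash the report describes is straightforward to compute from an SDP export once the records are parsed. The following parser is an added example and is not code from the report or from the Blueprinting project: it reads text in the layout printed by the BlueZ `sdptool browse` command, takes the Record Handle and the RFCOMM channel (or L2CAP PSM) of each reachable service, and sums handle times channel. The first record of the constructed sample is the Nokia 6310i OPUSH record from the table above; the second record is made up for illustration and its handle, PSM and name are not from the report.

```python
"""Record-Handle-times-Channel part of a Blueprinting hash from an sdptool-style
SDP export. Added example, not from the report or the Blueprinting project."""
import re
from typing import Dict, List

# Constructed input in the layout printed by BlueZ's `sdptool browse`. Record 1
# is the Nokia 6310i OPUSH record quoted in the report (handle 0x1000c, RFCOMM
# channel 9). Record 2 is a made-up L2CAP-only service and is NOT from the report.
SAMPLE_SDP_EXPORT = """\
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Constructed L2CAP Service
Service RecHandle: 0x10010
Service Class ID List:
  "Constructed" (0x1234)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 4099
"""

_NAME_RE = re.compile(r"^Service Name:\s*(.+)$", re.M)
_HANDLE_RE = re.compile(r"^Service RecHandle:\s*0x([0-9A-Fa-f]+)", re.M)
_CHANNEL_RE = re.compile(r"^\s*Channel:\s*(\d+)", re.M)   # RFCOMM services
_PSM_RE = re.compile(r"^\s*PSM:\s*(\d+)", re.M)           # L2CAP-only services


def parse_sdp_records(text: str) -> List[Dict[str, object]]:
    """Split an sdptool export (records separated by blank lines) and keep the
    records that carry both inputs the hash needs: a Record Handle and an
    RFCOMM channel or L2CAP PSM the service can be reached on."""
    records: List[Dict[str, object]] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        handle = _HANDLE_RE.search(chunk)
        if not handle:
            continue
        port = _CHANNEL_RE.search(chunk) or _PSM_RE.search(chunk)
        if not port:
            continue  # not reachable over RFCOMM/L2CAP: contributes nothing
        name = _NAME_RE.search(chunk)
        records.append({
            "name": name.group(1).strip() if name else "",
            "handle": int(handle.group(1), 16),
            "port": int(port.group(1)),
        })
    return records


def blueprint_sum(records: List[Dict[str, object]]) -> int:
    """The part of the Blueprinting hash the report describes: the sum over all
    running services of Record Handle times Channel (or PSM). Plain integer
    arithmetic, which is why it runs on CLDC-class handsets without MD5."""
    return sum(int(r["handle"]) * int(r["port"]) for r in records)


if __name__ == "__main__":
    recs = parse_sdp_records(SAMPLE_SDP_EXPORT)
    for r in recs:
        print(f"{r['name']:<28} handle=0x{r['handle']:x} port={r['port']}")
    print("blueprint sum:", blueprint_sum(recs))
```

Because the handles are fixed in firmware, two phones of the same model and firmware produce the same sum, which is exactly the uniformity the conclusions below comment on; from the defender's side the same computation is a cheap way to inventory which firmware builds are present on a site.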
13.14.4 Conclusions
Blueprinting is a novel method for the identification of Bluetooth-enabled devices by
means of their radio interface and the Bluetooth stack of the operating system. The
information gathered so far about the SDP profiles demonstrates a decreasing diversity in
mobile phone operating systems; the prevalent usage of e.g. Symbian. The increasing
uniformity is evident from similar Blueprinting hashes even when the hardware and the
manufacturer of the products differ. If current trends continue, the variety of
Blueprinting hashes will most likely decrease further. The fact that many phones have the same
operating system could result in serious trouble once a security flaw is discovered for a
common operating system.
Microsoft® has announced support for Bluetooth in the next release of Windows® XP as
follows:
Microsoft is creating native support in the Microsoft® Windows® operating system for
Bluetooth wireless technology. This support is entirely new and is not based on existing
software from other companies. The specific delivery vehicles are to be determined.
Microsoft supports the Bluetooth technology as a wireless bus, complementing USB and
IEEE 1394. The goal for Microsoft software support is to make Windows work with several
types of devices that implement Bluetooth wireless technology, such as PC peripherals,
PC companions, and devices bridged to network resources through a PC.
Support for Bluetooth wireless technology is not in the first release of Windows XP,
because there is not a sufficient array of production-quality devices that conform to the
Bluetooth specification for Microsoft to test. However, Microsoft is actively developing
support for Bluetooth technology and will ship this support in a future release. Quality,
reliability and compatibility are principal ship goals for Windows XP, and Microsoft will
not compromise on the customer experience.
16. SUMMARY
It can be said that the name Bluetooth refers not only to a technology, but also to a
standard and a specification. And few standards have taken off as Bluetooth has,
capturing the attention and development money of major corporations throughout the
world. If it can live up to its expectations and meet the needs of a global marketplace in
an easy-to-use, straightforward manner, it promises to become (like its eponymous King
Harald) a uniting force in the wireless communications world. This chapter helps you get
started with Bluetooth technology by covering the basics:
17. BIBLIOGRAPHY