
White Paper

Bluetooth Networks: Risks & Defenses


The objective of this white paper is to provide an overall understanding of Bluetooth networks, examine their security features and inherent risks, and make recommendations for mitigating risks.

1. Understanding Bluetooth Networks


Bluetooth technology is an IEEE 802.15 open standard and specification that enables short-range wireless connections between a multitude of wireless devices, including desktop and laptop computers, handhelds, PDAs, cell phones, camera phones, printers, digital cameras, headsets, keyboards, and even a computer mouse. More than 250 million Bluetooth devices are in operation worldwide, and this number is expected to grow to more than one billion in the next two years. Currently, there are more Bluetooth devices than wireless LAN devices in use. Bluetooth was originally architected by Ericsson Mobile Communications, which named the technology after the 10th-century Danish Viking king Harald Blåtand, also called Bluetooth. Today, Bluetooth technology is supported by all major companies, including IBM, Intel, Nokia, and Toshiba.

Bluetooth devices can also provide a bridge to existing networks. The goal of Bluetooth is to connect different devices together, wirelessly, in a small environment such as an office or home. Bluetooth can be used to connect almost any device to any other device, for example, to connect a PDA and a mobile phone. Bluetooth is inexpensive, takes little power to operate, and maintains a low profile. The standard effectively does the following:
- Eliminates wires and cables between stationary and mobile devices
- Facilitates data and voice communications
- Offers the possibility of ad hoc networks and delivers synchronicity between personal devices

Operating Band
Bluetooth transceivers operate in the unlicensed 2.4-GHz ISM band that is reserved for industrial, scientific, and medical applications. This band is available in most parts of the world (availability varies in some countries). It is the same band that wireless LAN devices and other IEEE 802.11-compliant devices occupy. Table 1 summarizes the characteristics of Bluetooth networks.

A Personal Area Network


Bluetooth is also called Personal Area Network (PAN) technology. It uses a globally available, short-range digital radio band for worldwide compatibility and provides a mechanism for creating small wireless networks on an ad hoc basis. Bluetooth enables fast and reliable transmission for both voice and data. Bluetooth-enabled devices allow users to eliminate cables from their digital peripherals, making cable clutter a thing of the past.

Characteristics      Description
Physical Layer       Frequency Hopping Spread Spectrum (FHSS)
Frequency Band       2.4 GHz to 2.45 GHz (ISM band)
Hop Frequency        1,600 hops/sec.
Data Rate            1 Mbps (raw). Higher bit rates are anticipated.
Operating Range      About 30 feet to 330 feet

Table 1. Key Characteristics of Bluetooth Technology

How Bluetooth Devices Network


Bluetooth networks consist of wireless stations or clients only, unlike a wireless LAN, which comprises both wireless user stations and access points. A Bluetooth client may be any Bluetooth-enabled device. Bluetooth devices automatically locate each other and form networks. As with all ad hoc networks, Bluetooth network topologies establish themselves on a temporary, random basis. Bluetooth networks maintain a master-slave relationship between devices. Any Bluetooth device can become a master or a slave. This relationship forms a piconet. Up to eight Bluetooth devices may be networked together in a piconet, in which one device is designated as the master of the network with up to seven slaves connected directly to it. The master device controls and sets up the network (including defining the network's hopping scheme). Devices in a Bluetooth piconet operate on the same channel and follow the same frequency hopping sequence. Although only one device can act as the master for each network, a slave in one network can act as the master for other networks, thus creating a chain of networks. This series of piconets, called a scatternet, allows several devices to inter-network over an extended distance. Figure 1 illustrates a typical piconet and scatternet.

Figure 1. A Typical Bluetooth Piconet & Scatternet.

Range of Bluetooth Devices


The operating range of a Bluetooth-enabled device depends on its Class, which in turn depends on the power level of the device.
Device Type   Power Level   Operating Range
Class 3       100 mW        Up to 330 feet
Class 2       10 mW         Up to 30 feet
Class 1       1 mW          Less than 30 feet

Table 2. Range of Bluetooth Devices by Class

At a 330-foot range, Bluetooth can compete with other wireless LAN technologies and applications. Additionally, as with the data rates, it is anticipated that even greater distances will be achieved in the future.

Benefits of Using Bluetooth


Bluetooth technology can result in increased efficiency and reduced costs. The efficiencies and cost savings are attractive for the home user and enterprise business user alike. Key benefits of Bluetooth include:
- Cable replacement for most device and peripheral interconnections, such as a mouse, keyboard, and PC
- Ease of file sharing between Bluetooth devices; for example, a PDA can access the files of a laptop
- Wireless synchronization with other Bluetooth-enabled devices, without user input
- Automated wireless applications that interface with the LAN and Internet
- Internet connectivity for a wide variety of devices and applications; for example, a Bluetooth mobile phone can act as a wireless modem for laptops

Figure 2. Bluetooth Air-Interface Security

www.airdefense.net

Copyright 2004, AirDefense, Inc.

2. Bluetooth Security Features


As a wireless technology, Bluetooth comes with some inherent, limited security features that users can optionally (but rarely) implement for both devices and services. Bluetooth supports authentication, authorization, and encryption (confidentiality) protocols; security modes, including link-level; separate access control for devices and services; and the use of several types of identifiers (IDs), depending on the device.

As illustrated in figure 2, Bluetooth can provide security on the link level, i.e., on various wireless links on the radio paths only. Link encryption and authentication may be provided, but true end-to-end security is not possible. In the figure, security services are provided between the PDA and the printer, between the cell phone and laptop, and between the laptop and the desktop.

Security Enforcement
Bluetooth uses pairing, PINs, and frequency hopping to enforce security. Encryption and authentication are based on a secret link key that is shared by a pair of Bluetooth devices. To generate this key, Bluetooth uses a pairing procedure the first time two devices communicate with one another. In this manner, two Bluetooth devices authenticate each other by passing a message during the initial handshake phase. Pairing is the driving force behind Bluetooth, as it is designed for information exchange. Pairing enables Bluetooth to interface with other devices and exchange, update, and synchronize data. To communicate, Bluetooth devices use a PIN in their initialization process. Some Bluetooth devices only allow the user to enter an ID number for each use, while others allow storage of the PIN in nonvolatile memory. Additionally, Bluetooth uses a frequency hopping technique to keep transmissions from breaking up. This technique, which consists of skipping around the radio band 1,600 times per second, improves the signal clarity. Also, by limiting communication to only synchronized devices, frequency hopping makes it slightly more difficult for an attacker to locate the Bluetooth transmission. This provides some additional protection from eavesdropping and malicious access.

Security protocols
Bluetooth supports the following protocols:
- Authentication provides an abort mechanism if a device cannot authenticate properly. This addresses, "Do I know with whom I am communicating?"
- Authorization allows the control of resources. This addresses, "Has this device been authorized to use this service?"
- Encryption attempts to prevent information compromise from eavesdropping (a passive attack). This addresses, "Are only authorized persons allowed to view my data?"

Link-Level Security Mode


Bluetooth supports link-level security. Link-level security provides a means for a secure link layer; pairing with PINs to establish secret pairwise link keys; challenge-response authentication with knowledge of the link key; and encryption. Figure 2 depicts the Bluetooth radio path for link-level security.

3. Security Risks
How secure are Bluetooth devices that use only the available Bluetooth default security? Even when users choose to implement Bluetooth default security, vulnerabilities do exist that provide a motivation for using enhanced security. Some Bluetooth devices have serious flaws in their authentication and data transfer mechanisms (see Table 3). Though Bluetooth devices have security features built in, most devices ship with unsecured default configurations that create gaping security holes.
InStat/MicroDesign Resources

Security Issue / Vulnerability | Comments
Shared master key. | The Bluetooth SIG needs to develop a better broadcast keying scheme.
No user authentication. | Bluetooth only provides device authentication. Application-level security and user authentication are optional.
Eavesdropping, resulting from device key sharing. | A hacker may be able to compromise the security, i.e., gain unauthorized access to communications between two other users.
Compromise of privacy if the Bluetooth device address (BD_ADDR) is captured and associated with a particular user. | Once the BD_ADDR is associated with a particular user, that user's activities could be logged, resulting in a loss of privacy.
Device authentication is simple shared-key challenge-response. | One-way-only challenge-response authentication is subject to man-in-the-middle attacks. Mutual authentication is required to provide verification that users and the network are legitimate.
End-to-end security is not performed. | Only individual links are encrypted and authenticated. Data is decrypted at intermediate points. Application software above the Bluetooth software can be developed.
Limited security services. | Audit, non-repudiation, and other services do not exist. If needed, these can be developed at particular points in a Bluetooth network.
Viruses and DoS attacks, via the Internet and email. | Data is vulnerable to third-party providers.

Source: NIST

Table 3. Key Security Issues with Bluetooth Networks.
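The "simple shared-key challenge-response" row of Table 3, together with the link-key and challenge-response description under Security Enforcement and Link-Level Security Mode, is easiest to see in a small model. The following Python is an added example, not code from the white paper or from AirDefense. It assumes a toy stand-in for Bluetooth's E1 authentication function (HMAC-SHA256 truncated to 32 bits instead of the SAFER+-based E1), keeps the real exchange shape (verifier sends RAND, claimant returns SRES computed from the link key, its own BD_ADDR and RAND), and uses constructed addresses and keys. It shows that a one-way exchange verifies only the claimant, so a device will answer a challenge from an unpaired stranger, and that running the exchange in both directions is what closes that gap.

```python
"""Toy model of Bluetooth link-key challenge-response authentication (added example)."""
import hashlib
import hmac
import secrets


def compute_sres(link_key: bytes, claimant_addr: bytes, rand: bytes) -> bytes:
    """Assumed stand-in for E1: SRES = f(link_key, BD_ADDR of claimant, RAND), 32 bits."""
    return hmac.new(link_key, claimant_addr + rand, hashlib.sha256).digest()[:4]


class Device:
    """A Bluetooth device holding one pairwise link key (constructed model)."""

    def __init__(self, bd_addr: bytes, link_key: bytes):
        self.bd_addr = bd_addr
        self.link_key = link_key
        self.pending_rand = None
        self.responses_issued = 0  # how many challenges this device has answered

    def challenge(self) -> bytes:
        """Verifier role: issue a fresh 128-bit random challenge."""
        self.pending_rand = secrets.token_bytes(16)
        return self.pending_rand

    def respond(self, rand: bytes) -> bytes:
        """Claimant role: answer whoever asked. Nothing here tells the claimant
        whether the challenger actually holds the link key."""
        self.responses_issued += 1
        return compute_sres(self.link_key, self.bd_addr, rand)

    def verify(self, claimant_addr: bytes, sres: bytes) -> bool:
        """Verifier role: check the response against the shared link key."""
        if self.pending_rand is None:
            return False
        expected = compute_sres(self.link_key, claimant_addr, self.pending_rand)
        self.pending_rand = None  # each RAND is used once
        return hmac.compare_digest(expected, sres)


def one_way_auth(verifier: Device, claimant: Device) -> bool:
    """One-way exchange: only the verifier learns anything about the peer."""
    rand = verifier.challenge()
    return verifier.verify(claimant.bd_addr, claimant.respond(rand))


def mutual_auth(a: Device, b: Device) -> bool:
    """Both directions must succeed before either side trusts the link."""
    return one_way_auth(a, b) and one_way_auth(b, a)


def demo() -> dict:
    """Run the cases behind the Table 3 row; all keys and addresses are constructed."""
    shared_key = secrets.token_bytes(16)  # link key produced by pairing
    laptop = Device(b"\x00\x11\x22\x33\x44\x55", shared_key)
    phone = Device(b"\x00\x11\x22\x66\x77\x88", shared_key)
    stranger = Device(b"\xde\xad\xbe\xef\x00\x01", secrets.token_bytes(16))  # never paired

    paired_mutual = mutual_auth(laptop, phone)          # both hold the key: succeeds
    stranger_rejected = one_way_auth(laptop, stranger)  # wrong key: laptop rejects

    # One-way weakness: the phone answers a challenge from an unpaired device
    # before anyone has checked that device. Mutual authentication makes the
    # phone challenge back and refuse to proceed.
    before = phone.responses_issued
    stranger_verifies_phone = one_way_auth(stranger, phone)
    phone_answered_stranger = phone.responses_issued - before
    phone_accepts_stranger = mutual_auth(phone, stranger)

    return {
        "paired_mutual": paired_mutual,
        "stranger_rejected": stranger_rejected,
        "stranger_verifies_phone": stranger_verifies_phone,
        "phone_answered_stranger": phone_answered_stranger,
        "phone_accepts_stranger": phone_accepts_stranger,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The counter on `respond` is the point of the model: in the one-way case the phone has already handed out a response when the stranger's verification fails, whereas `mutual_auth` makes the phone act as verifier first and stops at the first failed direction.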


Insecure Configurations
Using default security configurations in a Bluetooth network is an open invitation for attack on both the Bluetooth network and your enterprise backbone.

"Like wireless LAN devices, Bluetooth devices are being rapidly deployed with little or no security. However, because of the pervasiveness of these unsecured devices left in default settings, they stand to be an attractive target for exploitation."
Pete Lindstrom, research director, Spire Security

Authorized Remote User Vulnerabilities


Authorized remote users pose a threat to Bluetooth networks. Remote users are not always subject to the same security requirements as on-site users. They frequently use links that are not secure, whether at home or while traveling. In the process of connecting, remote users transmit user IDs and passwords, which a hacker can capture using a network sniffer. The hacker does not have to be in close proximity to a user to intercept traffic. Once the device or link is compromised, all devices in that Bluetooth network are vulnerable to attack. For example, a compromised link allows a hacker to monitor data traffic, while a compromised device allows the hacker to request and receive sensitive data. In addition, remote users often delegate authority (rights) to a host machine (e.g., a shared server) to execute programs. If the remote device is compromised and the authorized user had granted rights to the machine, the hacker could then use those rights to compromise the network. An example of this is a PDA automatically requesting a laptop to send and download emails. If the user had enabled (i.e., had delegated authority to) the PDA to download email from the laptop, a hacker could use the compromised PDA to obtain the email.

Bluetooth networks in many enterprises connect back to a wired network at some point. Hackers can use an insecure networked Bluetooth laptop as an entry point into the entire enterprise network, gaining access to customer credit cards, records, and other sensitive information that may not even exist on the Bluetooth network.

Signal Jamming & Interference


Besides the typical Denial-of-Service (DoS) attacks directed against LANs and Internet services, Bluetooth devices are also susceptible to signal jamming. Bluetooth devices share bandwidth with microwave ovens, cordless phones, and other wireless networks and are thus vulnerable to interference. Hackers can interfere with the flow of information (i.e., disrupt the routing protocol by feeding the network inaccurate information) by using devices that transmit in the 2.4-GHz ISM band.

Eavesdropping and Backdoors


Hackers can use wireless microphones as bugging devices. There have been recorded incidents of successful attacks on PCs using hacker toolkits, such as Back Orifice and NetBus. A hacker with a program such as Back Orifice installed on a device in the Bluetooth network could access other Bluetooth devices and networks that have limited or no security. Bluetooth devices are further vulnerable because the system authenticates the devices, not the users. As a result, a compromised device can gain access to the network and compromise both the network and the devices on the network.

SNARF Attacks
Discovered by A.L. Digital's chief security officer Adam Laurie while testing phones for his own company's deployment, the SNARF (also called "grab") attack bypasses the security net of most handsets and enables hackers to breach and compromise confidential data, including an individual subscriber's phonebook, calendar, business card data, and associated attachments, such as still and moving images, e.g., friends and family photos. All this data can be taken anonymously from some very well-known Bluetooth-enabled mobiles, and it is accomplished completely without the handset owner's knowledge or consent. Additionally, hackers can use the SNARF attack to obtain the phone's International Mobile Equipment Identity (IMEI), which remotely identifies the phone to the mobile network. The IMEI is used in illegal phone cloning.

Backdoor Attacks
The complete memory contents of some mobile phones can be accessed when an attacker establishes a trust relationship through the Bluetooth pairing procedure, while ensuring that it no longer appears in the target's register of paired devices. This data includes not only the phonebook and calendar, but also media files, such as pictures and text messages. In essence, the entire device can be backed up to the hacker's own system. Not only can the hacker acquire data from the phone, but the hacker can also access other services, such as modems or Internet, and WAP or GPRS gateways.

Bluejacking
Bluejacking is a technique that is similar in concept to a buffer overflow attack against a wired network. The technique involves abusing the Bluetooth pairing procedure, made possible because the name of the initiating Bluetooth device displays on the target device as part of the handshake exchange. As pairing allows a large user-defined name field (up to 248 characters), the field itself can be used to pass the message. This presents a potential security problem. During Bluejacking, the hacker successfully pairs with the target device using the first part of the handshake exchange. If this occurs, all data on the target device becomes available to the hacker, including phone books, calendars, pictures, and text messages. Bluejacking can provide the means for a hacker to hijack valuable data from corporations, government bodies, and the like. Bluejacking can succeed because of the number of users who are often duped by a constant barrage of unsolicited messages, such as spam email or SMS text messages.

4. Mitigating Security Risks


Countermeasures are now available to help secure Bluetooth networks. There are countermeasures that enterprise IT management can take to establish security policies; there are limited software solutions inherent in Bluetooth; and now there is the industry's first commercial-grade Bluetooth monitoring system, AirDefense BlueWatch.

Management Countermeasures
Enterprises that use Bluetooth technology can reduce risks by establishing and documenting security policies that address the use of Bluetooth devices and user responsibilities. Security policies should include a list of approved uses for Bluetooth devices, the type of information that may be transferred in the network, and disciplinary actions resulting from misuse. Security policies should also specify a set scheme for password use.

Secure Bluetooth Configurations


Software solutions inherent in Bluetooth technology include the PIN and private authentication. Bluetooth enforces PIN codes at the link level. Because the PIN codes are necessary for authentication and link security, administrators should ensure that Bluetooth devices use PIN codes other than the default (or lowest) setting. Passwords are fundamental measures that add an extra layer of security. As Bluetooth devices can store and automatically access link-level PIN codes from memory, a Bluetooth device should employ device authentication as an extra layer of security. Enterprises should incorporate application-level software that requires password authentication in Bluetooth devices.

Monitoring with AirDefense


AirDefense BlueWatch is the industry's first commercial-grade Bluetooth monitoring solution. BlueWatch is part of the suite of AirDefense products that monitor the airwaves to enhance the security of wireless networks. BlueWatch is a Windows-based software program that scans for the presence of Bluetooth devices and their key attributes. BlueWatch can enable individual users and enterprises to identify rogue and insecure Bluetooth devices in their air space, enabling them to take proactive steps to mitigate the risk of security breaches.

"Monitoring tools like AirDefense BlueWatch can play a critical role in providing visibility of unsanctioned or insecure Bluetooth devices and the security vulnerabilities they introduce."
Pete Lindstrom, research director, Spire Security
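The attributes a monitor reports for each discovered device (BD_ADDR, device class, friendly name, advertised services) are what an enterprise policy check consumes. The following Python is an added example and is not AirDefense or BlueWatch code: it parses constructed inquiry results in an assumed "bd_addr, class_of_device, name" line format, decodes the 24-bit Class of Device field (major device class in bits 8-12, service class flags in bits 13-23, per the Bluetooth assigned numbers), and flags the risks this paper raises: unknown manufacturers, unapproved device types, devices advertising network access that could bridge into the wired backbone, and over-long message-like names of the kind Bluejacking relies on. The approved-vendor OUI table and the 32-character name threshold are hypothetical policy values.

```python
"""Policy check over Bluetooth inquiry results (added example, not AirDefense code)."""
from dataclasses import dataclass

# Major device class lives in bits 8-12 of the 24-bit Class of Device field;
# major service class flags are bits 13-23 (Bluetooth assigned numbers).
MAJOR_DEVICE_CLASS = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
SERVICE_BITS = {
    13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}

# Hypothetical approved-vendor table keyed by OUI (first three octets of BD_ADDR).
# A real deployment would use the IEEE OUI registry and its own asset inventory.
APPROVED_OUI = {"00:11:22": "Example Vendor A", "AA:BB:CC": "Example Vendor B"}
APPROVED_TYPES = {"Computer", "Phone", "Peripheral"}
MAX_NAME_LEN = 32  # policy threshold; the protocol itself allows 248 characters

# Constructed inquiry results, not the output of any real tool:
# bd_addr, class_of_device (hex), friendly name
SAMPLE_SCAN = """
00:11:22:33:44:55, 0x3E010C, corp-laptop-017
AA:BB:CC:00:01:02, 0x5A020C, Sales Phone
AA:BB:CC:00:01:03, 0x002540, BT Keyboard
DE:AD:BE:EF:00:01, 0x020300, NAP-bridge
00:11:22:99:88:77, 0x5A020C, Free lunch in the lobby today, reply YES to claim
"""


@dataclass
class Finding:
    bd_addr: str
    severity: str
    reason: str


def decode_cod(cod: int):
    """Split a Class of Device value into (major class name, minor bits, service names)."""
    major = MAJOR_DEVICE_CLASS.get((cod >> 8) & 0x1F, "Unknown")
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    return major, minor, services


def parse_scan(text: str):
    """Parse 'bd_addr, cod, name' lines; the name itself may contain commas."""
    devices = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        bd_addr, cod_hex, name = line.split(",", 2)
        devices.append((bd_addr.strip().upper(), int(cod_hex.strip(), 16), name.strip()))
    return devices


def assess(devices):
    """Apply the policy to each discovered device and return the findings."""
    findings = []
    for bd_addr, cod, name in devices:
        major, _, services = decode_cod(cod)
        oui = bd_addr[:8]
        if oui not in APPROVED_OUI:
            findings.append(Finding(bd_addr, "medium",
                            f"manufacturer OUI {oui} is not on the approved list"))
        if major not in APPROVED_TYPES:
            if "Networking" in services:
                # The paper's worst case: a device offering network access can
                # bridge the Bluetooth network into the wired enterprise backbone.
                findings.append(Finding(bd_addr, "high",
                                f"{major} device advertises network access"))
            else:
                findings.append(Finding(bd_addr, "medium",
                                f"device class {major!r} is not an approved type"))
        if len(name) > MAX_NAME_LEN:
            # The friendly-name field (up to 248 characters) is the carrier the
            # paper describes for Bluejacking messages; long names deserve a look.
            findings.append(Finding(bd_addr, "low",
                            f"friendly name is {len(name)} characters, over the policy limit"))
    return findings


if __name__ == "__main__":
    for f in assess(parse_scan(SAMPLE_SCAN)):
        print(f"[{f.severity:6}] {f.bd_addr}  {f.reason}")
```

On the constructed scan the laptop, phone and keyboard pass, the network access point with an unknown OUI produces one high and one medium finding, and the phone with the message-like name produces one low finding.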

AirDefense BlueWatch runs on a standard Windows XP or Windows 2000 platform, on PCs and laptops. It uses a plug-in USB Bluetooth adapter that is compatible with WIDCOMM Bluetooth drivers. (Most PC devices use a WIDCOMM Bluetooth driver. This includes adapters from Linksys and Belkin, commonly available at consumer electronics stores.) AirDefense recommends using a Class 3 adapter for the greatest range of 330 feet (100 meters). BlueWatch monitors the airwaves to:
- Identify different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones.
- Provide key attributes, including the device class, device name, and manufacturer.
- Provide connection information, indicating whether Bluetooth devices are paired or connected.
- Identify available services on each device, including network access, fax, and audio gateway.

"Many of our new company-issued devices are Bluetooth enabled. Although this is a convenience for many of our associates, there is a risk that sensitive data may be compromised. AirDefense BlueWatch provides a monitoring solution that we can use to identify and track how and with whom these devices communicate."
Michael Ciarochi, senior security engineer, HomeBanc Mortgage

Conclusion
As businesses and consumers continue their rapid adoption of wireless technologies, all enterprises must address the growing security concerns from new airborne threats. Companies spend millions of dollars securing their networks. When a company's network is left exposed by insecure devices such as Bluetooth devices, hackers can enter the organization and compromise the company's corporate backbone, rendering investments in information technology security obsolete. The implications of a security breach can affect the company's reputation, intellectual property and regulated information. Organizations should take protective steps to monitor for Bluetooth devices in their air space to mitigate these new types of risks.

About AirDefense
AirDefense is the thought leader and innovator of wireless network security and operational support solutions. Founded in 2001, AirDefense pioneered the concept of 24x7 monitoring of the airwaves and now provides the most advanced solutions for rogue wireless LAN detection, policy enforcement, intrusion protection and monitoring the health of wireless networks. Blue chip companies and government agencies rely upon AirDefense solutions to secure and manage wireless networks around the globe. For more information or feedback on this white paper, please contact:
AirDefense, Inc.
4800 North Point Parkway, Suite 100
Alpharetta, Georgia 30022
Email: www.airdefense.net
Phone: 770.663.8115
All trademarks are the property of their respective owners.