7/27/2019 Bluetooth Airdefense
http://slidepdf.com/reader/full/bluetooth-airdefense 1/7
White Paper
Bluetooth Networks: Risks & Defenses
The objective of this white paper is to provide an overall understanding of Bluetooth networks, examine their security features and inherent risks, and make recommendations for mitigating those risks.
1. Understanding Bluetooth Networks
Bluetooth technology is an IEEE 802.15 open standard and specification that enables short-range wireless connections between a multitude of wireless devices, including desktop and laptop computers, handhelds, PDAs, cell phones, camera phones, printers, digital cameras, headsets, keyboards, and even a computer mouse. More than 250 million Bluetooth devices are in operation worldwide, and this number is expected to grow to more than one billion in the next two years. Currently, there are more Bluetooth devices than wireless LAN devices in use.
Bluetooth was originally architected by Ericsson Mobile Communications, which named the technology after the 10th Century Danish Viking, King Harald Blatand, also called “Bluetooth.” Today, Bluetooth technology is supported by all major companies, including IBM, Intel, Nokia, and Toshiba.
A Personal Area Network
Bluetooth is also called Personal Area Network (PAN) technology. It uses a globally available, short-range digital radio band frequency for worldwide compatibility to provide a mechanism for creating small wireless networks on an ad hoc basis. Bluetooth enables fast and reliable transmission for both voice and data. Bluetooth-enabled devices allow users to eliminate cables from their digital peripherals, making cable clutter a thing of the past. Bluetooth devices can also provide a bridge to existing networks.
The goal of Bluetooth is to connect different devices together, wirelessly, in a small environment, such as an office or home. Bluetooth can be used to connect almost any device to any other device, for example, to connect a PDA and a mobile phone.
Bluetooth is inexpensive, takes little power to operate, and maintains a low profile. The standard effectively does the following:
- Eliminates wires and cables between stationary and mobile devices
- Facilitates data and voice communications
- Offers the possibility of ad hoc networks and delivers synchronicity between personal devices
Operating Band
Bluetooth transceivers operate in the unlicensed 2.4-GHz ISM band that is reserved for industrial, scientific, and medical applications. This band is available in most parts of the world (it varies in some countries). The band is similar to the band that wireless LAN devices and other IEEE 802.11-compliant devices occupy. Table 1 summarizes the characteristics of Bluetooth networks.
Copyright 2004, AirDefense, Inc. www.airdefense.net
Characteristic  | Description
Physical Layer  | Frequency Hopping Spread Spectrum (FHSS)
Frequency Band  | 2.4 GHz – 2.45 GHz (ISM band)
Hop Frequency   | 1,600 hops/sec
Data Rate       | 1 Mbps (raw); higher bit rates are anticipated
Operating Range | About 30 feet to 330 feet
Table 1. Key Characteristics of Bluetooth Technology
How Bluetooth Devices Network
Bluetooth networks are comprised of wireless stations or clients only, unlike a wireless LAN, which is comprised of both wireless user stations and access points. A Bluetooth client may be any Bluetooth-enabled device.
Bluetooth devices automatically locate each other and form networks. As with all ad hoc networks, Bluetooth network topologies establish themselves on a temporary, random basis.
Bluetooth networks maintain a “master-slave” relationship between devices. Any Bluetooth device can become a master or slave. This relationship forms a piconet. Up to eight Bluetooth devices may be networked together in a piconet, in which one device is designated as the master of the network with up to seven slaves connected directly to that network. The master device controls and sets up the network (including defining the network’s hopping scheme).
Devices in a Bluetooth piconet operate on the same channel and follow the same frequency hopping sequence. Although only one device can act as the master for each network, a slave in one network can act as the master for other networks, thus creating a chain of networks. This series of piconets, called a scatternet, allows several devices to inter-network over an extended distance. Figure 1 illustrates a typical piconet and scatternet.
Figure 1. A Typical Bluetooth Piconet & Scatternet.
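The piconet and scatternet rules just described (one master, at most seven slaves following the master's hopping scheme, and a device that is a slave in one piconet acting as master of another) can be modelled directly. The following Python is an added example written for this page, not code from the white paper or from AirDefense. Device names and the "hop-seq-of-" label are constructed placeholders; the model tracks topology only and omits the real hop sequence and parked slaves.

```python
"""Toy model of the Bluetooth piconet and scatternet rules described above.

Added example (not code from the white paper): a piconet has one master
and at most seven active slaves that follow the master's hopping scheme;
a device that is a slave in one piconet may be the master of another,
which links the piconets into a scatternet.
"""
from collections import defaultdict

MAX_ACTIVE_SLAVES = 7   # one master plus seven slaves = eight devices per piconet


class Piconet:
    def __init__(self, master: str):
        self.master = master
        self.slaves: list[str] = []
        # The master defines the hopping scheme; a label stands in for the real sequence (assumption).
        self.hop_sequence = f"hop-seq-of-{master}"

    def add_slave(self, device: str) -> bool:
        """Returns True if the device joined; False if it is the master or the piconet is full."""
        if device == self.master or len(self.slaves) >= MAX_ACTIVE_SLAVES:
            return False
        if device not in self.slaves:
            self.slaves.append(device)
        return True

    def members(self) -> set[str]:
        return {self.master, *self.slaves}


class Scatternet:
    def __init__(self):
        self.piconets: dict[str, Piconet] = {}   # keyed by master name

    def create_piconet(self, master: str) -> Piconet:
        # A device masters at most one piconet but may be a slave elsewhere at the same time.
        if master in self.piconets:
            raise ValueError(f"{master} already masters a piconet")
        self.piconets[master] = Piconet(master)
        return self.piconets[master]

    def bridges(self) -> set[str]:
        """Devices present in more than one piconet; these are what turn piconets into a scatternet."""
        seen_in = defaultdict(int)
        for pn in self.piconets.values():
            for d in pn.members():
                seen_in[d] += 1
        return {d for d, n in seen_in.items() if n > 1}

    def reachable(self, start: str) -> set[str]:
        """Every device reachable from `start` by relaying across piconet memberships."""
        reached, frontier = {start}, [start]
        while frontier:
            d = frontier.pop()
            for pn in self.piconets.values():
                if d in pn.members():
                    new = pn.members() - reached
                    reached |= new
                    frontier.extend(new)
        return reached


def build_example() -> Scatternet:
    """Constructed topology: a laptop masters piconet 1; its slave 'phone' masters piconet 2."""
    net = Scatternet()
    office = net.create_piconet("laptop")
    for d in ("phone", "pda", "printer"):
        office.add_slave(d)
    personal = net.create_piconet("phone")   # slave in `office`, master here
    personal.add_slave("headset")
    return net


if __name__ == "__main__":
    net = build_example()
    print("bridge devices:", net.bridges())
    print("reachable from headset:", sorted(net.reachable("headset")))
```

The reachable() walk is the security-relevant part: a headset that only ever pairs with a phone is nonetheless one relay away from every device in the laptop's piconet, which is the extended-distance property the paper describes.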
Range of Bluetooth Devices
The operating range of a Bluetooth-enabled device depends on its Class, which in turn depends on the power level of the device.

Device Type | Power Level | Operating Range
Class 3     | 100 mW      | Up to 330 feet
Class 2     | 10 mW       | Up to 30 feet
Class 1     | 1 mW        | Less than 30 feet
Table 2. Range of Bluetooth Devices by Class

At a 330-foot range, Bluetooth can compete with other wireless LAN technologies and applications. Additionally, as with the data rates, it is anticipated that even greater distances will be achieved in the future.
Benefits of Using Bluetooth
Bluetooth technology can result in increased efficiency and reduced costs. The efficiencies and cost savings are attractive for the home user and enterprise business user alike. Key benefits of Bluetooth include:
- Cable replacement for most device and peripheral interconnections, such as a mouse, keyboard, and PC
- Ease of file sharing between Bluetooth devices; for example, a PDA can access the files of a laptop
- Wireless synchronization with other Bluetooth-enabled devices, without user input
- Automated wireless applications that interface with the LAN and Internet
- Internet connectivity for a wide variety of devices and applications; for example, a Bluetooth mobile phone can act as a wireless modem for laptops
2. Bluetooth Security Features
As a wireless technology, Bluetooth comes with some inherent, limited security features that users can optionally (but rarely) implement for both devices and services. Bluetooth supports authentication, authorization, and encryption (confidentiality) protocols; security modes, including link-level; separate access control for devices and services; and the use of several types of identifiers (IDs), depending on the device.
Security Protocols
Bluetooth supports the following protocols:
- Authentication provides an abort mechanism if a device cannot authenticate properly. This addresses, “Do I know with whom I am communicating?”
- Authorization allows the control of resources. This addresses, “Has this device been authorized to use this service?”
- Encryption attempts to prevent information compromise from eavesdropping (passive attack). This addresses, “Are only authorized persons allowed to view my data?”
Link-Level Security Mode
Bluetooth supports link-level security. Link-level security provides a means for a secure link layer; pairing with PINs to establish secret pair-wise link keys; challenge–response authentication with knowledge of the link key; and encryption. Figure 2 depicts the Bluetooth radio path for link-level security.
Figure 2. Bluetooth Air-Interface Security
As illustrated in Figure 2, Bluetooth can provide security on the link level, i.e., on the individual wireless links of the radio path only. Link encryption and authentication may be provided, but true end-to-end security is not possible. In the figure, security services are provided between the PDA and the printer, between the cell phone and laptop, and between the laptop and the desktop.
Security Enforcement
Bluetooth uses pairing, PINs, and frequency hopping to enforce security.
Encryption and authentication are based on a secret link key that is shared by a pair of Bluetooth devices. To generate this key, Bluetooth uses a pairing procedure the first time two devices communicate with one another. In this manner, two Bluetooth devices authenticate each other by passing a message during the initial handshake phase.
Pairing is the driving force behind Bluetooth, as it is designed for information exchange. Pairing enables Bluetooth to interface with other devices and exchange, update, and synchronize data.
To communicate, Bluetooth devices use a PIN in their initialization process. Some Bluetooth devices only allow the user to enter an ID number for each use, while others allow storage of the PIN in nonvolatile memory.
Additionally, Bluetooth uses a frequency hopping technique to keep transmissions from breaking up. This technique, which consists of skipping around the radio band 1,600 times per second, improves the signal clarity. Also, by limiting communication to only synchronized devices, frequency hopping makes it slightly more difficult for an attacker to locate the Bluetooth transmission. This provides some additional protection from eavesdropping and malicious access.
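To make the pairing and challenge-response mechanism concrete, here is an added Python model; it is not code from the paper, from AirDefense, or from the Bluetooth specification. It keeps the structure described above: a PIN plus exchanged random values yields a shared link key, and a verifier checks the claimant with a challenge-response. HMAC-SHA256 stands in for the SAFER+-based E22/E1 functions of the real specification, the addresses and PINs are constructed, and the Impostor class is a teaching device that shows why Table 3 in the next section calls for mutual authentication: a one-way exchange gives the responding device no evidence about who is verifying it. The pin_is_acceptable check corresponds to the section 4 recommendation to avoid default or lowest-setting PINs; its WEAK_PINS list is a constructed example, not a published list.

```python
"""Simplified model of Bluetooth pairing and link-level authentication.

Added example, not code from the white paper, AirDefense, or the Bluetooth
specification. HMAC-SHA256 stands in for the SAFER+-based E22/E1 functions
the real specification uses, so key values are illustrative only.
"""
import hashlib
import hmac
import secrets

# Constructed list of default / "lowest setting" PINs that section 4 advises against.
WEAK_PINS = {"0000", "1234", "1111", "0123", "9999"}


def pin_is_acceptable(pin: str, min_len: int = 8) -> bool:
    """Policy check: digits only, at least min_len long, not a known default, not one repeated digit."""
    return pin.isdigit() and len(pin) >= min_len and pin not in WEAK_PINS and len(set(pin)) > 1


def derive_link_key(pin: str, rand_a: bytes, rand_b: bytes, addr_a: bytes, addr_b: bytes) -> bytes:
    """Both devices compute the same link key from the PIN, the exchanged random values and
    both BD_ADDRs. Everything except the PIN crosses the air, which is why PIN quality matters."""
    return hmac.new(pin.encode(), rand_a + rand_b + addr_a + addr_b, hashlib.sha256).digest()


def challenge_response(link_key: bytes, challenge: bytes, claimant_addr: bytes) -> bytes:
    """Claimant's answer: keyed hash over the verifier's challenge and the claimant's own address."""
    return hmac.new(link_key, challenge + claimant_addr, hashlib.sha256).digest()


class Device:
    def __init__(self, name: str, bd_addr: bytes):
        self.name, self.bd_addr = name, bd_addr
        self.link_keys: dict[bytes, bytes] = {}   # peer BD_ADDR -> shared link key

    def pair(self, peer: "Device", pin_self: str, pin_peer: str) -> None:
        """Pairing: exchange random values; each side derives a key from the PIN it was given.
        If the PINs differ, the two stored keys differ and later authentication fails."""
        rand_self, rand_peer = secrets.token_bytes(16), secrets.token_bytes(16)
        self.link_keys[peer.bd_addr] = derive_link_key(pin_self, rand_self, rand_peer, self.bd_addr, peer.bd_addr)
        peer.link_keys[self.bd_addr] = derive_link_key(pin_peer, rand_self, rand_peer, self.bd_addr, peer.bd_addr)

    def respond(self, verifier_addr: bytes, challenge: bytes) -> bytes:
        key = self.link_keys.get(verifier_addr, b"no-key")   # no shared key -> wrong answer
        return challenge_response(key, challenge, self.bd_addr)

    def authenticate_peer(self, peer: "Device") -> bool:
        """One-way authentication: this device verifies that `peer` holds the shared link key."""
        key = self.link_keys.get(peer.bd_addr)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = challenge_response(key, challenge, peer.bd_addr)
        return hmac.compare_digest(expected, peer.respond(self.bd_addr, challenge))


class Impostor(Device):
    """Teaching device: claims another device's BD_ADDR, holds no link key, and as verifier
    accepts any response because it has nothing to check against."""
    def authenticate_peer(self, peer: "Device") -> bool:
        return True


def authenticate(initiator: Device, responder: Device, mutual: bool) -> dict:
    """One-way: only the initiator verifies the responder (the weak case in Table 3).
    Mutual: the responder verifies the initiator as well."""
    return {
        "initiator_verified_responder": initiator.authenticate_peer(responder),
        "responder_verified_initiator": responder.authenticate_peer(initiator) if mutual else None,
    }


def demo() -> dict:
    """Constructed devices and PINs; returns the outcome of four scenarios."""
    laptop = Device("laptop", bytes.fromhex("001122334455"))
    pda = Device("pda", bytes.fromhex("66778899aabb"))
    phone = Device("phone", bytes.fromhex("ccddeeff0011"))
    laptop.pair(pda, "73918264", "73918264")        # same PIN entered on both sides
    laptop.pair(phone, "73918264", "0000")          # PIN mismatch
    rogue = Impostor("rogue", laptop.bd_addr)       # spoofs the laptop's address, holds no key
    return {
        "good_pair_mutual": authenticate(laptop, pda, mutual=True),
        "pin_mismatch": authenticate(laptop, phone, mutual=False),
        "rogue_one_way": authenticate(rogue, pda, mutual=False),
        "rogue_mutual": authenticate(rogue, pda, mutual=True),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

In the rogue_one_way scenario the PDA is never asked to verify anything, so from its point of view the session simply proceeds; in rogue_mutual the PDA's own challenge exposes the missing link key. That difference, not the toy cipher, is the point.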
3. Security Risks
How secure are Bluetooth devices that use only the available Bluetooth default security? Even when users choose to implement Bluetooth default security, vulnerabilities do exist that provide a motivation for using enhanced security. Some Bluetooth devices have serious flaws in their authentication and data transfer mechanisms (see Table 3).
“Though Bluetooth devices have security features built in, most devices ship with unsecured default configurations that create gaping security holes.”
InStat/MicroDesign Resources
Security Issue / Vulnerability | Comments
Shared master key. | The Bluetooth SIG needs to develop a better broadcast keying scheme.
No user authentication. | Bluetooth only provides device authentication. Application-level security and user authentication is optional.
Eavesdropping, resulting from device key sharing. | A hacker may be able to compromise the security, i.e., gain unauthorized access to communications between two other users.
Compromise of privacy if the Bluetooth device address (BD_ADDR) is captured and associated with a particular user. | Once the BD_ADDR is associated with a particular user, that user’s activities could be logged, resulting in a loss of privacy.
Device authentication is simple shared-key challenge-response. | One-way-only challenge-response authentication is subject to man-in-the-middle attacks. Mutual authentication is required to provide verification that users and the network are legitimate.
End-to-end security is not performed. | Only individual links are encrypted and authenticated. Data is decrypted at intermediate points. Application software above the Bluetooth software can be developed.
Limited security services. | Audit, non-repudiation, and other services do not exist. If needed, these can be developed at particular points in a Bluetooth network.
Viruses and DoS attacks, via the Internet and Email. | Data is vulnerable to third-party providers.
Source: NIST
Table 3. Key Security Issues with Bluetooth Networks.
Insecure Configurations
Using default security configurations in a Bluetooth network is an open invitation for attack on both the Bluetooth network and your enterprise backbone.
“Like wireless LAN devices, Bluetooth devices are being rapidly deployed with little or no security. However, because of the pervasiveness of these unsecured devices left in default settings, they stand to be an attractive target for exploitation.”
Pete Lindstrom, research director, Spire Security
Bluetooth networks in many enterprises connect back to a wired network at some point. Hackers can use an insecure networked Bluetooth laptop as an entry point into the entire enterprise network, gaining access to customer credit cards, records, and other sensitive information that may not even exist on the Bluetooth network.
Eavesdropping and Backdoors
Hackers can use wireless microphones as bugging devices. There have been recorded incidents of successful attacks on PCs using hacker “toolkits,” such as Back Orifice and NetBus. A hacker with a program such as Back Orifice installed on a device in the Bluetooth network could access other Bluetooth devices and networks that have limited or no security.
Bluetooth devices are further vulnerable because the system authenticates the devices, not the users. As a result, a compromised device can gain access to the network and compromise both the network and the devices on the network.
Authorized Remote User Vulnerabilities
Authorized remote users pose a threat to Bluetooth networks. Remote users are not always subject to the same security requirements as onsite users. They frequently use links that are not secure, whether at home or while traveling. In the process of connecting, remote users transmit user IDs and passwords, which a hacker can capture using a network sniffer. The hacker does not have to be in close proximity to a user to intercept traffic. Once the device or link is compromised, all devices in that Bluetooth network are vulnerable to attack. For example, a compromised link allows a hacker to monitor data traffic, while a compromised device allows the hacker to request and receive sensitive data.
In addition, remote users often delegate authority (rights) to a host machine (e.g., a shared server) to execute programs. If the remote device is compromised and the authorized user had granted rights to the machine, the hacker could then use those rights to compromise the network. An example of this is a PDA automatically requesting a laptop to send and download emails. If the user had enabled (i.e., had delegated authority to) the PDA to download email from the laptop, a hacker could use the compromised PDA to obtain the email.
Signal Jamming & Interference
Besides the typical Denial-of-Service (DoS) attacks directed against LANs and Internet services, Bluetooth devices are also susceptible to signal jamming. Bluetooth devices share bandwidth with microwave ovens, cordless phones, and other wireless networks and are thus vulnerable to interference. Hackers can interfere with the flow of information (i.e., disrupt the routing protocol by feeding the network inaccurate information) by using devices that transmit in the 2.4-GHz ISM band.
SNARF Attacks
Discovered by A.L. Digital's chief security officer Adam Laurie while testing phones for his own company's deployment, the SNARF (also called “grab”) attack bypasses the security net of most handsets and enables hackers to breach and compromise confidential data, including an individual subscriber’s phonebook, calendar, business card data, and associated attachments, such as still and moving images, e.g., friends and family photos. All this data can be taken anonymously from some very well-known Bluetooth-enabled mobiles, and it is accomplished completely without the handset owner’s knowledge or consent.
Additionally, hackers can use the SNARF attack to obtain the phone’s International Mobile Equipment Identity (IMEI), which remotely identifies the phone to the mobile network. The IMEI is used in illegal phone cloning.
Backdoor Attacks
The complete memory contents of some mobile phones can be accessed when an attacker establishes a trust relationship through the Bluetooth pairing procedure, while ensuring that it no longer appears in the target’s register of paired devices. This data includes not only the phonebook and calendar, but also media files, such as pictures and text messages. In essence, the entire device can be backed up to the hacker’s own system. Not only can the hacker acquire data from the phone, but the hacker can also access other services, such as modems or Internet, and WAP or GPRS gateways.
Bluejacking
Bluejacking is a technique that is similar in concept to a buffer overflow attack against a wired network.
The technique involves abusing the Bluetooth pairing procedure, made possible because the name of the initiating Bluetooth device displays on the target device as part of the handshake exchange. As pairing allows a large user-defined name field (up to 248 characters), the field itself can be used to pass the message. This presents a potential security problem.
During Bluejacking, the hacker successfully pairs with the target device using the first part of the handshake exchange. If this occurs, all data on the target device becomes available to the hacker, including phone books, calendars, pictures, and text messages. Bluejacking can provide the means for a hacker to hijack valuable data from corporations, government bodies, and the like. Bluejacking can succeed because of the number of users who are often duped by a constant barrage of unsolicited messages, such as SPAM email or SMS text messages.
4. Mitigating Security Risks
Countermeasures are now available to help secure Bluetooth networks. There are countermeasures that enterprise IT management can take to establish security policies; there are limited software solutions inherent in Bluetooth; and now there is the industry’s first commercial-grade Bluetooth monitoring system, AirDefense BlueWatch™.
Management Countermeasures
Enterprises that use Bluetooth technology can reduce risks by establishing and documenting security policies that address the use of Bluetooth devices and user responsibilities. Security policies should include a list of approved uses for Bluetooth devices, the type of information that may be transferred in the network, and disciplinary actions resulting from misuse. Security policies should also specify a set scheme for password use.
Secure Bluetooth Configurations
Software solutions inherent in Bluetooth technology include the PIN and private authentication. Bluetooth enforces PIN codes at the link level. Because the PIN codes are necessary for authentication and link security, administrators should ensure that Bluetooth devices use PIN codes other than the default (or lowest) setting.
Passwords are fundamental measures that add an extra layer of security. As Bluetooth devices can store and automatically access link-level PIN codes from memory, a Bluetooth device should employ device authentication as an extra layer of security. Enterprises should incorporate application-level software that requires password authentication in Bluetooth devices.
Monitoring with AirDefense
AirDefense BlueWatch is the industry’s first commercial-grade Bluetooth monitoring solution. BlueWatch is part of the suite of AirDefense products that monitor the airwaves to enhance the security of wireless networks. BlueWatch is a Windows-based software program that scans for the presence of Bluetooth devices and their key attributes. BlueWatch can enable individual users and enterprises to identify rogue and insecure Bluetooth devices in their air space, enabling them to take proactive steps to mitigate the risk of security breaches.
“Monitoring tools like AirDefense BlueWatch can play a critical role in providing visibility of unsanctioned or insecure Bluetooth devices and the security vulnerabilities they introduce.”
Pete Lindstrom, research director, Spire Security
AirDefense BlueWatch runs on a standard Windows® XP® or Windows 2000® platform, on PCs and laptops. It uses a plug-in USB Bluetooth adapter that is compatible with WIDCOMM® Bluetooth drivers. (Most PC devices use a WIDCOMM Bluetooth driver. This includes adapters from Linksys® and Belkin®, commonly available at consumer electronics stores.) AirDefense recommends using a Class 3 adapter for the greatest range of 330 feet (100 meters).
BlueWatch monitors the airwaves to:
- Identify different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones.
- Provide key attributes, including the device class, device name, and manufacturer.
- Provide connection information, indicating if Bluetooth devices are paired or connected.
- Identify available services on each device, including network access, fax, and audio gateway.
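As an added example (not BlueWatch code and not from the paper), the following Python carries out the four monitoring steps listed above over constructed inquiry-scan records. It decodes the 24-bit Class of Device field using the major-device and service-class bit layout from the Bluetooth Assigned Numbers, derives a manufacturer from the OUI prefix of the BD_ADDR (OUI_TABLE here is a constructed stand-in for the IEEE registry), reports connection state, and flags three conditions the paper raises in section 3: devices absent from an allowlist (rogue devices), devices advertising network access (the bridge-to-the-LAN risk), and device names that look like Bluejacking messages carried in the 248-character name field. ScanRecord, SAMPLE_SCAN and ALLOWLIST are constructed inputs.

```python
"""Inventory and risk-flagging over Bluetooth inquiry-scan records.

Added example, not AirDefense BlueWatch code. Class of Device decoding
follows the standard 24-bit layout (bits 8-12 major device class,
bits 13-23 major service classes); everything else is constructed.
"""
from dataclasses import dataclass

MAJOR_DEVICE = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
                4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable"}
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking", 18: "Rendering",
                19: "Capturing", 20: "Object Transfer", 21: "Audio", 22: "Telephony", 23: "Information"}
NAME_LIMIT = 248   # maximum device-name length in bytes, as stated in the Bluejacking section

# Constructed OUI table; a real tool would consult the IEEE OUI registry.
OUI_TABLE = {"00:11:22": "ExampleVendorA", "66:77:88": "ExampleVendorB"}


@dataclass
class ScanRecord:          # constructed shape of one inquiry/SDP result
    bd_addr: str
    cod: int               # Class of Device, 24-bit
    name: str
    services: list         # service names discovered on the device
    connected: bool


def decode_cod(cod: int) -> tuple[str, list[str]]:
    """Major device class from bits 8-12, service classes from the set bits in 13-23."""
    major = MAJOR_DEVICE.get((cod >> 8) & 0x1F, "Uncategorized")
    services = [label for bit, label in SERVICE_BITS.items() if cod & (1 << bit)]
    return major, services


def manufacturer(bd_addr: str) -> str:
    """The upper three bytes of a BD_ADDR are the vendor's OUI."""
    return OUI_TABLE.get(bd_addr[:8].upper(), "unknown")


def name_looks_like_message(name: str) -> bool:
    """Bluejacking abuses the name field to carry text: flag over-long names,
    names made of several words, or names carrying a URL."""
    if len(name.encode("utf-8")) > NAME_LIMIT:
        return True
    lowered = name.lower()
    return len(name.split()) >= 4 or "http" in lowered or "www." in lowered


def assess(record: ScanRecord, allowlist: set[str]) -> dict:
    major, cod_services = decode_cod(record.cod)
    findings = []
    if record.bd_addr.upper() not in allowlist:
        findings.append("not on allowlist (possible rogue device)")
    if "Networking" in cod_services or any("network" in s.lower() for s in record.services):
        findings.append("advertises network access (possible bridge to the LAN)")
    if name_looks_like_message(record.name):
        findings.append("device name resembles a bluejacking message")
    return {"bd_addr": record.bd_addr, "type": major, "manufacturer": manufacturer(record.bd_addr),
            "cod_services": cod_services, "connected": record.connected, "findings": findings}


SAMPLE_SCAN = [   # constructed records
    ScanRecord("00:11:22:AA:BB:CC", 0x5A020C, "Sales Phone", ["OBEX Object Push", "Dial-up Networking"], False),
    ScanRecord("66:77:88:01:02:03", 0x0540, "Keyboard", ["HID"], True),
    ScanRecord("DE:AD:BE:EF:00:01", 0x200404, "Call me now http://example.invalid", ["Headset"], False),
]
ALLOWLIST = {"00:11:22:AA:BB:CC", "66:77:88:01:02:03"}


def run_inventory(records=SAMPLE_SCAN, allowlist=ALLOWLIST) -> list[dict]:
    return [assess(r, allowlist) for r in records]


if __name__ == "__main__":
    for entry in run_inventory():
        flags = "; ".join(entry["findings"]) or "no findings"
        print(f"{entry['bd_addr']} {entry['type']:<12} {entry['manufacturer']:<15} {flags}")
```

The allowlist is the part that needs real operational input: an inventory of sanctioned BD_ADDRs is what turns "a phone is present" into "an unsanctioned phone offering dial-up networking is present", which is the finding the paper's rogue-device use case depends on.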
"Many of our new company-issued devices
are Bluetooth enabled. Although this is a
convenience for many of our associates,
there is a risk that sensitive data may becompromised. AirDefense BlueWatch
provides a monitoring solution that we can
use to identify and track how and with whom
these devices communicate."
Michael Ciarochi, senior security engineer,HomeBanc Mortgage
Conclusion
As businesses and consumers continue their rapid adoption of wireless technologies, all enterprises must address the growing security concerns from new airborne threats. Companies spend millions of dollars securing their networks. When a company’s network is left exposed by insecure devices such as Bluetooth devices, hackers can enter the organization and compromise the company’s corporate backbone, rendering investments in information technology security obsolete. The implications from a security breach can impact the company’s reputation, intellectual property and regulated information.
Organizations should take protective steps to monitor for Bluetooth devices in their air space to mitigate these new types of risks.
About AirDefense
AirDefense is the thought leader and innovator of wireless network security and operational support solutions. Founded in 2001, AirDefense pioneered the concept of 24x7 monitoring of the airwaves and now provides the most advanced solutions for rogue wireless LAN detection, policy enforcement, intrusion protection and monitoring the health of wireless networks. Blue chip companies and government agencies rely upon AirDefense solutions to secure and manage wireless networks around the globe.
For more information or feedback on this white paper, please contact:
AirDefense, Inc.
4800 North Point Parkway
Suite 100
Alpharetta, Georgia 30022
Email: www.airdefense.net
Phone: 770.663.8115
All trademarks are the property of their respective owners.