In any wireless networking setup, security is a concern. Devices can easily grab radio waves out of the air, so people who send sensitive information over a wireless connection need to take precautions to make sure those signals aren't intercepted. Bluetooth technology is no different — it's wireless and therefore susceptible to spying and remote access, just like WiFi is susceptible if the network isn't secure.
With Bluetooth, though, the automatic nature of the connection, which is a huge benefit in terms of time and effort, can also be a benefit to people looking to send you data without your permission.
Bluetooth offers several security modes, and device manufacturers determine which mode to include in a Bluetooth-enabled gadget. In almost all cases, Bluetooth users can establish "trusted devices" that can exchange data without asking permission.
When any other device tries to establish a connection to the user's gadget, the user has to decide whether or not to allow it. Service-level security and device-level security work together to protect Bluetooth devices from unauthorized data transmission. Security methods include authorization and identification procedures that limit the use of Bluetooth services to the registered user and require that users make a conscious decision to open a file or accept a data transfer.
As long as these measures are enabled on the user's phone or other device, unauthorized access is unlikely. A user can also simply switch his Bluetooth mode to "non-discoverable" and avoid connecting with other Bluetooth devices entirely. If a user makes use of the Bluetooth network primarily for syncing devices at home, this might be a good way to avoid any chance of a security breach while in public.
Still, early cell-phone virus writers took advantage of Bluetooth's automated connection process to send out infected files.
However, since most phones use a secure Bluetooth connection that requires authorization and authentication before accepting data from an unknown device, the infected file typically doesn't get very far.
When the virus arrives in the user's cell phone or smartphone, the user has to agree to open it and then agree to install it.
This has, so far, stopped most cell-phone viruses from doing much damage. Other problems like "bluejacking," "bluebugging" and "car whisperer" have turned up as Bluetooth-specific security issues.
Bluejacking involves Bluetooth users sending messages to other Bluetooth users within range. Although sensitive information may not be revealed, unwanted messages may show up on your device. Bluesnarfing is similar to bluejacking, but the messages sent out include code that forces the receiving phone to reply, sending back contact information [source: Mobile Resource Group].
Bluebugging allows hackers to remotely access a user's phone and use its features, including placing calls and sending text messages, and the user doesn't realize it's happening.

Bluetooth is best known as the wireless technology that powers hands-free earpieces and connects your phone to audio, navigation, and electronics through the Internet of Things (IoT).
While most of the problems identified five to ten years ago have been resolved by now, some remain. And there's also good reason to be cautious about new, as-yet-undiscovered problems.
Here are a few examples of the mobile security threats to which Bluetooth makes us vulnerable, along with tips to secure your mobile workforce devices. Potential impacts could include charges for expensive premium-rate or international calls, theft of sensitive data or drive-by malware downloads. Bluetooth encryption is supposed to stop criminals listening in to your data or phone calls.
To combat this threat: ban devices that use Bluetooth 1.
For example, security researcher Joshua Wright demonstrated the use of such an antenna to hack a Bluetooth device in a Starbucks from across the street. Wright has also demonstrated serious flaws in many popular Bluetooth headsets. By exploiting these vulnerabilities, attackers can eavesdrop on your conversations with the people around you, not just your phone calls. Built-in hands-free car kits can also be vulnerable. The device becomes, in effect, a mobile bugging device, transmitting everything it hears to an attacker.
To combat this threat: make sure you change the default PIN code to something hard to guess. Keep in mind, mobile devices present a variety of risks that need to be addressed, and Bluetooth security is just one often-overlooked piece of the mobile security puzzle.
Denial of service
Malicious attackers can crash your devices, block them from receiving phone calls and drain your battery.
To combat this threat: once again, switch off your Bluetooth when not in use!

The Bluetooth protocol comprises a number of protocols, which can be divided into four categories.
Each of these protocols is responsible for a specific type of task and stands on its own. In the previous Bluetooth article we talked about the basic terms, the specific values of power, frequency and range, and the concept of masters, slaves, piconets and scatternets forming an ad-hoc network. This part of the series will deal with the protocols responsible for the working of Bluetooth technology.
The four categories into which these protocols are divided are shown below.
Bluetooth Core Protocols
The baseband enables the radio frequency link between Bluetooth devices to form a piconet. In Bluetooth, information is exchanged in packets. A packet is a binary data unit that carries the information required by the user and can be routed through a computer network. Both circuit switching and packet switching are used to transfer packets in the network.
Packet-switched networks move data in separate, small blocks — packets — based on the destination address in each packet. When received, packets are reassembled in the proper sequence to make up the message.
Circuit-switched networks require dedicated point-to-point connections during calls and are generally used in telephone exchanges.
The Link Manager Protocol
The Link Manager Protocol (LMP) is responsible for setting up a link between two Bluetooth devices.
This protocol layer is responsible for security issues like authentication, encryption, and exchanging and checking the link and encryption keys. The Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) supports higher-level protocol multiplexing, segmentation and reassembly of packets, and the conveying of quality of service information and groups. This layer is not itself responsible for reliability and relies on ARQ (automatic repeat request) to ensure it. The Service Discovery Protocol (SDP) is the basis for discovery of services on all Bluetooth devices. This is essential for all Bluetooth models because with SDP, device information, services and the characteristics of the services can be queried, and after that a connection between two or more Bluetooth devices may be established.
Other service discovery protocols such as Jini, UPnP, etc.
Cable Replacement Protocol
The cable replacement protocol is a simple transport protocol with additional provisions for emulating the nine circuits of RS serial ports over the L2CAP part of the Bluetooth protocol stack. It supports a large base of applications that use serial communication. It provides a reliable data stream, multiple connections, flow control and serial cable line settings.
Telephony Control Protocol Specification Binary (TCS Binary)
The TCS Binary protocol defines the call control signaling for the establishment of speech and data calls between two Bluetooth devices. It is a bit-oriented protocol. The Host Controller Interface (HCI) provides a command interface to the baseband controller and link manager, and access to the hardware status and control registers.
The interface provides a uniform method of accessing the Bluetooth baseband capabilities. The HCI transport layer removes transport dependencies and provides a common driver interface.
These are used as the lower-layer protocols for transporting packets or datagrams to their specified IP addresses. This protocol is also utilized by Bluetooth, enabling applications to use either the Bluetooth radio or IrDA technologies. Each of these protocols is arranged neatly as a layer, one above the other, forming a stack of protocols.
A stack is a pile of objects or things arranged neatly. Hence, Bluetooth is described as a layered protocol architecture because each layer supports the layers above and below it. The complete protocol stack consists of both Bluetooth-specific protocols, which were clearly defined or developed for Bluetooth, like LMP, and non-Bluetooth-specific protocols that were adopted to enable the re-use of existing protocols for various functions.
These were used to speed up the development of the Bluetooth protocol at the higher layers while adapting them to work with Bluetooth devices and ensuring interoperability.

The Bluetooth specification is huge and quite complex. As a researcher, it helps when looking at the various Internet of Things (IoT) devices to understand what a vendor of an IoT device actually implemented.
This is important when one has to deal with environments where older and less secure Bluetooth implementations on older IoT devices have to interact with the new IoT devices which are capable of better security, and you have to determine what security is actually being used. Before we explain current Bluetooth security, we should go back in time a bit.
Bluetooth was invented inbut really came into use during the s. There is no one Bluetooth protocol; it is a collection of different protocols grouped together under a single specification. In an effort to explain a concept like LE Privacy, we must explain a chunk of the Bluetooth history of security implementations. Eventually, these were combined in Bluetooth 4.
Remember that comment about Bluetooth being complex? The current standard, as of this writing, is Bluetooth 5 there is no 5. As we will see later on, a lot of IoT vendors try to support legacy authentication protocols dating back as far as Bluetooth 2.
In the OSI Model, there are seven layers—yes I can hear you groaning—but I just need to reference a few of them quickly. It is responsible for pairing, encryption and signing. As mentioned earlier, with Bluetooth 4.
These are simply groupings of characteristics, but their nature affects the security aspect of various devices, so it helps to know the background. Bluetooth Smart is implemented on peripheral devices like headphones, speakers, fitness trackers, medical devices and so on.
These devices are battery-powered and often pair to devices that they may lose contact with for extended periods of time. They may only require periodic connection to their paired host, like during data transfer. Additionally, they can maintain a pairing despite long sleep periods between wake modes—even preventing a second device from pairing. Bluetooth Smart Ready devices are those that can talk to Bluetooth Smart devices and use all of their capabilities.
Your smartphone or laptop is a good example of a Bluetooth Smart Ready device. If you have an old Bluetooth 2. For example, how does one maintain pairing in a secure fashion between a computer and a fitness tracker that will periodically upload its data? There are also four security levels, appropriately numbered 1 through 4, with 4 being the most secure. Yes, you can mix levels and modes.
Secure Connection Only Mode is Secure Mode 1 with Security Level 4, meaning that all incoming and outgoing traffic in a Bluetooth device involves authenticated connections and encryption only.

Bluetooth is the invisible glue that binds devices together.
Which means that when it has bugs, it affects everything from iPhones and Android devices to scooters and even physical authentication keys used to secure other accounts. As with any computing standard, there's always the possibility of vulnerabilities in the actual code of the Bluetooth protocol itself, or in its lighter-weight sibling Bluetooth Low Energy. But security researchers say that the big reason Bluetooth bugs come up has more to do with the sheer scale of the written standard—development of which is facilitated by the consortium known as the Bluetooth Special Interest Group.
Bluetooth offers so many options for deployment that developers don't necessarily have full mastery of the available choices, which can result in faulty implementations.
Bluetooth, as you probably know from your portable speaker, wireless keyboard, or toothbrush, allows two proximal devices to connect to each other over the air.
The pairing can last however long both devices are in use, as with a fitness tracker and smartphone. Or it can be temporary, a way of setting a device up or authenticating a user.
Bluetooth Low Energy is a condensed version of the protocol for devices that have limited computing and power resources. Fundamentally, both Bluetooth and BLE open up a channel for two devices to communicate—an extremely useful arrangement, but one that also opens the door for dangerous interactions. Without strong cryptographic authentication checks, malicious third parties can use Bluetooth and BLE to connect to a device they shouldn't have access to, or trick targets into thinking their rogue device is a trusted one.
Ken Kolderup, vice president of marketing at the Bluetooth SIG, says that the group is very aware of the challenge and importance of training developers to get a handle on Bluetooth's massive scope. He says the documentation is so extensive because the protocol doesn't only define a radio frequency layer for Bluetooth, but also has components at every layer of tech, from hardware up through applications, to guarantee interoperability between Bluetooth devices. The standard offers operational modes for everything from no security all the way up to AES encryption or 'secure connections only' mode.
We've put into it as much as the community has asked for. A recent example, though, helps illustrate how the process can break down. The device had been designed to use a Bluetooth Low Energy configuration called "Just Works Mode," which lets devices pair without any passwords or other cryptographic protections. As a result, McAfee researchers could connect to any lock, analyze the device's BLE commands, and discern which gave the unlock order.
Further, BoxLock had configured this command to be in read-write mode, so once the attackers knew what to target, they could initiate an unlock.
BoxLock has since patched the vulnerabilities. BoxLock ran into two common Bluetooth issues. It deployed a relatively insecure version of it for a device—a lock—that demands heightened security. And it made life easier for hackers by leaving Bluetooth traffic out in the open. Part of this is the fact that Bluetooth has not been as comprehensively studied by the security community as some things, and it's not as clear to vendors and manufacturers what the potential flaws are.
Bluetooth has certainly been investigated to a degree, but researchers say that the lack of intense scrutiny historically stems again from just how involved it is to even read the standard, much less understand how it works and all the possible implementations. On the plus side, this has created a sort of security by obscurity, in which attackers have found it easier to develop attacks against other protocols and systems rather than taking the time to work out how to mess with Bluetooth.
Many device manufacturers have engineered around this by designing their own security as a kind of 'add on' layer that they use over Bluetooth. This is probably wise, given what a mess the protocol itself has been. But in recent years, the Bluetooth standstill has begun to erode.
After high-profile vulnerabilities like BlueBorne, researchers are increasingly focused on raising awareness about Bluetooth implementation and configuration issues.
And attackers are starting to consider Bluetooth as a real option for launching attacks.

In the Bluetooth Core specification, there are three major architectural layers: Controller, Host and Application.
In the Host layer, there is a module called the Security Manager (SM), which defines the methods and protocols for pairing and key distribution and the corresponding security toolbox, and the Security Manager Protocol (SMP), which defines the pairing command frame format, frame structure and timeout restrictions. The Security Manager uses a key distribution approach to perform identity and encryption functions in radio communication.
Pairing is performed to establish keys which can then be used to encrypt a link. A transport-specific key distribution is then performed to share the keys. The keys can be used to encrypt a link in future reconnections, verify signed data, or perform random address resolution. In general, pairing has three phases. In the Bluetooth 4. Figure 1 is a pairing flowchart which applies to both legacy pairing and secure connections.
Today, we will look at Phase 1: Pairing Feature Exchange. After combining the Input and Output capabilities, here is a matrix defining what IO capabilities the Bluetooth device should have.
OOB, or Out-of-Band, uses an external means of communication to exchange some information used in the pairing process. Bonding is the exchange of long-term keys after pairing occurs, and storing those keys for later use — it is the creation of permanent security between devices. Pairing is the mechanism that allows bonding to occur. This blog focuses on the procedure for the pairing feature exchange—if you are interested in MITM, please refer to the Bluetooth Core Specification v4.
So this flag is an indicator used to determine the Phase 2 pairing method. The keypress field is a 1-bit flag that is used only in the Passkey Entry protocol and is ignored in other protocols. We will go into this in the next blog article. These two fields have the same definition, as below. I will explain them when we talk about key distribution in a future blog in this series. When the pairing feature exchange starts, the initiator and responder exchange their pairing feature information with each other through the Pairing Request and Pairing Response.
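Added example, not code from the original post or from the Bluetooth SIG: a small Python decoder for the Pairing Request and Pairing Response PDUs exchanged in this phase, which applies the Core Specification's OOB, MITM-flag and IO-capability rules to pick the Phase 2 method and reports the LE Security Mode 1 level the link will reach, so a "Just Works" configuration like the BoxLock one discussed earlier can be recognised from a captured exchange. The PDU layout, AuthReq bit positions and IO-capability matrix are assumed from Vol 3, Part H of the Core Specification; the sample PDUs are constructed.

```python
# Added example, not the original post's code: decode an SMP Pairing Request /
# Pairing Response pair and derive the Phase 2 pairing method and the resulting
# LE Security Mode 1 level.  Layout assumed from Core Spec Vol 3 Part H (SMP).
from dataclasses import dataclass

PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}

@dataclass
class PairingFeatures:
    io_cap: str          # IO Capability octet
    oob: bool            # OOB Data Flag octet (0x01 = OOB data present)
    bonding: bool        # AuthReq bits 0-1 (01 = bonding requested)
    mitm: bool           # AuthReq bit 2: MITM protection requested
    sc: bool             # AuthReq bit 3: LE Secure Connections supported
    keypress: bool       # AuthReq bit 4: keypress notifications (Passkey Entry)
    max_key_size: int    # Maximum Encryption Key Size, 7..16 octets
    init_keys: int       # Initiator Key Distribution bitmap
    resp_keys: int       # Responder Key Distribution bitmap

def parse_pairing_pdu(pdu: bytes, code: int) -> PairingFeatures:
    """Parse a 7-octet SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] != code:
        raise ValueError("expected SMP opcode 0x%02x" % code)
    auth = pdu[3]
    return PairingFeatures(IO_CAPS[pdu[1]], pdu[2] == 0x01,
                           (auth & 0x03) == 0x01, bool(auth & 0x04),
                           bool(auth & 0x08), bool(auth & 0x10),
                           pdu[4], pdu[5], pdu[6])

def io_capability_method(caps: set, sc: bool) -> str:
    """Pairing method from the spec's IO-capability matrix for the two devices."""
    if "NoInputNoOutput" in caps:
        return "Just Works"
    if "KeyboardOnly" in caps:
        return "Passkey Entry"          # one side types, the other displays/types
    if "DisplayOnly" in caps:
        return "Passkey Entry" if "KeyboardDisplay" in caps else "Just Works"
    if sc:                              # DisplayYesNo / KeyboardDisplay pairs
        return "Numeric Comparison"
    return "Passkey Entry" if caps == {"KeyboardDisplay"} else "Just Works"

def assess_pairing(req: bytes, rsp: bytes) -> dict:
    """Select the method and LE Security Mode 1 level for a request/response pair."""
    i, r = parse_pairing_pdu(req, PAIRING_REQUEST), parse_pairing_pdu(rsp, PAIRING_RESPONSE)
    sc = i.sc and r.sc                  # SC is used only when both support it
    # Legacy pairing needs OOB data on both sides; SC needs it on at least one.
    if (i.oob or r.oob) if sc else (i.oob and r.oob):
        method = "OOB"
    elif not (i.mitm or r.mitm):
        method = "Just Works"           # nobody asked for MITM protection
    else:
        method = io_capability_method({i.io_cap, r.io_cap}, sc)
    key_size = min(i.max_key_size, r.max_key_size)
    authenticated = method != "Just Works"
    if not authenticated:
        level = 2                       # unauthenticated pairing with encryption
    elif sc and key_size == 16:
        level = 4                       # authenticated LE SC with a 128-bit key
    else:
        level = 3                       # authenticated legacy pairing or short key
    return {"method": method, "secure_connections": sc, "key_size": key_size,
            "authenticated": authenticated, "mode1_level": level,
            "bonding": i.bonding and r.bonding}

# Constructed samples: a phone (KeyboardDisplay, bonding|MITM|SC, 16-octet key)
# pairing with a NoInputNoOutput lock that never requests MITM, and a DisplayOnly sensor.
PHONE_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x0F, 0x0F])
LOCK_RSP = bytes([0x02, 0x03, 0x00, 0x09, 0x10, 0x01, 0x01])
SENSOR_RSP = bytes([0x02, 0x00, 0x00, 0x0D, 0x10, 0x01, 0x01])
```

The lock case lands on Just Works and Mode 1 Level 2 even though the phone asked for MITM protection, because a responder with no input or output cannot take part in any authenticated method.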
With a handful of protocols leading the Internet of Things, Bluetooth security for IoT becomes extremely important.
From consumer to industrial-focused IoT, by leveraging mesh networks Bluetooth Low Energy is helping build Industry 4. Companies that build IoT devices for a large number of users should test for security vulnerabilities during product development.
With Bluetooth 5. But when you connect your safety-critical systems, your consumer products and your daily workflow using Bluetooth Low Energy, how secure is Bluetooth? The short answer? Very big. But you probably already knew that. According to SecurityWeek, he used a Raspberry Pi to connect to the WiFi network and download the numbers of many Bluetooth-connected devices, including his teddy bear.
He then used that information to hack into his bear and turn on lights remotely, as well as recording a message from the audience.
With the release of Bluetooth 5, there are several new features designed to expand the features and capabilities of Internet of Things (IoT) devices. Here are just a few of the new features, according to SecurityIntelligence:
While these improvements mean that using Bluetooth for connected devices instead of WiFi becomes more feasible, it also opens up other security concerns.
The increased bandwidth and connection distance means that an attacker can access Bluetooth connections from even further away than before. And with the new 2 Mbps data transfer speed, they could get the data they need and be off before you even notice. While many have been patched over the years as the Bluetooth protocol has matured, many vulnerabilities still exist even in the most recent version of Bluetooth.
Here is a selection of current security limitations: For even more Bluetooth attacks and vulnerabilities, see this paper. A report from Trinity College Dublin lays out a list of security vulnerabilities inherent in wireless and Bluetooth connections. See the report for the full list, but some of the more unsettling implications are described below: What exactly is a Man in the Middle attack?
So how do we protect against this? There are three levels of MITM encryption you can use: Further reading on MITM: While using a strong passkey can help protect against MITM attacks, Slawomir Jasek from the security firm SecuRing warns that it does not protect against passive eavesdropping. Passive eavesdropping is a little different from MITM because it does not seek to change or impersonate the data.
It simply sits there, watching and gathering information. In fact, Jasek mentions that up to 80 percent of Bluetooth smart devices are vulnerable to MITM attacks because companies often do not implement bonding and encryption standards. Since Bluetooth 2. Of course, you should always check the MAC address, but that can be spoofed. Data transmission over Bluetooth LE in version 5.
This encryption is performed in the Bluetooth Controller. According to the Bluetooth Specification Version 5. Each security level satisfies the requirements for the levels below it, e.g. LE Security Mode 1 Level 4 satisfies the requirements for Levels 1, 2 and 3. LE Security Mode 2 is only used for connection-based data signing (transferring data between two devices on an unencrypted connection).