Bluetooth is not a dental condition

Opinion
Feb 26, 20095 mins

* NIST guide to Bluetooth security

Computer scientists Karen Scarfone of the Computer Security Division of the Information Technology Laboratory at the NIST has collaborated with John Padgette, an associate at Booz Allen Hamilton to write a new Special Publication entitled “Guide to Bluetooth Security,” which summarizes the security issues and provides recommendations for protecting sensitive information carried via these wireless systems.

Technical jargon can sometimes cause confusion or amusement among non-technical friends; for example, it still amuses my wife to hear that I am going to the Vermont InfraGard meeting – she persists in claiming that it sounds like a brand of deodorant.

Bluetooth technology “is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost. The Bluetooth specification defines a uniform structure for a wide range of devices to connect and communicate with each other.” 

Computer scientists Karen Scarfone of the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) has collaborated with John Padgette, an associate at Booz Allen Hamilton to write a new (September 2008) Special Publication entitled “Guide to Bluetooth Security” (NIST SP800-121), which summarizes the security issues and provides recommendations for protecting sensitive information carried via these wireless systems.

The brief (43-page) document provides an overview of the technology. The diagrams in section 2 are excellent and indeed, the entire publication can serve instructors well for courses on data communications and network security.

The recommendations, which are discussed in detail, are as follows (I am quoting directly from the Executive Summary):

• Organizations should use the strongest Bluetooth security mode available for their Bluetooth devices.

The Bluetooth specifications define four security modes, and each version of Bluetooth supports some, but not all, of these modes. The modes vary primarily by how well they protect Bluetooth communications from potential attack. Security Mode 3 is considered the strongest mode because it requires authentication and encryption to be established before the Bluetooth physical link is completely established. Security Modes 2 and 4 also use authentication and encryption, but only after the Bluetooth physical link has already been fully established and logical channels partially established. Security Mode 1 provides no security functionality. The available modes vary based on the Bluetooth specification versions of both devices, so organizations should choose the most secure mode available for each case.

• Organizations using Bluetooth technology should address Bluetooth technology in their security policies and change default settings of Bluetooth devices to reflect the policies.

A security policy that defines requirements for Bluetooth security is the foundation for all other Bluetooth-related countermeasures. The policy should include a list of approved uses for Bluetooth, a list of the types of information that may be transferred over Bluetooth networks, and requirements for selecting and using Bluetooth personal identification numbers (PIN). After establishing Bluetooth security policy, organizations should ensure that Bluetooth devices’ default settings are reviewed and changed as needed so that they comply with the security policy requirements. For example, a typical requirement is that unneeded Bluetooth profiles and services be disabled to reduce the number vulnerabilities that attackers could attempt to exploit. When available, a centralized security policy management approach should be used to ensure device configurations are compliant.

• Organizations should ensure that their Bluetooth users are made aware of their security-related responsibilities regarding Bluetooth use.

A security awareness program helps users to follow security practices that help prevent security incidents. For example, users should be provided with a list of precautionary measures they should take to better protect handheld Bluetooth devices from theft. Users should also be made aware of other actions to take involving Bluetooth device security, such as ensuring that Bluetooth devices are turned off when they are not needed to minimize exposure to malicious activities, and performing Bluetooth device pairing as infrequently as possible and ideally in a physically secure area where attackers cannot observe key entry and eavesdrop on Bluetooth pairing-related communications.

As usual, the SP provides clear, up-to-date information on all aspects of the topic. For example, Table 4-1 summarizes “Key Problems with Existing (Native) Bluetooth Security” and provides an explanation of each one. The problems (minus the explanations) are as follows:

Versions Before Bluetooth v1.21 Unit key is reusable and becomes public once used.

2 Unit key sharing can lead to eavesdropping.

Versions Before Bluetooth v2.13 Short PINs are allowed.

4 PIN management is lacking.

5 Encryption keystream repeats after 23.3 hours of use.

All Versions6 Link keys are stored improperly.

7 Attempts for authentication are repeated.

8 Strength of the challenge-response pseudo-random generator is not known.

9 Encryption key length is negotiable.

10 The master key is shared.

11 No user authentication exists.

12 The E0stream cipher algorithm used for Bluetooth encryption is weak.

13 Privacy may be compromised if the Bluetooth device address (BD_ADDR) is captured and associated with a particular user.

14 Device authentication is simple shared-key challenge-response.

15 End-to-end security is not performed.

16 Security services are limited.

17 Discoverable and/or connectable devices are prone to attack.

Section 4.2 lists and defines Bluetooth threats, which I am paraphrasing:

Bluesnarfing: forcing a connection to a Bluetooth device for complete control, including routing “all incoming calls from the user’s device to the attacker’s device”Bluejacking: similar to phishing via mobile phoneBluebugging: exploiting firmware flaws to gain control of the phoneCar Whisperer: man-in-the-middle control of automobile hands-free phone equipmentDenial of Service: saturating bandwidth, disabling the device, draining the battery (“These types of attacks are not significant and, due to the proximity required for Bluetooth use, can usually be easily averted by simply walking away.”Fuzzing Attacks: seeing how the equipment reacts to non-standard data and then using the newly-discovered mechanisms for new attack tools

Once again, congratulations to the NIST team!