Building around Bluetooth

Increasing support for Bluetooth is prompting companies to take notice and assimilate the technology into their security and purchasing policies, says Meta Group's Peter Firstbrook

  • E-Mail
By  Richard Agnew Published  December 8, 2003

|~||~||~|Bluetooth is quietly creeping into numerous mainstream consumer products and computing devices. End-user demand will begin to force IT organisations (ITOs) to buy and support Bluetooth devices. Prescient ITOs will attempt to get ahead of the demand by creating policy and purchasing criteria for Bluetooth products.

Short-range wireless Bluetooth technology is being embedded into numerous consumer devices, from laptops and cell phones to cars. Bluetooth now has broad support in operating systems (OSs). In 3Q02, Microsoft announced native Bluetooth support in Windows XP - joining Pocket PC, Windows CE .Net, Apple (Mac OSX), Palm, and most cell phone OSs.

A corollary of Metcalf's law - the value of a network is a function of the number of nodes on it - is that early adopters of network technology are usually frustrated by the lack of counterparts with which to communicate. During 2004/05, we expect ITOs to face increasing end user demand for Bluetooth-enabled office products and support to allow communications with consumer devices owned by end users.

ITOs should develop some technical expertise in Bluetooth to create corporate usage policies and advise users about compatibility, security and usability limitations of these devices. They should also define the benefits and costs of Bluetooth to the business to influence corporate adoption rates. In some organisations, the IT group will even have a role in testing, developing, and supporting industrial applications for Bluetooth. The primary avenues of Bluetooth infiltration into the enterprise will be via cell phones, laptops, and personal digital assistants (PDAs). The number of Bluetooth devices expected to ship in 2003 is estimated at between 100 million and 125 million, and Meta expects shipments to increase 75% annually until 2005. The mobile phone market consumes 80% of Bluetooth chips.
In 2003, approximately 20% of mobile phones will ship with Bluetooth, and we expect this number to increase to 50% by 2006. Bluetooth for PCs - via USB dongel - and laptops - embedded or via PCMCIA or USB- will be the focus of 2004 as users request wireless synchronisation with mobile devices.

The utility of Bluetooth will also spark an increased demand for mobile e-mail. Closely following in 2005, users will expect Bluetooth enabled-printers - internal or via flash slots - at least in public spaces. By 2006/07, ultra wideband (UWB) technology may challenge Bluetooth where very high bandwidth is necessary. Despite infighting on the technical proposals, UWB standards are still on track for late 2004.

Bluetooth is a short-range (10 metres) wireless cable replacement designed primarily to enable two devices to communicate with each other at speeds of up to 1Mbits/s. It is not a replacement for 802.11. Wi-Fi is a networking technology designed to allow multiple computers to wirelessly connect to the network. 802.11b and 802.11g operate in the same spectrum as Bluetooth and will cause interference.
Bluetooth has a more offensive strategy for dealing with interference to accommodate voice traffic. Since late packets in voice traffic are unacceptable, Bluetooth blasts away small packets while frequency hopping across 79 channels, not stopping to resend lost packets. The result is what appears to be noise to the more polite network citizen, 802.11, which uses a request-to-send / clear-to-send scheme.
Numerous Bluetooth devices in one area could also crowd out 802.11.

However, point applications can use both technologies in the same device without serious interference due to the limited traffic of each. The next version of Bluetooth, V.1.2, currently prototyping, with GA due in 4Q03) will employ adaptive channel hopping, resulting in less contention with Wi-Fi. Moreover, contention with Bluetooth will decrease further when Wi-Fi migrates to dual band technology.
The Bluetooth stack goes well beyond simple link-layer technology by including bits of code, named 'profiles,' that developers input into applications to achieve 23 common tasks. This does not mean, however, that all applications will support Bluetooth in the same way.
There is plenty of opportunity for poor implementation to impede usability, compatibility and security, but profiles do solve numerous implementation issues. The Bluetooth Special interest Group (SIG) has created a '5-Minute Ready' programme that provides best-practice advice to device developers. The goal is to create programmes that enable users to understand the functionality of a Bluetooth feature in five minutes or less. This should ease the support burden for ITOs, but there will still be plenty of application-layer issues to contend with.

The Bluetooth SIG spent considerable time developing a comprehensive security model for link-level protection - 128-bit encryption, device authentication and authorisation - from the ground up. Still, for high trust requirements, application developers or ITOs should overlay application security on top of the link-level security to enable end-to-end protection.

The limited range of Bluetooth and automatic power-level adjustment, which limits the radius of a signal, makes remote eavesdropping more difficult. However, Class 3 radios exist to boost the receptive range of Bluetooth to 100 metres. Bluetooth devices can create ad hoc links with authenticated peers or permanent links, called 'pairing', which eliminates a repeated authentication process for trusted devices, for example, a headset and a phone. The weakest link in Bluetooth security occurs when pairing devices.

Pairing uses the Bluetooth address of the device - a fixed address established by the manufacturer - and a personal ID number (PIN) to establish a link key, which then becomes the shared secret for subsequent communication. During pairing, it is possible for a hacker to guess a short PIN and thus the link key, and then eavesdrop on all future conversations or impersonate devices in the pairing.
It is not trivial to guess the link key, and this interaction is only minutes long, but users should be advised to use long PIN numbers and conduct pairing of devices in as private a location as possible.
Security may also be affected by application or end-user settings. Some devices are discoverable by default, so that other devices can attempt to communicate with them, and some allow full OS rights to peers by default once connected. Devices should be discoverable only when they are used to communicate with others, and rights assigned to peers should be limited.

Users may impede security by allowing unauthenticated access rights to speed file-transfer operations with peers. This practice can create an opportunity for hackers to quietly drop off Trojan horse files or viruses. Currently, there are no known practical exploits of Bluetooth security vulnerabilities, though at least one programme exists - Redfang - to discover devices by testing sequential addresses in a given range.

Given sufficient time, it is possible for this exploit to expose the device address and attempt a pairing. A shared PIN is still required to gain rights on the attacked machine. As with any system, vulnerabilities are exposed at a faster rate as the technology gets into the hands of more users and developers. ITOs should investigate Bluetooth security features of devices and advise end users regarding best practices to minimise security risks. In general, it is a good practice to assume that Bluetooth is unsafe for high trust environments until it is proven trustworthy.

Broad industry support for Bluetooth is now a reality and the number of products that support it are increasing dramatically. ITOs should develop some technical expertise in Bluetooth to create a corporate usage policy and to advise users about compatibility, security, and usability limitations of these devices. ITOs should also define the benefits and costs of Bluetooth to the business to influence corporate adoption rates.

Peter Firstbrook is a senior research analyst with the Meta Group. Meta Group is a leading research and consulting firm, focusing on information technology and business transformation strategies.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code