Mobile Application Security : Bluetooth Security - Overview of the Technology

5/30/2011 5:28:34 PM
Bluetooth’s functionality and ubiquity on mobile devices provide some exciting opportunities for mobile application developers, but as is often the case with technology, as the use of Bluetooth has increased, so have related security problems. A variety of issues, from weaknesses in the specifications to implementation flaws, have put Bluetooth security in the news, with these security issues resulting in the loss of private data, eavesdropping, and unauthorized device control.

This article provides an introduction to Bluetooth’s operation and security characteristics. Common threats and security vulnerabilities are covered, as are recommendations for controlling the risk and increasing the security of Bluetooth-enabled devices and applications.

History and Standards

Bluetooth was originally conceived as an internal project at Ericsson Mobile Communications to create a wireless keyboard system. The technology proved to be useful for other objectives, and additional work was performed within Ericsson to apply the wireless connectivity to more generic purposes. To further the development and acceptance of the technology, the Bluetooth Special Interest Group (SIG) was formed in 1998 to help shepherd the emerging standard and promote the spread of Bluetooth to other practical applications (Bluetooth Security, p. 3). Since 1998, the Bluetooth SIG has administered and published the Bluetooth specifications and managed, marketed, and evangelized the technology.

Note

The book Bluetooth Security (Artech House, 2004), by Christian Gehrmann, Joakim Persson, and Ben Smeets, is referenced numerous times in this chapter.


There have been a number of official specification releases by the SIG, starting with 1.0 and leading to the most recent version, 2.1, which was made official in July 2007. In addition to the management of the official specifications by the Bluetooth SIG, IEEE working group 802.15 is tasked with standards for wireless personal area networks (WPANs), which include Bluetooth technology. IEEE project 802.15.1 is the WPAN standard based on Bluetooth’s specification (www.ieee802.org/15/pub/TG1.html).

Common Uses

Certainly Bluetooth has come a long way since its humble origins (and rather limited scope). In 2008, the number of Bluetooth devices in the market exceeded 2 billion, according to a May 2008 press release from the Bluetooth SIG. The variety of usage scenarios continues to expand, although mobile phone headsets are still the most common use. Other uses for Bluetooth technology include:

  • Wireless keyboard, mouse, and printer connectivity

  • Device synchronization (for example, PDA to desktop)

  • File transfer (for example, camera phone to desktop or photo printer)

  • Gaming console integration (including Nintendo Wii remotes and Sony PS3 headsets)

  • Tethering for Internet access (using a data-enabled mobile phone as a modem for Internet access from a laptop, with Bluetooth providing inter-device connectivity)

  • Hands-free and voice-activated mobile phone kits for cars

Alternatives

Although it’s likely the most common option for personal area networking, Bluetooth is not the only choice. Numerous options exist and are being developed to provide alternatives to Bluetooth. A few of the more significant choices are discussed here briefly, although because Bluetooth is aimed at providing wireless cable replacement, wired alternatives such as serial and USB are not considered.

  • Certified Wireless USB: A short-range, high-bandwidth solution designed to allow interoperability with/replacement of standard (wired) USB (see www.usb.org/developers/wusb/). A number of vendors have introduced or announced compatible products, and it is likely that the popularity of wired USB will carry over to Certified Wireless USB.

  • IrDA (Infrared Data Association): A specification for wireless communications via infrared transmission (see http://irda.org/). Many laptops, printers, and PDAs support IrDA, and external adapters are inexpensive. Additionally, data transmission rates for IrDA are higher than Bluetooth (up to 16Mbps). However, because infrared communications require line of sight between communicating systems, IrDA only lends itself to applications where endpoints are relatively immobile, which contradicts some of the flexibility and operational goals of a WPAN.

  • ZigBee: Wireless networking technology based on the IEEE 802.15.4 standard (see www.zigbee.org/en/). ZigBee is marketed toward monitoring and sensory applications, versus the typical personal use cases with which Bluetooth is most often associated.

  • Kleer: Kleer, a semiconductor company, has created an alternative to Bluetooth that also uses the Industrial Science and Medical (ISM) band (see www.kleer.com/products/wirelessaudiofaq.php). Kleer’s technology is currently focused on audio (although video and other data are supported). Kleer technology has been sold under the RCA brand, and the company has also forged a deal with Thomson to supply RF technology for Thomson’s wireless headsets.

    Note

    For more on the rivalry between Bluetooth and Kleer’s technology, see Richard Nass’s article “Bluetooth Competition Heats Up” (http://embedded.com/columns/esdeic/197008829).


  • 802.11 a/b/g/n: Standard WLAN technology can be employed for some of Bluetooth’s standard uses, but 802.11 is typically used for infrastructure connectivity where clients need full network connectivity (typically TCP/IP). Additionally, cost, power consumption, and configuration complexity will tend to be much higher with 802.11 systems. It is expected that both 802.11 wireless networking and Bluetooth will continue to develop and thrive in their respective target markets without a great deal of functional crossover between the two technologies.

  • HiperLAN (1 and 2): A wireless networking standard managed by the European Telecommunications Standard Institute (ETSI). More similar in functionality to 802.11 wireless networking, HiperLAN technology has been around since the early 1990s, but its market penetration is nowhere near either Bluetooth or 802.11 WLAN.

    Note

    For more on the HiperLAN standard, see the ETSI website (www.etsi.org/website/technologies/hiperlan.aspx).


  • HomeRF: An obsolete wireless networking specification that was intended to provide personal device connectivity. The working group that managed the specification was disbanded as 802.11 and Bluetooth became more widespread.

Although there are a number of alternatives, the market momentum of Bluetooth, in conjunction with its well-organized and well-supported SIG, will make Bluetooth an ideal choice for WPAN connectivity for mobile application developers for the foreseeable future.

Future

The most current Bluetooth version is v2.1 + EDR, which was published in July 2007. The next major release (likely to be v3.0, code-named “Seattle”) is designed to have much higher transmission speeds and faster connection speeds, and may include support for Ultra-Wideband (UWB) and WLAN technology. In addition, versions using even lower power levels are on the Bluetooth roadmap (see www.wirelessweek.com//Bluetooth-SIG-2009-Update.aspx).
