ITL Bulletin for November 2008

[InfoSec News <alerts () infosecnews org>]

Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>

ITL BULLETIN FOR NOVEMBER 2008

BLUETOOTH SECURITY: PROTECTING WIRELESS NETWORKS AND DEVICES


Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce

Wireless devices and networks provide practical, cost-effective access 
to online information and to voice communications for many people. 
Bluetooth technology, which was originally developed in the 1990s, is 
the foundation for wireless personal area networks (WPANs), also 
referred to as ad hoc or peer-to-peer (P2P) networks. Bluetooth 
technology has been integrated into many types of business and consumer 
devices, such as cellular phones, personal digital assistants (PDAs), 
laptops, automobiles, printers, and headsets.Β 

With their wireless devices, users are able to form ad hoc networks that 
support voice and data communications. They can share applications 
between devices, and send information to their printers and other 
peripheral devices without the need for cable connections. Using PDAs 
and cell phones, users can update and synchronize their personal 
databases in address books and calendars that are on different devices, 
and they can gain access to network services such as wireless email and 
web browsing. All of these capabilities offer innovative approaches and 
cost savings for government, retail, manufacturing, public safety, and 
many other applications.

The Information Technology Laboratory of the National Institute of 
Standards and Technology (NIST) recently issued a new guide to Bluetooth 
technology and to the security issues that are related to the use of 
Bluetooth devices. The new publication updates an earlier publication 
that dealt with security for Bluetooth and IEEE 802.11 standard wireless 
technologies. See the More Information section at the end of this 
bulletin for other NIST publications dealing with wireless network 
security issues.Β 


NIST Special Publication (SP) 800-121, Guide to Bluetooth Security:Β  
Recommendations of the National Institute of Standards and Technology

NIST SP 800-121, Guide to Bluetooth Security: Recommendations of the 
National Institute of Standards and Technology, was issued in October 
2008. Written by Karen Scarfone of NIST and by John Padgette of Booz 
Allen Hamilton, the publication helps organizations protect their 
Bluetooth devices from security threats and vulnerabilities.Β 

NIST SP 800-121 overviews Bluetooth technology and discusses the primary 
characteristics of networks and devices. Topics addressed include the 
frequency-hopping scheme and the radio link power control properties 
that enable Bluetooth devices to find and establish communication with 
each other. The architecture of Bluetooth networks is explained, and 
diagrams of basic network topologies are provided.Β 

One section of NIST SP 800-121 is devoted to a discussion of the 
security features that are defined in the Bluetooth specifications and 
that support four modes of security. Also discussed are three modes of 
encryption that facilitate the cryptographic protection of the 
confidentiality of information.Β 

Another major section of the guide covers the common vulnerabilities and 
threats involving Bluetooth technologies and recommends countermeasures 
to improve Bluetooth security. To help organizations manage their 
reviews of the security of their Bluetooth devices and information, NIST 
has included in the publication detailed security checklists. The 
checklists itemize recommendations or guidelines and areas of concern 
for the security of Bluetooth devices. The security threats and 
vulnerabilities associated with each of these areas and the risk 
mitigation practices for securing the devices from these threats are 
delineated. The column format of the checklists enables staff members to 
review and check off the items that are relevant to their organizations.

The appendices provide a glossary of terms, lists of acronyms and 
abbreviations used in the document, references to Bluetooth 
specifications and papers, and Bluetooth online resources.
Β 
NIST SP 800-121 is available at
http://csrc.nist.gov/publications/PubsSPs.html.

Β 

Bluetooth Technology

Bluetooth is an open standard for short-range radio frequency (RF) 
communication.Β  Bluetooth technology was originally conceived by 
Ericsson in 1994. Ericsson, IBM, Intel, Nokia, and Toshiba formed the 
Bluetooth Special Interest Group, a not-for-profit trade association 
organized to promote the development of Bluetooth products and serving 
as the governing body for Bluetooth specifications. Bluetooth standards 
are developed by the IEEE 802.15 Working Group for Wireless Personal 
Area Networks that formed in early 1999 as IEEE 802.15.1-2002.Β 

Bluetooth technology is used primarily to establish wireless personal 
area networks (WPANs), commonly referred to as ad hoc or peer-to-peer 
(P2P) networks. Bluetooth is a low-cost, low-power technology that 
provides a mechanism for creating small wireless networks on an ad hoc 
basis, known as piconets. A piconet is composed of two or more Bluetooth 
devices in close physical proximity that operate on the same channel 
using the same frequency-hopping sequence. An example of a piconet is a 
Bluetooth-based connection between a cellular phone and a 
Bluetooth-enabled ear bud.Β 

Bluetooth piconets are established on a temporary and changing basis. 
This property offers communication flexibility and scalability between 
mobile devices, and it enables easy file sharing and synchronization of 
information between Bluetooth devices. A Bluetooth-enabled device can 
form a piconet to support file sharing capabilities with other Bluetooth 
devices, such as laptops. For example, a laptop can use a Bluetooth 
connection to have a mobile phone establish a dial-up connection, so 
that the laptop can access the Internet through the phone.

Bluetooth operates in the unlicensed 2.4 gigahertz (GHz) to 2.4835 GHz 
Industrial, Scientific, and Medical (ISM) frequency band. Other 
technologies also operate in this band, including the IEEE 802.11b/g 
WLAN standard, making the band somewhat crowded because of the volume of 
wireless transmissions. Bluetooth employs frequency-hopping spread 
spectrum (FHSS) technology for all transmissions. FHSS reduces 
interference and transmission errors and provides a limited level of 
transmission security.Β 

With FHSS technology, communications between Bluetooth devices use 79 
different radio channels by hopping, or changing, frequencies about 
1,600 times per second for data/voice links and about 3,200 times per 
second during page and inquiry scanning. A channel is used for a very 
short period (usually 625 microseconds for data/voice links), followed 
by a hop designated by a predetermined pseudo-random sequence to another 
channel; this process is repeated continuously in the frequency-hopping 
sequence.

Bluetooth also provides for radio link power control, which permits 
devices to negotiate and adjust their radio power according to signal 
strength measurements. Each device in a Bluetooth network can determine 
its received signal strength indication (RSSI) and make a request of the 
other network device to adjust its relative radio power level by 
incrementally increasing or decreasing the transmission power. This 
operation can be performed to conserve power and also to keep the 
received signal characteristics within a preferred range.Β 

Several versions of Bluetooth have been developed; the most recent are 
version 2.0 + Enhanced Data Rate (EDR) (November 2004) and version 2.1 + 
EDR (July 2007).Β  Version 2.0 + EDR provides transmission speeds of up 
to 3Mbits/second, faster than previous versions, and version 2.1 + EDR 
provides a significant security improvement for link key generation and 
management in the form of Secure Simple Pairing (SSP). NIST SP 800-121 
addresses the security of both of these versions of Bluetooth, as well 
as the earlier versions 1.1 and 1.2.

Β 
Security Features of Bluetooth Technology

The Bluetooth standard provides three basic security services:

* Authentication to verify the identity of communicating devices. User 
 authentication is not provided.

* Confidentiality to prevent the compromise of information and ensure 
 that only authorized devices can access and view data.

* Authorization to allow the control of resources by ensuring that a 
 device is authorized to use a service before permitting it to do so.


Four security modes are specified in the various versions of Bluetooth 
specifications:Β 

* Security Mode 1 is not secure. There are no capabilities for security 
 authentication and encryption. This mode is supported only by version 
 2.0 + EDR and earlier devices.Β 

* Security Mode 2 has a security manager, as specified in the Bluetooth 
 architecture, which controls access to specific services and devices. 
 The centralized security manager maintains policies for access control 
 and interfaces with other protocols and device users. Varying security 
 policies and trust levels to restrict access may be defined for 
 applications with different security requirements operating in 
 parallel. It is possible to grant access to some services without 
 providing access to other services. This mode allows for 
 authorization, the process of deciding if a specific device is allowed 
 to have access to a specific service. All Bluetooth devices can 
 support Security Mode 2; however, version 2.1 + EDR devices can only 
 support it for backward compatibility with version 2.0 + EDR (or 
 earlier) devices.

* Security Mode 3 requires a Bluetooth device to initiate security 
 procedures before the physical network link is fully established. 
 Bluetooth devices operating in Security Mode 3 mandate authentication 
 and encryption for all connections to and from the device. This mode 
 facilitates encryption and unidirectional or mutual authentication. 
 The authentication and encryption features are based on a separate 
 secret link key that is shared by paired devices, once the pairing has 
 been established. Security Mode 3 is only supported in version 2.0 + 
 EDR (or earlier) devices.Β 

* Security Mode 4 was introduced in Bluetooth version 2.1 + EDR. This 
 mode is a service level-enforced security mode in which security 
 procedures are initiated after link setup. Secure Simple Pairing uses 
 Elliptic Curve Diffie Hellman (ECDH) techniques for key exchange and 
 link key generation. Device authentication and encryption algorithms 
 are identical to the algorithms in Bluetooth version 2.0 + EDR and 
 earlier versions. Security requirements for services protected by 
 Security Mode 4 must be classified as one of the following: 
 authenticated link key required, unauthenticated link key required, or 
 no security required. Whether or not a link key is authenticated 
 depends on the Secure Simple Pairing association model used.Β 

Bluetooth does not address other security services such as audit and 
non-repudiation; if such services are needed, they must be provided 
through additional means.

Β  Vulnerabilities and Threats

Bluetooth technology and associated devices are susceptible to general 
wireless networking threats, such as denial of service attacks, 
eavesdropping, man-in-the-middle attacks, message modification, and 
resource misappropriation. They are also threatened by more specific 
Bluetooth-related attacks that target known vulnerabilities in Bluetooth 
implementations and specifications. Attacks against improperly secured 
Bluetooth implementations can provide attackers with unauthorized access 
to sensitive information and unauthorized usage of Bluetooth devices and 
other systems or networks to which the devices are connected.

Organizations should assess the risks to their wireless networks as part 
of their overall risk management processes, and select controls that are 
based on their assessments and that address specific threats and 
vulnerabilities. Some of the needed controls cannot be achieved through 
the security features built into the Bluetooth specifications, and may 
have to be supplemented by the selection of security controls based on 
the organization’s risk assessments and its specific requirements. 
Bluetooth security should be managed throughout the entire life cycle of 
Bluetooth devices and networks.

NIST SP 800-121 lists the currently known vulnerabilities of Bluetooth 
technology and recommends that organizations monitor the development of 
new vulnerabilities as version 2.1 of the Bluetooth specification 
becomes more widely adopted. New vulnerabilities and threats will 
require the implementation of additional security controls.

Β  NIST’s Recommendations for Bluetooth Security


NIST recommends that organizations carry out the following activities to 
protect their Bluetooth networks and devices:Β Β 

Use the strongest Bluetooth security mode available for their Bluetooth 
devices.

All versions of Bluetooth technology support some, but not all, of the 
four security modes defined by the Bluetooth specifications. The modes 
vary primarily by how well they protect Bluetooth communications from 
potential attacks. Security Mode 3 is considered the strongest mode 
because it requires authentication and encryption to be established 
before the Bluetooth physical link is completely established. Security 
Modes 2 and 4 also use authentication and encryption, but only after the 
Bluetooth physical link has already been fully established and logical 
channels partially established. Security Mode 1 provides no security 
functionality. The available modes vary based on the Bluetooth 
specification versions of the devices being used; therefore, 
organizations should choose the most secure mode available for each 
case.

Address the use of Bluetooth technology in organizational security 
policies and change the default settings of Bluetooth devices to reflect 
the policies.

A security policy that defines the requirements for Bluetooth security 
is the foundation for all other Bluetooth-related countermeasures. The 
policy should include a list of approved uses for Bluetooth, a list of 
the types of information that may be transferred over Bluetooth 
networks, and requirements for selecting and using Bluetooth personal 
identification numbers (PINs). After establishing their Bluetooth 
security policies, organizations should ensure that default settings of 
Bluetooth devices are reviewed and changed as needed to assure that the 
settings comply with the security policy requirements. For example, 
organizations may require that unneeded Bluetooth profiles and services 
be disabled to reduce the number of vulnerabilities that attackers could 
attempt to exploit. When available, a centralized security policy 
management approach should be used to ensure that device configurations 
are compliant.

Ensure that the Bluetooth users are made aware of their organization’s 
policies for security-related responsibilities regarding Bluetooth use.

A security awareness program helps users to follow security practices 
that help prevent security incidents. For example, users should be 
provided with a list of precautionary measures that they should take to 
better protect handheld Bluetooth devices from theft.Β  Users should also 
be made aware of other actions to take involving Bluetooth device 
security, such as ensuring that Bluetooth devices are turned off when 
they are not needed to minimize exposure to malicious activities, and 
performing Bluetooth device pairing as infrequently as possible and 
ideally in a physically secure area where attackers cannot observe key 
entry and eavesdrop on Bluetooth pairing-related communications.

Β 

More Information

Because of the constantly changing nature of the wireless security 
industry and the threats and vulnerabilities to wireless technologies, 
organizations are strongly encouraged to take advantage of the resources 
that are listed in the appendices to NIST SP 800-121 for current and 
detailed information.

Publications developed by NIST help information management and 
information security personnel in planning and implementing a 
comprehensive approach to information security. The security of 
Bluetooth devices depends upon attention to basic issues such as 
security planning, security awareness and training, risk management, 
application of cryptographic methods, and use of security controls. 
Organizations can draw upon NIST standards and guidelines on these 
issues and other issues related to the protection of networks and 
devices, including:Β 

Federal Information Processing Standard (FIPS) 199, Standards for 
Security Categorization of Federal Information and Information Systems

FIPS 200, Minimum Security Requirements for Federal Information and 
Information Systems

NIST SP 800-30, Risk Management Guide for Information Technology Systems

NIST SP 800-32, Introduction to Public Key Technology and the Federal 
PKI Infrastructure

NIST SP 800-48, Rev. 1, Guide to Securing Legacy IEEE 802.11 Wireless 
Networks

NIST SP 800-50, Building an Information Technology Security Awareness 
and Training Program

NIST SP 800-53, Rev. 2, Recommended Security Controls for Federal 
Information Systems

NIST SP 800-64, Security Considerations in the Information System 
Development Life Cycle

NIST SP 800-70, Security Configuration Checklists Program for IT 
Products: Guidance for Checklists Users and Developers

NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide 
to IEEE 802.11i

NIST SP 800-111, Guide to Storage Encryption Technologies for End User 
Devices

NIST SP 800-114, User's Guide to Securing External Devices for Telework 
and Remote Access


For information about NIST standards and guidelines that are listed 
above, as well as other security-related publications, see 
http://csrc.nist.gov/publications/index.html.

Β 

Disclaimer

Any mention of commercial products or reference to commercial 
organizations is for information only; it does not imply recommendation 
or endorsement by NIST nor does it imply that the products mentioned are 
necessarily the best available for the purpose.

Β 

_______________________________________________      
Help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html