A

SEMINAR REPORT

ON

“BLUETOOTH”

SUBMITTED IN PARTIAL FULFILLMENT

FOR THE AWARD OF THE

DEGREE OF

BACHELOR OF TECHNOLOGY

IN

ELECTRONICS ENGINEERING

SUBMITTED TO:- SUBMITTED BY:- Er. NARANG Sunil Panjeta(Lec 1805262

ECN-3

HARYANA ENGINEERING COLLEGE

JAGADHRI

KURUKSHETRA UNIVERSITY , KURUKSHETRA

(2005-2009)

1. INTRODUCTION

When you use computers, entertainment systems or telephones, the various pieces and

parts of the systems make up a community of electronic devices. These devices

communicate with each other using a variety of wires, cables, radio signals and infrared

light beams, and an even greater variety of connectors, plugs and protocols.

There are lots of different ways that electronic devices can connect to one another. For

example:

Component cables

Electrical wires

Ethernet cables

WiFi

Infrared signals

The art of connecting things is becoming more and more complex every day. In this

article, we will look at a method of connecting devices, called Bluetooth, that can

streamline the process. A Bluetooth connection is wireless and automatic, and it has a

number of interesting features that can simplify our daily lives.

A unique new wireless technology specifically designed for short range (10-100) meters

with modest performance of 780Kbps dynamically configurable and hoc networking with

low power. It is well suited for handheld applications and support both voice and data.

Uses 2.4 GHZ unlicensed ISM band. Frequency hopping spread spectrum radio for

higher interference immunity. Supports point to point and point to multipoint connection

with single radio link. Designed to provide low cost, robust, efficient, high capacity voice

and data networking. Uses a combination of circuit and packet switching.

Bluetooth wireless technology is finally here. Originally conceived as a low-power short

range radio technology designed to replace cables for interconnecting devices such as

printers, keyboards, and mice, its perceived potential has evolved into far more

sophisticated usage models. The requirement to do this in a totally automated, seamless,

and user-friendly fashion, without adding appreciable cost, weight, or power drain to the

associated host is an enormous engineering challenge.

Bluetooth devices can form piconets of up to seven slaves and one master, enabling

discovery of services and subsequent implementation of many varied usage models

including wireless headsets, Internet bridges, and wireless operations such as file

exchange, data synchronization, and printing.

Despite talk of Bluetooth competing with wireless LANs, Bluetooth products work over

shorter distances and are designed to solve different problems. The Bluetooth SIG

publishes the Bluetooth specification. The IEEE has formed the 802.15 working group to

define standards for wireless PANs. The 802.15.1 standard for WPAN™s will be

modeled after the Bluetooth specification from the Bluetooth SIG. Microsoft® has

announced support for Bluetooth in the next release of Windows® XP. The waters of

Bluetooth security have yet to be tested. However, the Bluetooth specification has a

robust key management scheme built in, as well as upper layers of security. Bluetooth

uses the national standard AES algorithm for encryption and the general consensus is that

the options for Bluetooth security are strong and robust.

2.2. BLUTOOTHBLUTOOTH

“Bluetooth wireless technology is an open specification for a low-cost, low-“Bluetooth wireless technology is an open specification for a low-cost, low-

power, short-range radio technology for ad-hoc wireless communication of voicepower, short-range radio technology for ad-hoc wireless communication of voice

and data anywhere in the world.”and data anywhere in the world.”

What is Bluetooth?What is Bluetooth?

Bluetooth is a short-range wireless communications technology.Bluetooth is a short-range wireless communications technology.

Why this name?Why this name?

It was taken from the 10th century Danish King Harald Blatand whoIt was taken from the 10th century Danish King Harald Blatand who

unified Denmark and Norway.unified Denmark and Norway.

When does it appear?When does it appear?

1994 – Ericsson study on a wireless technology to link mobile phones &1994 – Ericsson study on a wireless technology to link mobile phones &

accessories.accessories.

5 companies joined to form the Bluetooth Special Interest Group (SIG) in5 companies joined to form the Bluetooth Special Interest Group (SIG) in

1998.1998.

First specification released in July 19First specification released in July 1999.99.

Fig 1 (a) Fig 1 (a) One of the first modules (Ericsson) (b) A recent moduleOne of the first modules (Ericsson) (b) A recent module

a.a.

b. bluetooth connecting examplEb. bluetooth connecting examplE

2.1 TIMELINE2.1 TIMELINE

1994 : Ericsson study complete / vision1994 : Ericsson study complete / vision

1995 : Engineering work begins1995 : Engineering work begins

1997 : Intel agrees to collaborate1997 : Intel agrees to collaborate

1998 : Bluetooth SIG formed: Ericsson, Intel, IBM, Nokia & Toshiba1998 : Bluetooth SIG formed: Ericsson, Intel, IBM, Nokia & Toshiba

1999 : Bluetooth Specification 1.0A1999 : Bluetooth Specification 1.0A

SIG promoter group expanded: SIG promoter group expanded:

3Com, Lucent, Microsoft & Motorola 3Com, Lucent, Microsoft & Motorola

2000 : Bluetooth Specification 1.0B, 2000+ adopters2000 : Bluetooth Specification 1.0B, 2000+ adopters

2001 : First retail products released, Specification 1.12001 : First retail products released, Specification 1.1

2003 : Bluetooth Specification 1.22003 : Bluetooth Specification 1.2

2005 : Bluetooth Specification 2.0 (?)2005 : Bluetooth Specification 2.0 (?)

2.2 BLEUTOOTH GOALS & VISION2.2 BLEUTOOTH GOALS & VISION

Originally conceived as a cable replacement technologyOriginally conceived as a cable replacement technology

Short-Range Wireless SolutionsShort-Range Wireless Solutions

Open SpecificationOpen Specification

Voice and Data CapabilityVoice and Data Capability

Worldwide UsabilityWorldwide Usability

Other usage models began to develop:Other usage models began to develop:

Personal Area Network (PAN)Personal Area Network (PAN)

Ad-hoc networksAd-hoc networks

Data/voice access pointSData/voice access pointS

Wireless telematicsWireless telematics

2.3 CORE BLUETOOTH PRODUCTS 2.3 CORE BLUETOOTH PRODUCTS

•• Notebook PCs & Desktop computersNotebook PCs & Desktop computers

•• PrintersPrinters

•• PDAsPDAs

•• Other handheld devicesOther handheld devices

•• Cell phonesCell phones

•• Wireless peripherals:Wireless peripherals:

•• HeadsetsHeadsets

•• CameCamerasras

•• CD PlayerCD Player

•• TV/VCR/DVDTV/VCR/DVD

•• Access PointsAccess Points

•• Telephone Answering DevicesTelephone Answering Devices

•• Cordless PhonesCordless Phones

•• CarsCars

Example : The Networked HomeExample : The Networked Home

2.4 . ADVANTAGES

Simple to install and expand

Need not be in line of sight

Low Cost

Perfect for File transfer and printing application

Simultaneous handling of data and voice on the same channel

Easy to handle

2.5 APPLICATIONS OF BLUETOOTH

1. PC and Peripheral networking.

2. Hidden Computing.

3. Data synchronization for Address book and calendars.

4. Cell phone acting as a modem for PDA or Laptop.

5. Personal Area Networking (PAN).

6. Enabling a collection of YOUR personal devices to cooperatively work together

2.6 TECHNICAL FEATURES

Connection Type Spread Spectrum (Frequency Hopping) &

Time Division Duplex (1600 hops/sec)

Spectrum 2.4 GHz ISM Open Band (79 MHz of

spectrum = 79 channels)

Modulation Gaussian Frequency Shift Keying

Transmission Power 1 mw – 100 mw

Data Rate 1 Mbps

Range 30 ft

Supported Stations 8 devices

Data Security –Authentication Key 128 bit key

Data Security –Encryption Key 8-128 bits (configurable)

Module size 9 x 9 mm

2.7 A Comparison`

3. ABOUT THE NAME

For those who know little about the technology, and even for those who are more than a

little acquainted with it, the name Bluetooth may seem odd. You may wonder, in fact,

how it relates to wireless technology, or speculate that perhaps it’s derived somehow

from the founding members of the SIG. Neither of these ideas is correct.

The name is a romantic gesture that in some sense indicates the excitement the

technology generates as well as the belief in its value as a revolutionary concept. To

combine these qualities in a name required ingenuity and delving into the past. The name

Bluetooth comes from Danish history. Harald Blatand, who was called Bluetooth, was

the son of King Gorm the Old, who ruled Jutland, the main peninsula of Denmark. By the

time Harald became king, he was a skilled Viking warrior. So, when his sister asked for

help to secure control in Norway after her husband died, Harald quickly seized the

opportunity to unite the countries and expand his kingdom. By 960 A.D. according to the

story, Harald was at the height of his powers, and ruled both Denmark and Norway. He

was later credited with bringing Christianity to his Viking realm.

Although it’s popularly believed that King Harald had a blue tooth, and various stories

explain how this came about, it’s more likely that the Bluetooth name is the English

derivative of the original Viking word, Blâtand. The Bluetooth name was chosen for the

wireless technology because its developers and promoters hope it will unite the mobile

world, just as King Harald united his world

4.4. BLUETOOTH CONNECTION & OPERATIONBLUETOOTH CONNECTION & OPERATION

4.1 HOW BLUETOOTH CREATE A CONNECTION 4.1 HOW BLUETOOTH CREATE A CONNECTION

Bluetooth takes small-area networking to the next level by removing the need for user

intervention and keeping transmission power extremely low to save battery power.

Picture this: You're on your Bluetooth-enabled cell phone, standing outside the door to

your house. You tell the person on the other end of the line to call you back in five

minutes so you can get in the house and put your stuff away. As soon as you walk in the

house, the map you received on your cell phone from your car's Bluetooth-enabled GPS

system is automatically sent to your Bluetooth-enabled computer, because your cell

phone picked up a Bluetooth signal from your PC and automatically sent the data you

designated for transfer. Five minutes later, when your friend calls you back, your

Bluetooth-enabled home phone rings instead of your cell phone. The person called the

same number, but your home phone picked up the Bluetooth signal from your cell phone

and automatically re-routed the call because it realized you were home. And each

transmission signal to and from your cell phone consumes just 1 milliwatt of power, so

your cell phone charge is virtually unaffected by all of this activity.

Bluetooth is essentially a networking standard that works at two levels:

It provides agreement at the physical level -- Bluetooth is a radio-frequency

standard.

It provides agreement at the protocol level, where products have to agree on

when bits are sent, how many will be sent at a time, and how the parties in a

conversation can be sure that the message received is the same as the message

sent.

The big draws of Bluetooth are that it is wireless, inexpensive and automatic. There are

other ways to get around using wires, including infrared communication. Infrared (IR)

refers to light waves of a lower frequency than human eyes can receive and interpret.

Infrared is used in most television remote control systems. Infrared communications are

fairly reliable and don't cost very much to build into a device, but there are a couple of

drawbacks. First, infrared is a "line of sight" technology. For example, you have to point

Fig Photo courtesy Bluetooth SIG

Bluetooth wireless PC card

the remote control at the television or DVD player to make things happen. The second

drawback is that infrared is almost always a "one to one" technology. You can send data

between your desktop computer and your laptop computer, but not your laptop computer

and your PDA at the same time. (See How Remote Controls Work to learn more about

qualities of infrared are actually advantageous in some regards. Because infrared

transmitters and receivers have to be lined up with each other, interference between

devices is uncommon. The one-to-one nature of infrared communications is useful in that

you can make sure a message goes only to the intended recipient, even in a room full of

infrared receivers.

Bluetooth is intended to get around the problems that come with infrared systems. The

older Bluetooth 1.0 standard has a maximum transfer speed of 1 megabit per second

(Mbps), while Bluetooth 2.0 can manage up to 3 Mbps. Bluetooth 2.0 is backward-

compatible with 1.0 devices.

4.2 HOW BLUETOOTH OPERATES4.2 HOW BLUETOOTH OPERATES

Bluetooth networking transmits data via low-power radio waves. It communicates on a

frequency of 2.45 gigahertz (actually between 2.402 GHz and 2.480 GHz, to be exact).

This frequency band has been set aside by international agreement for the use of

industrial, scientific and medical devices (ISM).

A number of devices that you may already use take advantage of this same radio-

frequency band. Baby monitors, garage-door openers and the newest generation of

cordless phones all make use of frequencies in the ISM band. Making sure that Bluetooth

and these other devices don't interfere with one another has been a crucial part of the

design process.

One of the ways Bluetooth devices avoid interfering with other systems is by sending out

very weak signals of about 1 milliwatt. By comparison, the most powerful cell phones

can transmit a signal of 3 watts. The low power limits the range of a Bluetooth device to

about 10 meters (32 feet), cutting the chances of interference between your computer

system and your portable telephone or television. Even with the low power, Bluetooth

doesn't require line of sight between communicating devices. The walls in your house

won't stop a Bluetooth signal, making the standard useful for controlling several devices

in different rooms.

Bluetooth can connect up to Bluetooth can connect up to eight deviceseight devices simultaneously. With all of those devices in simultaneously. With all of those devices in

the same 10-meter (32-foot) radius, you might think they'd interfere with one another, butthe same 10-meter (32-foot) radius, you might think they'd interfere with one another, but

it's unlikely. Bluetooth uses a technique called it's unlikely. Bluetooth uses a technique called spread-spectrum frequency hoppingspread-spectrum frequency hopping

that makes it rare for more than one device to be transmitting on the same frequency atthat makes it rare for more than one device to be transmitting on the same frequency at

the same time. In this technique, a device will use 79 individual, randomly chosenthe same time. In this technique, a device will use 79 individual, randomly chosen

frequencies within a designated range, changing from one to another on a regular basis.frequencies within a designated range, changing from one to another on a regular basis.

In the case of Bluetooth, the transmitters change frequencies 1,600 times every second,In the case of Bluetooth, the transmitters change frequencies 1,600 times every second,

meaning that more devices can make full use of a limited slice of the meaning that more devices can make full use of a limited slice of the radio spectrumradio spectrum..

Since every Bluetooth transmitter uses spread-spectrum transmitting automatically, it’sSince every Bluetooth transmitter uses spread-spectrum transmitting automatically, it’s

unlikely that two transmitters will be on the same frequency at the same time. This sameunlikely that two transmitters will be on the same frequency at the same time. This same

technique minimizes the risk that portable phones or baby monitors will disrupt Bluetoothtechnique minimizes the risk that portable phones or baby monitors will disrupt Bluetooth

devices, since any interference on a particular frequency will last only a tiny fraction of adevices, since any interference on a particular frequency will last only a tiny fraction of a

secondsecond

When Bluetooth-capable devices come within range of one another, an electronic

conversation takes place to determine whether they have data to share or whether one

needs to control the other. The user doesn't have to press a button or give a command --

the electronic conversation happens automatically. Once the conversation has occurred,

the devices -- whether they're part of a computer system or a stereo -- form a network.

Bluetooth systems create a personal-area network (PAN), or piconet, that may fill a room

or may encompass no more distance than that between the cell phone on a belt-clip and

the headset on your head. Once a piconet is established, the members randomly hop

frequencies in unison so they stay in touch with one another and avoid other piconets that

may be operating in the same room

5. THE PROMISE OF BLUETOOTH – WHAT IT CAN DO

The promise of Bluetooth is extremely ambitious. If Bluetooth lives up to its potential, it

will revolutionize the way people interact with information technology. Originally

conceived as a low-power short-range radio technology designed to replace cables for

interconnecting devices such as printers, keyboards, and mice, its perceived potential has

evolved into much more. It has given rise to the concept of the Personal Area Network

(PAN), a technology of convenience where everything within the Personal Operating

Space (POS) of an individual that is related to communicating information (both voice

and data) is automatically tied into a seamless peer-to-peer network that self-configures

to make information easily accessible. Scenarios for its usage are many and diverse and

are only limited by the imaginations of the companies that create the products.

5.1 COMPARED WITH WIRELESS LANS

There is even talk of Bluetooth competing with WLANs, but Bluetooth products work

over shorter distances and are designed to solve different problems. While the

functionality of a WLAN device stands alone as a network component, the functionality

of a Bluetooth component requires a host. The host can be any number of Bluetooth

enabled devices such as cell phones, headsets, keyboards, PDAs, vending machines,

cameras, and bar code readers.

5.2 USAGE MODEL EXAMPLES.

Following are examples of some usage models for Bluetooth devices.

5.2.1 Wireless Headset

The leading adoption of Bluetooth will initially be in the arena of mobile phones.

Nearly every major mobile phone manufacturer has already released Bluetooth-

enabled models of their popular phones. The driver for this adoption is the ability to use

a wireless headset with the phone. The impact of mobile phone radiation on health has

been under scrutiny for some time, especially since the phone is usually held near the

head. The radio frequency energy emitted by a Bluetooth wireless headset is a fraction

of that emitted by a mobile phone. Additionally, the convenience of being cordless

means the phone can be used even if it is in a briefcase or the trunk.

5.2.2 Internet Bridge

Bluetooth wireless technology can be used to allow a mobile phone or cordless

modem to provide Dial-Up Networking (DUN) capabilities for a PC, allowing it to

connect to the Internet without a physical phone line. This enables a laptop to

automatically utilize the user’s nearby cell phone to dial and connect to a dial-up

service. The user doesn’t need to touch the phone, which might be in a briefcase or

coat pocket.

5.2.3 File Exchange

The ability to perform peer-to-peer file exchange without the presence of a network

infrastructure has many advantages. For example, a salesperson may choose to share

the contents of an electronic slide presentation (as well as datasheets, business cards,

and other electronic collateral) with the audience. Bluetooth enables the automatic

detection of any Bluetooth devices in the room, enabling the transfer (with the

receiver’s permission) of all selected files. (This could also be done with a wireless

LAN, but all parties involved would have to configure their clients to use compatible

network settings. This is not required for Bluetooth.)

5.2.4 Synchronization

Bluetooth allows for data synchronization between devices. For example, a desktop

computer that is Bluetooth enabled can wirelessly synchronize its contact list, task

information, calendar, etc., to a user’s phone, PDA, or notebook. Several Bluetooth-

based synchronization models already exist for both Pocket PC and Palm-based PDAs.

5.2.5 Printing

HP is making printers and notebooks with embedded Bluetooth technology.

Bluetooth-enabled devices can automatically detect Bluetooth-enabled printers in their

area and wirelessly send documents to the printer without going through lengthy

network and printing setup processes. Mobile users who frequently visit remote offices

will find Bluetooth printing a significant improvement in convenience to their current

experience.

5.3 AN ENGINEERING CHALLENGE

The demands of creating Bluetooth-enabled products are very challenging.

Consider the following:

Bluetooth must have a very flexible application topology. For example, you might

want your PDA to be able to communicate with any nearby printer, but do you

want your cell phone to send its audio to any nearby hands-free headset?

Bluetooth must be automatically configurable. If a Bluetooth product can’t figure

out whom it should and shouldn’t talk to and how, the marketplace will consider

it too complicated to use.

Bluetooth must have quality of service (QoS) features to support voice.

No one wants cell phones with shorter battery life, so the power required to

support Bluetooth capability must be very low.

No one wants PDAs that are larger, so adding Bluetooth capability to a device

should not noticeably increase its size.

In order to replace cables, Bluetooth cannot cost more than cables. This means

that Bluetooth technology cannot add more than $5 to the cost of the host device.

The phrase “Wireless connections made easy,” which is printed on the cover page of the

more than 1,500 pages of engineering specifications that define Bluetooth, means easy

for the user, but hard for the engineers designing the products. For the reasons outlined

above, Bluetooth presents some of the most demanding engineering challenges in the

telecommunications arena, and products are only just now beginning to appear on the

market.

5.4 BLUETOOTH PRODUCT CERTIFICATION

The Bluetooth Special Interest Group1 (SIG) is a group of companies that cooperate to

define Bluetooth standards and qualify Bluetooth products. A product that has passed

certain testing criteria can be stamped with the Bluetooth logo, assuring a certain level of

interoperability.

6. BLUETOOTH BASICS – HOW IT WORKS

6.1 NETWORK TOPOLOGY

Any Bluetooth device can be a master or a slave, depending on the application scenario.

Bluetooth employs frequency hopping spread spectrum (FHSS) to communicate. So in

order for multiple Bluetooth devices to communicate, they must all synchronize to the

same hopping sequence. The master sets the hopping sequence, and the slaves

synchronize to the Master. A piconet is formed by a master and up to seven active slaves.

The slaves in a piconet only communicate with the master. A scatter net can be formed

by linking two or more piconets. When a device is present in more than one piconet, it

must time-share and synchronize to the master of the piconet with which it is currently

communicating.

While the topology and hierarchical structure of WLAN networks are relatively simple,

Bluetooth networks are far more diverse and dynamic. They are constantly being formed,

modified, and dissolved, as Bluetooth devices move in and out of range of one another.

And because different Bluetooth devices can represent many different usage profiles,

there are any different ways in which Bluetooth devices can interact.

6.2 SERVICE DISCOVERY

The concept of service discovery is utilized to determine what kind of Bluetooth devices

are present and what services they desire or offer. When a Bluetooth device requires a

service, it begins a discovery process by sending out a query for other Bluetooth devices

and the information needed to establish a connection with them. Once other Bluetooth

devices are found and communication is established, the Service Discovery Protocol

(SDP) is utilized to determine what services are supported and what kinds of connections

should be made. In order for the above to happen, devices willing to connect must be

located. Some devices may be set up so that they are invisible. In this case, they can scan

for other Bluetooth devices, but will not respond if they are likewise queried.

Applications determine whether a device is connectable or discoverable, and thus

applications determine the topologies of networks and their internal hierarchies.

6.3 ACL AND SCO LINKS

Once a connection has been established between two devices an Asynchronous

Connection-Less (ACL) link is formed between them. An ACL link provides packet-

switched communication and is the most common link used to handle data traffic. A

master has the option to change an ACL link to a Synchronous Connection Oriented

(SCO) link. An SCO link provides a Quos feature by reserving time slots for transmission

of time-critical Information such as voice. A piconet can have up to three full-duplex

voice links.

6.4 STANDARD PROFILES TO ENABLE USAGE MODELS.

The number and variety of different Bluetooth usage models mean that Bluetooth devices

must call from a large collection of different protocols and functions to implement a

specific usage model. In order to ensure that all usage models will work among devices

from many different manufacturers, this collection of protocols and functions must be

standardized. Bluetooth profiles are standardized definitions of protocols and functions

required for specific kinds of tasks. The current Bluetooth Standard 1.1 contains 13

profiles, with more being continually added. One or more of these profiles are utilized

when implementing various usage models. Some profiles are dependent upon others.

Some of the most basic are:

6.4.1 General Access Profile (Gap)

This profile is required by all usage models and defines how Bluetooth devices

discover and connect to one another, as well as defines security protocols. All

Bluetooth devices must conform to at least the GAP to ensure basic interoperability

between devices.

6.4.2 SERVICE DISCOVERY APPLICATION PROFILE (SDAP)

The SDAP uses parts of the GAP to define the discovery of services for Bluetooth

devices.

6.4.3 SERIAL PORT PROFILE

This profile defines how to set up and connect virtual serial ports between two

devices. This serial cable emulation can then be used for tasks such as data transfer and

printing.

6.4.4 GENERIC OBJECT EXCHANGE PROFILE (GOEP)

GOEP is dependent on the Serial Port Profile and is used by applications to handle

object exchanges. This capability is then used, in turn, by other profiles to perform such

functions as Object Push, File Transfer, and Synchronization (see below).

6.4.5 OBJECT PUSH

This profile is used for the exchange of small objects, such as electronic calling cards.

6.4.6 FILE TRANSFER

This profile is used to transfer files between two Bluetooth devices.

6.4.7 SYNCHRONIZATION

This profile is used to synchronize calendars and address information between

devices.

New profiles not yet part of the standard include the following: a Basic Printing Profile to

facilitate printing of text emails, short messages, and formatted documents; a Hands Free

Profile to enable a mobile phone to be used with a hands-free device in a car; a Basic

Imaging Profile enabling Bluetooth devices to negotiate the size and encoding of

exchanged images; and a Hardcopy Cable Replacement Profile, used by devices such as

laptops and desktop computers that utilize printer drivers.

6.5 POWER LEVELS AND RANGE

Most Bluetooth devices, dependent on batteries for power, are designated as class 3

devices and are designed to operate at a power level of 0 dBm (1 mW), which provides a

range of up to 10 m. Class 2 devices can utilize as much as 4 dBm (2.5 mW) output

power, and class 1 devices can utilize up to 20 dBm (100 mW) of output power. Class 1

devices can have a range up to 100 m. Bluetooth class 2 and 3 devices can optionally

implement adaptive power control. Required for class 1 devices, this mechanism allows a

Bluetooth radio to reduce power to the minimum level required to maintain its link, thus

saving power and reducing the potential for interfering with other nearby networks.

3. THE EVOLVING BLUETOOTH STANDARD

THE BLUETOOTH SIG

Since the original Bluetooth specification was published in 1999, more than 2000

additional companies have signed on as associate members, able to participate in

development of future standards and extensions by contributing efforts to various

working groups.

THE CURRENT SPECIFICATION

The current specification, Ver. 1.12, defines a radio which operates in the

unregulated Industrial, Scientific, and Medical (ISM) band as follows:

2.4 GHz, FHSS w/1600 hops/s over 79 channels: 1 Mbps

The fundamental elements of a Bluetooth product are defined in the two lowest

protocol layers, the radio layer and the baseband layer. Included in these layers

are hardware tasks such as frequency hopping control and clock synchronization,

as well as packet assembly with associated FEC (Forward Error Correction) and

ARQ (Automatic Repeat Request).

The link manager layer is responsible for searching for other Bluetooth devices,

creating and tearing down piconets, as well as authentication and encryption.

Higher layer definitions include the Bluetooth profiles.

ENHANCING THE SPECIFICATION

The Bluetooth SIG is currently working on a new specification, due for

publication sometime in 2002. In the interest of maintaining backwards

compatibility, most of this work is confined to describing new profiles.

One of the most intriguing is a car profile that describes the use of personal

devices like pagers, cell phones, and laptops in an automotive environment.

Envisioned usages include the automatic adjustment of various settings in an

automobile, such as seat and mirror positions and radio tuning, based on personal

preferences stored in a Bluetooth device. Another profile would link a cell phone,

car radio, and text-to-speech software on a laptop, to allow email to be spoken

audibly over the car radio.

In addition to developing new profiles, other working groups are developing

extensions to enhance Bluetooth operations. The radio working group is

developing optional extensions to the current Bluetooth standard that include

higher data rates and handoff capability to support roaming, and the coexistence

working group is collaborating with the IEEE 802.11 and 802.15 working groups

to address interference concerns and ensure that Bluetooth can coexist in the same

environment with WLANs.

4. SECURITY ISSUES AND ATTACKS

In November 2003, it was. discovered that there are serious flaws in the authentication

and/or data transfer mechanisms on some bluetooth enabled devices. Specifically, three

vulnerabilities have been found:

Firstly, confidential data can be obtained, anonymously, and without the owner's

knowledge or consent, from some bluetooth enabled mobile phones. This data includes,

at least, the entire phonebook and calendar, and the phone's IMEI.

Secondly, it has been found that the complete memory contents of some mobile phones

can be accessed by a previously trusted ("paired") device that has since been removed

from the trusted list. This data includes not only the phonebook and calendar, but media

files such as pictures and text messages. In essence, the entire device can be "backed up"

to an attacker's own system.

Thirdly, access can be gained to the AT command set of the device, giving full access to

the higher level commands and channels, such as data, voice and messaging. This third

vulnerability was identified by Martin Herfurt, and they have since started working

together on finding additional possible exploits resulting from this vulnerability.

Finally, the current trend for "Bluejacking" is promoting an environment which puts

consumer devices at greater risk from the above attacks.

Vulnerabilities

8.1 The SNARF attack:

It is possible, on some makes of device, to connect to the device without alerting the

owner of the target device of the request, and gain access to restricted portions of the

stored data therein, including the entire phonebook (and any images or other data

associated with the entries), calendar, realtime clock, business card, properties, change

log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the

phone to the mobile network, and is used in illegal phone 'cloning'). This is normally only

possible if the device is in "discoverable" or "visible" mode, but there are tools available

on the Internet that allow even this safety net to be bypassed[4]. Further details will not

be released at this time (see below for more on this), but the attack can and will be

demonstrated to manufacturers and press if required.

8.2 The BACKDOOR attack:

The backdoor attack involves establishing a trust relationship through the "pairing"

mechanism, but ensuring that it no longer appears in the target's register of paired

devices. In this way, unless the owner is actually observing their device at the precise

moment a connection is established, they are unlikely to notice anything untoward, and

the attacker may be free to continue to use any resource that a trusted relationship with

that device grants access to (but note that so far we have only tested file transfers). This

means that not only can data be retrieved from the phone, but other services, such as

modems or Internet, WAP and GPRS gateways may be accessed without the owner's

knowledge or consent. Indications are that once the backdoor is installed, the above

SNARF attack will function on devices that previously denied access, and without the

restrictions of a plain SNARF attack, so we strongly suspect that the other services will

prove to be available also.

8.3 The BLUEBUG attack:

The bluebug attack creates a serial profile connection to the device, thereby giving full

access to the AT command set, which can then be exploited using standard off the shelf

tools, such as PPP for networking and gnokii for messaging, contact management, diverts

and initiating calls. With this facility, it is possible to use the phone to initiate calls to

premium rate numbers, send sms messages, read sms messages, connect to data services

such as the Internet, and even monitor conversations in the vicinity of the phone. This

latter is done via a voice call over the GSM network, so the listening post can be

anywhere in the world. Bluetooth access is only required for a few seconds in order to set

up the call. Call forwarding diverts can be set up, allowing the owner's incoming calls to

be intercepted, either to provide a channel for calls to more expensive destinations, or for

identity theft by impersonation of the victim.

8.4 Bluejacking

Although known to the technical community and early adopters for some time, the

process now known as "Bluejacking"[1] has recently come to the fore in the consumer

arena, and is becoming a popular mechanism for exchanging anonymous messages in

public places. The technique involves abusing the bluetooth "pairing"[2] protocol, the

system by which bluetooth devices authenticate each other, to pass a message during the

initial "handshake" phase. This is possible because the "name" of the initiating bluetooth

device is displayed on the target device as part of the handshake exchange, and, as the

protocal allows a large user defined name field - up to 248 characters - the field itself can

be used to pass the message. This is all well and good, and, on the face of it, fairly

harmless, but, unfortunately, there is a down side. There is a potential security problem

with this, and the more the practice grows and is accepted by the user community, and

leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in

the fact that the protocol being abused is designed for information exchange. The ability

to interface with other devices and exchange, update and synchronise data, is the raison

d'être of bluetooth. The bluejacking technique is using the first part of a process that

allows that exchange to take place, and is therefore open to further abuse if the handshake

completes and the "bluejacker" successfully pairs with the target device. If such an event

occurs, then all data on the target device bacomes available to the initiator, including such

things as phone books, calendars, pictures and text messages. As the current wave of

PDA and telephony integration progresses, the volume and quality of such data will

increase with the devices' capabilities, leading to far more serious potential compromise.

Given the furore that errupted when a second-hand Blackberry PDA was sold without the

previous owner's data having been wiped[3], it is alarming to think of the consequences

of a single bluejacker gathering an entire corporate staff's contact details by simply

attending a conference or camping outside their building or in their foyer with a bluetooth

capable device and evil intent. Of course, corporates are not the only potential targets - a

bluejacking expedition to, say, The House of Commons, or The US Senate, could provide

some interesting, valuable and, who's to say, potentially damaging or compromising data.

The above may sound alarmist and far fetched, and the general reaction would probably

be that most users would not be duped into allowing the connection to complete, so the

risk is small. However, in today's society of instant messaging, the average consumer is

under a constant barrage of unsolicted messages in one form or another, whether it be by

SPAM email, or "You have won!" style SMS text messages, and do not tend to treat them

with much suspicion (although they may well be sceptical about the veracity of the

offers). Another message popping up on their 'phone saying something along the lines of

"You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-

SUCKER to collect your prize!" is unlikely to cause much alarm, and is more than likely

to succeed in many cases.

8.5 VARIOUS OTHER ATTACKS

BLUEBUG is the name of a bluetooth security loophole on some bluetooth-enabled cell

phones. Exploiting this loophole allows the unauthorized downloading phone books and

call lists, the sending and reading of SMS messages from the attacked phone and many

more things.

LONG DISTANCE SNARF- An eye-opener to those who believe that the range of the

wireless technology Bluetooth is 100 meter maximum. The Long-Distance-Snarf

Experiment that took place in the early morning of proofs this assumption wrong

BLUETONE--The information on this page is intended to help people that want to

modify their bluetooth equipment in order to connect an external (directional) antenna to

their Bluetooth dongle. This Bluetooth tuning makes it possible to concentrate the

emission of bluetooth signals to one direction instead of any direction. This direction of

signals enhances the range of bluetooth radios

BLUEPRINTING--Blueprinting is a method to remotely find out details about bluetooth-

enabled devices. Blueprinting can be used for generating statistics about manufacturers

and models and to find out whether there are devices in range that have issues with

Bluetooth security

BLOOVER--Since Adam Laurie's BlueSnarf experiment and the subsequent BlueBug

experiment it is proven that some Bluetooth-enabled phones have security issues. Until

now, attackers need laptops for the snarfing of other people's information. Unless

attackers do a long-distance-snarf, people would see that there is somebody with a laptop

trying to do strange things. Blooover is a proof-of-concept tool that is intended to run on

BT AUDIT--The Bluetooth architecture consists out of two main protocols, L2CAP and

RFCOMM which is layered on top of L2CAP. Since these protocols utilize ports (as they

are named in the popular TCP/IP UDP/IP architecture). It makes sense to have the ability

to scan these in order to find so called open ports and possible vulnerable applications

bound to them.

BLUESMACK- BlueSmack is a Bluetooth attack that knocks out some Bluetooth-

enabled devices immediately. This Denial of Service attack can be conducted using

standard tools that ship with the official Linux Bluez utils package

BT CLASS-Each Bluetooth device has a device class (type of device and services it

provides) which is part of the responds to an inquiry. The device class has a total length

of 24 bits and is separated in three parts

9. BLUETOOTH SECURITY

Bluetooth security, when compared with WLAN security, is both more complex and

simpler. It is more complex in the sense that there are many different options for security

based on different application scenarios. It is simpler in the sense that, for the most part,

they are transparent to the user. With WLANs it is up to the network administrator to add

security at higher levels. With Bluetooth, since the Bluetooth spec includes all levels,

higher-level security features are already built into the devices when appropriate.

Bluetooth security includes both authentication and confidentiality, and is based around

the SAFER+ encryption algorithm. SAFER+ is a block cipher, but in this application is

implemented as a stream cipher. SAFER+ was thoroughly analyzed and tested during the

NIST’s search for a national encryption standard. Although some versions were found to

have very minor weaknesses, the 128-bit version as used in Bluetooth is considered very

strong.

9.1 LINK LAYER SECURITY – KEYS AND MORE KEYS

The Bluetooth Baseband (link layer) specification defines methods for both

authentication and encryption that are subsequently utilized by higher layers.

These methods utilize a number of keys generated by a process that begins with three

basic device entities: a public 48-bit device address, a random number generator, and a

secret PIN which is either built into the unit by the manufacturer or programmed by the

user. A typical PIN may consist of just four decimal digits. However, for applications

requiring more security a PIN code up to 128-bits long can be entered. The first of many

keys is created the first time the Bluetooth device is installed on the host

and is typically never changed. This is referred to as the unit key.

9.1.1 Authentication

When a Bluetooth session (defined as the time interval for which the device is

part of a piconet) is initiated, a series of additional keys is generated. One of these

keys, referred to as the link key or authentication key, is a one-time 128-bit secret

key that is used only during that session. The process of authentication employs

the encryption of a random number by each device to verify that each is sharing

the same secret link key.

9.1.2 Encryption

If encryption is required by the application, an encryption key is further derived

from the

link key, a ciphering offset number, and a random number. While the

authentication key is always 128-bits, the encryption key may be shorter to

accommodate government restrictions on encryption, which vary from country to

country. A new encryption key is generated each time the device enters

encryption mode. The authentication key, however, is used during the entire

session.

9.2 APPLICATION LAYER SECURITY

The Bluetooth General Access Profile defines three security modes:

Mode 1 is non-secure. Authentication is optional.

Mode 2 gives service-level enforced security. The service provided by the

application decides whether or not authentication or encryption is required. The

Bluetooth SIG has published the Bluetooth Security Architecture white paper5

that defines a suitable architecture for implementing service-level enforced

security on Bluetooth devices. The white paper splits devices into different

categories and trust levels, as well as suggesting three security levels for services.

The utilization of a database is suggested for enabling the user to authorize

devices to utilize only particular services. Because the implementation of security

at this level does not affect interoperability, this white paper is advisory only, and

is not part of the Bluetooth specification.

Mode 3 is link-level enforced security. Both devices must implement security

procedures in order for a connection to be established. In addition to the above

modes, a device can be configured to not respond to paging, so that other devices

cannot connect to it. Or it can be configured so that only devices that already

know its address can connect to it. Such numerous and complex levels of security

are necessary to accommodate the large variety of different usage scenarios. It

falls on the designers of Bluetooth products to ensure that the complexity of

Bluetooth is hidden from the user, while still providing the user with necessary

security options.

10. WORKAROUNDS AND FIXES

We are not aware of any workarounds for the SNARF or BLUEBUG attacks at this time,

other than to switch off Bluetooth.

To permanently remove a pairing, and protect against future BACKDOOR attacks, it

seems you must perform a factory reset, but this will, of course, erase all your personal

data. To avoid Blue jacking, "just say no”. The above methods work to the best of our

knowledge, but, as the devices affected are running closed-source proprietory software, it

not possible to verify that without the collaboration of the manufacturers. We therefore

make no claims as to the level of protection they provide, and you must continue to use

Bluetooth at your own risk.

11. Device Authentication In Bluetooth Technology

Bluetooth technology provides a method for authenticating devices. Device

authentication is provided using a shared secret between the two devices. The common

shared secret is called a link key. This link key is established in a special communications

session called pairing. All paired devices (devices that have had a previous connection to

establish security procedures) share a common link key. There are two types of link keys

defined in the unit keys and combination keys.

A device using a unit key uses the same secret for all of its connections. Unit keys are

appropriate for devices with limited memory or a limited user interface. During the

pairing procedure the unit key is transferred (encrypted) to the other unit. Note that only

one of the two paired units is allowed to use a unit key. Combination keys are link keys

that are unique to a particular pair of devices.

The combination key is only used to protect the communication between these two

devices. Clearly a device that uses a unit key is not as secure as a device that uses a

combination key. Since the unit key is common to all devices with which the device has

been paired, all such devices have knowledge of the unit key.

Consequently they are able to eavesdrop on any traffic based on this key. In addition,

they could, in theory, be modified to impersonate other devices using the key. Thus,

when using a unit key there is no protection against attacks from other devices with

which the device has been paired.

As a result, the Bluetooth SIG discourages the use of unit keys in secure applications.

Authentication is performed with a challenge response scheme utilizing the E1 algorithm.

E1 is a modification of the block cipher SAFER+. The scheme operates as follows: The

verifier issues a 128 bit long challenge. The claimant then applies E1 using the challenge,

its 48-bit Bluetooth address, and the current link key. He then returns the 32 most

significant bits of the128 bit result2.

The verifier confirms the response, in which case the authentication has succeeded. In

this case, the roles are switched and the same procedure is applied again, thereby

accomplishing mutual authentication.

The Bluetooth challenge response algorithm differs from that used in 802.11b in very

important ways. In 802.11b the challenge and response

form a plaintext/cipher text pair. This fact, combined with the simplicity of the

encryption method (XOR), allow an intruder to easily determine the authentication key

string by listening to one authentication procedure. In contrast, the Bluetooth

authentication method never transmits the complete challenge response pair. In addition,

the E1 algorithm is not easily invertible. Thus even if an attacker has recorded an

authentication challenge response session, he cannot (directly) use this data to compute

the authentication key.

12. BLUETOOTH PAIRING

Pairing is the procedure where a relationship (link key) is established between two

previously unknown devices. The link key is derived when the devices are initially paired

(i.e. the link key does not exist before the pairing procedure). Pairing is facilitated with

yet another key, the initialization key. This key is computed by a pair of devices using the

Bluetooth addresses of each device, a random number, and a shared secret (PIN). Since it

is only used in the initial pairing, the initialization key is only used once. The initial

pairing is the most profitable area of attack on a Bluetooth device. If the attacker can

guess or steal the PIN during the initial pairing, then he can perform a much more

efficient search to derive the link key. This search is further simplified if the

communications occurring while the devices are paired is recorded. For this reason the

Bluetooth SIG strongly encourages the use of long, random PINs and suggests that

pairing be performed only in a private place. Assuming that both devices have a man-

machine interface (such as a keypad) it is also suggested that the PIN be manually

entered into both devices or in any case communicated out-of-band (not transmitted over

the Bluetooth wireless link). Thus, long PINs provide improved security since the PIN

cannot be received over-the-air. To steal the PIN an attacker must guess or record it by

some other means such as direct observation of the user, a more difficult procedure if the

PIN is long and the pairing is performed in private.

As a communication standard, Bluetooth security focuses on the link level. It provides

both entity authentication and link privacy. Since these functions are focused at the lower

network layers, message authentication and secure end-to- end links are not provided.

However, many applications, such as e-mail and browser transactions require end-to-end

security. As with other communication standards, this function is expected to be provided

at higher network layers by specific application providers.

Accordingly, the Bluetooth SIG encourages the reuse of existing transport, session and

application layer security. Accordingly the Bluetooth SIG strongly encourages pairing in

a private place and the use of robust PINs. In addition, simple devices that use unit keys

should not be relied upon to communicate highly secure data.

13. BLUESNARFING

SNARF and bluesnarfing are words that have been spooking through the Internet during

the last months. These words relate to a recently discovered security flaw in Bluetooth-

enabled devices. This report is about a field-trial that has evaluated this security loophole

at the CeBIT 2004 in Hannover. As described in, the SNARF attack enables access to

restricted portions of the device. SNARF is a word coming from computer-hacker jargon.

To snarf something means “to grab a large document or file and use it without the

author’s permission”. So it is possible to, for example read out the affected devices’

phone books. These phone books contain numbers and associated names of persons that

are either stored in the device phone-book, on the SIM card or in the lists of missed,

received or dialed contacts. It is also possible to retrieve and send SMS messages from

the affected phone or to initiate phone calls to any existing number (this feature is of

special interest if you are the running a premium service number yourself.

In theory, all supported AT-commands could be issued to the respective device, but

according to statements of the manufacturers some of the commands are not permitted by

means of this disallowed connection. But there would be no reason of preventing

commands from a connection that the firmware discloses by accident.

13.1 The BlueSnarf Field Trial

The environment was build up by open-source software ran on a laptop computer.

13.2 The Environment Setup

The hardware used for this trial was a COMPAQ Evo N600c with two low-cost MSI

Bluetooth USB-dongles. The software used with this hardware was linux-2.6.22together

with Qualcomm’s Bluetooth stack implementation Bluez (bluez-libs-2-.5, bluez-utils-2.4

and bluez-sdp-1.5). The actual application was implemented in PERL and C. For better

data-mining capabilities, an enterprise-level SQLDBMS (postgresql-7.4.1) has been used

in order to store and access the collected device-information.

13.3 Collected Data Samples and Results

In total, 1269 different devices have been discovered in the period from March 18th to

21st March 2004 at the place described above. Due to the limited range of about ten

meters, not all of the Bluetooth-enabled devices at this place could have been detected.

But still, the number of discovered devices is very high.

13.4 Discovered Device Vendors

The determination of the vendor is done by means of the Bluetooth address. Similar to

the hardware-address (MAC address) of Ethernet network interface cards, also the

Bluetooth address refers to the manufacturer of the Bluetooth chip-set. Table 1 shows the

vendor and the three first bytes of the Bluetooth addresses that are associated with the

respective vendor. Also a value expressing the distribution among the vendors is

provided in this table.

The 70 percent of discovered Nokia handsets clearly represent Nokia’s market-leadership

in Europe. Interestingly, many companies use the Nokia 6310i as a company phone. One

possible reason for this could be the compatibility to the Nokiacar-kits that have been

installed over years in many company cars.

13.5 Vendor Address-Bytes Percentage

Table 13.5.1 : Device Vendors

Nokia 00:02: EE, 00:60:57, 00:E0:03 70

SonyEricsson 00:0A:D9 11.35

Siemens 00:01:E3 8.2

Unknown miscellaneous 8.1

Other miscellaneous 2.1

13.6 Discovered Models

It cannot be determined from the device’s Bluetooth address which model of the

respective vendor this is. Therefore, the Bluetooth name that on many devices defaults to

the model number has been used to identify the model of the discovered device. The

Bluetooth name of the devices can be set by the user and is therefore not itself a reliable

information to determine the model number. It is worth mentioning that many people use

their full name as identification for their device.

The tables 2, 3 and 4 show the numbers of models that could have been uniquely

determined by their names. So, this graph is not totally correct, but gives a coarse idea on

the vendor/model distribution.

The graph displayed in table 2 supports the assumption that has been made before, that

obviously many companies are using the Nokia 6310i phone for their employees.

13.7 Device Number Percentage

Table 13.7.1: Recognized Nokia Models

Unrecognized 669 75.1

Nokia 6310/6310i 135 15.2

Nokia 6600 48 5.4

Nokia 3650 28 3.1

Nokia 7650 11 1.2

Characteristic for the German/European market was the relatively high presence

Unrecognized

T610

P900

P800

13.8 Device Number Percentage

Table 13.8.1: Recognized SonyEricsson Models

Unrecognized 106 72.1

SonyEricsson T610 33 22.5

SonyEricsson P900 7 4.8

SonyEricsson P800 1 0.6

of Siemens phones. At the moment, only the phones belonging to the 55 series and the

new SX1 are supporting Bluetooth. Unrecognized S55/SL55, SX1

13.9 Device Number Percentage

Unrecognized 69 66.3, Siemens S55/SL55 30 28.9, Siemens SX1 5 4.8

13.10 Discovered Vulnerable Devices

As written in, there are a number of devices that are vulnerable to the SNARF attack.

According to this document there is the Ericsson phone T68/T68i, the SonyEricsson

phones R520m, T610 and Z1010 and the Nokia phones 6310/6310i, 8910/8910i and

7650. Adam Laurie also provides information, whether the respective devices are

attackable in invisible or visible mode, only. Since the setup used for this field trial did

not use a brute-force approach (as presented by @stake) for detecting also invisible

devices, this study only confirms the vulnerability of visible devices. Due to limited

market take-up and the resulting low penetration-rate of some devices, the vulnerability

of some of the listed devices cannot be confirmed by this study.

As displayed in figures 2 and 3, the two top-selling Bluetooth-enabled models of

SonyEricsson and Nokia are vulnerable to the SNARF attack. Experiments with the

SonyEricsson T610 showed that this model is generally not vulnerable to the SNARF

attack. During an earlier presentation of the SNARF attacking February it happened that

T610 phones with recent versions of the T610 firmware were disclosing personal

information. Obviously, newer versions of the T610 firmware do allow SNARF attacks.

Nokia 6310/6310i as mentioned above, this study confirms that the Nokia 6310 and the

more enhanced Nokia 6310i are very vulnerable to the SNARF attack. About 33 percent

of all discovered devices of this type were disclosing personal phone book entries without

requiring user-interaction. Since the snarf-process takes an average Time of 30 seconds

(from the discovery to the end of the attack), it is very likely that a lot more devices could

have been read out. Too many people were just passing the location so that they left the

Bluetooth-covered area too early to be snarfed. SonyEricsson T610 In future when the

newer firmware is running on an increased number of T610-devices the success rate of

the SNARF attack will also increase. In the CeBIT 2004 field trail only 6 percent of all

discovered T610 devices could be read out. Siemens Phones As far as it has been

observed in the CeBIT field trial, Siemens phones are not vulnerable to the SNARF

attack. Bluetooth-enabled Siemens phones like the S55 merely seem to be rather

paranoid. Every time a usual scan-request is received by these phones they cowardly ask

for the user’s confirmation. Actually, this behavior is quite annoying.

13.11 Other Experiences

In preparation for the trial-setup, the Ericsson T68i (which is also on the list of vulnerable

devices) has been checked. It can be confirmed, that this phone is vulnerable. Total

Snarfed 50, SonyEricsson T61033 to the SNARF attack but switches into the hidden

mode automatically (three minutes after activation of the Bluetooth interface). In hidden

mode this phone is not vulnerable.

13.12 What Has Been Done?

The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is

why only the first 10 entries of each phone book were read out. About 50 numbers from

each snarfed phone have been retrieved.

13.13 What Could Have Been Done?

As mentioned in the introduction there could have been done a variety of different things

with an unauthorized Bluetooth connection to the phone. The following paragraphs give

some ideas on the things this security flaw would also allow the attacker to do.

13.13.1 Sending a SMS

The only good way to get to know the number of the snarfed phone is to send an SMS

from the attacked phone to another device. Depending on the manufacturer of the phone,

SMS messages can either be provided in 7bit encoded ASCII-text and/or have to be

provided as a SMS-PDU which is rather tricky to generate. For the creation of SMS-

PDUs there is a tool called PDUSpy in the download section of Nokia phones allow to

issue text-mode and PDU-mode messages to the device, while SonyEricsson phones (and

also Siemens phones) only accept PDU-encoded SMS messages. The sending of an SMS

is not visible to the user. Usually, the issued SMS is not stored in the sent-box of the

snarfed phone. In rare cases, the SMS settings of the snarfed phone are set to require a

report that is generated at the receiving phone. In this case the sender that was not aware

of having sent a message would receive a reception-report from the attacker’s phone

(which includes a phone number). By sending PDU encoded messages, it can be

controlled by setting a flag whether a reception report is generated or not.

This method to get the victim’s phone number is causing costs to the holder of the phone.

That is why it has not been done in the CeBIT field-trial. But it works for sure (at least on

Nokia devices).

It would also be possible to get the device’s phone number by initiating a phone call to

the number of a phone that is able to display the caller’s number. However, this method

would disclose the number of the dialed phone to the owner of the attacked phone,

because every call initiation is writing an entry into the dialed contacts list (DC phone

book).

13.13.2 Initiating a Phone Call

It is possible to initiate phone calls to virtually any other number. It would be very

lucrative to initiate calls to a premium service number that is ran by the attacker. As

mentioned before, dialed numbers are usually stored in the phone’s calling lists and are

also stored at the provider-site for billing purposes. Therefore, this kind of abuse is rather

unlikely. It would also be very easy to find out and sue the person being responsible for

this premium service.

13.13.3 Writing a Phone Book Entry

As mentioned before, every phone call is writing an entry into the “dialed contacts” or

DC phone book of the respective device. By writing a phone book entry into the DC

phone book, the traces on the device that evidence that a call has been made can be

replaced by any number. Since the operator also stores dialed numbers for billing

purposes, this kind of obfuscation would only delay the process of finding the responsible

person. Of course it is also possible to do some nasty phone book entries. Just imagine an

entry that has ’Darling’ as a name and the number of a person you dislike. This owner of

the phone could then get into some trouble with his/her spouse. In the CeBIT-trial no

phone book entries have been done. Such entries would most likely overwrite existing

ones.

13.13.4 Future Work

Ongoing experiments include a SNARF application on Java/J2ME phones. As a

Requirement for this, the respective phones would have to have the MIDP 2.0 API

Implemented together with the optionally provided Bluetooth-API. The only phone that

has these features at the moment is the Nokia 6600.

13.13.5 Blueprinting

Blueprinting aims to set a standard for Bluetooth fingerprinting devices. The idea is

similar to IP fingerprinting techniques as used in tools like an map where it is possible to

determine a hosts operating system by specific behavior of the IP stack. With

Blueprinting it is possible to determine the manufacturer, the device model and the

firmware version of the respective device. The complexity of the introduced method is

intentionally simple so that this procedure can be executed on constrained devices that

are not capable of calculating common hashes such as MD5: the J2ME Connected

Limited Device Configuration (CLDC) Version 1.0 (as used in many mobile handsets)

can perform it. There are many different reasons that justify a method that allows the

identification of Bluetooth-enabled devices by the characteristics of their radio interface.

13.13.6 Device Statistics

One of the purposes that Blueprinting could be used for is statistical examination of

different environments. This way, it is possible to create statistics over manufacturer and

device models in special places as it was done in the CeBIT field trial report. There are

more scenarios where the determination of Bluetooth device properties is making sense.

13.13.7 Automated Application Distribution

There are many different mobile handsets that all have different operating system

platforms running. One of the most popular platforms is Symbian but there is a number of

other platforms Mobile device manufacturers are developing applications for many

different purposes. In order to deliver the application for the right platform, the

application distributor needs to know about the requesting device model, so that the

application that is pushed to the device might be a version that supports e.g. the bigger

display of a certain device. Unfortunately, there are also malicious applications like the

proof-of-concept virus CIBER that could profit from an identification method like

Blueprinting.

13.13.8 Security Audits

Early implementations of the Bluetooth standard in devices of various device

manufacturers are subject to more or less severe security issues. Attacks like the

BlueSnarf attack, the Bluebug attack or the Blue Smack attack, which enable the

extraction of sensitive information, the abuse of telecommunications services or the

denial of service are subject to the firmware and the model of some phones. In order to

communicate eventual security issues to the respective manufacturers it is important to

know about the properties of the concerned device. Blueprinting contributes to the efforts

done in order to make Bluetooth devices more secure.

13.13.9 Device Information

Blueprinting encapsulates the necessary information in order to determine device specific

properties such as the manufacturer, the model information and the firmware version.

Since mobile phones and PDAs make up the biggest group of Bluetooth enabled devices,

Blueprinting mainly focuses on these devices. The method relies on device specific

information that has been collected in experiments such as the CeBIT experiment, and,

therefore, is not as detailed as it could be. Every Bluetooth enabled device has some

characteristics that are either unique (Bluetooth device address), manufacturer specific

(the first part of the Bluetooth device address) or model-specific (service description

records). Blueprinting is combining the different information that Bluetooth-enabled

devices reveal in order to identify the manufacturer as well as the model of the device.

The firmware version that runs on certain devices can be derived based upon devices

different characteristics.

13.13.10 Bluetooth Device Address

As mentioned above the Bluetooth device address (BD ADDR) is unique and globally

refers to one single device. This BD ADDR address consists out of 48 bits (6 bytes) that

are usually notated like MAC addresses (e.g. MM:MM:MM:XX:XX:XX). The address is

programmed into the Bluetooth radio. The first three bytes of this address (the bytes that

are denoted by M’s above) refer to the manufacturer of the chipset. An actual list of all

these codes that refer to different manufacturers can be found in the OUI database hosted

by IEEE.

Unfortunately, it is not possible to tell anything about the device model by interpretation

of the remaining three bytes. These bytes (denoted by X’s above) are used randomly in

different models. Therefore, for identifying a manufacturer’s model, Blueprinting takes

the SDP profiles, which can be queried from devices that offer services, into account.

13.13.11 SDP Profiles

Service Description Protocol (SDP) profiles are a concept that is used by Bluetooth in

order to identify a certain service to other devices. This is done for auto configuration

purposes and to help a user setup a connection to the specific device. SDP Profiles are

served by the device’s sdp server and provide information on how to access the offered

profiles. Every SDP profile entry has some properties that can be used to identify the

device.

13.13.12 Blueprinting

Blueprinting uses specific information from SDP profiles of a device to create a hash for

the respective device. According to the standard, there is always a field that holds the

Service.

Table 13.13.12.1 OPUSH Profile from a Nokia 6310i

Service Name: OBEX Object Push

Service RecHandle: 0x1000c

Service Class ID List:"OBEX Object Push" (0x1105)

Protocol Descriptor List:"L2CAP" (0x0100)

"RFCOMM" (0x0003)Channel: 9"OBEX" (0x0008)

Language Base Attr List: code ISO639: 0x656e

encoding: 0x6a

base offset: 0x100

Profile Descriptor List:"OBEX Object Push" (0x1105)

Version: 0x0100

Record Handle, which is a 32 bit number that is assigned by the SDP server when a

service is registered during startup of the device (e.g. 0x1000c in table 1). In the case of

mobile phones, the Record Handles for the profile entries at the SDP server are not

dynamically assigned but statically coded in the phone’s firmware. The other value that is

taken into the hash is the RFCOMM channel or the L2CAP psm number that the service

can be accessed under. In the above profile, this would be RFCOMM channel 9. One part

of a device’s Blueprinting hash is the sum of the Rechanneled times the Channel for all

running services. The following example shows this by the example of a Nokia 6310i

SDP profile export.

13.13.12.1 RecHandle Channel Product

0x1000b 2 131094

0x1000c 9 589932

0x1000d 1 65549

0x1000e 15 983250

0x1000f 3 196653

0x10010 13 852176

0x10011 12 786636

3605290

13.13.12.2 Blueprinting Software

The Blueprint software is a proof-of-concept implementation of the herein described

Bluetooth fingerprinting technique. For simplicity, it was implemented in Perl and reads

the output of sdptool. Blueprint uses a simple text based database which contains

fingerprints and information about the associated device. The implementation also

combines the actual fingerprint with the manufacturer part of the BD ADDR to achieve a

higher matching rate.

version: V 5.22 15-11-02 NPL-1

date: n/a

type: mobile phone

note: vulnerable to Bluebug attack

13.14 RELATED WORK

13.14.1 Bluetooth Security Device Database

The Bluetooth Device Security Database was created after various security related bugs

where found on embedded Bluetooth devices. The btdsd projects goal is to collect

information on (default) security settings of Bluetooth enabled devices. The collection

shows that nearly all manufacturers have different default security settings and security

features implemented. The database was used in the evaluation of the Blueprinting

technique.

13.14.2 Future Work

The work described here is the basis for ongoing work in this area. The trifinite.group is

inviting everyone to contribute in all future efforts. Continued progress relies on

developing a more comprehensive set of SDP profiles, which can be sent via email. For

information on how to contribute, check the Bluetooth Device Security Database page .

13.14.3 Non-SDP Fingerprinting

Blueprinting, so far, only uses the Service Discovery Protocol (SDP) information for

identifying devices. In the future, data from higher and lower level protocols should be

used for identification as well. Examples could be: Link Manager (LM) commands (when

connecting to a specific service) or Obex behavior.

13.14.4 Conclusions

Blueprinting is a novel method for the identification of Bluetooth-enabled devices by

means of their radio interface and the Bluetooth stack of the operating system. The

information gathered so far about the SDP profiles demonstrates a decreasing diversity in

mobile phone operating systems; the prevalent usage of e.g. Symbian. The increasing

uniformity is evident from similar Blueprinting hashes even when the hardware and the

manufacturer of the products differ. In the future, current trends dictate the variety of

Blueprinting hashes will most likely decrease. The fact that many phones have the same

operating system could result in serious trouble once a security flaw is discovered for a

common operating system.

13.14.5 Blueprint Device Hashes

This section lists the hashes that have been collected so far. Some of the devices have

multiple entries. The explanation for this is that these devices have different firmware

versions that result in a different Blueprinting hash.

14. BLUETOOTH AND WINDOWS XP

Microsoft® has announced support for Bluetooth in the next release of Windows® XP as

follows:

Microsoft is creating native support in the Microsoft® Windows® operating system for

Bluetooth wireless technology. This support is entirely new and is not based on existing

software from other companies. The specific delivery vehicles are to be determined.

Microsoft supports the Bluetooth technology as a wireless bus, complementing USB and

IEEE 1394. The goal for Microsoft software support is to Windows work with several

types of devices that implement Bluetooth wireless technology, such as PC peripherals,

PC companions, and devices bridged to network resources through a PC.

Support for Bluetooth wireless technology is not in the first release of Windows XP,

because there is not a sufficient array of production-quality devices that conform to the

Bluetooth specification for Microsoft to test. However, Microsoft is actively developing

support for Bluetooth technology and will ship this support in a future release. Quality,

reliability and compatibility are principal ship goals for Windows XP, and Microsoft will

not compromise on the customer experience

15. FUTURE OF BLUETOOTH

Success of Bluetooth depends on how well it is integrated into consumer products

Consumers are more interested in applications than the technology

Bluetooth must be successfully integrated into consumer products

Must provide benefits for consumer

Must not destroy current product benefits

Key Success Factors

Interoperability

Mass Production at Low Cost

Ease of Use

End User Experience

16. SUMMARY

It can be said that the name Bluetooth refers not only to a technology, but also to a

standard and a specification. And few standards have taken off as Bluetooth has,

capturing the attention anddevelopment money of major corporations throughout the

world. If it can live up to its expectations and meet the needs of a global marketplace in

an easy-to-use, straightforward manner, it promises to become (like its eponymous King

Harald) a uniting force in the wireless communications world. This chapter helps you get

started with Bluetooth technology by covering the basics:

The origin of the Bluetooth name

An overview of the Bluetooth components

An introduction to the terminology of Bluetooth

A quick look at Bluetooth networking concepts

17. BIBLIOGRAPHY

1. Bluetooth SIG, http://www.bluetooth.com

2. Bluetooth specifications,

http://www.bluetooth.com/developer/specification/specification.asp

3. A good explanation of the seven-layer OSI Reference Model,

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm#xtocid13

0454

4. Bluetooth support in Windows XP,

http://www.microsoft.com/hwdev/tech/network/bluetooth/

5. Bluetooth Security Architecture white paper,

http://www.bluetooth.com/developer/whitepaper/whitepaper.asp

6. For more detail contact me SUNIL PANJETA 09466669662