The DHS 4300A series manual, released by the U.S. Department of Homeland Security, guides the secure use of wireless technologies in sensitive systems. The manual includes usage specifications for various wireless technologies such as RFID and Bluetooth. Below, we analyze the manual's guidance requirements for Bluetooth technology. DHS 4300A-Q6 (Bluetooth Security) was released on December 15, 2014; its main purpose is to establish a minimum security baseline for the installation, configuration, use, and management of Bluetooth-enabled devices.

Figure 1 DHS 4300A Sensitive Systems Manual
Introduction to Bluetooth Technology
Bluetooth is an open wireless standard used for exchanging voice or data between devices over short distances without interconnecting cables. Its effective range varies with propagation conditions, material cover, antenna configuration, battery status, and so on, but for most Bluetooth devices it is 10 m or less. The technology has been integrated into many types of devices, including mobile phones, laptops, printers, keyboards, mice, and headsets, and is mainly used to establish ad hoc Wireless Personal Area Networks (WPANs) between devices, as shown in Figure 2. Bluetooth versions 1.1 and 1.2 support a maximum transmission speed of only 1 Mbps, known as Basic Rate (BR), which yields approximately 720 kbps of payload throughput. The Enhanced Data Rate (EDR) introduced in version 2.0 specifies data rates of up to 3 Mbps and approximately 2.1 Mbps of throughput.

Figure 2 Ad hoc Bluetooth Network
The document provides examples of how Bluetooth technology can enhance the ability of departmental personnel to perform tasks and meet business needs:
● Bluetooth keyboard for tablets in office environments;
● Bluetooth headsets for office personnel;
● Bluetooth PIV card readers;
● Hands-free mobile phones used in vehicles;
● Data transmission between checkpoint basic units and mobile devices;
● Collecting fingerprints of suspects or persons of interest encountered on-site during law enforcement or investigation.
From the above, it is evident that the demand for Bluetooth technology is urgent, and it offers significant usability advantages over wired devices and peripherals.
Bluetooth Technology Security Issues
However, like any wireless technology, Bluetooth communication is susceptible to various threats. The technology has been implemented using a wide variety of chipsets, operating systems, and physical device configurations, leading to a multitude of different security programming interfaces and default settings. These complexities add to the vulnerabilities in wireless communications, making Bluetooth susceptible to general wireless threats as well as its own inherent vulnerabilities. Common attacks include:
● Bluebugging: An attacker takes control of a phone, making calls, eavesdropping on conversations, and reading contacts and calendars;
● Bluejacking: Sending anonymous, unsolicited messages to a Bluetooth-enabled phone and making it invisible;
● Blueprinting: Remotely collecting Bluetooth device fingerprints;
● BlueSmack: Executing denial-of-service attacks via Bluetooth connections, rendering devices unusable;
● Bluesnarfing: Giving an attacker complete access to calendars, contacts, emails, and text messages;
● BlueStumbling: Allowing attackers to locate and identify users based on Bluetooth device addresses.
Bluetooth specifications include four security modes, each providing different methods and levels of protection.

Security Mode 1
Devices using Security Mode 1 are considered insecure. In this mode, security features (authentication and encryption) are never activated, leaving devices and connections vulnerable to attack. In fact, Bluetooth devices in this mode are indiscriminate: they employ no mechanism to prevent other Bluetooth devices from establishing connections. If a remote device initiates a pairing, authentication, or encryption request, a Security Mode 1 device accepts it without any authentication. Because of this high vulnerability, the document states that DHS must not use Security Mode 1.

Security Mode 2
Security Mode 2 is a service-level enforced security mode: security procedures can be initiated after link establishment but before logical channel establishment. In this mode, the local security manager controls access to specific services. Access control, and the interfaces with other protocols and with device users, are maintained by a separate centralized security manager. This allows different security policies and trust levels to be defined for applications with varying security needs, so that access to certain services can be granted while access to other services is withheld. This mode introduces the concept of authorization (i.e., the process of deciding whether a specific device is allowed to access a certain service).

Security Mode 3
Security Mode 3 provides the best security. It is a link-level enforced security mode in which Bluetooth devices initiate security procedures before the link is fully established. Bluetooth devices operating in Security Mode 3 require authentication and encryption for all of the device's connections. Consequently, service discovery cannot occur until authentication, encryption, and authorization have been performed. Once a device is authenticated, Security Mode 3 devices typically do not enforce service-level authorization. Service-level authorization should nevertheless be enforced to prevent "authentication abuse", i.e., an authenticated remote device using Bluetooth services without the local device owner's knowledge.

Security Mode 4
Security Mode 4 uses Secure Simple Pairing (SSP), in which Elliptic Curve Diffie-Hellman (ECDH) key agreement replaces the older key-agreement methods for link key generation.
Guidelines for Enhancing Bluetooth Security
To enhance the security of Bluetooth technology as far as possible, the document provides guidance from the management, technical, and operational deployment perspectives.

Best Practices in Management
● Ensure Bluetooth users are aware of security-related responsibilities associated with Bluetooth usage and provide a range of preventive measures to better protect handheld Bluetooth devices from theft;
● Enable Bluetooth only when necessary (e.g., turn off Bluetooth on mobile devices and disable headsets when not in use);
● Minimize the distance between Bluetooth-connected devices while the Bluetooth link is active;
● Minimize the duration of voice calls;
● Reduce the opportunity for signal interception by maximizing the distance from other Bluetooth devices, other people, and untrusted areas;
● When pairing, mobile devices attempt to find other Bluetooth-enabled devices. Always verify and confirm the devices being paired, and do not enter a PIN or passkey in response to an unexpected prompt;
● Remove lost, stolen, or unused devices from the paired device list;
● Regularly conduct comprehensive security assessments to fully understand Bluetooth security status;
● Ensure a thorough understanding from an architectural perspective of the wireless devices and networks involving Bluetooth technology, and maintain corresponding records;
● Maintain a complete list of all Bluetooth devices and addresses;
● Individuals should keep track of developments in Bluetooth security products and standards as well as technological threats and vulnerabilities.

Best Practices in Technology
● Change the default settings of Bluetooth devices;
● Set Bluetooth power to the lowest available to minimize signal range. The minimum Bluetooth power used should be sufficient to maintain communication between authorized users;
● Choose a sufficiently long, random, and private PIN code, avoiding static and weak PINs (e.g., all zeros);
● Ensure the link key is not based on a unit key. Using a shared unit key may lead to successful spoofing, man-in-the-middle attacks (MITM), and eavesdropping attacks;
● Use random and unique keys for each set of paired devices that uses the Passkey Entry association model. If a static key is reused across multiple sets of paired devices, the MITM protection provided by the Passkey Entry association model is reduced;
● Lock down the Bluetooth stack on each device so that only necessary and approved profiles and services are available, disabling unnecessary and unapproved services;
● Set Bluetooth devices to non-discoverable by default and keep them non-discoverable unless pairing is required. Change the default Bluetooth device name sent during discovery to a non-identifying value;
● Enable encryption on all Bluetooth connections so that all data transmitted over them is protected; otherwise, transmitted data may be eavesdropped;
● If using multi-hop wireless communication, ensure encryption is enabled on every link in the communication chain. An insecure link will affect the entire communication chain;
● Ensure mutual device authentication is performed on all connections;
● Configure the encryption key size to the maximum allowable (128-bit). Using the maximum allowed key size helps prevent brute force attacks.

Best Practices in Operations and Deployment
● Ensure Bluetooth functionality is disabled when not in use. Bluetooth functionality should be disabled on all devices unless the user explicitly enables Bluetooth to establish a connection. This can minimize potential malicious activities. For devices that do not support disabling Bluetooth (e.g., headsets), the entire device should be turned off when not in use;
● Pair as infrequently as possible, and ideally only in secure areas where attackers cannot physically observe passkey entry or intercept Bluetooth pairing messages. Users should not respond to any PIN request unless they initiated the pairing and are certain that one of their own devices sent the request. Pairing is a critical security function, and users must keep basic security awareness of potential eavesdropping while performing it;
● Basic Rate/Enhanced Data Rate (BR/EDR) service-level security modes (i.e., Security Mode 2 or 4) should only be used in controlled and well-known environments. Security Mode 3 provides the best security;
● Ensure portable devices with Bluetooth interfaces are configured with passwords or enabled access PINs. This helps prevent unauthorized access if the device is lost or stolen;
● If a Bluetooth device is lost or stolen, the user should immediately remove the lost device from the paired device lists of all other Bluetooth devices;
● Install antivirus software on hosts with Bluetooth enabled that support host-based security software;
● Conduct comprehensive testing and regularly deploy Bluetooth software and firmware patches and upgrades;
● Do not accept any transmissions from unknown or suspicious devices. These types of transmissions typically include messages, files, and images;
● Fully understand the implications of deploying any security features or products before deployment.
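As an added illustration (not part of the document or of the DHS guidance), the following Python audits a Linux host's Bluetooth controller against the practices listed above: non-discoverable and non-pairable except when pairing, a non-identifying device name, and Bluetooth powered off when not needed. It assumes the `bluetoothctl show` output layout of BlueZ; the two samples, the device names and the list of identifying tokens are constructed.

```python
import re

# Constructed sample in the layout of `bluetoothctl show` (BlueZ); the layout is an assumption.
WEAK_SHOW = """Controller 00:11:22:33:44:55 (public)
\tName: alice-dhs-laptop
\tAlias: alice-dhs-laptop
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x000000b4
\tPairable: yes
\tUUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
"""
# The same controller after applying the guidance: non-identifying name, not discoverable, not pairable.
HARDENED_SHOW = (WEAK_SHOW.replace("alice-dhs-laptop", "dev-7f3a")
                 .replace("Discoverable: yes", "Discoverable: no")
                 .replace("Pairable: yes", "Pairable: no"))


def parse_show(text):
    """Turn `bluetoothctl show` output into a dict of settings plus the controller address."""
    info = {}
    m = re.match(r"Controller\s+([0-9A-Fa-f:]{17})", text)
    if m:
        info["address"] = m.group(1)  # useful for the device/address inventory the guidance asks for
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("Controller", "UUID")) or ":" not in line:
            continue  # address handled above; service UUIDs are not settings
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def audit(info, bluetooth_needed=True, identifying_tokens=("alice", "dhs")):
    """Compare parsed settings with the guidance; return a list of (setting, issue) findings."""
    findings = []
    if info.get("Powered") == "yes" and not bluetooth_needed:
        findings.append(("Powered", "Bluetooth is on but not needed; disable it"))
    if info.get("Discoverable") == "yes":
        findings.append(("Discoverable", "controller is discoverable; stay non-discoverable except while pairing"))
    if info.get("Pairable") == "yes":
        findings.append(("Pairable", "controller accepts pairing requests; enable pairing only for a pairing session"))
    name = info.get("Name", "")
    if any(tok in name.lower() for tok in identifying_tokens):  # identifying tokens are a constructed list
        findings.append(("Name", f"device name {name!r} identifies owner or organisation; use a non-identifying value"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SHOW), ("hardened", HARDENED_SHOW)):
        print(label, audit(parse_show(text)) or "no deviations")
```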
Conclusion
Wireless communication technologies facilitate various aspects of life and work, but they also introduce more security risks. It is extremely important to use wireless communication technologies legally and reasonably within a regulatory security framework. This article, based on the DHS 4300A series manual, provides guidance for the use of Bluetooth technology in sensitive systems, safeguarding the development of Bluetooth technology.
Editor: Gao Qi

The Science and Technology Branch of the China Confidentiality Association