Bluetooth Digital Free Love
By Niall McKay, Tue Aug 13 00:00:00 GMT 2002

It might be the age of paranoia but digital devices using Bluetooth are about to enter the age of free love. But will it be safe?


We are entering the age of digital free love when computing devices will be able to talk, transfer files and even run applications and services on each other. The glue that will tie all this networked bliss together is Bluetooth - a short-range wireless technology originally designed for consumer electronics devices such as TVs, home stereo systems and telephone headsets. With Bluetooth, the idea goes, one can eliminate all those troublesome wires in the home.

However, the proliferation of digital devices such as cameras, PDAs, MP3 music players, laptop computers and photo-printers in both the home and office means that the technology may be used in environments for which it was not really designed. Indeed, it seems that many digerati, having got a taste for wireless from 802.11 and advanced cellular networks, want to banish copper wire forever. Except for power. So Bluetooth, like many technologies before it, is being pitched as the cure-all for the digital ills of the world.

Of course, like free love (and cure-alls, for that matter), all this wireless promiscuity is a great fantasy but often a problematic reality. At issue is the difficulty of getting these devices to work smoothly and securely together. Anybody who has tried to enable WEP on a home or office 802.11 network will know what I am talking about. Also, like free love, getting two devices together is called coupling or pairing or bonding. Frankly, if the coupling becomes too difficult to do securely, then it’s likely that the parties will throw caution to the wind and take risks.

“The initial set-up is the main weakness with the technology,” says Mike Sullivan, VP of Business Development for Bluesoft Inc., a Bluetooth security vendor. “If you have to start messing with it then you’re probably going to give up and just use it in un-secure mode.”

But who cares? Surely, Bluetooth has yet to make its way into the mainstream market. Right? Wrong. Despite the technology’s apparently slow start, it is beginning to make some progress.

Coming of Age

In fact, the research firm IDC recently reported that Bluetooth will come of age next year and that revenue will grow from $76.6 million in 2001 to $2.6 billion in 2006. The Gartner Group is even more bullish, predicting that by 2004 forty percent of all electronic trading will be done using hand-held terminals and that Bluetooth will be one of the key enabling technologies.

Indeed, it’s difficult to find a technology vendor who is not building Bluetooth support into their product line. Already Sony is providing Bluetooth in laptops, phones, and video cameras in the Japanese market. Cell-phone manufacturers have started shipping wireless headsets that connect to a phone or PDA in your pocket or bag over Bluetooth, and Apple Computer is making Bluetooth an integral part of its iPod music player, so when the user enters their home it will do the equivalent of shouting "hi honey I'm home" and connect to the speakers and synchronize with your PC.

Furthermore, Bluetooth is being touted as one of the key technologies used in telematics, or in-car computer control systems. Later this year Chrysler will release its UConnect Bluetooth hands-free car kit, and healthcare technology provider CodeBlue Communications is building Bluetooth-based hospital patient data-management applications, patient life data monitors, and telemedicine emergency devices.

So what’s the problem? Well, the technical specification has few security weaknesses, according to Ollie Whitehouse, Director of Security Architecture at the security consultancy @Stake. Although @Stake did find one. With Bluetooth the user is able to choose whether other Bluetooth device holders can see their device. However, Whitehouse was able to override this function with a brute-force attack.

“Apart from that it’s pretty secure,” says Whitehouse. “But the problem is not with the specification but with application vendors’ implementation of the specification.”

Patrick Connolly, CTO of Rococo Software, a company that provides tools for building Bluetooth applications, agrees. “The problem is that the Bluetooth Special Interest Group (the organization that developed the specification) does not define the Application Programming Interface (as with Sun and Java), it just defines the protocol stack.” While this is a deliberate move because it makes certain aspects of programming easier, it also makes it easier for application developers and hardware providers to make errors.

Whitehouse, for example, discovered a number of security flaws (mostly insignificant and now fixed) with Red-M's Bluetooth wireless access point. One flaw, for example, allowed insiders to create a backdoor into the product.

While it’s likely that those darling hackers (good or bad) will discover a number of flaws with Bluetooth, it’s safe to say that the Bluetooth SIG have certainly taken a lot more trouble to secure the technology than their WiFi or 802.11 colleagues.

Basically, there are three levels of security.

None. Your device is a rake and will talk to anyone in the vicinity.

Secure. Or service-level enforced. Where your device does not initiate security before a channel is opened between the two devices.

Very secure. Where a connection will not be made until both device users have been identified.

Then there are trusted devices such as your own PDA and laptop computer and untrusted devices such as the cash register in a bar in the shady part of town.

Most Bluetooth users will be using the second, secure mode. So, to initiate a secure session you first have to find a quiet spot, in much the same way you would if you wanted to have a private conversation with a friend or colleague. That way you can be sure that nobody is overhearing your digital conversation. Once you find a quiet spot, the devices go through three stages.

Bonding, where the devices create a shared link encryption key; authentication, where each user taps in their personal identification number; and encryption, where the device information is coded so that even if there is an eavesdropper in the vicinity they could not understand the conversation. Furthermore, the channel jumps around the allocated spectrum, which makes it more secure.

Most of the weaknesses will stem from the usability of the model. First of all, if the technology industry is anything to go by, each vendor will come out with some added security features, thus rendering a secure mode between two different vendors’ products impossible. I, for example, could not connect my Sony phone with a Nokia device because of different implementations of the same standard.

Secondly, chances are that all the tapping in of PINs will be bothersome to many users. Thirdly, each device will have a unique address, but say you attend a communications conference and the world’s top 1,000 software geniuses are there. How many “Mr. Sing’s Nokia” devices will you find? Furthermore, the chances are that a lot of people will use really stupid PINs such as 1234 or Bill Gates is a …

That is why BlueSoft Inc., a Silicon Valley vendor, produced its own Bluetooth security technology. The product uses the Diffie-Hellman public key encryption mechanism so that each user can be identified.

“That way the security relies on what I have (device), what I know (my public key encryption password), and who I am (because the public key is held by a certificate authority).”

However, according to a report published by Juha T. Vainio of the Department of Computer Science and Engineering, Helsinki University of Technology, Bluetooth is not quite ready for prime time. “It seems that the security of Bluetooth is still inadequate for any serious, security sensitive work. After the basic problems have been corrected, the more sophisticated security methods may be implemented on the upper levels. The security specification only considers simple issues and the more functional security has to be built above it. The secure routing protocols for larger ad hoc networks must also be implemented separately.”

Indeed, many believe that in order to make Bluetooth really secure for, say, banking applications, some sort of biometric verification will need to be added at the application layer.

Seamus McAteer, principal analyst with the Zelos Group, says that security is less of a concern if you are simply sharing music and photos with your buddies. “But you don't want your car to be hacked,” he says. “That’s a Spielberg movie waiting to happen.”

Niall McKay is a freelance journalist based in Silicon Valley. He can be reached at www.niall.org.