WELCOME TO
WIRELESS AND MOBILE
NETWORK SECURITY
Part 6: Bluetooth Security
1. Introduction
2. Bluetooth technical specification
3. Bluetooth security
4. Conclusion
11/3/2021 503075 – Welcome 2
Introduction
✓ Bluetooth is a wireless communication technology intended to simplify short-range connections between devices.
✓ The technology can be used when several devices that were not designed to work together need to communicate.
✓ The specification of Bluetooth was developed by the “Bluetooth Special Interest Group” (SIG) trade association.
✓ The IEEE 802.15 working group for Wireless Personal Area Networks (WPANs) proposed the Bluetooth specification version 1.0.
✓ Bluetooth allows point-to-point and point-to-multipoint connections with minimal user intervention.
❖ The standards of WPAN technologies:
▪ IEEE 802.15.1
▪ IEEE 802.15.2
▪ IEEE 802.15.3
▪ IEEE 802.15.4
▪ IEEE 802.15.5
Bluetooth technical specification
❖ Organization of Bluetooth nodes in the network
❖ Protocol architecture in a Bluetooth node
❖ Radio physical layer
✓ This layer is responsible for the transmission and
reception of information on a physical channel. The
specification of this layer defines the physical
characteristics of the channel.
❖ Baseband
✓ The baseband is the architectural layer which manages
physical and logical channels. It also provides multiple
functions such as error correction, hop selection, flow
control, security and power control.
❖ Link controller
✓ The link controller defines how the piconet is created
and how devices can be added to and released from the
piconet.
❖ Bluetooth device addressing
✓ There are four types of addresses to identify a Bluetooth
device:
▪ BD_ADDR corresponds to “Bluetooth Device Address”.
▪ LT_ADDR means “Logical Transport Address”.
▪ PM_ADDR means “Parked Member Address”.
▪ AR_ADDR means “Access Request Address”.
❖ SCO and ACL logical transports
✓ Two logical transports, each with its own packet types:
▪ SCO (Synchronous Connection-Oriented) logical transport is a symmetric, synchronous connection-oriented link.
▪ ACL (Asynchronous Connection-Less) logical transport is an asynchronous connection-less link.
❖ Link Manager
✓ The Link Manager is used to set up and control links between two devices.
✓ The Link Manager also supports the security procedures
like authentication, pairing, link key management and
encryption.
✓ The pairing procedure is based on a PIN code in order
to restrict service access to only the allowed users.
❖ Host Control Interface layer
✓ The HCI layer provides a standard command interface to the Baseband controller and the Link Manager.
✓ This layer ensures the interoperability between different
implementations of higher layers and the Bluetooth
controller.
✓ There are three types of HCI messages: command
messages, event messages and data messages.
❖ L2CAP layer
✓ L2CAP stands for “Logical Link Control and
Adaptation Protocol”. It provides higher level protocol
multiplexing, packet segmentation and reassembly.
✓ There are three types of L2CAP channels:
▪ bidirectional signaling channels,
▪ point-to-point, bidirectional connection-oriented channels,
▪ point-to-multipoint, unidirectional connectionless channels.
❖ Service Level Protocol
✓ This layer is a set of protocols providing a service to
applications. The following protocols will be described:
SDP, RFCOMM, TCS, AT and OBEX.
❖ Bluetooth profiles
✓ Advanced Audio Distribution Profile (A2DP)
✓ Audio/Video Remote Control Profile (AVRCP)
✓ Basic Printing Profile (BPP)
✓ Cordless Telephony Profile (CTP)
✓ Dial-Up Networking Profile (DUNP)
✓ File Transfer Profile (FTP)
✓ Generic Object Exchange Profile (GOEP)
✓ Hands-Free Profile (HFP)
✓ Human Interface Device (HID) profile
✓ HeadSet Profile (HSP)
✓ InterCom Profile (ICP)
✓ Serial Port Profile (SPP)
✓ Video Distribution Profile (VDP)
Bluetooth security
▪ The easiest and best-known attack is to capture the radio signal and eavesdrop on the victim’s communication.
▪ Another type of attack consists of impersonating a trusted party in order to access the victim’s data.
▪ Each protocol defines its own security mechanisms for authentication and encryption.
▪ The different types of keys in Bluetooth:
✓ The link key is a 128-bit random number.
✓ The PIN code plays a major role in Bluetooth security.
▪ Security modes in Bluetooth:
▪ Security mode 1: non-secure
▪ Security mode 2: service level enforced security
▪ Security mode 3: link level enforced security
▪ Authentication and pairing
▪ Creation of the initialization key (Kinit)
▪ Creation of the link key (KAB)
▪ Mutual authentication
▪ Before the pairing procedure, a PIN code is set on the two
devices.
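The three steps above (Kinit from the PIN, the combination link key KAB, then challenge-response in both directions), as an added Python model that is not part of the course slides. HMAC-SHA256 truncated to 128 bits stands in for the specification's SAFER+-based E22/E21/E1 functions (an assumption), so the values are illustrative rather than spec-conformant; the device addresses and PINs are constructed.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256/128 stands in for the spec's SAFER+-based E22, E21 and E1.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def init_key(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Kinit: both sides derive it from the shared PIN, a BD_ADDR and IN_RAND.
    IN_RAND travels in the clear, so Kinit is only as strong as the PIN."""
    return prf(pin, bd_addr, in_rand)

def combination_key(kinit: bytes, my_addr: bytes, my_rand: bytes,
                    peer_addr: bytes, peer_masked_rand: bytes) -> bytes:
    """KAB: each device's LK_RAND is sent XORed with Kinit; the link key is
    the XOR of the two per-device keys, so both sides compute the same value."""
    peer_rand = xor(peer_masked_rand, kinit)
    return xor(prf(my_rand, my_addr), prf(peer_rand, peer_addr))

def sres(kab: bytes, claimant_addr: bytes, au_rand: bytes) -> bytes:
    """Signed response to the verifier's challenge AU_RAND (32 bits in the spec)."""
    return prf(kab, claimant_addr, au_rand)[:4]

def legacy_pairing(pin_a: bytes, pin_b: bytes, addr_a: bytes, addr_b: bytes,
                   rng=secrets.token_bytes):
    """Pairing then mutual authentication between devices A and B, each using
    the PIN entered on it. Returns (KAB seen by A, KAB seen by B, both_ok)."""
    in_rand = rng(16)                                  # A -> B, cleartext
    kinit_a = init_key(pin_a, addr_b, in_rand)
    kinit_b = init_key(pin_b, addr_b, in_rand)         # equal iff PINs match
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    masked_a = xor(lk_rand_a, kinit_a)                 # A -> B
    masked_b = xor(lk_rand_b, kinit_b)                 # B -> A
    kab_a = combination_key(kinit_a, addr_a, lk_rand_a, addr_b, masked_b)
    kab_b = combination_key(kinit_b, addr_b, lk_rand_b, addr_a, masked_a)
    # Mutual authentication: A challenges B, then B challenges A.
    au_rand_1 = rng(16)                                # A -> B
    b_ok = sres(kab_b, addr_b, au_rand_1) == sres(kab_a, addr_b, au_rand_1)
    au_rand_2 = rng(16)                                # B -> A
    a_ok = sres(kab_a, addr_a, au_rand_2) == sres(kab_b, addr_a, au_rand_2)
    return kab_a, kab_b, a_ok and b_ok

if __name__ == "__main__":
    a, b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    print("matching PINs  ->", legacy_pairing(b"1234", b"1234", a, b)[2])
    print("different PINs ->", legacy_pairing(b"1234", b"1235", a, b)[2])
```

With matching PINs both devices end up holding the same KAB and both challenges succeed; with different PINs the masked LK_RAND values are unmasked with the wrong Kinit, the link keys diverge and authentication fails, which is how the PIN restricts access to allowed users.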
▪ Bluetooth encryption
▪ In Bluetooth, the transmitted data are encrypted with the E0 algorithm, a stream cipher that protects the communication. E0 generates a pseudorandom sequence (the keystream) which is combined with the data through the XOR operator; the result is the ciphered message. E0 accepts a cipher key of variable length; in general, the key length is 128 bits.
▪ Attacks
✓ Attacks on the pairing [4]
✓ Cryptanalytic attacks
✓ Attacks on the Bluetooth stack [8]
✓ Bluetooth snarfing [8]
✓ Bluejacking [9]
✓ Bluebugging [10]
✓ Bluetooth wardriving [11]
Conclusion
• Bluetooth is a comparatively recent technology, and more and more devices support it. It allows short-range wireless communication (up to 100 meters) between many devices. The goal of Bluetooth is to specify an integrated circuit that can be mass-produced, installed in a multitude of types of equipment, and sold at very low cost.
Q&A