
Analyzing Bluetooth

Posted on 08/01/2016, by INCIBE

The adoption of wireless communication devices for industrial purposes usually happens gradually. In this process, some initial requirements are adopted, including the creation of isolated environments within the production system (after testing in development and test environments), in order to verify the correct operation of the devices to be used and to avoid potential plant shutdowns caused by the side effects of rolling out a new technology.

Origins

Bluetooth technology began to be developed in 1994 by Ericsson as an alternative to cables. To establish communication it uses frequency-hopping spread spectrum (FHSS) modulation with 79 frequencies, which makes it one of the wireless technologies least affected by noise and interference, thanks to the way it uses those frequencies. Moreover, this modulation makes its transmissions difficult to intercept, since the emission frequency hops continuously in an order known only to the transmitter and the receiver.

Bluetooth technology, which is in reality a set of protocols, is governed by the IEEE 802.15.1 standard, and its latest version, Bluetooth 4, has two specifications.

  • Classic Bluetooth: This is a specific technology for devices with a high demand for small transistors. All of the old Bluetooth specifications are grouped in this category.
  • Bluetooth Low Energy (BLE): This technology is ideal for applications that require the communication of small quantities of data on an occasional or periodic basis.

To establish Bluetooth communication, hardware specific to this protocol is required, comprising a baseband module, a radio module and an antenna. The aim of the Bluetooth specification is for all applications to be capable of operating with each other. To achieve this interoperability, applications on remote devices must run on an identical protocol stack.

Bluetooth technology

The Bluetooth protocol stack includes Bluetooth-specific protocols, such as the Link Manager Protocol (LMP) and the Logical Link Control and Adaptation Protocol (L2CAP), along with non-specific protocols like the Object Exchange Protocol (OBEX) and the User Datagram Protocol (UDP). Apart from all of these protocols, the Bluetooth specification defines the Host Controller Interface (HCI), which provides a command interface to the baseband controller and the link manager, and gives access to hardware status and control registers.

- Structure of the communications stack in various types of Bluetooth -

Generically, some of the technical characteristics of Bluetooth include:

  • Communication distance of up to 1 km (in a straight line with no obstacles).
  • Operation in the licence-free 2.4 GHz band.
  • High-reliability transmission through redundant transmission channels.
  • Low latency (5-10 ms).
  • Capacity to function in environments with large numbers of devices, thanks to frequency hopping.

Looking at each specification separately, the following characteristics can be highlighted:

Classic Bluetooth

  • Rapid and cyclical transmission of small quantities of data.
  • Transmission of up to 780 kbps.
  • Large numbers of devices operating in the same radio environment without interference.
  • High availability of consumer products.


Low Energy Bluetooth

  • Large number of communication nodes with low latency requirements.
  • Very low energy consumption.
  • Level of robustness similar to the Classic Bluetooth specification.
  • Good real-time characteristics, provided the number of connected nodes is not too high.
  • Very short wake-up and reconnection times.


Security aspects

The security features incorporated into Bluetooth are similar to those of other wireless protocols used in industry, such as ZigBee or WirelessHART, notably:

  • 128-bit encryption
  • Authentication
  • Medium robustness, due to:
    • Adaptive Frequency Hopping (AFH), which includes:
      • Forward error correction (FEC), which allows the receiver to correct transmission errors without requesting a retransmission.
      • Channels with wide frequency bandwidth
      • Low sensitivity to reflections and multipath propagation
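To make concrete what "correcting errors without a retransmission" means, here is a small implementation of a (15,10) shortened Hamming code, the kind of code Bluetooth uses for its 2/3-rate FEC, with generator polynomial g(D) = (D + 1)(D^4 + D + 1). This is an added example, not code from INCIBE's article; the polynomial is quoted from the Bluetooth core specification from memory and should be verified against your copy.

```python
# Added example (not INCIBE's code): a (15,10) shortened Hamming code of the kind
# Bluetooth's 2/3-rate FEC uses, generator polynomial g(D) = (D + 1)(D^4 + D + 1)
# = D^5 + D^4 + D^2 + 1 (quoted from the Bluetooth core specification from memory;
# verify against your copy). Polynomials over GF(2) are represented as Python
# ints, with bit i holding the coefficient of D^i.

G = 0b110101          # D^5 + D^4 + D^2 + 1
N, K = 15, 10         # codeword length, message length
PARITY_BITS = N - K   # degree of g(D)


def poly_mod(a: int, g: int) -> int:
    """Remainder of a(D) divided by g(D) over GF(2): long division done with XOR."""
    deg_g = g.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_g:
        a ^= g << (a.bit_length() - 1 - deg_g)
    return a


def fec_encode(message: int) -> int:
    """Systematic encoding: 10 message bits in the high positions, 5 parity bits below."""
    if not 0 <= message < (1 << K):
        raise ValueError("message must fit in 10 bits")
    shifted = message << PARITY_BITS
    return shifted | poly_mod(shifted, G)


# Syndrome table: the remainder produced by a single flipped bit at each of the
# 15 positions. g(D) divides D^15 + 1, so the 15 syndromes are all distinct.
SYNDROME_TO_BIT = {poly_mod(1 << i, G): i for i in range(N)}


def fec_decode(word: int):
    """Return (message, status): 0 = clean, 1 = one bit corrected,
    2 = uncorrectable error detected (message is None, retransmission needed).

    Because (D + 1) divides g(D), a syndrome always has the same parity as the
    error pattern: single errors give odd-weight syndromes and double errors
    even-weight ones, so a double error is never "corrected" into the wrong word."""
    syndrome = poly_mod(word, G)
    if syndrome == 0:
        return word >> PARITY_BITS, 0
    position = SYNDROME_TO_BIT.get(syndrome)
    if position is None:
        return None, 2
    return (word ^ (1 << position)) >> PARITY_BITS, 1


if __name__ == "__main__":
    msg = 0b1011001110
    cw = fec_encode(msg)
    print(f"codeword      {cw:015b}")
    print("one-bit error ->", fec_decode(cw ^ (1 << 6)))      # recovered, status 1
    print("two-bit error ->", fec_decode(cw ^ (1 << 1) ^ (1 << 12)))  # (None, 2)
```

The receiver corrects any single flipped bit in the 15-bit word on its own; a double flip is detected but not corrected, which is exactly the case where a retransmission is still needed.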

These security features can be applied under three operation modes:

No security: all security mechanisms (authentication and encryption) are turned off. Devices allow all other devices to connect with them.

Service level security: security is initialized after establishing a channel between the LM (Link Manager) level and the L2CAP level. Security policies and trust levels are applied independently, allowing access for applications with different requirements.

Link level security: all routines are within the Bluetooth chip and nothing is transmitted at that level. Security is initialized before establishing a channel and all communications are encrypted. In addition to encrypting communication, it uses a secret Link Key (PIN) shared between the two communicating devices and security at the MAC level. This methodology consists of sharing the secret Link Key between a pair of devices the first time they communicate.

- Establishment of Bluetooth security -

Use in Industrial Control Systems

The use of Bluetooth technology in industrial control systems focuses on the exchange of data both at a low level (Bluetooth Controller) and at a high level (Host Controller).

- Bluetooth Communication Scheme -

Classic Bluetooth is oriented towards integration in automation devices on serial and field networks, whereas Bluetooth Low Energy is designed for sensors, actuators or small devices that require very low power consumption.

- Industrial Network with Bluetooth Communications -

Security Problems

The security of Bluetooth technology is not immune to problems; there are several documented weaknesses in its security capabilities:

  • It allows the use of short PIN codes, from 1 to 16 bytes (8-128 bits).
  • There is no sufficiently robust defined method to generate and distribute the PIN. Its distribution in a network with many elements is often difficult.
  • The length of the encryption key is negotiable, allowing the use of different sizes, including those shorter than 128 bits.
  • In link level security mode, the master key is shared, which is why it is necessary to develop a reliable and secure scheme for transmitting keys.
  • There is no user authentication; only device authentication is implemented.
  • There is no limit to the number of authentication attempts, nor is the device blocked after a certain number of failed attempts.
  • Authentication is based on challenge-response using hashes. As designed, the scheme is vulnerable to man-in-the-middle (MITM) attacks.
  • It has not been demonstrated that the pseudorandom number generator used in the challenge-response procedure is cryptographically secure, as it may periodically produce static numbers or repetitions.
  • Security services are limited: non-repudiation, logging services, etc. are not implemented.
  • Weaknesses of the encryption system in Bluetooth specifications prior to 4.2 (which, according to its specification, follows the FIPS standard, guaranteeing a degree of privacy regarding the tracking of devices and the data sent):
    • Encryption is optional.
    • The algorithms used in the block cipher are weak and allow short keys.
    • The clock signal used in the block cipher is only partially used, which allows man-in-the-middle attacks.
    • Encrypted data may be manipulated depending on which part of the message is known. Among the most easily manipulated data are IP headers.
  • Compatibility with previous Bluetooth specifications implies the use of insecure services and protocols at levels that are already obsolete.
  • Devices that use Bluetooth technology usually have hidden services running with maximum privileges, in addition to back doors.

Measuring and Mitigating Risk

The use of Bluetooth in the industrial sector is not particularly extensive. However, any industry that implements a Bluetooth solution in its communications must apply security measures that ensure safe use and prevent possible attacks. To that end, the following recommendations may be taken into account:

  1. Implement a security policy that covers Bluetooth communications, detailing and documenting best practice for the use of this technology. Inform users of the precautions and obligations that apply when using the devices.
  2. Review the Bluetooth devices in use to ensure that their security features are correctly configured and not left at default settings.
  3. Select the operating mode with the lowest possible power consumption that is compatible with the requirements of the infrastructure.
  4. Conceal the presence of devices except when required for pairing.
  5. Minimize pairing processes to prevent interception of the PIN.
  6. Do not respond to unsolicited PIN requests.
  7. Always force encryption of communications where possible, using the link level security operation mode.
  8. Use the longest possible encryption keys (128 bits).
  9. Require mutual authentication to establish communications.
  10. Disable Bluetooth capabilities on devices that do not need them.
  11. Lock the profile and/or configuration of devices to prevent manipulation.
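As an added example that is not part of INCIBE's article, the following Python script checks a Linux host running BlueZ against recommendations 4, 5/6 and 8: it parses the output of `bluetoothctl show` and the settings in /etc/bluetooth/main.conf and reports each recommendation the current configuration violates. The two sample inputs are constructed, not captured from a real device. DiscoverableTimeout and PairableTimeout are documented main.conf keys; MinEncKeySize is assumed to exist in the installed BlueZ version, and that check is marked as an assumption in the code.

```python
# Added example (not INCIBE's code): audit a BlueZ host against recommendations
# 4, 5/6 and 8 above, using `bluetoothctl show` output and /etc/bluetooth/main.conf.
# Both inputs below are constructed samples, not captures from a real device.
import configparser
from typing import Dict, List

SAMPLE_SHOW_WEAK = """Controller 00:11:22:33:44:55 (public)
\tName: plc-gateway
\tAlias: plc-gateway
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tDiscovering: no
"""

SAMPLE_CONF_WEAK = """[General]
DiscoverableTimeout = 0
PairableTimeout = 0
MinEncKeySize = 7
"""

SAMPLE_SHOW_HARDENED = """Controller 00:11:22:33:44:55 (public)
\tName: plc-gateway
\tPowered: yes
\tDiscoverable: no
\tDiscoverableTimeout: 0x000000b4
\tPairable: no
\tDiscovering: no
"""

SAMPLE_CONF_HARDENED = """[General]
DiscoverableTimeout = 180
PairableTimeout = 60
MinEncKeySize = 16
"""


def parse_show(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of `bluetoothctl show` into a dict."""
    props = {}
    for line in text.splitlines()[1:]:          # skip the 'Controller ...' header
        key, sep, value = line.strip().partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_main_conf(text: str) -> Dict[str, str]:
    """Flatten main.conf into {key: value}, keeping the original key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                        # do not lower-case option names
    cp.read_string(text)
    return {k: v for section in cp.sections() for k, v in cp.items(section)}


def audit(show: Dict[str, str], conf: Dict[str, str]) -> List[str]:
    """Return one finding per recommendation the host currently violates."""
    findings = []
    if show.get("Discoverable") == "yes":
        timeout = int(show.get("DiscoverableTimeout", "0x0"), 16)   # bluetoothctl prints hex
        if timeout == 0:
            findings.append("rec. 4: controller is discoverable with no timeout; its presence is never concealed")
        else:
            findings.append(f"rec. 4: controller is discoverable (turns off after {timeout}s); acceptable only while pairing")
    # BlueZ default is 180 s; 0 disables the timer, i.e. discoverable forever once enabled
    if conf.get("DiscoverableTimeout", "180") == "0":
        findings.append("rec. 4: main.conf DiscoverableTimeout = 0 makes discoverability permanent whenever it is enabled")
    # PairableTimeout defaults to 0 (no timer): pairing stays open indefinitely
    if show.get("Pairable") == "yes" and conf.get("PairableTimeout", "0") == "0":
        findings.append("rec. 5/6: controller accepts pairing indefinitely; limit pairing to explicit windows")
    # MinEncKeySize is assumed to exist in the installed BlueZ (check its shipped main.conf);
    # 0 means 'accept any negotiated size', 16 bytes enforces 128-bit keys
    min_key = int(conf.get("MinEncKeySize", "0"))
    if min_key < 16:
        findings.append(f"rec. 8: MinEncKeySize = {min_key} accepts negotiated link keys shorter than 128 bits")
    return findings


if __name__ == "__main__":
    for label, show, conf in (("weak", SAMPLE_SHOW_WEAK, SAMPLE_CONF_WEAK),
                              ("hardened", SAMPLE_SHOW_HARDENED, SAMPLE_CONF_HARDENED)):
        print(f"[{label}]")
        for finding in audit(parse_show(show), parse_main_conf(conf)) or ["no findings"]:
            print("  -", finding)
```

On a real host, replace the constructed samples with the output of `bluetoothctl show` and the contents of /etc/bluetooth/main.conf; the weak sample produces four findings and the hardened one none.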