NIST issues guide to fixing the holes in Bluetooth
- By William Jackson
- Jun 13, 2012
The National Institute of Standards and Technology has released updated recommendations for securing Bluetooth-enabled devices, addressing vulnerabilities and capabilities in the latest versions of the wireless personal area network technology.
Guide to Bluetooth Security, Special Publication 800-121 Rev. 1, updates the original guidelines published in 2008.
“Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as denial-of-service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation,” the document says. “They are also threatened by more specific Bluetooth-related attacks that target known vulnerabilities in Bluetooth implementations and specifications.”
Flame's unique trick: Using Bluetooth to spy on victims
A high-profile exploit of Bluetooth occurred with the recently identified W32.Flamer malware, which apparently is the first malware to use Bluetooth to spy on victims, researchers have said. The NIST guidance does not address Flamer specifically, but does recommend that antivirus software be used to block known malware from Bluetooth enabled devices.
The new NIST guidance addresses the latest vulnerability mitigation information for Secure Simple Pairing, introduced in Bluetooth v2.1 + Enhanced Data Rate (EDR), as well as an introduction to Bluetooth v3.0 + High Speed and Bluetooth v4.0 security features and recommendations. Version 3.0 provides a higher data rate than previous versions of Bluetooth, and v4.0 is optimized for smaller, resource-constrained devices such as heart-rate monitors and other wearable medical sensors.
Bluetooth is an open standards protocol for short-range, personal area wireless networking commonly used to connect peripherals with desktop or handheld computing devices. It allows users to form ad hoc voice and data networks between a wide variety of devices and operates in the same band as some 802.11 WiFi versions.
It uses frequency-hopping spread spectrum technology and plus power controls to limit the effective range of a device and provide limited security from eavesdropping. But hopping sequences can be easily determined with free open-source software.
The growing use of personal mobile devices and the introduction of new applications, such as links in on-board automobile systems, have resulted in a growing use of Bluetooth with a number of new versions and features.
At the time of the current version of the guidance, Bluetooth versions 1.2, adopted in 2003, and 2.0 + Enhanced Data Rate, adopted in 2004, were the most prevalent versions in use. Version 2.1 + EDR was adopted in 2007 and is becoming the standard. NIST says it provides significant security improvements for establishing cryptographic keys by using Secure Simple Pairing.
The Bluetooth standard also specifies three basic security services:
- Authentication: Verifying the identity of communicating devices based on their Bluetooth device address. Bluetooth does not provide native user authentication.
- Confidentiality: Protecting information from eavesdropping by ensuring that only authorized devices can access and view transmitted data.
- Authorization: Allowing the control of resources by ensuring that a device is authorized to use a service before permitting it to do so.
To improve Bluetooth security, NIST recommends:
Use the strongest Bluetooth security mode available. The available modes vary based on the Bluetooth specification version supported by the device. For Bluetooth Basic Rate, EDR, and HS, Security Mode 3 is the strongest mode because it requires establishment of authentication and encryption before the Bluetooth physical link is completely established.
Include Bluetooth technology in security policies and change default settings of Bluetooth devices to reflect the policies. The policy should include a list of approved uses for Bluetooth, a list of the types of information that may be transferred over Bluetooth networks, and requirements for selecting and using Bluetooth personal identification numbers where applicable.
Make Bluetooth users aware of their security responsibilities in using Bluetooth. In addition to precautions against device theft, users should also ensure that Bluetooth devices are turned off when they are not needed to minimize exposure to malicious activities, and should pair with other Bluetooth devices as seldom as possible and ideally in a physically secure area where attackers cannot observe passkey entry and eavesdrop on Bluetooth pairing-related communications.
A draft version of the revised SP 800-121 was released for public comment last fall. Changes in the final version consist primarily of minor technical corrections and rewordings of text.
William Jackson is freelance writer and the author of the CyberEye blog.