Enhancing Security In Bluetooth Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This paper discusses the security aspect of Bluetooth and how the protocol is prone to attacks by hackers and eavesdroppers who can, without much difficulty, intercept the packets being transmitted between two Bluetooth-enabled devices. As Bluetooth operates in the unlicensed 2.4 GHz ISM band, its transmissions can easily be intercepted and compromised. Bluetooth has, in recent years, become a very important method of communication between cellular devices, PCs and PDAs, which use this protocol to transmit and receive important information. The paper describes attacks of this kind and the ways and means to overcome them in order to provide a secure transmission between devices.


Bluetooth (802.15.1) is a Wireless Personal Area Network (WPAN) technology used to transmit and receive data between devices such as cell phones, PCs, PDAs, etc. that are within a short distance of each other, at medium transmission speed. Bluetooth operates in the 2.4 GHz Industrial, Scientific and Medical (ISM) band. Bluetooth operates in what is known as ad-hoc networking, because at any instant two devices can communicate with each other and start exchanging data. Since Bluetooth operates in an unlicensed spectrum that is also used by other devices such as cordless phones, microwaves, etc., it uses short packets, quick acknowledgement and fast frequency hopping to avoid interference with them. It hops at a rate of 1600 hops/second over 79 RF channels. [1],[2] The Bluetooth protocol stack is shown in the figure below:

[Figure: Bluetooth Protocol Stack [1] (image not reproduced)]


Security in Bluetooth supports authentication and encryption, both of which are based on a secret link key shared by the communicating devices. This key is generated by a pairing procedure when the devices communicate for the first time.

There are three security modes to a device:

Non-secure. The device does not initiate any security procedure.

Service level enforced security. A device does not initiate security procedures before there is channel establishment at the L2CAP level. This mode allows different and flexible access policies for applications, especially running applications with different security requirements in parallel.

Link level enforced security. A device initiates security procedures before the link set-up at the LMP level is completed. [1],[2]

[Figure: Bluetooth security architecture [1] (image not reproduced)]


This part of the paper talks about the attacks and threats that the Bluetooth protocol can be subjected to by attackers and eavesdroppers.

In the passive PIN attack, the PIN-cracking algorithm is a brute-force search: it generates candidate PINs one after another and, for each one, goes through the steps of pairing and authentication to produce a hypothetical Signed Response (SRES) authentication result, which it compares with the SRES exchanged by the two legitimate communicating devices in order to recover the correct PIN. [3]

Some Bluetooth devices, such as headphones, have no user interface, so manufacturers embed fixed PINs in them. Two devices with fixed PINs cannot pair with each other; at least one of the two devices must have a variable PIN. The active PIN attack is devised specifically to target fixed-PIN devices. To employ this mode of attack, the attacker, acting as the master, starts pairing and authentication with the victim, i.e. the device with the fixed PIN. After one round of pairing is completed with the challenge and response pair for authentication, the attacker has accumulated enough information to mount a brute-force attack. However, the attacker has to obtain the PIN before the challenge from the slave (the victim in this case) expires. If the challenge expires, the master has to initiate another round of authentication and pairing in order to try to retrieve the PIN again. To discourage attackers, the protocol imposes a wait period before a device may pair again with a device that previously failed authentication, and this wait period increases exponentially with each failed attempt; the MAC address of the attacker is stored in the "Black List" maintained by the victim. However, the attacker can overcome this protection by changing its MAC address before each successive attempt. [3]

In the Denial of Service attack, the attacker aims to limit access to the master device or access point by flooding it with false authentication attempts, which prevents other, genuine users from accessing it. Here too, the master device stores the MAC address of the device that failed authentication and waits before it restarts the pairing process with it. [3]

In the message-replay attack, the eavesdropper forwards the messages it captured while listening to an exchange between the legitimate communicating devices on to the master, without actually having to decrypt the captured messages; thus the attacker does not need to possess the encryption key in order to carry out this attack. [3]


Secure Simple Pairing (SSP), as employed by Bluetooth, uses Elliptic Curve Diffie-Hellman (ECDH) for key exchange. However, as the latest Bluetooth Low Energy (BLE) specification does not use ECDH, it is susceptible to passive attacks. Merkle's puzzles (MP) was one of the first protocols that allowed two communicating devices to exchange a key securely. It has the property of shifting the workload from a less capable device to a more capable one, i.e. it suits devices with asymmetric capabilities, which is exactly the situation when a full function device (FFD) communicates with a reduced function device (RFD). As the RFD does not have the capability to implement ECDH, it uses MP, which lets it shift the workload to the FFD. The FFD creates and broadcasts m puzzles, each containing a unique identifier and an encryption key k. The RFD randomly chooses one of these m puzzles, which it decrypts to obtain the identifier and the key. An eavesdropper cannot easily tell which of the transmitted puzzles the RFD picked, which raises the effort required to find the key and decrypt the message. [4]
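As an added illustration of the Merkle's puzzle exchange described above (example code written for this page, not code from [4] or from any Bluetooth stack): the FFD seals each (identifier, key) pair under a small puzzle key, the RFD brute-forces exactly one puzzle and announces only its identifier, and an eavesdropper who captured all m puzzles has to keep solving them until the announced identifier turns up. The SHA-256 toy keystream, the 12-bit puzzle keys and the MAGIC header are assumptions chosen to keep the demo small and fast.

```python
import hashlib, os, secrets, struct

PUZZLE_KEY_BITS = 12   # assumption: 12-bit puzzle keys, so one puzzle costs at most 4096 tries
MAGIC = b"MRKLPZZL"    # fixed 8-byte header that lets a solver recognise the correct puzzle key

def _keystream(puzzle_key: int, nonce: bytes, length: int) -> bytes:
    # Toy keystream SHA-256(nonce || puzzle key): adequate for a puzzle, not a real cipher.
    return hashlib.sha256(nonce + puzzle_key.to_bytes(2, "big")).digest()[:length]

def make_puzzle(puzzle_id: int, session_key: bytes) -> tuple[bytes, bytes]:
    """FFD side: seal (id, key) under a random puzzle key small enough to be brute-forced."""
    nonce = os.urandom(8)
    plaintext = MAGIC + struct.pack(">I", puzzle_id) + session_key
    ks = _keystream(secrets.randbelow(1 << PUZZLE_KEY_BITS), nonce, len(plaintext))
    return nonce, bytes(a ^ b for a, b in zip(plaintext, ks))

def solve_puzzle(nonce: bytes, body: bytes) -> tuple[int, bytes, int]:
    """Brute-force one puzzle; returns (id, session key, number of puzzle keys tried)."""
    for tries, guess in enumerate(range(1 << PUZZLE_KEY_BITS), start=1):
        pt = bytes(a ^ b for a, b in zip(body, _keystream(guess, nonce, len(body))))
        if pt.startswith(MAGIC):
            return struct.unpack(">I", pt[8:12])[0], pt[12:], tries
    raise ValueError("puzzle was not built with these parameters")

def ffd_broadcast(m: int) -> tuple[list, dict]:
    """FFD creates m puzzles with random ids and keys and keeps the id->key table private."""
    table = {secrets.randbelow(1 << 32): os.urandom(16) for _ in range(m)}
    puzzles = [make_puzzle(pid, key) for pid, key in table.items()]
    secrets.SystemRandom().shuffle(puzzles)   # transmission order reveals nothing about ids
    return puzzles, table

def rfd_pick_and_solve(puzzles: list) -> tuple[int, bytes, int]:
    # RFD solves exactly one randomly chosen puzzle; only its id is later sent in clear.
    nonce, body = secrets.choice(puzzles)
    return solve_puzzle(nonce, body)

def eavesdropper_recover(puzzles: list, announced_id: int) -> tuple[bytes, int]:
    """Eve captured every puzzle and the announced id; she solves puzzles until the id matches."""
    total = 0
    for nonce, body in puzzles:
        pid, key, tries = solve_puzzle(nonce, body)
        total += tries
        if pid == announced_id:
            return key, total
    raise ValueError("announced id not found in captured puzzles")

def run_exchange(m: int = 64) -> dict:
    # Full round: FFD broadcasts, RFD solves one puzzle, FFD looks the key up, Eve grinds.
    puzzles, table = ffd_broadcast(m)
    pid, rfd_key, rfd_work = rfd_pick_and_solve(puzzles)
    ffd_key = table[pid]                       # FFD maps the announced id back to its key
    eve_key, eve_work = eavesdropper_recover(puzzles, pid)
    return {"agree": rfd_key == ffd_key, "eve_recovers": eve_key == ffd_key, "rfd_work": rfd_work, "eve_work": eve_work}
```

Note that the eavesdropper does recover the key in the end; the protection MP offers is only the gap between the RFD's cost (one puzzle) and Eve's cost (on average m/2 puzzles), so the FFD must choose m large enough for that gap to matter.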

We now discuss proposals for enhancing Bluetooth security at the protocol level. One of the methods is Password-based Encrypted Key Exchange (PW-EKE), which aims to establish a common key between two communicating devices over an interface using a shared PIN. It is based on the Diffie-Hellman key exchange protocol. "A master (M) and a slave (S) try to derive g^{AB} mod p as their common session key by exchanging g^A mod p and g^B mod p in plaintext. Doing so will not weaken the protocol because (g^A mod p)(g^B mod p) does not equal (g^{AB} mod p). To recover the key using those two random numbers, the attack will have to solve the discrete log problem. But the Diffie-Hellman key exchange does not provide authentication. Thus, it is prone to the Man-in-the-Middle (MiM) attack." [3] PW-EKE attempts to overcome this issue by hashing the two random numbers with the common PIN, which can be implemented as an XOR operation, because the uncertainty of the two random numbers protects the weak PIN. Since plain Diffie-Hellman provides no authentication and is therefore open to the MiM attack, the PIN is used to authenticate the master and the slave to each other, and an attacker or eavesdropper gets only one shot at guessing the PIN. [3]

In the original DH protocol, the attacker can also mount a brute-force PIN attack by capturing the exchange and verifying the correctness of each candidate PIN. Under PW-EKE, however, the attacker has no way to verify whether a candidate PIN is correct. Thus, under PW-EKE a weak PIN does not result in a weakened protocol, nor does the protocol require any change to the device interface requirements. To further enhance security, PW-EKE requires both the master and the slave devices to enter PINs during the pairing process. These measures prevent both the active and the passive PIN attacks. [3]


In this paper, we have discussed the various threats that the Bluetooth protocol is subjected to by hackers who aim to tamper with the data being transmitted, and how these attacks are carried out. We then discussed the ways in which the security of Bluetooth transmissions can be further increased, in order to provide a secure exchange of data between devices.