The Security Of Bluetooth Computer Science Essay

Bluetooth is an open-standard wireless communication protocol developed to transfer data over short distances. The technology has become increasingly popular and is now one of the standard means of moving information between personal communication devices. Named after a tenth-century Danish king, Harald Bluetooth, it was developed at Ericsson in the mid-1990s as a short-range radio link to replace the cables between computers and their peripherals. The solution developed over time and was adapted for many other purposes.

Some of the features of Bluetooth: it is an ad hoc technology; it operates in the 2.4 GHz ISM band; its coverage is limited to a PAN (Personal Area Network); links are point-to-point or point-to-multipoint; it supports both synchronous (SCO) and asynchronous (ACL) data transfer; it is a single-hop network; and it uses FHSS (Frequency Hopping Spread Spectrum) with GFSK modulation. Its low power consumption and low total cost of ownership (TCO) helped it to be adopted as an IEEE standard, 802.15.1, which covers the PHY (physical) and MAC (medium access control) layers, that is, the bottom two layers of the OSI model of communications.


No discussion of Bluetooth is complete without the piconet. As shown in the figure below, each piconet has one master and up to seven active slaves, so a piconet is a communication network of no more than eight active devices including the master. The master is the central hub through which all communications or data transfers pass; its BD_ADDR and clock also define the frequency-hopping sequence that every slave in the piconet must follow.

FIGURE 1.1: Bluetooth Networks

In a standard piconet, slaves must always "talk" through the master. If a slave wants to communicate with another slave, that communication must go through the master, because slaves can only speak to the master, whereas a master can communicate with up to seven slaves. This setup is analogous to a hub-and-spoke network topology, with the master as the hub or centre of communications. We can also compare piconets with the infrastructure mode of traditional wireless networks such as 802.11a/b/g: the piconet is similar to a basic service set (BSS), with the master as the access point and the slaves as the stations.

A device can also take part in more than one piconet at the same time: it can be a slave in several piconets, or a slave in one and the master of another. (A device can be the master of only one piconet, because the master's address and clock define that piconet's hopping sequence.) Such a device can relay data from one piconet to another. Whenever this happens a scatternet is formed; a scatternet is essentially a network of piconets, as shown in Fig 1.2.

FIGURE 1.2: ScatterNets


As noted above, Bluetooth spans the two lowest layers of the OSI model, the physical and data link layers, and it defines its own authentication and encryption procedures. Bluetooth transmits in the 2.4 GHz ISM band using FHSS (Frequency Hopping Spread Spectrum), hopping across 79 channels of 1 MHz at a nominal 1600 hops per second; only devices synchronised to the master's hopping sequence can follow a conversation. This is sometimes described as making Bluetooth "inherently secure", but the hopping sequence is derived from the master's BD_ADDR and clock, neither of which is secret, so FHSS provides robustness against interference and casual interception, not confidentiality; that has to come from the link-layer encryption described below. Note also that the 2.4 GHz band is shared with household equipment such as microwave ovens and with 802.11 Wi-Fi; frequency hopping mitigates that interference rather than avoiding it.

Bluetooth authenticates devices and authorises what they may access once they connect to a piconet or scatternet. AAA is a security framework for controlling access to network and computing resources, auditing usage and enforcing policy; it stands for Authentication, Authorisation and Accounting. Authentication is the process of ensuring that users or devices are who they claim to be; authorisation is the process of deciding what privileges, services or access rights each authenticated user or device gets; accounting records which resources were used. Of the three, the Bluetooth security architecture implements authentication and authorisation; accounting is left to the application.

Bluetooth enforces security at the link layer, where it operates. Each link is given dedicated keys for authentication and encryption. Encryption transforms information into a form that can be read only by the sender and the intended receivers.

FIGURE 1.3 Security Architecture (based on *)

FHSS is sometimes credited with preventing eavesdropping, the attack in which a malicious user or device listens in on a communication it is not authorised to hear; in practice it only raises the cost of eavesdropping, since a receiver that learns the master's address and clock can follow the hops. From figure 1.3 you can see how the security manager connects to every other component of the stack. The security manager springs into action whenever a user is asked to enter a PIN code before a connection is set up, and it sets up trusted connections once this authentication is complete. In essence, the security manager manages the security procedures between users, devices and the services they intend to access.


Devices and users are assigned security levels during and after connection. These security levels revolve around the concepts of authorisation and authentication discussed above. Authentication is a challenge-response exchange based on the link key shared between the two devices; the PIN code is used only during pairing, to derive that link key in the first place.

* Muller, T., 1999. Bluetooth White Paper: Bluetooth Security Architecture, Version 1.0, 15 July 1999, p. 13.

When a device connects to a piconet for the first time it has unknown status: no security information is stored about it and it is not trusted. A device that has been authenticated and has a stored link key, but has not been marked as trusted, has untrusted status: it may establish connections but gets only limited access to services and resources. A device that has been authenticated and explicitly marked as trusted (typically one the user has deliberately paired with) has trusted status and unrestricted access to the services it is intended to use. If authentication fails, the connection to the protected service is refused; the device is not simply demoted to a lower status.


There are three security modes in Bluetooth technology:

Security Mode 1: Non-secure. A device in this mode never initiates any security procedure.

Security Mode 2: Service-level enforced security. The device does not initiate security procedures before the link is established; security is enforced when a channel (L2CAP) or a connection to a particular service is established, so different services can require different levels of protection.

Security Mode 3: Link-level enforced security. The device initiates security procedures (authentication, and optionally encryption) before link setup is complete, so every connection is protected regardless of the service it carries.


The link layer is the second layer of the OSI model. In Bluetooth, this layer is responsible for the authentication of devices and the encryption of the link. To achieve this, four elements are needed: an authentication key (the link key), an encryption key, a random number generator and a unique device address. In the TCP/IP model, the network layer uses the IP address to identify devices uniquely; in the Bluetooth world the 48-bit Bluetooth device address, BD_ADDR, plays the equivalent role. This address is an input to the authentication process: when a device receives an authentication challenge (a 128-bit random number, AU_RAND), it computes a 32-bit response, SRES, from the challenge, its own BD_ADDR and the link key it shares with the verifier, and returns only SRES. The link key itself is never transmitted; the verifier, which holds the same key, computes the expected SRES locally and compares.

Random number generation is also part of the Bluetooth architecture and is used in several security functions: the challenges used in authentication, the random inputs to key generation during pairing, and the initialisation of encryption.


Secure communication between Bluetooth devices rests on a 128-bit secret called the link key. Although there are several kinds of key, the link key is the most important: it is the basis of authentication and it is also used to derive the separate key for encryption. The link key itself is semi-permanent and is kept between sessions, whereas the encryption key derived from it is regenerated every time encryption is switched on for a new link.

2.3.1 LINK KEY

This is a shared secret known to the two paired devices. Bluetooth uses four types of link key. All are 128-bit random values; some are temporary, some semi-permanent. One of these is the unit key, which a device generates by itself during its initial setup (installation) and then uses for pairing with every other device. Because one key is reused with every peer, any device that has paired with the unit can impersonate it or decrypt its traffic with third parties; the unit key is a legacy mechanism and is deprecated.

The second type is the combination key, generated jointly by the two pairing units: each contributes a random value, and both must agree before the key is used. This type requires more memory, since a unit has to store a separate combination key for each device it has paired with.

There is also the master key, a temporary key used when the master of a piconet wants to transmit to several slaves at once (point-to-multipoint). The final type is the initialisation key, used only during the initialisation (pairing) procedure to protect the initialisation parameters while they are transmitted. It is derived from a random number (IN_RAND), an L-octet PIN code (1 ≤ L ≤ 16) and the BD_ADDR of the claimant unit. Its strength therefore depends entirely on the PIN, since IN_RAND is sent in the clear and the BD_ADDR is public.


2.3.2 ENCRYPTION KEY

The encryption key is derived from the link key, together with a fresh random number and the ciphering offset left over from authentication, and it changes each time encryption is started. It is kept separate from the authentication key so that its length can be negotiated, between 8 and 128 bits, where regulations require a shorter key, without weakening the full-length key used for authentication.

2.3.3 PIN CODE

The PIN code is a sequence of octets, either fixed in the device or chosen by the user, between 1 and 16 octets long; in practice it is usually 4 decimal digits. Users can change a user-chosen PIN at any time, and choosing a long, unpredictable PIN is the main control the user has over pairing security. Some devices (headsets, for example) have a fixed default PIN, typically 0000; where the PIN can be changed, users are advised not to keep the default and to change it before pairing with other devices. The same PIN must be entered on both units (or be preset in one of them) during pairing.

FIGURE 1.4 Encryption and Key Control (based on [1])


During the initialisation (pairing) phase, end devices derive and exchange keys. This phase must be carried out once for each pair of devices that wants to authenticate and encrypt its communication. It consists of five steps: generation of an initialisation key, generation of the link key, exchange of the link key, authentication, and (optionally) generation of the encryption key. The connection is then established, or aborted if any of these steps fails.


Before encryption can be performed, authentication takes place between the two units. This procedure lets a verifying unit confirm the identity of the claimant unit. One unit sends a random challenge and the other replies with a response computed from the challenge, its own Bluetooth address (BD_ADDR) and the link key shared between them; the link key itself is never sent. The first time two devices meet, a PIN must be entered on each (or be preset in one of them) so that the link key can be created. For subsequent connections users do not have to re-enter the PIN, because the resulting link key is stored on each device, indexed by the other device's BD_ADDR, and is used automatically.
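The challenge-response exchange described in this section and in the link-layer section above, written out as an added example (this is not code from the essay or from any Bluetooth stack). The real E1 function is built on SAFER+; the `e1` below substitutes HMAC-SHA256 so the example runs stand-alone, but keeps the specified interface: a 128-bit link key, a 128-bit AU_RAND and the claimant's 48-bit BD_ADDR in, a 32-bit SRES and 96-bit ACO out. The addresses and the key are constructed sample values.

```python
import hashlib
import hmac
import os


def e1(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> tuple:
    """Stand-in for the Bluetooth E1 authentication function.

    Assumption: HMAC-SHA256 replaces the SAFER+-based construction of the
    specification. Inputs: 128-bit link key, 128-bit challenge AU_RAND and
    the claimant's 48-bit BD_ADDR. Outputs: 32-bit SRES and 96-bit ACO.
    """
    if len(link_key) != 16 or len(au_rand) != 16 or len(claimant_addr) != 6:
        raise ValueError("link key and AU_RAND are 16 bytes, BD_ADDR is 6 bytes")
    digest = hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()
    return digest[:4], digest[4:16]


class BluetoothUnit:
    """One device: its address and the link keys it stores per peer address."""

    def __init__(self, bd_addr: bytes, link_keys: dict):
        self.bd_addr = bd_addr
        self.link_keys = link_keys  # semi-permanent link keys, indexed by peer BD_ADDR
        self.aco = None             # ciphering offset from the last authentication

    def make_challenge(self) -> bytes:
        """Verifier side: a fresh 128-bit random challenge."""
        return os.urandom(16)

    def respond(self, verifier_addr: bytes, au_rand: bytes) -> bytes:
        """Claimant side: answer with SRES; the key itself never leaves the unit."""
        sres, self.aco = e1(self.link_keys[verifier_addr], au_rand, self.bd_addr)
        return sres

    def verify(self, claimant_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        """Verifier side: recompute SRES with the stored key and compare."""
        expected, aco = e1(self.link_keys[claimant_addr], au_rand, claimant_addr)
        if hmac.compare_digest(expected, sres):
            self.aco = aco
            return True
        return False


def mutual_authentication(a: BluetoothUnit, b: BluetoothUnit, transcript: list) -> bool:
    """A verifies B, then B verifies A, recording every value sent over the air."""
    for verifier, claimant in ((a, b), (b, a)):
        au_rand = verifier.make_challenge()
        transcript.append(("AU_RAND", verifier.bd_addr, claimant.bd_addr, au_rand))
        sres = claimant.respond(verifier.bd_addr, au_rand)
        transcript.append(("SRES", claimant.bd_addr, verifier.bd_addr, sres))
        if not verifier.verify(claimant.bd_addr, au_rand, sres):
            return False
    return True


# Constructed sample addresses (not real devices).
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")


def run(key_held_by_a: bytes, key_held_by_b: bytes):
    """Authenticate two units that believe they share a link key.
    Returns (success, transcript, unit_a, unit_b)."""
    a = BluetoothUnit(ADDR_A, {ADDR_B: key_held_by_a})
    b = BluetoothUnit(ADDR_B, {ADDR_A: key_held_by_b})
    transcript = []
    ok = mutual_authentication(a, b, transcript)
    return ok, transcript, a, b


def key_seen_on_air(transcript: list, key: bytes) -> bool:
    """True if the full link key appears inside any message that was sent."""
    return any(key in message[3] for message in transcript)


if __name__ == "__main__":
    shared = bytes(range(16))
    ok, transcript, a, b = run(shared, shared)
    print("mutual authentication:", ok, "| both sides hold the same ACO:", a.aco == b.aco)
    print("link key on the air:", key_seen_on_air(transcript, shared))
    print("impostor without the key:", run(shared, bytes(16))[0])
```

The transcript contains only the two challenges and the two 32-bit responses; an eavesdropper learns nothing about the key from a single exchange, and an impostor holding a different key fails the first `verify`. The ACO that both sides end up with is the value the encryption key generation later consumes.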


The Bluetooth 1.0 specification states that the link encryption algorithm (E0) is a stream cipher built from four linear feedback shift registers (LFSRs). In an LFSR the input bit is a linear function (an XOR of selected tap positions) of the register's previous state. The four registers are 25, 31, 33 and 39 bits long, 128 bits in total, and the specification allows the effective key length to be selected between 8 and 128 bits in steps of 8. Because E0 is a stream cipher that XORs a keystream into the data, the keystream must never be reused: the cipher is re-initialised with the encryption key, the master's address and clock and a fresh random number every time encryption is started.
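An added example (not from the essay or from any Bluetooth implementation) of the two properties this paragraph relies on: what an LFSR keystream is, and why a stream cipher has to be re-keyed for every session. A single 16-bit register with the polynomial x^16 + x^14 + x^13 + x^11 + 1 stands in for E0's four registers and nonlinear combiner (assumption: this toy is trivially breakable and is only here to show the structure), and a SHA-256 hash of the encryption key Kc and a random EN_RAND stands in for E0's real initialisation.

```python
import hashlib

WIDTH = 16  # toy register; E0's four registers are 25, 31, 33 and 39 bits long


def step(state: int) -> int:
    """One clock of a Fibonacci LFSR for x^16 + x^14 + x^13 + x^11 + 1.
    The new high bit is the XOR of taps 16, 14, 13 and 11 (bit 1 = LSB)."""
    feedback = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (feedback << (WIDTH - 1))


def period(seed: int) -> int:
    """Number of clocks before the register returns to its starting state."""
    if seed == 0:
        raise ValueError("an all-zero LFSR state never leaves zero")
    state, count = step(seed), 1
    while state != seed:
        state, count = step(state), count + 1
    return count


def keystream(seed: int, nbytes: int) -> bytes:
    """Collect the register's output bit (its LSB) eight at a time."""
    state, out = seed, bytearray()
    for _ in range(nbytes):
        byte = 0
        for i in range(8):
            byte |= (state & 1) << i
            state = step(state)
        out.append(byte)
    return bytes(out)


def seed_from(kc: bytes, en_rand: bytes) -> int:
    """Stand-in for E0 initialisation (assumption: a hash of Kc and EN_RAND;
    the real cipher also mixes in the master's BD_ADDR and clock)."""
    digest = hashlib.sha256(kc + en_rand).digest()
    return (int.from_bytes(digest[:2], "big") % 0xFFFF) + 1  # never zero


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(kc: bytes, en_rand: bytes, data: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream. Decryption is the same call."""
    return xor(data, keystream(seed_from(kc, en_rand), len(data)))


def keystream_reuse_leak(kc: bytes, en_rand: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under the same Kc and EN_RAND and XOR the
    ciphertexts: the keystream cancels and p1 XOR p2 is exposed."""
    return xor(encrypt(kc, en_rand, p1), encrypt(kc, en_rand, p2))


if __name__ == "__main__":
    kc = bytes(range(16))                     # constructed sample encryption key
    print("period of the toy LFSR:", period(0xACE1))
    m = b"hello piconet"
    c = encrypt(kc, b"\x01" * 16, m)
    print("round trip ok:", encrypt(kc, b"\x01" * 16, c) == m)
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT ONE"
    print("leak equals p1 XOR p2:", keystream_reuse_leak(kc, b"\x02" * 16, p1, p2) == xor(p1, p2))
```

The leak is exactly why the encryption key is regenerated, with a fresh EN_RAND, every time encryption is started on a link: the same Kc with the same random input would produce the same keystream twice.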

Some countries limit the strength of encryption that may be used or exported. The negotiable key length lets Bluetooth be used in such countries, and it also keeps the cost of the hardware down, since the same simple cipher serves every market without separate designs.

In Bluetooth, authentication and key generation use the 8-round SAFER+ block cipher. Bluetooth security as specified should be adequate for most users; users with higher security demands, however, will have to add stronger protection at the application layer to meet the requirements of their information.


Like any other communication technology, Bluetooth has its limitations, and it faces the same problems of privacy and identity theft. Most Bluetooth users do not apply the same security mindset to Bluetooth that they apply to other technologies: people are well aware of the need to protect their email passwords, credit card numbers and debit card PINs, but they do not apply the same caution to their Bluetooth devices.

Bluetooth devices belonging to high-profile celebrities, politicians and government security officials have been hacked. Most of these devices had no security enabled at all, and when they did, they used the default PIN, usually 0000. The known attack on PIN-based pairing (published by Shaked and Wool in 2005) proceeds in three steps. First, the attacker forces two paired devices to drop their current link and pair again, for example by spoofing a message claiming that the link key has been lost. Secondly, the attacker records the packets of the new pairing and of the authentication that follows it: the random numbers and the challenge-response values. Thirdly, the attacker brute-forces the PIN offline, trying each candidate until one reproduces the recorded responses; with a 4-digit PIN this takes well under a second on an ordinary computer. The attacker has to be within radio range and, at the time, needed expensive developer-grade sniffing equipment. To guard against this, PINs of at least 8 digits are advised; every extra digit multiplies the attacker's work by ten.
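The pairing procedure from the key sections above and the offline PIN search described here, simulated end to end as an added example (not code from the essay, from the published attack or from any Bluetooth stack). The assumption throughout is that HMAC-SHA256, truncated to 128 bits, stands in for the SAFER+-based E22, E21 and E1 functions; the message flow (IN_RAND in the clear, each unit's LK_RAND masked with K_init, then a challenge and a 32-bit SRES) follows the specification. Addresses and PINs are constructed sample values.

```python
import hashlib
import hmac
import itertools
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for E22, E21 and E1 (assumption: HMAC-SHA256
    truncated to 128 bits; the real algorithms differ, the message flow does not)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key K_init from the PIN, the claimant's BD_ADDR and IN_RAND."""
    return prf(pin, bd_addr, in_rand)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One unit's contribution to the combination key."""
    return prf(lk_rand, bd_addr)


def e1_sres(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """32-bit authentication response SRES."""
    return prf(link_key, au_rand, claimant_addr)[:4]


def pair_and_authenticate(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom):
    """Simulate pairing between A (initiator) and B (claimant), followed by A
    authenticating B. Returns (link_key, capture); capture holds exactly the
    values an eavesdropper within radio range sees."""
    in_rand = rng(16)                           # sent in the clear by A
    k_init = e22(pin, addr_b, in_rand)          # both sides derive this from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)     # each unit's secret random contribution
    c_a = xor(lk_rand_a, k_init)                # sent A -> B, masked with K_init
    c_b = xor(lk_rand_b, k_init)                # sent B -> A, masked with K_init
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))  # combination key
    au_rand = rng(16)                           # A's challenge, in the clear
    sres = e1_sres(link_key, au_rand, addr_b)   # B's response, in the clear
    capture = {"in_rand": in_rand, "c_a": c_a, "c_b": c_b,
               "au_rand": au_rand, "sres": sres}
    return link_key, capture


def crack_pin(capture: dict, addr_a: bytes, addr_b: bytes, max_digits: int = 4):
    """Offline search: redo the key derivation for every candidate PIN and keep
    the one whose link key reproduces the captured SRES. Returns (pin, link_key),
    or (None, None) if no PIN of up to max_digits matches."""
    for length in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=length):
            pin = "".join(digits).encode()
            k_init = e22(pin, addr_b, capture["in_rand"])
            lk_rand_a = xor(capture["c_a"], k_init)   # undo the masking
            lk_rand_b = xor(capture["c_b"], k_init)
            candidate = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
            if e1_sres(candidate, capture["au_rand"], addr_b) == capture["sres"]:
                return pin.decode(), candidate
    return None, None


# Constructed sample addresses, not real devices.
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    real_key, capture = pair_and_authenticate(b"1234", ADDR_A, ADDR_B)
    pin, key = crack_pin(capture, ADDR_A, ADDR_B)
    print("recovered PIN:", pin, "| link key recovered:", key == real_key)
    _, capture = pair_and_authenticate(b"83920147", ADDR_A, ADDR_B)
    print("8-digit PIN within a 4-digit search:", crack_pin(capture, ADDR_A, ADDR_B))
```

Nothing in the capture is secret except what the PIN contributed, so the whole derivation can be replayed per candidate; the 32-bit SRES makes a false match among the 11,110 PINs of up to four digits vanishingly unlikely. The same loop over eight digits is 10^8 candidates, and over the full 16 octets is out of reach, which is the argument for long PINs, and for avoiding devices whose PIN is fixed at 0000.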


Bluetooth is a useful ad hoc wireless technology that meets the needs of most ad hoc applications. However, its vulnerabilities must be analysed and weighed against the benefits it provides before it is adopted as a means of communication in a given situation. Its security is not complete, and considerable research is being carried out to improve the authentication, authorisation, encryption and auditing associated with the technology. This short paper has attempted to give an introductory overview of the technology, its architecture and its security features, touching on its limitations and how best to guard against malicious attacks.