S 2.462 Selection criteria for the procurement of Bluetooth devices
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Bluetooth devices differ in the Bluetooth specifications used, in the available application profiles and in the way Bluetooth was implemented by the manufacturers. Therefore, individual criteria for the selection of Bluetooth devices need to be defined.
Devices affected by known Bluetooth vulnerabilities must be excluded. Vulnerability lists naming the affected devices are available on the Internet.
In addition, the required application profiles for the respective purposes of the Bluetooth devices as well as the application profiles to be excluded or deactivated need to be specified. The Bluetooth devices contain the application profiles they require for their respective functions. For example, a Bluetooth mouse or keyboard always features the HID profile required for pointing devices (see S 3.79 Introduction to basic terms and functional principles of Bluetooth). It may be advantageous, however, if a mobile phone is not provided with a SIM Access Profile because this provides access to the SIM card of the mobile phone and is therefore a potential point of attack.
In any case, the selected end devices have to comply with Bluetooth specification 2.1 or higher as it contains important security functions, such as Secure Simple Pairing. Devices that are based on a Bluetooth specification that is older than version 2.1 must not be used as they feature weaker security mechanisms (see S 4.362 Secure configuration of Bluetooth).
The most important security criteria for the selection of Bluetooth devices are listed below:
- The Bluetooth Special Interest Group (SIG) not only develops the Bluetooth specifications further, it also tests and certifies the interoperability of Bluetooth devices. However, many Bluetooth devices on the market are not certified according to the Bluetooth SIG quality requirements, and these products may not be compatible. Therefore, only buy products carrying the official Bluetooth label.
- With some Bluetooth devices the Bluetooth interface cannot be disabled; this has to be taken into account when selecting the devices.
- The Bluetooth specification defines three performance categories (power classes) whose respective maximum transmitting power determines the range of the devices. When selecting devices of category 1 to 3, bear in mind that a greater range also means a larger area from which the device can be reached by potential attackers.
- With Bluetooth peripheral devices, e.g. a headset, the Bluetooth PIN is usually pre-set and sometimes cannot be changed. As this is a serious limitation in terms of security, only buy devices with a freely selectable PIN where possible.
- The specifications of version 2.1 + EDR have to be implemented on the Bluetooth device. This guarantees that security mode 4 together with Secure Simple Pairing is available.
Before buying Bluetooth components, you must make sure that they support all required profiles. If they do not support a profile such as Advanced Audio Distribution Profile (A2DP), it is not possible to transmit high quality audio data via Bluetooth, for example.
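To check the specification-version and profile criteria above at acceptance of a delivered device, the following added example (not part of the safeguard text) parses the output of the Linux tools `hcitool info` and `bluetoothctl info` and reports every criterion the device fails. The LMP-version-to-specification mapping and the 16-bit service class UUIDs are taken from the Bluetooth Assigned Numbers; the sample tool output is constructed and does not describe a real device.

```python
import re

# LMP version numbers per Bluetooth Assigned Numbers; LMP 4 is specification 2.1 + EDR.
LMP_TO_SPEC = {0: "1.0b", 1: "1.1", 2: "1.2", 3: "2.0 + EDR", 4: "2.1 + EDR",
               5: "3.0 + HS", 6: "4.0", 7: "4.1", 8: "4.2", 9: "5.0", 10: "5.1",
               11: "5.2", 12: "5.3"}
MIN_LMP = 4  # S 2.462: specification 2.1 or higher is required

# 16-bit service class UUIDs (Bluetooth Assigned Numbers)
UUID_A2DP_SINK = "110b"  # Advanced Audio Distribution, sink role
UUID_HID = "1124"        # Human Interface Device profile
UUID_SAP = "112d"        # SIM Access Profile, to be excluded per S 2.462

def parse_lmp_version(hcitool_info: str):
    """Return the numeric LMP version from `hcitool info` output, or None if absent."""
    m = re.search(r"LMP Version:\s*\S+\s*\(0x([0-9a-fA-F]+)\)", hcitool_info)
    return int(m.group(1), 16) if m else None

def parse_service_uuids(bluetoothctl_info: str):
    """Return the set of 16-bit service class UUIDs listed by `bluetoothctl info`."""
    pattern = r"UUID:.*\(0000([0-9a-fA-F]{4})-0000-1000-8000-00805f9b34fb\)"
    return {m.group(1).lower() for m in re.finditer(pattern, bluetoothctl_info)}

def assess(hcitool_info, bluetoothctl_info, required, forbidden):
    """Return the list of procurement criteria the device fails (empty list = pass)."""
    findings = []
    lmp = parse_lmp_version(hcitool_info)
    if lmp is None:
        findings.append("LMP version not reported; cannot confirm specification 2.1 or higher")
    elif lmp < MIN_LMP:
        findings.append(f"specification {LMP_TO_SPEC.get(lmp, '?')} is older than 2.1")
    uuids = parse_service_uuids(bluetoothctl_info)
    for u in sorted(required - uuids):
        findings.append(f"required profile UUID 0x{u} not offered")
    for u in sorted(forbidden & uuids):
        findings.append(f"excluded profile UUID 0x{u} is offered")
    return findings

# Constructed sample output in the format of hcitool/bluetoothctl (no real device).
SAMPLE_HCITOOL = ("Requesting information ...\n\tBD Address:  00:11:22:33:44:55\n"
                  "\tLMP Version: 2.0 (0x3) LMP Subversion: 0x1234\n")
SAMPLE_BTCTL = ("Device 00:11:22:33:44:55 (public)\n"
                "\tUUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)\n"
                "\tUUID: SIM Access                (0000112d-0000-1000-8000-00805f9b34fb)\n")

if __name__ == "__main__":
    for f in assess(SAMPLE_HCITOOL, SAMPLE_BTCTL, {UUID_A2DP_SINK, UUID_HID}, {UUID_SAP}):
        print("FAIL:", f)
```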