S 3.79 Introduction to basic terms and functional principles of Bluetooth

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator, IT Security Officer

Bluetooth is a wireless technology mainly used for short-range communication. This safeguard provides an overview of the basic technical principles of data transmission and explains the terms and functions required for the use of Bluetooth.

Basic technical principles of data transmission

Bluetooth uses the 2.4 GHz ISM frequency band on 79 channels in the frequency range of 2400 to 2483.5 MHz. The channel spacing is 1 MHz; 2 and/or 3.5 MHz were left free at the band edges to avoid interference with neighbouring systems.

The transmission of the data packages is controlled with time slots (TDD, Time Division Duplex) and a frequency hopping method (FHSS, Frequency Hopping Spread Spectrum). This reduces the sensitivity to interferences. Frequency hopping is generally performed after every package sent. The hopping sequence encompasses all 79 channels to the same extent in short intervals and is only repeated after several hours. Devices with Bluetooth specification 1.2 or higher use an adaptive frequency hopping method (AFH, Adaptive Frequency Hopping) that limits the channels in the hopping sequence to free, i.e. undisturbed, frequencies. This serves to achieve interference-free operation with other wireless services that operate in the same frequency range, such as WLAN.

The modulation process used is a frequency or phase modulation. Usually, frequency hopping takes place once per microsecond, this is a symbol rate of 1 megasymbol per second. The resulting data rate is is determined by the modulation process used, which determines the number of bits transmitted per symbol. Bluetooth uses three different methods:

• The first is a binary frequency modulation called "Basic Rate" which transmits one bit per symbol. This results in a data rate of 1 Mbit/s. This method has been part of the Bluetooth specification since version 1.1. All Bluetooth solutions have to support this method.
• The second method is a quadrature phase modulation which transmits two bits per symbol. This method achieves a data rate of 2 Mbit/s called "Enhanced Data Rate" (EDR). This method is defined in Bluetooth version 2.0 + EDR.
• The third method is an eight-phase modulation which transmits three bits per symbol. Here, the data rate is 3 Mbit/s and also called "Enhanced Data Rate". This method is also defined in Bluetooth version 2.0 + EDR.

Compatibility of devices with different Bluetooth specifications is achieved by always sending the protocol information at the beginning of each package with the "Basic Rate". An EDR version is only used for the transmission of user data if the corresponding station supports this. End devices that support the "Enhanced Data Rate" feature the abbreviation "EDR" at the end of the version number of the supported Bluetooth specification.

Bluetooth usually employs two different modes for data transmission:

• Asynchronous connectionless transmission (ACL, Asynchronous Connectionless Link)
• Synchronous connection-oriented transmission (SCO)

Asynchronous connectionless transmission is mainly used for data transmission and synchronous connection-oriented transmission is used for voice communication. Asynchronous transmission corresponds to transmission via WLANs, synchronous transmission corresponds to circuit-switched transmission in a telephone network. Asynchronous transmission achieves maximum data rates of 723 kbit/s or 58 kbit/s (asymmetric) or 434 kbit/s (symmetric). These values can be tripled using EDR and eight-phase modulation.

Bluetooth classification according to the transmitting power

Bluetooth stations are classed according to their transmitting power. The transmitting power is directly related to the range of the Bluetooth radio waves. There are the following three classes:

Bluetooth class	Maximum transmitting power	Maximum range
Class 1	100 milliwatts	c. 100 m
Class 2	2.5 milliwatts	c. 100 m
Class 3	1 milliwatts	c. 1 m

Table: Bluetooth classes according to the transmitting power

The range depends on many environmental factors. The stated values are ideal values. The range may be reduced by external interferences, for example buildings or other wireless technologies, such as WLAN. To reduce the power consumption, several saving modes (sniff, park and hold mode) and Power Control to regulate the transmission power were specified.

Application profiles

To ensure interoperability of different devices without all protocols being implemented in all devices, Bluetooth SIG defined application profiles. Below, some of the frequently used profiles are listed:

• Generic Access Profile (GAP): GAP is the basic profile for manufacturer-independent communication between Bluetooth devices. GAP describes the procedures required to detect Bluetooth devices and to establish connections with respect to the application. The application profiles require the procedures described in GAP.
• Serial Port Profile: Serial connections of cables (RS-232) between two devices are often replaced by Bluetooth. In this case, the RFCOMM (Radio Frequency Communication) protocol is used for communication. The Serial Port Profile provides a virtual serial interface for application programs. Replacing serial connections with Bluetooth is more cost-effective than using other wireless technologies. This is particularly important in manufacturing, for example, as there the connections are often subjected to high stress (continuous movement, dirt etc.).
• Headset Profile and Handsfree Profile: These profiles specify the functions a mobile phone requires for the use of hands-free equipment. In addition to transmitting voice messages in both directions, the Handsfree Profile also plays a role in the remote control of the mobile phone.
• Advanced Audio Distribution Profile (A2DP): This profile describes functions for the transmission of high quality digital audio data. It is used to connect high-quality stereo headphones to players, for example.
• Human Interface Device Profile (HID Profile): This profile describes the protocols and functions for the wireless connection of keyboards, mouses and other pointing devices to a computer. The HID Profile requires the respective functions of the cable-based Universal System Bus (USB).
• Dialup Network Profile (DUN Profile) and Fax Profile: These profiles describe protocols and functions for the wireless connection of modems or mobile phones to computers with the purpose of establishing dial-up connections for data or fax transmission.
• File Transfer, Object Push and Synchronization Profiles: These profiles are used to exchange files via Bluetooth. Their most important purpose is synchronizing contacts, appointments, tasks and e-mails between portable devices (Personal Information Manager, PIM) and servers. The profiles are based on the OBEX (OBject EXchange) protocol.
• Audio/Video Remote Control Profile (AVRCP): This profile describes protocols and functions that connect remote controls to players.
• SIM Access Profile (SAP): This profile supports SIM card access. Using this profile, Bluetooth devices can access data stored on the SIM card of another device such as a mobile phone. A typical application is a car phone integrated into a vehicle that has no SIM card of its own. It therefore contacts the driver's mobile phone and accesses the mobile communication network using the driver's data and at the driver's expense.

Connection establishment and network topologies

In order to clearly identify all Bluetooth devices as communication partners, the devices have a 48 bit device address called the Bluetooth Device Address that is public and globally unique.

The two procedures Inquiry and Paging are the basis for connection establishment. Using Inquiry, a Bluetooth device detects any other devices in range if those devices are configured as discoverable. With Bluetooth specification 2.1 + EDR or higher, the devices support an extended Inquiry that determines the device name and the supported application profiles in addition to the device address. Paging then establishes a connection between two Bluetooth devices. The device establishing the connection is called the master, the other device is the slave. Following Paging, other steps are usually required to establish communication. For example, many application profiles exchange a link key to establish a connection between two devices. This is called Bonding in the Generic Access Profile (GAP).

In addition to the point-to-point connection between two Bluetooth devices, the Bluetooth specification also provides a point-to-multipoint connection. Up to 255 Bluetooth devices can be connected as slaves to one master in a piconet. In a piconet, up to 7 slaves can actively communicate with the master at the same time. All devices in a piconet have the same channel hopping sequence and the time interval of the master. In Bluetooth, one device may even belong to several piconets. This way a scatternet is formed. However, to form a scatternet and to then exchange data in such a net, additional protocols are required that are only ideas at this time and not implemented yet.

Bluetooth security mechanisms

Below, some of the most important Bluetooth security mechanisms are described.

Cryptographic security mechanisms

As Bluetooth is a wireless technology, there is generally the danger that unauthorised Bluetooth devices listen in on the Bluetooth communication or actively access the communication connection. The cryptographic security mechanisms provided in the Bluetooth specifications are designed to eliminate these two threats. These functions are implemented on the chip level and are consistently provided on the link level.

The basis for all cryptographic methods are the link keys that two Bluetooth devices define during pairing.

Pairing and link keys

During the pairing of two Bluetooth devices, a 128 bits combination key is generated to connect the two devices, which is stored in both devices for future use as the link key (LK).

The device addresses of both devices and a random number are used to generate the combination key. An initialisation key is used to safely transmit these random numbers. The initialisation key is calculated from another (public) random number, one device address and a PIN that usually can be set. For this purpose, the same PIN has to be entered into both devices. The PIN can either be configured by the user or it is pre-set. If one of the devices has a PIN that cannot be changed, this PIN has to be entered into the other device. Two devices with a pre-set PIN cannot be paired. Typically, only the PINs of headsets and other simple devices are pre-set.

If users have to enter a long PIN in two devices, errors may occur and time limits during pairing may be violated. To solve this problem, Bluetooth specification 2.0 + EDR suggests an alternative automatic exchange between two Bluetooth devices, e.g. based on the Diffie-Hellmann method. Specification 2.1 + EDR introduces such a method: Secure Simple Pairing.

In addition to combination keys, this standard provides other possibilities for link keys:

• Unit keys may be used as link keys. The unit key is generated when a Bluetooth device is used for the first time. It is usually not changed. The use of unit keys is no longer recommended in the Bluetooth specification as it poses a security risk.
• Master keys can be agreed temporarily between several devices for the duration of a Bluetooth session if a master wants to contact several devices using the same encryption key. Master keys are only used in point-to-multipoint connections and safely transmitted by the master to the slaves via the current link keys.

The Bluetooth specification distinguishes between temporary and semi-permanent link keys. Temporary link keys are single-use keys, i.e. a new connection key is generated for each new connection (one pairing process per connection). Semi-permanent link keys are stored in the non-volatile memory by the participating Bluetooth devices following pairing and authentication. If semi-permanent link keys are used, two devices can be connected again without repeating authentication. The user does not then need to enter a PIN again when establishing the connection. This reduces the risk of the connection establishment being listened in on and a "weak" PIN being guessed.

Secure Simple Pairing (SSP)

The Secure Simple Pairing (SSP) method was introduced with Bluetooth specification 2.1 + EDR. SSP forms a secure channel during connection establishment that is used to exchange the link key between the devices. For this purpose, the keys are exchanged according to the Diffie-Hellmann method using elliptic curves. This methods requires only little computing power.

To avoid the threat of a man-in-the-middle attack with the Diffie-Hellmann key exchange, the Bluetooth devices authenticate each other. SSP provides four different association methods for authentication:

• "Numeric Comparison"
  
  To use this model, both devices need to have a display unit that can display at least a 6 digit number and allows the user to enter "yes" or "no". An example for this is a connection between a mobile phone and a laptop. For authentication both devices display the same 6 digit number. The user confirms that the numbers match by entering "yes" on both devices.
• "Just Works"
  
  This model is designed for devices that can neither display numbers nor have an input unit, e.g. simple headphones. "Just Works" offers no protection against man-in-the-middle attacks during authentication but it protects the connection establishment just as well against eavesdropping as all other SSP models.
• "Out of Band (OOB)"
  
  This model is based on the fact that a channel is established between the devices to be connected before the Bluetooth connection is established. Using this "Out of Band channel" the devices can recognize each other without Bluetooth Inquiry. In any case this channel is used to exchange the information required for authentication. From the user perspective ,"Out of Band" is similar to "Just Works" as no user interaction is required. However, using the second Bluetooth-independent channel, man-in-the-middle attacks on the key exchange can be detected. As a prerequisite, the method used for the channel has to be invulnerable against such attacks. Near Field Communication (NFC) can be used as an "Out of Band channel", for example. In order to connect two devices successfully using NFC, the devices may only be a few centimetres apart from each other.
• "Passkey Entry"
  
  Here, a device only has a display unit, the other device has an input unit to enter numbers or characters in addition. This model is suitable to connect a Bluetooth keyboard to a computer, for example. For authentication, the device with the display unit is used to read a 6 digit number which is entered into the other device. A 6 digit passkey could also be entered into both devices.

If there is no "Out Of Band channel" during connection establishment, Inquiry and Paging are carried out as usual. Authentication may then only be carried out using the methods "Numeric Comparison", "Just Works" or "Passkey Entry". If there is an "Out Of Band channel", it is used to detect the communication partner. This replaces Inquiry. Then authentication may be done with any of the four association models.

Secure Simple Pairing comprises the following five phases:

• Phase 1: Exchange of public keys
  
  Each Bluetooth device generates a private and a public key. Both devices transmit their public keys to the communication partner. For this, they usually use the Bluetooth channel established during pairing. This has to be done only once for every device. The Bluetooth specification allows the manufacturer to have a new pair of keys generated at any time.
• Phase 2: Authentication, 1st level
  
  In phase 2, the method checks that the devices received authentic public keys from their communication partner. Man-in-the-middle attacks are detected in this phase. For this purpose, different protocols are used for "Numeric Comparison", "Passkey Entry" and "Out of Band". "Just Works" uses the same protocol as "Numeric Comparison".
• Phase 3: Authentication, 2nd level
  
  This level confirms that authentication and pairing were successful. This phase is very important for the "Out of Band" association model. If one of the devices has only a passive chip for NFC (Near Field Communication), it can send but not receive data in the "Out of Band channel". If authentication fails, such a device cannot be notified. In this case, the check if authentication and pairing were successful has to be repeated on a Bluetooth channel.
• Phase 4: Calculation of the link key
  
  From the data exchanged between the two devices and the symmetric key from the Diffie-Hellman method, the link key is calculated using a cryptographic function. Another pair of random numbers is generated for the function. This creates a new link key without generating new Diffie-Hellman keys for every connection establishment. Additionally, the device addresses and a constant character string are used to calculate the link key.
• Phase 5: Establishing the encryption
  
  Finally, both devices use the symmetric link key to generate an encryption key that is the basis for the encryption of the data flow.

Phase 2 varies for each of the four possible association models. The other phases are independent of the model.

Secure modes of operation

There are four secure modes of device operation in the Bluetooth Generic Access Profile (GAP). Security mode 4 is only supported by devices with Bluetooth specification 2.1 + EDR introducing Secure Simple Pairing or higher.

• Security mode 1 (non-secure): The Bluetooth device does not initiate any security mechanisms but it responds to authentication requests of other devices.
• Security mode 2 (service level enforced security): The security mechanisms are selected and used according to the Bluetooth device (trusted or non-trusted) and the service at the application level, i.e. depending on the Bluetooth profile. The device only initiates security procedures when it receives a connection request.
• Security mode 3 (link level enforced security): Authentication during connection establishment is required as a rule. Encryption of the data to be transmitted is optional.
• Security mode 4 (service level enforced security): Basically, this mode corresponds to security mode 2. The service on the application level determines how the link key is to be exchanged using Secure Simple Pairing. Security mode 4 distinguishes three attributes:
  • "Authenticated" means that active user input is required while coupling two devices. As an alternative option the end devices can communicate on a second channel which is not used for normal data exchange ("numeric comparison", "out-of-band" or "passkey entry").
  • "Unauthenticated" performs a coupling between two end devices without user interaction ("just works").
  • "No Security required" does not require any security mechanisms.

Bluetooth specification 2.1 + EDR requires the use of security mode 4. For reasons of backward compatibility with older Bluetooth devices, security mode 2 may also be used.

The security mode used is selected by the application. Example: The specification of the SIM Access Profile, i.e. the Bluetooth profile with the highest security requirements, requires authentication and encryption as a rule. Therefore, devices have to use security mode 2 or 3 if they correspond to Bluetooth specification 2.0 + EDR or 1.x. Devices with specification 2.1 + EDR and 3.0 + HS have to use security mode 4.

In addition to these security modes, GAP describes how the behaviour of Bluetooth devices can be controlled during connection establishment:

• Discoverability: This mode controls if the device responds to Inquiry. In addition to the "non-discoverable mode" (device does not respond to Inquiry) and the "general discoverable mode" (device always responds to Inquiry), there also is the "limited discoverable mode". In this mode, the device is only detectable for a certain time or due to certain device states.
• Possibility to establish a connection: This mode controls the ability of Bluetooth devices to respond to connection requests using paging. A device is either in "connectable mode" or in "non-connectable mode".
• Possibility to connect devices using pairing: This is the ability of devices to carry out authentication and to exchange a link key for pairing ("bondable mode"). If a device is in "non-bondable mode" pairing cannot be used to establish encrypted communication. In older Bluetooth specifications these modes are called "pairable".

Authentication

For authentication, a challenge-response method based on a symmetric encryption method is used. Basically, one-sided authentication is used, i.e. a device (claimant) authenticates towards another device (verifier). If both devices are to authenticate each other, authentication is repeated with reversed roles.

Encryption

Encryption can be optional if at least one of the two communicating devices has been authenticated towards the other. Encryption can be requested by both the master and the slave. However, encryption is always started by the master after it negotiates the required parameters with the slave. First, both devices define the length of the key to be used. Then, the master starts encryption by sending a random number to the slave.

There are two operation modes for encryption: Point-to-point encryption and point-to-multipoint encryption. With point-to-point encryption, the authenticated cipher offset of the authentication protocol is used as cipher offset. With point-to-multipoint encryption, the device address of the master is used as cipher offset. Furthermore, the connection key has to be replaced by a master key before encryption is started. A point-to-multipoint encryption is required in a piconet, for example, if the master sends a message to several slaves (multicast).

Bluetooth via IEEE 802.11 WLAN

The specification Bluetooth 3.0 + HS describes an alternative wireless technology called "Alternate MAC/PHY" (AMP). Bluetooth provides higher data rates using the physical interface of a WLAN according to IEEE 802.11. For this purpose, the "Logical Link Control and Adaptation Layer Protocol" (L2CAP) was extended by functions for the selection of the wireless technology and the respective controller. There are even functions that enable changing of the wireless technology when a connection is established.

The technology-independent term AMP implies that there may be other wireless systems for Bluetooth in the future.

At the heart of the specification is the "802.11 Protocol Adaptation Layer" (802.11 PAL). It is the link between the Bluetooth host controller interface (HCI) and the WLAN MAC interface. 802.11 PAL provides the following among other things:

• Establishment of physical connections following a HCI request.
• Data transmission using WLAN packages.
• Avoidance of interferences between WLAN and Bluetooth in the 2.4 GHz band. PAL makes sure that connection-oriented data traffic (SCO) that is always carried out via the Bluetooth controller is not sent at the same time as connectionless data packages (ACL) on the WLAN controller.

For further background information and technical descriptions of the Bluetooth specifications, see the BSI booklet "Drahtlose Kommunikationssysteme und ihre Sicherheitsaspekte" (Wireless communication systems and their security aspects), which can be downloaded from the BSI website.