World-Class Alcohol and Drug Testing Solutions 1300 789 908

Security in Bluetooth and Wi-Fi within Portable Electronic Devices

ABSTRACT:

A comparison of wireless communications technologies focusing on practical security aspects.

2.0 Executive Summary

Bluetooth is used extensively in Military, Police, Fire & Rescue, Medical applications as well as a variety of commercial, industrial, and personal-use devices and has become the technology of choice for secure, short range communications.

Wi-Fi and Bluetooth are similar technologies, and both are considered secure networking technologies, both filling a clear function in networked environments with often complementary, and sometimes overlapping, applications.

As with any network technology, they have security vulnerabilities which need to be understood and managed. The best defense against any threats is ensuring that devices are configured correctly, operating with the latest firmware or version, and are operated by trained users.

Broadcast range is one of the major differences between the two technologies, and it creates a specific security consideration: the greater the broadcast range, the greater the risk of eavesdroppers attempting to breach the in-built security mechanisms.

3.0 Background

Wi-Fi and Bluetooth are seen as similar and often competing technologies and while both Bluetooth and Wi-Fi transmit data via wireless radio waves, they were developed for quite different uses and consequently, the security threats and associated defensive features relevant to each technology are very different.

Depending on the use and environment it may sometimes be preferable to use one technology over the other but in doing so, users should understand the relative merits in each scenario.

Bluetooth excels at transmitting small amounts of data over short distances between two devices, while Wi-Fi has been designed to network many devices together over a much greater range and to carry a high volume of network traffic.

This application environment often causes confusion over the application of each technology and over which technology is more, or less, secure.

The focus of this White Paper is on current Bluetooth and Wi-Fi standards, with reference to past versions for relevant application context, and it discusses the various merits of both technologies from an information security perspective.

4.0 Purpose of this Document

The intent of this document is to facilitate informed discussion on the topic of information security and the use of Bluetooth and Wi-Fi wireless technologies. This paper compares the security features of Bluetooth and Wi-Fi and the relevant threats to these technologies but specifically focusses on Bluetooth and its application in critical communication infrastructure due to its prevalence in short range secure communications within industrial, commercial, military and emergency responder equipment.

5.0 Similar but different technologies

Wi-Fi and Bluetooth are similar technologies but different in many ways. Both technologies were developed at the end of the 20th Century, and both use similar parts of the radio spectrum.

Bluetooth range is limited to approximately 10 meters while Wi-Fi extends to 100 m. Range also correlates with power consumption: Wi-Fi enabled devices are more power hungry than their Bluetooth equivalents, which is a concern for portable hand-held devices where battery life is critical.

Like most networking technologies both have had security issues in the past, but both have taken steps to significantly improve security and are now both acknowledged as secure networking techniques when correctly configured.

6.0 Technology Overview

6.1 Bluetooth

Bluetooth provides an energy efficient, low-cost solution for short-range transmissions [1]. Bluetooth has become the prevailing technology for connecting IoT devices and peripherals [1]. It can be found in a host of industrial and commercial devices such as cell phones, Industrial Automation Devices, headsets, speakers, printers, and keyboards.

6.2 Wi-Fi

Wi-Fi technology is the primary technology used in wireless LANs in the home and office. Based on the IEEE 802.11 set of standards, Wi-Fi is typically used to implement large wireless area networks and provide internet access and networking to connected devices.

7.0 Bluetooth Security

7.1 Bluetooth Security Overview

This section details the Security Modes of the Bluetooth protocol. These modes are used to establish secure connections between Bluetooth devices. Bluetooth offers both usage security and information confidentiality.

It uses a 128-bit random number, the device’s 48-bit MAC address and two keys: an authentication key (128 bits) and an encryption key (8 to 128 bits).

Bluetooth 2.1 introduced Security Mode 4, which is the most secure of the four available security modes and offers backwards compatibility with Security Modes 1, 2 and 3. If two Bluetooth devices try to connect and each supports different Security Modes, the device with the highest Security Mode (Device A) offers backwards compatibility to the other device (Device B) and operates only at the highest Security Mode available on Device B. [2]

Bluetooth 4.1 improves security by introducing upgraded authentication and encryption algorithms.

7.2 Bluetooth Security Modes

There are four security modes in which a Bluetooth device can operate. [1]

1. Non-secure

2. Service-level

3. Link-level

4. Service-Level

Security Mode 1: Security Mode 1 devices can pair with any other Bluetooth device, regardless of the version or Security Mode, without the need of the user’s verification. These devices pose the greatest security threat. [3] [2]

Security Mode 2: Security Mode 2 devices require PIN verification for pairing. Although the risk here is not as great as with Security Mode 1 devices, there are still vulnerabilities attackers can leverage to compromise the device. [3] [2]

Security Mode 3: Security Mode 3 devices exchange security codes to pair, leaving no gap for a security breach in the protocol itself; coding errors in an implementation can still occur, however, and would leave devices vulnerable. [3]

All 2.0 and earlier devices can support Security Mode 3, but 2.1 and later devices can only support it for backward compatibility purposes. [2]

Security Mode 4: Security Mode 4 devices have stronger and more complex authentication protocols than the other Security Modes. [3]

Similar to Security Mode 2, Security Mode 4 is a service-level-enforced security mode in which security procedures are initiated after physical and logical link setup [2]. Security requirements for services protected by Security Mode 4 must be classified as one of the following:

  • Level 4: Authenticated link key using Secure Connections required [2]
  • Level 3: Authenticated link key required [2]
  • Level 2: Unauthenticated link key required [2]
  • Level 1: No security required [2]
  • Level 0: No security required. (Only allowed for SDP) [2]

Security Mode 4 requires encryption for all services (apart from Service Discovery) and is mandatory for communication between Bluetooth 2.1 and later devices.

To support backwards compatibility, Security Mode 4 devices can fall back to any of the other three Security Modes when communicating with older Bluetooth devices that do not support Security Mode 4. [2]

Security Mode 4 – Level 4 provides the highest security and is only possible between Bluetooth 2.1 and later devices. [2]

7.3 Bluetooth Threats

This section describes the threats to Bluetooth devices.

BlueSmacking – BlueSmacking is a DoS attack for Bluetooth devices. [2] [4] See DoS Attacks for more information.

BlueJacking – Bluejacking is an attack aimed at Bluetooth-enabled mobile devices, such as mobile phones. Bluejacking is initiated by sending unsolicited messages to the device. [2] While the messages themselves do not directly cause harm to the user’s device, they may tempt the user to interact in some way or add the new contact to their address book. Bluejacking resembles the spam and phishing attacks seen with email. Bluejacking can be harmful when a user initiates a response to a Bluejacking message sent with malicious intent. [4]

BlueSnarfing – BlueSnarfing enables an attacker to gain access to a Bluetooth device by exploiting a firmware vulnerability in older devices. [2] This attack forces a connection to a device, allowing the attacker access to data stored locally on the device including the device’s IMEI. This is a unique identifier that could potentially be used to route incoming traffic from the user’s device to the attacker’s device. [4]

BlueBugging – Bluebugging exploits a vulnerability in the firmware of some older Bluetooth devices to gain access to the device and its commands. [2] This attack

8.0 Wi-Fi Security

8.1 Wi-Fi Security Overview

For a Wi-Fi client to be able to transmit data over a network, it must first go through the following three-stage process:

1. Find a suitable wireless network—For a typical enterprise deployment, the search for a suitable network involves sending a probe request, while specifying the SSID, bit rate requirements, and required security configuration. [5]

2. Authentication—Wi-Fi standards support two authentication mechanisms: open and shared key. [5]

  1. Open authentication is essentially a NULL authentication in which the client requests to be authenticated and the AP grants it. Open authentication is the only mechanism used in wireless enterprise deployments. The real authentication occurs after association through more secure mechanisms. [5]
  2. The Shared Key Authentication process starts when a client sends an authentication request to the AP. The AP then responds by sending the client an encrypted file. The client must then decrypt the file using a passphrase entered by the user. The client must return the file to the AP for comparison. If the received file is identical to the one the AP sent the client, then the AP knows the client is using the correct passphrase and can be granted access to the network. [6]

3. Association—This stage finalises the security and bit rate options, and establishes the data link between the Wi-Fi client and the AP. A secure enterprise AP blocks all the wireless client traffic at the access point until a successful authentication is made. [5]

  1. Reassociation occurs when a client that has already joined a network roams from one AP to another. The main difference between an association and a reassociation is that a reassociation includes the MAC address (BSSID) of the previous AP in the reassociation request, providing roaming information to the new AP. [5]

8.2 Wi-Fi Threats

This section describes the threats to Wi-Fi devices and networks.

Hidden or Rogue Access Points – A rogue AP is a foreign AP that has been connected to the network. Attackers use them to trick wireless clients into associating with the rogue AP instead of the legitimate one. [7] The rogue AP allows the attacker to capture data and acts as an entry point into the network. [8]

For an attack of this nature to be effective the attacker would need physical access to the network to connect the rogue AP. [7] Otherwise users associating with the rogue AP would not be able to access any business systems, leading to an ineffective attack. [8]

Rogue Clients – A rogue client is a device that is not authorised to operate on the network but is doing so anyway. [7] Any device connected to a rogue AP is automatically considered a rogue client. [8] [9]

Misconfigured APs – APs that are individually managed pose a significant security threat when configured incorrectly. Most enterprise wireless networks are centrally managed, which facilitates regular updates, audits, and improved reliability. [7] Modern Wi-Fi standards such as 802.11n/ac add a multitude of settings, and because not every client supports all of these settings, vulnerabilities are introduced. [8]

Ad hoc Connections, Internet Connection Sharing and Bridging Clients – When a device shares its Internet connection or allows access to multiple networks simultaneously, it can be used to bypass network and security systems which may result in data loss or provide an attacker with entry into the network. [10]

Honeypot/Evil Twin APs – An Evil Twin AP presents the same SSID as a genuine hotspot or Wi-Fi network, causing nearby wireless clients to connect to it. [7] Certain tools listen to network traffic, discover which SSIDs wireless clients are willing to connect to, and automatically start broadcasting those SSIDs. [8] After a client connects, DHCP and DNS are used to route the client traffic through the Evil Twin, where local malicious Web, mail, and file servers execute man-in-the-middle attacks. [10]

DoS Attacks – DoS attacks seek to overwhelm a system causing failure or degrade usability. Wireless networks are particularly vulnerable to DoS, due to everyone sharing the same unlicensed frequencies [7]. In DoS attacks malicious messages are sent to disconnect users, consume AP resources, and occupy communication channels. [8] [10]
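The Evil Twin and misconfigured AP threats above can be checked for from the monitoring side. The following is an added example, not code from this paper or any cited source: it runs detection logic over constructed scan records against an assumed inventory of centrally managed APs (BSSIDs, SSIDs and security settings are all made up).

```python
# Added example, not from the white paper: flag Evil Twin and misconfigured
# APs in a set of scan (beacon) records using an inventory of managed APs.
# All BSSIDs, SSIDs and records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    ssid: str
    bssid: str
    security: str  # "WPA2-Enterprise", "WPA2-PSK" or "OPEN"
    channel: int


# Assumed inventory from a central WLAN controller (constructed):
# BSSID -> (assigned SSID, security it must advertise)
INVENTORY = {
    "02:00:00:aa:00:01": ("CorpNet", "WPA2-Enterprise"),
    "02:00:00:aa:00:02": ("CorpNet", "WPA2-Enterprise"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in INVENTORY.values()}


def classify(records):
    """Return sorted (bssid, kind, detail) findings.

    evil-twin:     an unmanaged BSSID advertising one of our SSIDs
    misconfigured: a managed BSSID whose advertised security differs from
                   what the controller assigned (e.g. fell back to OPEN)
    Unmanaged BSSIDs with foreign SSIDs (neighbouring networks) are ignored,
    and repeated beacons from the same AP produce a single finding.
    """
    findings = set()
    for r in records:
        if r.bssid in INVENTORY:
            assigned_ssid, expected_sec = INVENTORY[r.bssid]
            if r.ssid == assigned_ssid and r.security != expected_sec:
                findings.add((r.bssid, "misconfigured",
                              f"{r.ssid} advertises {r.security}, expected {expected_sec}"))
        elif r.ssid in CORPORATE_SSIDS:
            findings.add((r.bssid, "evil-twin",
                          f"unmanaged AP advertising {r.ssid} ({r.security}, ch {r.channel})"))
    return sorted(findings)


# Constructed scan results, as a sensor or client scan might report them.
SAMPLE_SCAN = [
    ApRecord("CorpNet", "02:00:00:aa:00:01", "WPA2-Enterprise", 6),   # healthy managed AP
    ApRecord("CorpNet", "02:00:00:aa:00:02", "OPEN", 11),             # managed AP, lost its config
    ApRecord("CorpNet", "02:00:00:ff:00:99", "OPEN", 6),              # unmanaged AP with our SSID
    ApRecord("CorpNet", "02:00:00:ff:00:99", "OPEN", 6),              # same AP, second beacon
    ApRecord("CafeWifi", "02:00:00:cc:00:01", "WPA2-PSK", 1),         # neighbour, ignored
]

if __name__ == "__main__":
    for bssid, kind, detail in classify(SAMPLE_SCAN):
        print(f"{kind:14} {bssid}  {detail}")
```

A real deployment would feed this from a wireless IDS sensor or controller export rather than a hand-written list, and would alert rather than print.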

9.0 Transmission range is a security issue

The transmission range is a security consideration. Bluetooth transmits about 10 meters, while Wi-Fi reaches about 100 m.

Because Bluetooth has a shorter range, it not only improves battery life in secure transfer mode but also makes it easier to maintain correct physical security around the transmission: any intruder has to be physically close to the transmitter to attempt interception of transmissions.

By maintaining physical security around the transmitting devices, attackers would not be able to intercept the transmissions as they would be out of range. The same is true for both Bluetooth and Wi-Fi, but the transmission range is much greater in the latter.

The typical security zone for Bluetooth is 10 meters in each direction, or just over 300 square meters, which is within the line-of-sight of any operator.

The typical security zone for Wi-Fi is 100 meters in each direction, or over 31,000 square meters, which is well outside of the ability of a single (or even multiple) operators to patrol securely.

10.0 Best Practice Security in Bluetooth

To improve the security of Bluetooth implementations, organizations should implement the following recommendations:

  • Use the strongest Bluetooth security mode that is available for their Bluetooth devices.
  • Address Bluetooth wireless technology in their security policies and change default settings of Bluetooth devices to reflect the policies.
  • Ensure that their Bluetooth users are made aware of their security related responsibilities regarding Bluetooth use.

11.0 Secure Bluetooth application environments

11.1 Military Applications

The reliable transfer of information in the military is vital to the survival of the soldier, and Bluetooth has become the technology of choice for secure, short range communications. Bluetooth is extremely popular in the Military; with the widespread use of Personal Radios, Headsets and Personal Data Assistants, the wires connecting these devices become cumbersome. Using Bluetooth wireless technology, the burdensome cables have been eliminated, giving the soldier greater mobility without sacrificing data reliability or security.

11.2 Emergency Services

Emergency services including Fire & Rescue and Paramedics use Bluetooth enabled devices for both secure voice and data transfer. Similar to the Military application, integration with Portable Radio devices allows first responders to communicate simultaneously over two radio channels as well as integrate with Bluetooth enabled mobile phones when necessary.

12.0 Conclusion

In conclusion, both Wi-Fi and Bluetooth are considered secure networking technologies.

Wi-Fi has been designed for connecting numerous devices together for the purposes of networking, file sharing and internet connectivity, and the technology offers more security mechanisms than Bluetooth. However, Wi-Fi is far more complex to correctly configure, manage and maintain which presents an underlying operational security risk which users must mitigate.

Bluetooth security on the other hand has been developed for short range decentralised communications and the transferring of small amounts of data. The security configurations for Bluetooth devices are less complex and do not require ongoing management. This greatly simplifies use in dynamic operational environments and reduces risk.

Broadcast range is a security consideration. Bluetooth has a shorter range and can be used to transfer secure files while needing only correct physical security around the transmission within the line-of-sight of the user.

So, by maintaining physical security around the devices using Bluetooth, any potential attacker would not be able to intercept the transmissions without being in plain sight of the user.

With Wi-Fi the broadcast range is much greater meaning the risk area is harder to secure and potential eavesdroppers can be concealed, out of sight, from the users.

Though the underlying vulnerabilities of the two technologies are different, they are both susceptible to similar threats. The best defence against these threats is ensuring that the devices are configured correctly, operating with the latest firmware or version, and are operated by trained users.

Glossary

AP Access Point
BSSID Basic Service Set Identifier
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
DoS Denial of Service
IoT Internet of Things
IMEI International Mobile Equipment Identity
LAN Local Area Network
MAC Media Access Control
SSID Service Set Identifier (Wi-Fi Network Name)
WEP Wired Equivalent Privacy
Wi-Fi Wireless Network Protocol based on IEEE 802.11 standards
WLAN Wireless LAN

Works Cited

[1] A. Lonzetta, “Security Vulnerabilities in Bluetooth Technology as Used in IoT,” Journal of Sensor and Actuator Networks, vol. 7, no. 3, p. 28, 2018.

[2] J. Padgette, J. Bahr, M. Batra, M. Holtmann, R. Smithbey, K. Scarfone and L. Chen, “Guide to Bluetooth Security,” NIST, 2017.

[3] A. Bicknell, “The Top 5 Bluetooth Security Vulnerabilities,” 20 April 2020. [Online]. Available: https://www.globalsign.com/en/blog/top-5-bluetooth-securityvulnerabilities. [Accessed 26 June 2021].

[4] K. Crawley, “Bluetooth security risks explained,” [Online]. Available: https://cybersecurity.att.com/blogs/security-essentials/bluetooth-security-risks-explained. [Accessed 26 June 2021].

[5] Cisco, “802.11 Network Security Fundamentals,” [Online]. Available: https://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1.0/administration/guide/C1_Network_Security.html#wp1050709. [Accessed 20 June 2021].

[6] A. Walton, “WEP Shared Key Authentication,” [Online]. Available: https://smallbusiness.chron.com/wep-shared-key-authentication-69537.html. [Accessed 27 June 2021].

[7] L. Phifer, “Top Ten Wi-Fi Security Threats,” 8 March 2010. [Online]. Available: https://www.esecurityplanet.com/trends/wi-fi-security-threats/. [Accessed 26 June 2021].

[8] S. Wilkins, “Wireless LAN Security Threats,” 2 November 2011. [Online]. Available: https://www.pluralsight.com/blog/it-ops/wireless-lan-security-threats. [Accessed 26 June 2021].

[9] Juniper Networks, “Understanding Rogue Clients,” 16 December 2016. [Online]. Available: https://www.juniper.net/documentation/en_US/junos-space-apps/network-director3.1/topics/concept/wireless-rogue-client.html. [Accessed 26 June 2021].

[10] United States Department of Homeland Security, “A Guide to Securing Networks for Wi-Fi,” 15 March 2017. [Online]. Available: https://us-cert.cisa.gov/sites/default/files/publications/A_Guide_to_Securing_Networks_for_Wi-Fi.pdf. [Accessed 26 June 2021].

[11] S. S. Hassan, S. D. Bibon, M. S. Hossain and M. Atiquzzaman, “Security threats in Bluetooth technology,” Computers & Security, pp. 308-322, 2018.