Bluetooth is a proprietary open wireless protocol for exchanging data over short distances (using short length radio waves) from fixed and mobile devices, creating personal area networks (PANs).
It was originally conceived as a wireless alternative to RS-232 data cables. It can connect several devices, overcoming problems of synchronization.
* Name and Logo
* Bluetooth Profiles
* List of Applications
* Bluetooth vs. Wi-Fi IEEE 802.11 in Networking
* Bluetooth Devices
* Computer Requirements
* Operating System Support
* mobile phone Requirements
* Specifications and Features
* Bluetooth 1.0 and 1.0B
* Bluetooth 1.1
* Bluetooth 1.2
* Bluetooth 2.0 + EDR
* Bluetooth 2.1 + EDR
* Bluetooth 3.0 + HS
* Bluetooth V4.0 (Ble; low energy protocols)
* UWB for AMP
* Technical Information
* Bluetooth Protocol Stack
* Baseband Error Corrections
* Setting up Connections
* Pairing Mechanisms
... to develop a field of trust between personal Bluetooth devices, such as allowing only the owners notebook computer ... is used in the same way in each Bluetooth device that is appropriate for the ad how ... be attached with the help of add-on device. Bluetooth phone usage models include wireless hands-free ... ISM band at 2. 4 GHz. Bluetooth base band protocol is a combination of circuit and packet switching ...
* Security Concerns
* Air Interface
* History of Security Concerns
* Health Concerns
Name and logo
The word Bluetooth is an anglicised version of Danish Blåtand, the epithet of the tenth-century king Harald I of Denmark and parts of Norway who united dissonant Danish tribes into a single kingdom. The implication is that Bluetooth does the same with communications protocols, uniting them into one universal standard. The Bluetooth logo is a bind rune merging the Germanic runes (Hagall) and (Berkanan).
Bluetooth uses a radio technology called frequency-hopping spread spectrum, which chops up the data being sent and transmits chunks of it on up to 79 bands of 1 MHz width in the range 2402-2480 MHz. This is in the globally unlicensed Industrial, Scientific and Medical (ISM) 2.4 GHz short-range radio frequency band.
In its basic rate (BR) mode, the modulation is Gaussian frequency-shift keying (GFSK).
It can achieve a gross data rate of 1 Mbit/s. In extended data rate (EDR) π/4-DQPSK and 8DPSK are used, giving 2, and 3 Mbit/s respectively.
Bluetooth is a packet-based protocol with a master-slave structure. One master may communicate with up to 7 slaves in a piconet; all devices share the master’s clock. Packet exchange is based on the basic clock, defined by the master, which ticks at 312.5 µs intervals. Two clock ticks make up a slot of 625 µs; two slots make up a slot pair of 1250 µs. In the simple case of single-slot packets the master transmits in even slots and receives in odd slots; the slave, conversely, receives in even slots and trasnmits in odd slots. Packets may be 1, 3 or 5 slots long but in all cases the master transmit will begin in even slots and the slave transmit in odd slots.
... operation (a) and (b) the devices should be at sight. The Bluetooth wireless communication is based on a short-range radio ... spam as in regular wireless communication. More dangerous vulnerability that may happen to the Bluetooth devices is bluebugging.The skillful ... applications of the Bluetooth are restricted by the cable replacement in communication only. The use of the Bluetooth devices for the ...
Bluetooth provides a secure way to connect and exchange information between devices such as faxes, mobile phones, telephones, laptops, personal computers, printers, Global Positioning System (GPS) receivers,digital cameras, and video game consoles.
The Bluetooth specifications are developed and licensed by the Bluetooth Special Interest Group (SIG).
The Bluetooth SIG consists of companies in the areas of telecommunication, computing, networking, and consumer electronics.
To be marketed as a bluetooth device, it must be qualified to standards defined by the SIG.
Bluetooth is a standard communications protocol primarily designed for low power consumption, with a short range (power-class-dependent: 100m, 10m and 1m, but ranges vary in practice; see table below) based on low-cost transceiver microchips in each device. Because the devices use a radio (broadcast) communications system, they do not have to be in line of sight of each In most cases the effective range of class 2 devices is extended if they connect to a class 1 transceiver, compared to a pure class 2 network. This is accomplished by the higher sensitivity and transmission power of Class 1 devices.
Version | Data Rate |
Version 1.2 | 1 Mbit/s |
Version 2.0 + EDR | 3 Mbit/s |
In order to use Bluetooth, a device must be compatible with certain Bluetooth profiles. These define the possible applications and uses of the technology.
List of applications
* Wireless control of and communication between a mobile phone and a hands-free headset. This was one of the earliest applications to become popular.
* Wireless networking between PCs in a confined space and where little bandwidth is required.
* Wireless communication with PC input and output devices, the most common being the mouse, keyboard and printer.
* Transfer of files, contact details, calendar appointments, and reminders between devices with OBEX.
* Replacement of traditional wired serial communications in test equipment, GPS receivers, medical equipment, bar code scanners, and traffic control devices.
* For controls where infrared was traditionally used.
... that facilitates software developers to write wireless Local Based applications for resource-limited mobile devices. JSR179 entails Connected Device Configuration or CLDC version 1. 1 ... ; Eric, G 2001, Mobile information device profile for Java 2 micro edition: The ultimate guide to creating applications for wireless devices, John Wiley & Sons ...
* For low bandwidth applications where higher USB bandwidth is not required and cable-free connection desired.
* Sending small advertisements from Bluetooth-enabled advertising hoardings to other, discoverable, Bluetooth devices.
* Wireless bridge between two Industrial Ethernet (e.g., PROFINET) networks.
* Three seventh-generation game consoles, Nintendo’s Wii and Sony’s PlayStation 3 and PSP Go, use Bluetooth for their respective wireless controllers.
* Dial-up internet access on personal computers or PDAs using a data-capable mobile phone as a wireless modem like Novatel mifi.
* Short range transmission of health sensor data from medical devices to mobile phone, set-top box or dedicated telehealth devices.
Bluetooth vs. Wi-Fi IEEE 802.11 in networking
Bluetooth and Wi-Fi have many applications: setting up networks, printing, or transferring files.
Wi-Fi is intended for resident equipment and its applications. The category of applications is outlined as WLAN, the wireless local area networks. Wi-Fi is intended as a replacement for cabling for general local area network access in work areas.
Bluetooth is intended for non resident equipment and its applications. The category of applications is outlined as the wireless personal area network (WPAN).
Bluetooth is a replacement for cabling in a variety of personally carried applications in any ambience.
Wi-Fi is a traditional Ethernet network, and requires configuration to set up shared resources, transmit files, and to set up audio links (for example, headsets and hands-free devices).
Wi-Fi uses the same radio frequencies as Bluetooth, but with higher power, resulting in a stronger connection. Wi-Fi is sometimes called “wireless Ethernet.” This description is accurate, as it also provides an indication of its relative strengths and weaknesses. Wi-Fi requires more setup but is better suited for operating full-scale networks; it enables a faster connection and better range from the base station.
A Bluetooth USB dongle with a 100 m range. The MacBook Pro, shown, has a built in Bluetooth adaptor.
Bluetooth exists in many products, such as telephones, the Wii, PlayStation 3, PSP Go, Lego Mindstorms NXT and in some high definition watches, modems and headsets. The technology is useful when transferring information between two or more devices that are near each other in low-bandwidth situations. Bluetooth is commonly used to transfer sound data with telephones (i.e., with a Bluetooth headset) or byte data with hand-held computers (transferring files).
... networking with a Bluetooth notebook. Digital mobile phones should support some subset of the Bluetooth Specification. Currently, Bluetooth is the ... to another Bluetooth chip (receiver), which will transfer the information to an electronic device The name Bluetooth originally came ... after transmitting or receiving signals. Bluetooth can also support an asynchronous data channel, or up to three ...
Bluetooth protocols simplify the discovery and setup of services between devices. Bluetooth devices can advertise all of the services they provide. This makes using services easier because more of the security, network address and permission configuration can be automated than with many other network types.
A personal computer must have a Bluetooth adapter in order to communicate with other Bluetooth devices (such as mobile phones, mice and keyboards).
While somedesktop computers and most recent laptops come with a built-in Bluetooth adapter, others will require an external one in the form of a dongle.
Unlike its predecessor, IrDA, which requires a separate adapter for each device, Bluetooth allows multiple devices to communicate with a computer over a single adapter.
Operating system support.
Apple has supported Bluetooth since Mac OS X v10.2 which was released in 2002.
For Microsoft platforms, Windows XP Service Pack 2 and later releases have native support for Bluetooth. Previous versions required users to install their Bluetooth adapter’s own drivers, which were not directly supported by Microsoft.
GNU/Linux has two popular Bluetooth stacks, BlueZ and Affix. The BlueZ stack is included with most Linux kernels and was originally developed by Qualcomm. The Affix stack was developed by Nokia. FreeBSD features Bluetooth support since its 5.0 release. NetBSD features Bluetooth support since its 4.0 release. Its Bluetooth stack has been ported to OpenBSD as well.
Mobile phone requirements
A mobile phone that is Bluetooth enabled is able to pair with many devices. To ensure the broadest support of feature functionality together with legacy device support, the Open Mobile Terminal Platform (OMTP) forum has published a recommendations paper, entitled “Bluetooth Local Connectivity”
... 2002 ; technology selection and the specification of the technical elements of DVB-H ... channel provided by DVB-H will feature a total data rate of several Mbitis and may ... the latest development within the This work was supported by Panasonic liurupean Laboratories GmbH. Langcn. Germany ... radio terminals and comparable pocket-sized portable devices. The international DVB (Digital Vidco Broadcasting) ...
Specifications and features
The Bluetooth specification was developed in 1994 by Jaap Haartsen and Sven Mattisson, who were working for Ericsson in Lund, Sweden. The specification is based on frequency-hopping spread spectrum technology.
The specifications were formalized by the Bluetooth Special Interest Group (SIG).
The SIG was formally announced on May 20, 1998. Today it has a membership of over 12,000 companies worldwide. It was established by Ericsson, IBM, Intel, Toshiba, and Nokia, and later joined by many other companies.
Bluetooth 1.0 and 1.0B
Versions 1.0 and 1.0B had many problems, and manufacturers had difficulty making their products interoperable. Versions 1.0 and 1.0B also included mandatory Bluetooth hardware device address (BD_ADDR) transmission in the Connecting process (rendering anonymity impossible at the protocol level), which was a major setback for certain services planned for use in Bluetooth environments.
* Ratified as IEEE Standard 802.15.1-2002
* Many errors found in the 1.0B specifications were fixed.
* Added support for non-encrypted channels.
* Received Signal Strength Indicator (RSSI).
This version is backward compatible with 1.1 and the major enhancements include the following:
* Faster Connection and Discovery
* Adaptive frequency-hopping spread spectrum (AFH), which improves resistance to radio frequency interference by avoiding the use of crowded frequencies in the hopping sequence.
* Higher transmission speeds in practice, up to 721 kbit/s, than in 1.1.
* Extended Synchronous Connections (eSCO), which improve voice quality of audio links by allowing retransmissions of corrupted packets, and may optionally increase audio latency to provide better support for concurrent data transfer.
... support, individual users have considerable difficulty understanding and using public key encryption.A'usability's tudy conducted at Car neige-Mellon University ... bias against deploying new functionality to workstations or other client devices. Compared to other industries, healthcare organizations spend relatively little on ...
Bluetooth 2.0 + EDR
This version of the Bluetooth specification was released on November 10, 2004. It is backward compatible with the previous version 1.2. The main difference is the introduction of an Enhanced Data Rate (EDR) forfaster data transfer. The additional throughput is obtained by using a different radio technology for transmission of the data. Standard, or Basic Rate, transmission uses Gaussian Frequency Shift Keying (GFSK) modulation of the radio signal with a gross air data rate of 1 Mbit/s. EDR uses a combination of GFSK and Phase Shift Keying modulation (PSK) with two variants, π/4-DQPSK and 8DPSK. These have gross air data rates of 2, and 3 Mbit/s respectively.
According to the 2.0 + EDR specification, EDR provides the following benefits:
* Three times the transmission speed (2.1 Mbit/s) in some cases.
* Reduced complexity of multiple simultaneous connections due to additional bandwidth.
* Lower power consumption through a reduced duty cycle.
Bluetooth 2.1 + EDR
Bluetooth Core Specification Version 2.1 + EDR is fully backward compatible with 1.2, and was adopted by the Bluetooth SIG on July 26, 2007. It supports theoretical data transfer speeds of up to 3 Mbit/s. This specification includes the following features:
Extended inquiry response (EIR)
Provides more information during the inquiry procedure to allow better filtering of devices before connection. This information may include the name of the device, a list of services the device supports, the transmission power level used for inquiry responses, and manufacturer defined data.
Reduces the power consumption when devices are in the sniff low-power mode, especially on links with asymmetric data flows. Human interface devices (HID) are expected to benefit the most, with mouse and keyboard devices increasing their battery life by a factor of 3 to 10. It lets devices decide how long they will wait before sending keepalive messages to one another. Previous Bluetooth implementations featured keep alive message frequencies of up to several times per second. In contrast, the 2.1 + EDR specification allows pairs of devices to negotiate this value between them to as infrequently as once every 10 seconds.
Encryption pause/resume (EPR)
Enables an encryption key to be changed with less management required by the Bluetooth host. Changing an encryption key must be done for a role switch of an encrypted ACL link, or every 23.3 hours (one Bluetooth day) encryption is enabled on an ACL link. Before this feature was introduced, when an encryption key is refreshed the Bluetooth host would be notified of a brief gap in encryption while the new key was generated; so the Bluetooth host was required to handle pausing data transfer (however data requiring encryption may already have been sent before the notification that encryption is disabled has been received).
With EPR, the Bluetooth host is not notified of the gap, and the Bluetooth controller ensures that no unencrypted data is transferred while they key is refreshed.
Secure simple pairing (SSP)
Radically improves the pairing experience for Bluetooth devices, while increasing the use and strength of security. See the section on Pairing below for more details. It is expected that this feature will significantly increase the use of Bluetooth.
Near field communication (NFC) cooperation
Automatic creation of secure Bluetooth connections when NFC radio interface is also available. This functionality is part of SSP where NFC is one way of exchanging pairing information. For example, a headset should be paired with a Bluetooth 2.1 + EDR phone including NFC just by bringing the two devices close to each other (a few centimeters).
Another example is automatic uploading of photos from a mobile phone or camera to a digital picture frame just by bringing the phone or camera close to the frame.
Non-Automatically-Flushable Packet Boundary Flag (PBF)
Using this feature L2CAP may support both isochronous (A2DP media Streaming) and asynchronous data flows (AVRCP Commands) over the same logical link by marking packets as automatically-flushable or non-automatically-flushable by setting the appropriate value for the Packet_Boundary_Flag in the HCI ACL Data Packet
Bluetooth 3.0 + HS
The 3.0 + HS specification was adopted by the Bluetooth SIG on April 21, 2009. It supports theoretical data transfer speeds of up to 24 Mbit/s, though not over the bluetooth link itself. Instead, the bluetooth link is used for negotiation and establishment, and the high data rate traffic is carried over a colocated wifi link. Its main new feature is AMP (Alternate MAC/PHY), the addition of 802.11 as a high speed transport. Two technologies had been anticipated for AMP: 802.11 and UWB, but UWB is missing from the specification.
Enables the use of alternative MAC and PHYs for transporting Bluetooth profile data. The Bluetooth Radio is still used for device discovery, initial connection and profile configuration, however when large quantities of data need to be sent, the high speed alternate MAC PHY (802.11, typically associated with Wi-Fi) will be used to transport the data. This means that the proven low power connection models of Bluetooth are used when the system is idle and the low power per bit radios are used when large quantities of data need to be sent.
Enhanced Power Control
Updates the power control feature to remove the open loop power control, and also to clarify ambiguities in power control introduced by the new modulation schemes added for EDR. Enhanced power control removes the ambiguities by specifying the behaviour that is expected. The feature also adds closed loop power control, meaning RSSI filtering can start as the response is received. Additionally, a “go straight to maximum power” request has been introduced; this is expected to deal with the headset link loss issue typically observed when a user puts their phone into a pocket on the opposite side to the headset.
Bluetooth V4.0 (Ble; low energy protocols)
On June 12, 2007, Nokia and Bluetooth SIG had announced that Wibree will be a part of the Bluetooth specification, as an ultra-low power Bluetooth technology. Expected use cases include watches displaying Caller ID information, sports sensors monitoring the wearer’s heart rate during exercise, and medical devices. The Medical Devices Working Group is also creating a medical devices profile and associated protocols to enable this market. Bluetooth low energy technology is designed for devices to have a battery life of up to one year.
Enables Bluetooth information points. This will drive the adoption of Bluetooth into mobile phones, and enable advertising models based around users pulling information from the information points, and not based around the object push model that is used in a limited way today.
Enables the automatic configuration of the piconet topologies especially in scatternet situations that are becoming more common today. This should all be invisible to users of the technology, while also making the technology “just work.”
Enable audio and video data to be transmitted at a higher quality, especially when best effort traffic is being transmitted in the same piconet.
UWB for AMP
The high speed (AMP) feature of Bluetooth 3.0 is based on 802.11, but the AMP mechanism was designed to be usable with other radios as well. It was originally intended for UWB, but the WiMedia Alliance, the body responsible for the flavor of UWB intended for Bluetooth, announced in March 2009 that it was disbanding.
Bluetooth protocol stack
“Bluetooth is defined as a layer protocol architecture consisting of core protocols, cable replacement protocols, telephony control protocols, and adopted protocols.” Mandatory protocols for all Bluetooth stacks are: LMP, L2CAP and SDP. Additionally, these protocols are almost universally supported: HCI and RFCOMM.
Baseband Error Correction
Three types of error correction are implemented in Bluetooth systems,
* 1/3 rate forward error correction (FEC)
* 2/3 rate FEC
* Automatic repeat-request (ARQ)
Setting up connections
Any Bluetooth device in discoverable mode will transmit the following information on demand:
* Device name
* Device class
* List of services
* Technical information (for example: device features, manufacturer, Bluetooth specification used, clock offset)
Many of the services offered over Bluetooth can expose private data or allow the connecting party to control the Bluetooth device. To resolve this conflict, Bluetooth uses a process called pairing. Two devices need to be paired once to communicate with each other; the pairing process is typically triggered automatically the first time a device receives a connection request from a device it is not yet paired with.
During the pairing process, the two devices involved establish a relationship by creating a shared secret known as a link key. If a link key is stored by both devices they are said to be bonded. A device that wants to communicate only with a bonded device can cryptographically authenticate the identity of the other device, and so be sure that it is the same device it previously paired with.Link keys can be deleted at any time by either device. Some services, such as the Object Push Profile, elect not to explicitly require authentication or encryption so that pairing does not interfere with the user experience associated with the service use-cases.
* Pairing mechanisms have changed significantly with the introduction of Secure Simple Pairing in Bluetooth 2.1. The following summarizes the pairing mechanisms:
* Legacy pairing
* Limited input devices
* Numeric input devices
* Alpha-numeric input devices
* Secure Simple Pairing (SSP): This is required by Bluetooth 2.1. A Bluetooth 2.1 device may only use legacy pairing to interoperate with a 2.0 or earlier device. Secure Simple Pairing uses a form of public key cryptography, and has the following modes of operation:
* Just works
* Numeric comparison
* Passkey Entry
* Out of band (OOB)
SSP is considered simple for the following reasons:
* In most cases, it does not require a user to generate a passkey.
* For use-cases not requiring MITM protection, user interaction has been eliminated.
* For numeric comparison, MITM protection can be achieved with a simple equality comparison by the user.
* Using OOB with NFC will enable pairing when devices simply get close, rather than requiring a lengthy discovery process.
Prior to Bluetooth 2.1, encryption is not required and can be turned off at any time. Moreover, the encryption key is only good for approximately 23.5 hours; using a single encryption key longer than this time allows simple XOR attacks to retrieve the encryption key.Turning off encryption is required for several normal operations, so it is problematic to detect if encryption is disabled for a valid reason or for a security attack.
* Bluetooth 2.1 addresses this in the following ways:
* Encryption is required for all non SDP (Service Discovery Protocol) connections
* A new Encryption Pause and Resume feature is used for all normal operations requiring encryption to be disabled. This enables easy identification of normal operation from security attacks.
* The encryption key is required to be refreshed before it expires.
Link keys may be stored on the device file system, not on the Bluetooth chip itself. Many Bluetooth chip manufacturers allow link keys to be stored on the device; however, if the device is removable this means that the link key will move with the device.
The protocol operates in the license-free ISM band at 2.402-2.480 GHz. To avoid interfering with other protocols that use the 2.45 GHz band, the Bluetooth protocol divides the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per second. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate (EDR) and reach 2.1 Mbit/s. Technically, version 2.0 devices have a higher power consumption, but the three times faster rate reduces the transmission times, effectively reducing power consumption to half that of 1.x devices (assuming equal traffic load).
Bluetooth implements confidentiality, authentication and key derivation with custom algorithms based on the SAFER+ block cipher. In Bluetooth, key generation is generally based on a Bluetooth PIN, which must be entered into both devices. This procedure might be modified if one of the devices has a fixed PIN (e.g., for headsets or similar devices with a restricted user interface).
During pairing, an initialization key or master key is generated, using the E22 algorithm. The E0 stream cipher is used for encrypting packets, granting confidentiality and is based on a shared cryptographic secret, namely a previously generated link key or master key. Those keys, used for subsequent encryption of data sent via the air interface, rely on the Bluetooth PIN, which has been entered into one or both devices.
An overview of Bluetooth vulnerabilities exploits has been published by Andreas Becker.
In September 2008, the National Institute of Standards and Technology (NIST) published a Guide to Bluetooth Security that will serve as reference to organization on the security capabilities of Bluetooth and steps for securing Bluetooth technologies effectively. While Bluetooth has its benefits, it is susceptible to denial of service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation. Users/organizations must evaluate their acceptable level of risk and incorporate security into the lifecycle of Bluetooth devices. To help mitigate risks, included in the NIST document are security checklists with guidelines and recommendations for creating and maintaining secure Bluetooth piconets, headsets, and smart card readers.
Bluejacking is the sending of either a picture or a message from one user to an unsuspecting user through Bluetooth wireless technology. Common applications include short messages (e.g., “You’ve just been bluejacked!”). Bluejacking does not involve the removal or alteration of any data from the device.
History of security concerns
In 2001, Jakobsson and Wetzel from Bell Laboratories discovered flaws in the pairing protocol of Bluetooth, and also pointed to vulnerabilities in the encryption scheme. In 2003, Ben and Adam Laurie from A.L. Digital Ltd. discovered that serious flaws in some poor implementations of Bluetooth security may lead to disclosure of personal data. A new attack called BlueBug was used for this experiment. In 2004 the first purported virus using Bluetooth to spread itself among mobile phones appeared on the Symbian OS. The virus was first described by Kaspersky Lab and requires users to confirm the installation of unknown software before it can propagate. The virus was written as a proof-of-concept by a group of virus writers known as “29A” and sent to anti-virus groups. Thus, it should be regarded as a potential (but not real) security threat to Bluetooth or Symbian OS since the virus has never spread outside of this system. This poses a potential security threat because it enables attackers to access vulnerable Bluetooth-devices from a distance beyond expectation. The attacker must also be able to receive information from the victim to set up a connection. No attack can be made against a Bluetooth device unless the attacker knows its Bluetooth address and which channels to transmit on.
In January 2005, a mobile malware worm known as Lasco.A began targeting mobile phones using Symbian OS (Series 60 platform) using Bluetooth-enabled devices to replicate itself and spread to other devices. The worm is self-installing and begins once the mobile user approves the transfer of the file (velasco.sis ) from another device. Once installed, the worm begins looking for other Bluetooth-enabled devices to infect. Additionally, the worm infects other .SIS files on the device, allowing replication to another device through use of removable media (Secure Digital, Compact Flash, etc.).
The worm can render the mobile device unstable.
In April 2005, Cambridge University security researchers published results of their actual implementation of passive attacks against the PIN-based pairing between commercial Bluetooth devices, confirming the attacks to be practicably fast and the Bluetooth symmetric key establishment method to be vulnerable. To rectify this vulnerability, they carried out an implementation which showed that stronger, asymmetric key establishment is feasible for certain classes of devices, such as mobile phones.
In June 2005, Yaniv Shaked and Avishai Wool published a paper describing both passive and active methods for obtaining the PIN for a Bluetooth link. The passive attack allows a suitably equipped attacker to eavesdrop on communications and spoof, if the attacker was present at the time of initial pairing. The active method makes use of a specially constructed message that must be inserted at a specific point in the protocol, to make the master and slave repeat the pairing process. After that, the first method can be used to crack the PIN. This attack’s major weakness is that it requires the user of the devices under attack to re-enter the PIN during the attack when the device prompts them to. Also, this active attack probably requires custom hardware, since most commercially available Bluetooth devices are not capable of the timing necessary.
In August 2005, police in Cambridgeshire, England, issued warnings about thieves using Bluetooth-enabled phones to track other devices left in cars. Police are advising users to ensure that any mobile networking connections are de-activated if laptops and other devices are left in this way.
In April 2006, researchers from Secure Network and F-Secure published a report that warns of the large number of devices left in a visible state, and issued statistics on the spread of various Bluetooth services and the ease of spread of an eventual Bluetooth worm.
In October 2007, at the Luxemburgish Hack.lu Security Conference, Kevin Finistere and Thierry Zoller demonstrated and released a remote root shell via Bluetooth on Mac OS X v10.3.9 and v10.4. They also demonstrated the first Bluetooth PIN and Linkkeys cracker, which is based on the research of Wool and Shaked.
Bluetooth uses the microwave radio frequency spectrum in the 2.402 GHz to 2.480 GHz range. Maximum power output from a Bluetooth radio is 100 mW, 2.5 mW, and 1 mW for Class 1, Class 2, and Class 3 devices respectively, which puts Class 1 at roughly the same level as mobile phones, and the other two classes much lower. Accordingly, Class 2 and Class 3 Bluetooth devices are considered less of a potential hazard than mobile phones, and Class 1 may be comparable to that of mobile phones : the maximum for a Class 1 is 100 mW for Bluetooth but 250 mW for UMTS W-CDMA, 1W for GSM1800/1900 and 2W for GSM850/900 for instance.