U N C L A S S I F I E D / / F O R O F F I C I A L U S E O N L Y

(U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an authorized DHS official. State and local homeland security officials may share this document with authorized critical infrastructure and key resource personnel and private sector security officials without further approval from DHS.

(U) This product contains US person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It has been highlighted in this document with the label USPER and should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures.

19 March 2015

(U//FOUO) Bluetooth: Understanding the Technology, Its Vulnerabilities, and Security Recommendations

(U//FOUO) Prepared by the Wisconsin Statewide Information Center (WSIC) with a contribution from the DHS Office of Intelligence and Analysis (I&A).

(U//FOUO) Scope: This Field Analysis Report explains Bluetooth technology and its increasing use in consumer products; it also outlines Bluetooth vulnerabilities and security recommendations. We are providing this analysis to inform local, state, and federal entities of vulnerabilities malicious cyber actors could exploit in attacks that impact homeland and national security interests.

(U) Key Points

(U//FOUO) Continuous development of Bluetooth technology is rapidly increasing the use of Bluetooth-enabled devices. New uses of Bluetooth, such as mesh networking, will increase the ubiquity of this technology.

(U//FOUO) Bluetooth devices are vulnerable to typical wireless networking threats, such as denial-of-service (DoS), eavesdropping, and man-in-the-middle (MITM) attacks. In addition, the technology is vulnerable to specific Bluetooth-related attacks that target known vulnerabilities in Bluetooth implementations and specifications.

(U//FOUO) Individuals and organizations should maintain an ongoing awareness of the Bluetooth technology they are using to minimize vulnerabilities. National Security Agency (NSA) recommendations for individuals using Bluetooth mitigate many risks.

IA-0130-15


(U) Introduction

(U//FOUO) Bluetooth technology is rapidly becoming ubiquitous. As the world begins to rely more heavily on cellular data and Internet connectivity for communication and information sharing, concerns over connection access and security are becoming more prevalent. Emerging technology seeks to provide essential data services, even if no cellular or Internet connection (Wi-Fi or hard-wired) is available or desired. Mobile applications (apps), such as FireChat, are gaining in popularity because of their ability to send and receive messages without a cellular or Internet connection. Protesters in Hong Kong are reportedly using FireChat to send messages covertly to circumvent the government firewall. Similarly, Iraqi citizens also flocked to the FireChat app after the Iraqi government’s near-total blockage of the Internet and its content. Apps such as FireChat are made possible by Bluetooth technology, a technology that has been around for over a decade, but only recently reemerged as a priority for technology companies.

(U) On 3 December 2014, the Bluetooth Special Interest Group (USPER) announced the new Bluetooth 4.2 specification. This update promises enhanced privacy measures and increased speed of data transfers.

(U) Bluetooth 4.2 will allow Bluetooth smart sensors to directly access the Internet and eventually support IPv6.*

(U//FOUO) From wearable technologies—such as Fitbits and Google Glass—to automobiles, manufacturers are incorporating Bluetooth capability into modern devices at a greater rate. Bluetooth’s emerging pervasiveness presents unique implications for the future.†,‡

(U) Benefits of Bluetooth Technology

(U) Making a device Bluetooth-ready is attractive for many reasons. Bluetooth technology is inexpensive and uses minimal power and limited physical space within the device. Most importantly, Bluetooth presents a wireless solution for connecting devices, which makes the technology more portable and more accessible than its predecessors. Enabling Bluetooth allows for simple sharing of documents, music, contacts, or any other type of data. For example, users can synchronize data from wearable technologies—such as fitness trackers—to their smartphones, which allows automatic and instantaneous updates to their fitness data.

* (U) Every device on the Internet is assigned an Internet Protocol (IP) address for identification and location purposes. As of February 2011, all of the more than 4 billion IP addresses available in IPv4—the current communications protocol—were used. A new protocol, IPv6, was developed to prevent IP address exhaustion. IPv6 uses a 128-bit address and the number of available IPv6 addresses is so large that every person on earth could each own more than one billion IPv6 addresses.

† (U) Fitbits are wireless devices that users wear to track health data, to include activity level, time asleep, and other fitness measures.

‡ (U) Google Glass is a wearable computer that resembles a pair of eyeglasses. Google Glass features a camera and display that allow users to search the Internet and use applications.

(U) How Bluetooth Technology Works

(U) Bluetooth technology is based on limited-range radio frequency communication. The technology establishes a wireless personal area network to allow data and voice transfers between proximally close devices. These small, personalized networks are easily established through a “pairing” process and can be joined by any Bluetooth-ready device. Bluetooth technology in mobile devices typically has a range between 10 and 30 feet.

(U) Activating Bluetooth on any device makes the device “discoverable” to other Bluetooth-enabled devices by broadcasting the device’s personal address—the Bluetooth device address (BD-ADDR). The only way to pair with another device is by using the BD-ADDR. Any device within range can see this address. The process of pairing depends on the device; some devices ask for a personal identification number (PIN), while other devices use a number-comparison technique where both devices are shown a number and are asked if they are the same. Once the pairing process is complete, the devices are networked to each other, and data can be transmitted.


(U) Users can also use Bluetooth to facilitate Internet connectivity by “tethering” an Internet-ready device to an Internet-connected device. For example, if a user wants to connect his laptop to the Internet, yet there is no Wi-Fi available in the area, he could tether his laptop to the data connection on his smartphone. Through this process, the smartphone and laptop essentially create a network, which allows the laptop to connect to the Internet using the smartphone’s data connection. As a result, Bluetooth-facilitated Internet connectivity is evolving on a grander scale.

(U) The Future of Leveraging Bluetooth Technology

(U) Users can leverage Bluetooth in many ways to expand a device’s capabilities.

(U) Using Bluetooth technology to facilitate a mesh network. A typical Internet connection occurs with a centralized device providing a connection to many devices. For example, within a home network, the modem and router connect the user’s mobile phone, printer, and laptop to the Internet. All data transmitted by these devices passes through the modem/router. In a mesh network, only one device needs an Internet or cellular connection, and the rest of the devices link to each other to provide Internet connectivity. For example, if a mobile phone is connected to the Internet, a laptop, printer, and any other devices within proximity to the mobile phone are also able to connect to the Internet by using Bluetooth capabilities to link to each other. The laptop and printer are able to continue sharing the connection to any other devices in their proximity, and the data transmitted does not pass through any centralized server. Mesh networks do not require a central connection, making them ideal for areas that do not have a robust Internet infrastructure.

(U) Apps can use Bluetooth technology to communicate without any cellular or data connection. The FireChat app builds off the mesh network framework to allow devices to communicate with each other off the grid, without any centralized network. The Citizen Lab recently tested the FireChat messaging app and found that the app provided little in terms of encryption for transmitted messages.* Anyone within the range of the person sending the message would be able to retrieve the content that was transmitted. It was also discovered that network operators could see the message content and the IP address of the person transmitting the message, allowing for further identification of the sender. The Citizen Lab also found that there is no user authentication process, which allows for easy impersonation. With FireChat’s popularity gaining, app developers are forecasting that more apps will utilize this framework in the future.

* (U) The Citizen Lab is a research lab at the University of Toronto, Canada, that specializes in electronic communications, security, and human rights studies.

UNCLASSIFIED

Figure 1. (U) A Centralized Network and a Mesh Network

(U) Bluetooth technology supports home automation. There is an ever-growing list of “smart” devices, including mobile phones, televisions, heart rate monitors, light bulbs, and even pool cleaners. By making everyday home objects Internet-ready, users are able to turn off lights, adjust the thermostat, or unlock doors from their smartphones or tablets. For example, imagine a future where a person wearing a heart rate monitor is sprinting on the treadmill, and the heart rate monitor sends a signal to the thermostat to cool down the house, knowing that an increase in heart rate means the person is likely to be sweating. With Bluetooth-facilitated mesh networking, the heart rate monitor is able to communicate with the thermostat.

(U) Beacon technology uses Bluetooth to connect interested consumers to real-time information. Bluetooth beacons are transmitters that retailers, businesses, or even airports can use to provide visitors with information, coupons, or location guidance. For example, someone walking through an airport may come into proximity of a beacon, and if the user has the appropriate app installed, the individual’s boarding pass may appear on his or her phone. The beacon works by sending out a unique code, and if the end user has the specific app able to read the code, the user’s smartphone will automatically open the application and display the information represented by the transmitted code. Apple (USPER) is using beacon technology to support the mobile-payment functionality of its new Apple Pay app. PayPal (USPER) is also developing similar mobile-payment technology.

o (U) Bluetooth beacons came under scrutiny in October 2014 when a company installed nearly 500 beacons in New York. The beacons were installed in phone booths across the city by a marketing company and were discovered when a reporter initialized an app that scans for beacons on his mobile device. Upon further investigation, it was discovered that a New York City agency approved the installation, but did not tell the public about the installation since the beacon installation was for “maintenance purposes only.” The beacons would only have been able to send information to a person’s phone if the user had downloaded the related app. Mere hours after the article on the newly discovered beacons was published, New York City officials ordered the removal of the beacons due to public outcry and concerns over location tracking and related privacy issues.

(U) Vulnerabilities

(U//FOUO) Bluetooth technology allows the use of small and more interconnected networks for multiple purposes. Since joining these networks may be open to any device in range, there is a significant vulnerability for an attacker to enter the network and eavesdrop on the communications or disrupt the signal altogether. Depending on the security protocols in place, a device in the network may be able to access information on all of the devices within the network and even control some functionality of another connected device.

(U//FOUO) It is commonly accepted that Bluetooth supplies a level of comfort because devices must be proximally close in order to communicate with each other. Many people rely on the assumed safety of Bluetooth’s limited-range radio frequency communication for chat apps like FireChat. However, attackers are known to use stronger antennae to boost the distance for intercepts. Some Bluetooth devices can already transmit up to 300 feet, and reports suggest that transmissions can be picked up much further away.

(U//FOUO) Once a device is paired through Bluetooth, the permissions afforded to the paired device are determined by the Bluetooth profile that the device supports. With more modern technology, it is usually safe to assume the device supports all profiles. Each Bluetooth profile contains different features of the device that the paired device can access and control. Profiles include control of microphone and camera capabilities, mouse and selection capabilities, and keyboard input capabilities.

(U//FOUO) In 2007, an individual reportedly using the Carwhisperer software was able to select a Bluetooth cellular telephone headset, not in use but powered-on, and remotely activate its microphone and record the audio from within the room to the individual’s laptop. The individual was also able to broadcast audio into the earpiece of the headset.*

(U//FOUO) The most concerning Bluetooth profiles have the ability to provide access to just about any type of data stored on the paired device, from contacts to saved e-mail attachments and other messages. If a malignant device is paired, the attacker can essentially control any of the target device’s capabilities that the Bluetooth profile supports. This could include enabling or shutting off applications, controlling the target device by powering it on or off, reading through messages, or even just simply watching the keystrokes to gain passwords for accounts.

(U) In 2012, the National Institute of Standards and Technology (NIST) released a report on Bluetooth security, which included a list of potential attacks. The bullets below list some of the threats referenced in the NIST report.

(U) Bluesnarfing. Bluesnarfing enables attackers to gain access to a Bluetooth-enabled device by exploiting a firmware flaw in older devices. This attack forces a connection to a Bluetooth device, allowing access to data stored on the device, including the device’s international mobile equipment identity (IMEI). The IMEI is a unique identifier for each device that an attacker could potentially use to route all incoming calls from the user’s device to the attacker’s device.

(U) Bluejacking. Bluejacking is an attack conducted on Bluetooth-enabled mobile devices, such as cell phones. An attacker initiates bluejacking by sending unsolicited messages to the user of a Bluetooth-enabled device. The actual messages do not cause harm to the user’s device, but they may entice the user to respond in some fashion or add the new contact to the device’s address book. This message-sending attack resembles spam and phishing attacks conducted against e-mail users. Bluejacking can cause harm when a user initiates a response to a bluejacking message sent with a harmful intent.

(U) Bluebugging. Bluebugging exploits a security flaw in the firmware of some older Bluetooth devices to gain access to the device and its commands. This attack uses the commands of the device without informing the user, allowing the attacker to access data, place phone calls, eavesdrop on phone calls, send messages, and exploit other services or features offered by the device.

(U) DoS. Like other wireless technologies, Bluetooth is susceptible to DoS attacks. Impacts include making a device’s Bluetooth interface unusable and draining the device’s battery. These types of attacks are not significant, and because of the proximity required for use of Bluetooth, users can easily avert the attack by simply moving out of range.

(U) Fuzzing Attacks. Bluetooth fuzzing attacks consist of sending malformed or otherwise non-standard data to a device’s Bluetooth radio and observing how the device reacts. If a device’s operation is slowed or stopped by these attacks, a serious vulnerability potentially exists in the protocol stack.

* (U) Carwhisperer is software that can be installed to transmit or receive audio from the car’s audio system. A nefarious device could send unwarranted audio to be played by the car’s speaker system or could listen in through the car’s microphone.


(U) Pairing Eavesdropping. PIN/legacy pairing (Bluetooth 2.0 and earlier) and Low Energy (LE) Pairing (Bluetooth 4.0) are susceptible to eavesdropping attacks. The successful eavesdropper who collects all pairing frames can determine the secret key(s), given sufficient time, which allows trusted device impersonation and active/passive data decryption.

(U) Secure Simple Pairing (SSP) Attacks. A number of techniques can force a remote device to use Just Works SSP and then exploit its lack of MITM protection (e.g., the attack device claims that it has no input/output capabilities). Further, fixed passkeys could allow an attacker to perform MITM attacks as well.
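
The Just Works downgrade and fixed-passkey weaknesses described above can be caught by a policy check at pairing time. The Python below is an added example, not taken from this report or from the NIST report: it uses a simplified form of the Secure Simple Pairing IO-capability mapping, and the event records, peer labels and finding codes are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# IO capability names used by Secure Simple Pairing.
DISPLAY_ONLY, DISPLAY_YESNO = "DisplayOnly", "DisplayYesNo"
KEYBOARD_ONLY, NO_IO = "KeyboardOnly", "NoInputNoOutput"
IO_CAPS = {DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, NO_IO}


def association_model(local_io: str, remote_io: str) -> tuple[str, bool]:
    """Return (model, mitm_protected) for a pair of IO capabilities.

    Simplified: every combination that ends in automatic confirmation on
    at least one side is reported as "Just Works" (no MITM protection).
    """
    caps = {local_io, remote_io}
    if not caps <= IO_CAPS:
        raise ValueError(f"unknown IO capability in {sorted(caps)}")
    if NO_IO in caps:
        return "Just Works", False
    if KEYBOARD_ONLY in caps:
        return "Passkey Entry", True
    if caps == {DISPLAY_YESNO}:
        return "Numeric Comparison", True
    return "Just Works", False  # a DisplayOnly side cannot confirm


@dataclass
class PairingEvent:
    peer: str                      # constructed device label
    local_io: str
    remote_io: str                 # what the peer claims during pairing
    mitm_required: bool            # local policy for the requested service
    passkey: Optional[str] = None  # only set for Passkey Entry


def audit(events, known_io):
    """Return (peer, finding) tuples; known_io maps peer -> earlier IO cap."""
    findings = []
    passkey_first_seen = {}
    for ev in events:
        model, protected = association_model(ev.local_io, ev.remote_io)
        # Policy demands MITM protection but the negotiated model has none.
        if ev.mitm_required and not protected:
            findings.append((ev.peer, "no-mitm"))
        # Peer showed real IO capabilities before and now claims to have none.
        earlier = known_io.get(ev.peer)
        if earlier not in (None, NO_IO) and ev.remote_io == NO_IO:
            findings.append((ev.peer, "io-downgrade"))
        # The same passkey turning up in more than one pairing is a fixed passkey.
        if model == "Passkey Entry" and ev.passkey is not None:
            if ev.passkey in passkey_first_seen:
                findings.append((ev.peer, "fixed-passkey"))
            else:
                passkey_first_seen[ev.passkey] = ev.peer
    return findings


# Constructed sample data, not taken from any real capture.
KNOWN_IO = {"laptop-B": DISPLAY_YESNO}
SAMPLE_EVENTS = [
    PairingEvent("headset-A", DISPLAY_YESNO, NO_IO, mitm_required=False),
    PairingEvent("laptop-B", DISPLAY_YESNO, NO_IO, mitm_required=True),
    PairingEvent("keypad-C", DISPLAY_YESNO, KEYBOARD_ONLY, True, "000000"),
    PairingEvent("keypad-D", DISPLAY_YESNO, KEYBOARD_ONLY, True, "000000"),
    PairingEvent("phone-E", DISPLAY_YESNO, DISPLAY_YESNO, True),
]

if __name__ == "__main__":
    for peer, finding in audit(SAMPLE_EVENTS, KNOWN_IO):
        print(f"{peer}: {finding}")
```

A device enforcing this policy would refuse the laptop-B pairing outright and would require a freshly generated passkey for the keypad devices.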

(U) Security Measures

(U) Recognizing the potential for Bluetooth exploitation, the NSA released a report detailing several steps that an individual can take to avoid being exploited.

(U) Avoid leaving Bluetooth enabled when not in use.

(U) Avoid making the device discoverable unless absolutely necessary.

(U) Never accept connections from unknown devices or devices that you do not recognize.

(U) Enable device firewalls and anti-virus software.

(U) Attempt to keep the devices that you would like to connect as proximally close as possible.

(U) Always keep the paired devices in sight; never connect devices that have been lost or stolen.

(U//FOUO) Individuals and organizations should maintain an ongoing awareness of the Bluetooth technology with which they interact. Proper training and education are essential to understanding and safely utilizing the technology. Users should be mindful of the permissions that they are allowing any paired device when they enable Bluetooth. Organizations should establish a security policy defining which Bluetooth-enabled devices, like commercial headsets or car systems, are allowed to be used with organization devices. Individuals should choose strong PIN codes if given the option, and should choose by default that their device be “undiscoverable” to any other devices in the area. Proper encryption and authentication measures are also strongly recommended for any transmissions over Bluetooth.

(U) DHS I&A Perspective

(U//FOUO) DHS I&A assesses that as mobile devices become more ubiquitous and increasingly used for work, malicious cyber actors will attempt to leverage these devices to steal information, perform financial fraud, and conduct disruptive (deny, degrade, manipulate) activities. I&A assesses trends such as multi-peer connectivity using technologies like Bluetooth and Wi-Fi present additional potential threat vectors for malicious actors to exploit.

» (U) In 2013, approximately 10 million unique malware installation packages were detected on mobile devices, including the first active short message service (SMS) Trojan in the United States. The SMS Trojan was designed to steal, delete, or respond to incoming messages.

» (U) Security researchers in January 2014 identified a cross-operating system mobile malware that would first infect a Windows computer and then jump to any connected Android devices. The malware placed a banking Trojan disguised as a legitimate banking application onto a connected mobile device.


(U//FOUO) DHS I&A assesses multi-peer connectivity applications such as FireChat may provide additional threat vectors for malicious actors seeking to target and exploit mobile devices. Currently multi-peer connectivity applications like FireChat only support data moving directly from one device to another or from one device to several others, often with a limitation on the physical distance between the devices. Open Garden (USPER), the company behind FireChat, has forthcoming software intended to extend the feature so that data can hop between two devices out of range of one another via intermediary devices. This approach, known as mesh networking, has many useful applications, but is susceptible to many security vulnerabilities.

» (U//FOUO) Mesh networks that provide free public access are susceptible to attacks based on the implication of open authentication (e.g., public access is synonymous with no pre-established trust to the wireless network), including “evil twin” and “man in the middle” attacks, as well as DoS and theft-of-service attacks.

» (U//FOUO) Open Technology Institute provides an explicit warning label for its own mesh network, stating that it cannot hide your identity, does not prevent monitoring of Internet traffic, does not provide strong security against monitoring over the mesh, and can be jammed with radio or data interference.

(U//FOUO) Comments, requests, or shareable intelligence may be directed to the Wisconsin Statewide Information Center at (888) 324-9742 or [email protected].

(U) Source Summary Statement

(U//FOUO) This report was drawn from government and academic reports, law enforcement reporting, and open source information. We have high confidence in the validity of all sources used and our characterization of Bluetooth technology. We have medium confidence in the assessment of Bluetooth threat vectors.

(U) Tracked by: HSEC-1.1, HSEC-1.3, HSEC-1.4.2.5, HSEC-1.6.2.5, HSEC-1.8.1, HSEC-1.10, WSIC-SINS-11.1.11

(U) Report Suspicious Activity

(U) To report suspicious activity, law enforcement, Fire-EMS, private security personnel, and emergency managers should follow established protocols; all other personnel should call 911 or contact local law enforcement. Suspicious activity reports (SARs) will be forwarded to the appropriate fusion center and FBI Joint Terrorism Task Force for further action. For more information on the Nationwide SAR Initiative, visit http://nsi.ncirc.gov/resources.aspx.
