Enhancements to Bluetooth Baseband Security

The Bluetooth system has been developed by the Bluetooth Special Interest Group (Bluetooth SIG) as a cable replacement for short-range connectivity. In Bluetooth, special effort has been taken to develop and standardise adequate security mechanisms and procedures for protecting the wireless radio link. This set of mechanisms is defined in the Bluetooth Baseband specification [5] and is referred to as Bluetooth Baseband security. It is based on strong cryptographic algorithms and well-established security principles. Still, more work is required to integrate Bluetooth Baseband security into the various applications, which may have very different link layer security requirements. Bluetooth Baseband security is implemented in the Bluetooth module and is common to all Bluetooth units; application-specific security functionality may therefore also need to be standardised for interoperability.

Recently, Jakobsson and Wetzel identified some potential pitfalls in Bluetooth security [11]. Their main concerns were certain weak options included in the Bluetooth security standard. They also criticised the way Bluetooth units make themselves discoverable to other units by broadcasting messages that include their unique identities in the clear.

The purpose of this paper is to introduce some recent work in the area of Bluetooth Baseband security. Specifically, we address the problems discovered by Jakobsson and Wetzel and develop possible countermeasures. First, a brief introduction to Bluetooth Baseband security is given. Then the major security shortcomings are identified: on the one hand, the use of the unit key and of the short Bluetooth PIN value in the initialisation procedure, and on the other hand, the privacy problem created by location tracking. In section 4, we discuss passkey-based methods of exchanging the Bluetooth link key; using public key cryptography, adequate security can be provided while keeping the passkey short for the user's convenience. Furthermore, in section 5, an application to LAN access is developed that enables access point roaming. Finally, in section 6, we describe a technique that offers reasonable protection against location tracking: identities of Bluetooth units can be efficiently hidden from unauthorised units by using temporary Bluetooth device addresses.