Authentication and Pairing
Due to the dynamic nature of Bluetooth networks, you can often find devices owned by total strangers joining your network in a crowded room. To ensure security and privacy, Bluetooth devices are typically required to authenticate with each other before they can exchange data. The simplest form of authentication is to ask for the user's explicit approval. For instance, if you send a business card or photo from one smartphone to another, the recipient device would prompt its owner to "accept the incoming data item" by explicitly acknowledging a pop-up alert box on the screen.
For long-running data exchanges, such as PIM synchronization, hands-free operation, and dial-up networking, we cannot require manual approval for each data item exchanged. Those operations also typically transfer sensitive data that need more protection than simple recipient acknowledgment. In those cases, we need to establish a trusted relationship between two Bluetooth devices by pairing them. You can initiate pairing from any device by selecting the "pair/set up new device" menu in the Bluetooth utility software. The initiating device searches for all Bluetooth devices nearby and ask you to select a recipient device from the search results. You will be promoted enter a random security code (i.e., a PIN) on the initiating device. The recipient device would then receive a pairing quest and prompt you for the security code you just entered on the initiating device. Once the security code is confirmed, the two devices are paired.
Security is an important issue in Bluetooth networks, given the ad hoc nature of network membership. The Bluetooth specification is designed with security in mind. You are required to authenticate or even pair devices for certain tasks. And communication data between paired devices can be encrypted. However, individual devices might still have weaknesses in their Bluetooth implementation, which would allow Bluetooth attacks ranging from harmless pranks to serious data theft or device-crippling viruses. Here are some typical Bluetooth attack scenarios:
Bluejacking: When you send a business card to a smartphone via Bluetooth, the recipient phone screen typically displays the card sender's name in an alert box. If a prankster creates an empty business card with a fake message in the "name" field (e.g., a prank message like "Your phone is hacked!"), he or she can make your phone appear as if it is malfunctioning.
Bluesnarling: Some Bluetooth devices have implementation bugs that allow other devices to establish trusted relationships (i.e., pairing) without user approval. Those attacks are serious, since the attacker can steal or overwrite your personal data on the device, make phone calls using your service account, or even spread virus programs.
Bluetooth viruses: Some mobile phone viruses spread via Bluetooth networks. They detect vulnerable devices nearby and install unauthorized virus programs on them for further spreading. Those viruses can cause damage to your device and your data.
To prevent Bluetooth attacks, you could turn off your Bluetooth radio or make your device invisible by turning off the discovery mode. You can also install anti-virus software or even use a Bluetooth firewall to filter out unwanted traffic.
Bluetooth evolved from a cable replacement technology for existing applications. It is now a ubiquitous personal area network technology enabling applications never possible in the cable world (e.g., social networking and remote control). The Bluetooth SIG is working with other standards bodies, including Ultra Wide Band (UWB) specification committees, to develop the next-generation Bluetooth technology. It could cover areas up to 100 meters, and have a data rate exceeding 100Mbps, making it suitable for streaming high-quality video contents in your home. The best of Bluetooth is still ahead of us.
Michael Juntao Yuan specializes in lightweight enterprise / web application, and end-to-end mobile application development.
Return to the Mac DevCenter