Setting the Record Straight on Bluetooth Security
As a follower and fan of technology news, you may have seen the occasional headline regarding Bluetooth security. More likely than not, a sensational “Major Bluetooth security flaw leaves millions of devices at risk,” or “Bluetooth bug leaves you open to attack.” The headlines catch your attention, making a vulnerability sound akin to a plague of locusts or the great flood coming straight for your Bluetooth enabled device or network. But, here, I’m setting the record straight on Bluetooth security.
Collaboration Between Security Research and Bluetooth Special Interest
What is often overlooked is the fact that there is a planned and purposeful collaborative relationship between the security research community and the Bluetooth Special Interest Group (SIG) — the not-for-profit trade association that oversees Bluetooth technology.
The Bluetooth SIG encourages the community to actively review the specifications, which are all open to review.
Finding and exposing these bugs is a painstaking process performed under specialized conditions in a lab environment.
With any technology we depend on, a concern around security is more than warranted and the Bluetooth SIG — along with its members — is vigilant in protecting against bad actors.
Our belief that security is critical to a world without wires is precisely the reason why we work so hard to improve the security features of Bluetooth technology.
We view our collaboration with the security research community as fundamental to the continued advancement and improvement of Bluetooth technology as a whole. Let’s take a deeper dive into how the Bluetooth SIG approaches security.
An Evolution in Bluetooth Technology
Throughout our 20-year history, the Bluetooth SIG has worked with its member companies to make Bluetooth technology the de facto low power, wireless standard. According to the 2020 Bluetooth Market Update, 4.6 billion devices will ship this year using Bluetooth technology.
We’ve ensured that Bluetooth technology could evolve from a simple, yet brilliant pairing solution for wireless audio to the underpinning of intelligent automation in the IoT across emerging markets like smart buildings, smart industry, and smart cities.
To provide excellence in Bluetooth connectivity, we work with nearly 36,000 companies in our member community, each of who uses Bluetooth technology as the connective tissue across a wide variety of applications.
The growth of legacy and new industries and the explosion of connected devices required to sustain them means that security must remain top of mind for technology professionals. However, security implementation is neither turnkey nor one-size-fits-all. For Bluetooth technology to be truly ubiquitous — it can’t be.
Because Bluetooth is everywhere — yet can’t actually be everywhere.
The omnipresence of Bluetooth is why the Bluetooth SIG has developed a three-pronged approach to prioritize security and protect Bluetooth technology.
The approach addresses security within Bluetooth specifications and interfaces, providing Bluetooth SIG members with ongoing security education. The education portion involves a Bluetooth Security Response Program. It is also specifically designed to leave room for continued innovation and iteration of Bluetooth technology.
No technology is flawless. By explaining the extent and intent of the Bluetooth SIG’s security process, we hope to provide an educational lens to the narrative around Bluetooth security and move it from one dominated by fearmongering headlines to one that is transparent about our security process — which continues to strengthen existing protections and introduce new security measures to meet the evolving requirements of the connectivity landscape.
Specifications: The Building Blocks of All Bluetooth Devices
To understand security, it’s important to understand the building blocks of Bluetooth technology — Bluetooth specifications.
In essence, specifications are the requirements that developers use to create connections and interoperability between Bluetooth devices. More use cases for Bluetooth have emerged beyond audio streaming and simple data transfer to include device networks and location services across all applications. The applications for Bluetooth include industrial asset tracking to commercial lighting.
As Bluetooth specifications expand, the security measures they include have had to expand as well.
The most prominent Bluetooth specification is the core specification, which defines the fundamental building blocks that developers use to create the interoperable devices that make up the thriving Bluetooth ecosystem.
But there are also over 100 additional profile and protocol specifications that define how to build everything from an interoperable Bluetooth headphone to creating large-scale Bluetooth mesh device networks for lighting control.
Developers follow guidelines within each specification to purpose-fit their implementation as needed for their product design.
Each specification has its own techniques and tools that allow developers to address security precautions for their products and secure communications between Bluetooth devices.
You can think of it as a tool chest that developers can select from to implement the appropriate security level for their products. Some of the security features available to developers of Bluetooth Low Energy products include:
- Protection against passive eavesdropping
- Protection against man-in-the-middle (MITM) attacks
- Encrypted communication between two Bluetooth Low Energy devices using AES-CCM cryptography
- Privacy and protection from identity tracking
- The full list is available in the Bluetooth best practices guide, available to all members here.
While specifications go through security reviews during the development process, it’s up to each of the SIG’s 36,000 members to choose the best security option necessary for their implementation.
For example, a Bluetooth enabled condition monitoring system in a factory would require significantly different security features than a wireless mouse. It is up to the developer to choose the necessary security features to implement in their Bluetooth product.
Having Bluetooth specifications provide these options and flexibility is the magic of what makes Bluetooth technology unique among the wide variety of low power wireless technologies available.
These options give members the freedom to choose the best security features for their products, but that can also mean that members might choose security or privacy features that aren’t sufficient for their application. This leads us to part two — education.
Education: The Tools to Design, Develop, and Deploy Secure Bluetooth Devices
To help members choose the appropriate security options for their applications, the Bluetooth SIG regularly publishes study guides, training videos, and a wide variety of other educational material.
These educational materials explain why certain security options work better than others in specific applications. They also explain the common security risks in each specification and how best to avoid them.
Common implementation best practices include:
- Following the latest version of the Bluetooth specifications to ensure developers have the most current guidance
- Documenting the security requirements of product design so that appropriate security is used in the implementation
- Testing and auditing the security features of implementations
- Ensuring that UX interfaces provide appropriate notification to users of any security or privacy issues
- Enforcing secure coding practices in the development of any interface facing external data sources, especially wireless ones
While these education materials point members in the right direction, Bluetooth technology is an open, global standard. The Bluetooth SIG and its members share the responsibility of producing secure Bluetooth devices and applications with the security research community’s help.
Community: Sharing the Responsibility of Bluetooth Security
The Bluetooth SIG has enjoyed a working relationship with the security research community for a long time. Part of this working relationship process is encouraging ongoing review of the technology and reporting of vulnerabilities within specifications through the Bluetooth Security Response Program.
The response program ensures that reported vulnerabilities are investigated, resolved, and communicated across our member organization.
For example, last year, researchers at the École Polytechnique Fédérale de Lausanne (EPFL) helped to expose a flaw related to pairing in Bluetooth BR/EDR connections.
What occurs after a report on a flaw is filed?
Once reported, the Bluetooth SIG works quickly to remedy the vulnerability — providing a recommendation for members to integrate any necessary patches while the Core Specification can be thoroughly — and quickly updated.
The collaboration between EPFL, the Bluetooth SIG, and its members ensured continuous improvement and technology security.
Relationships like these enable us to quickly address any security issues that result from new development in Bluetooth technology.
With Great Prevalence Comes Great Responsibility
The potential and power of Bluetooth technology continues to grow. With billions of new Bluetooth enabled devices shipping every year, Bluetooth wireless technology is embedded in the fabric of our lives.
Bluetooth is what connects us to each other — and to the world around us.
As the community continues to expand the capabilities of Bluetooth technology — it’s key focus is to ensure our Bluetooth communications remain secure.
Image Credit: Andrea Piacquadio; Pexels