Bluetooth in Mobile Telephony: Privacy and Security Issues




Dr. George Kostopoulos


Computer Science and Information Systems

American University of Kuwait






This report presents the Bluetooth wireless technology focusing on the security architecture and the resulting vulnerabilities. It reviews the available protection mechanisms embedded in the Bluetooth technology and points out the associated risks. The paper concludes with the position that the Bluetooth security is good enough for the intended purpose of its specification, which is basically a wireless cable replacement. Through software, the Bluetooth security can be enhanced to a limited extent, but you cannot make a lion out of a mouse.




This paper examines the Bluetooth wireless technology, BT, in the mobile telephony context, presents the BT security features and vulnerabilities, and elaborates on the security concerns that are still pending despite the continuous improvements in the BT related software.




The research had three parts: the first was the review of the BT security architecture, the second the review of the vulnerabilities present in the BT wireless technology, as presented in the literature, and the third was the adequacy assessment of the various protection mechanisms.




Bluetooth is the commercial name of a data communications protocol developed by the IEEE (Institute of Electrical and Electronics Engineers) and it is technically known as the IEEE 802.15.1 - 1 Mbps WPAN (Wireless Personal Area Network) Protocol. The protocol’s aim is to provide “. . . standards for low-complexity and low-power consumption wireless connectivity.” [1].


In May 1998, the Bluetooth SIG (Special Interest Group) was formed to support its evolution [2]. The Group was founded by the industry’s telecommunications and microchip giants, including 3Com, Ericsson, IBM, Intel, Lucent, Microsoft, Motorola, Nokia and Toshiba, and it is now a consortium with a present membership of over 4,000 [3]. It is estimated that “… more than 250 million BT devices are in operation worldwide, …” and this number is expected to double every year [4].

The BT protocol operates in an unlicensed portion of the ISM (Industrial, Scientific and Medical) frequency spectrum and its permitted range is 2.4000 to 2.4835 GHz. The specifications provide for three power classes, allowing maximum power outputs applied to the antenna of 100 mW, 2.5 mW and 1 mW, which translates to a range of up to 330 feet. The data transmission rate is about 1 Mbps with optional encryption, where the actual data rate is a function of the deployed data security and data integrity options. Data integrity is maintained through Forward Error Correction, a scheme where a significant amount of metadata accompanies the data for correction at the destination [5].


BT provides two connectivity modes: point-to-point, which is for exclusive data communication between two devices, and point-to-multipoint, which is for limited networking.


Bluetooth Security Architecture


The BT wireless technology provides for devices to operate in two main security modes, namely the Non-Secure Mode and the Secure Mode.


In the Non-Secure Mode (Security Mode 1), the BT equipped device is in the discoverable mode, searching the environment for other BT equipped devices, and it is recognizable by other devices in the same state. In this mode, a device may accept messages from other devices regardless of their trust status. Also in this mode, devices use the Service Discovery Protocol to search the environment for available BT services. This is a non-secure procedure leading to the recognition of available services and not necessarily to access to these services. Depending on the service providing architecture, access may require user authorization and/or device authentication. [6 p8]


The Secure Mode has two sub-modes, namely, the Service Mode (Security Mode 2) and the Link Mode (Security Mode 3). In the Secure modes, inter-device communication creates a passkey, which is common to both devices for the current communication, and is used for device authentication and data encryption and decryption. [7 p10]


In the Service Mode, the accessible services can be open to all devices, open with authentication, or open with authentication and authorization.


In the Link Mode, the accessible linked devices are classified as untrusted devices, having restricted access, or as trusted devices with unrestricted access.
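The three security modes above (Mode 1 with no enforcement, Mode 2 enforcing per service, Mode 3 enforcing at the link with trusted and untrusted devices) can be written down as an access decision. The following is an added example, not code from the paper or from any Bluetooth stack: the mode semantics follow the descriptions above, while the service names, the device records and the policy fields (needs_authentication, needs_authorization, trusted, authorized_for) are constructed for illustration.

```python
"""Added example: a model of Bluetooth Security Modes 1-3 as an access
decision. Mode semantics follow the paper; service names, device records
and policy fields are constructed, not taken from any real BT stack."""

from dataclasses import dataclass
from enum import Enum


class SecurityMode(Enum):
    NON_SECURE = 1   # Security Mode 1: nothing enforced, any device may talk to us
    SERVICE = 2      # Security Mode 2: requirements are attached to each service
    LINK = 3         # Security Mode 3: the link itself must be authenticated


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    needs_authentication: bool = False   # remote device must prove its link key
    needs_authorization: bool = False    # user must have explicitly granted access


@dataclass
class RemoteDevice:
    address: str
    authenticated: bool = False          # link-key authentication succeeded
    trusted: bool = False                # Mode 3 classification of the device
    authorized_for: frozenset = frozenset()   # services the user granted


# Constructed service set: one open service and two that guard phone data.
OBJECT_PUSH = ServicePolicy("Object Push")
DIAL_UP = ServicePolicy("Dial-up Networking", needs_authentication=True,
                        needs_authorization=True)
PHONEBOOK = ServicePolicy("Phonebook Access", needs_authentication=True,
                          needs_authorization=True)
ALL_SERVICES = [OBJECT_PUSH, DIAL_UP, PHONEBOOK]


def access_decision(mode: SecurityMode, service: ServicePolicy,
                    device: RemoteDevice) -> tuple:
    """Return (allowed, reason) for one device asking for one service."""
    if mode is SecurityMode.NON_SECURE:
        # Mode 1: messages accepted regardless of trust status.
        return True, "Mode 1: access granted regardless of trust status"

    if mode is SecurityMode.SERVICE:
        # Mode 2: each service carries its own requirements.
        if service.needs_authentication and not device.authenticated:
            return False, f"Mode 2: {service.name} requires device authentication"
        if service.needs_authorization and service.name not in device.authorized_for:
            return False, f"Mode 2: {service.name} requires user authorization"
        return True, f"Mode 2: {service.name} policy satisfied"

    # Mode 3: no service is reachable until the link is authenticated;
    # trusted devices are unrestricted, untrusted devices are restricted.
    if not device.authenticated:
        return False, "Mode 3: link not authenticated, no service reachable"
    if device.trusted:
        return True, "Mode 3: trusted device, unrestricted access"
    if service.needs_authorization and service.name not in device.authorized_for:
        return False, f"Mode 3: untrusted device restricted from {service.name}"
    return True, f"Mode 3: untrusted device admitted to open service {service.name}"


def reachable_services(mode: SecurityMode, device: RemoteDevice) -> list:
    """Names of the services this device could reach under the given mode."""
    return [s.name for s in ALL_SERVICES if access_decision(mode, s, device)[0]]


if __name__ == "__main__":
    stranger = RemoteDevice("AA:BB:CC:00:00:01")   # constructed, never paired
    for mode in SecurityMode:
        print(mode.name, "->", reachable_services(mode, stranger))
```

Running the block shows the point the section makes: the same unpaired device reaches every service in Mode 1, only the open Object Push service in Mode 2, and nothing at all in Mode 3 until the link is authenticated.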


Malware, Why? One would wonder who in his right mind would write and distribute malware. Yet, there is an underground culture of highly skilled programmers who take it as a challenge to crack information system security architectures. From what has leaked from this underground culture, malware writers are mostly highly experienced programmers treating cracking as their challenge in life [8 par 5-8]. Unfortunately, the BT wireless technology has not escaped the malware menace, with the Symbian OS mobile phones being hit first [9 last par].

Bluetooth Security Vulnerabilities


Despite the extensive security precautions that have been entered into the BT specifications, it appears that BT operating systems have inadvertently allowed the presence of vulnerabilities. However, the fact that most BT code is in firmware makes the BT wireless technology resistant to “…malicious code.” [10 p.8].


To be vulnerable to intrusion risks, a BT equipped device - a mobile phone - must have its BT feature activated. That is, the device must be in the Discoverable Mode. Furthermore, in all BT communications, bona fide or malicious, the devices - victim and attacker - normally must be within ten meters of each other. However, the availability of highly sensitive receivers makes BT eavesdropping possible from much longer distances.

In BT equipped mobile telephony, vulnerabilities can be classified as passive or active. In the passive ones intruders spy, or create inconvenience, while in the active ones intruders inflict damage on the victim’s phone databases. Furthermore, intruders, via this BT link, can use the victim phone as their very own.


With time, manufacturers are minimizing such vulnerabilities through the development of upgraded software that may be retro-fitted into older mobile phones. [3 p.2]


Passive Vulnerabilities


Pinging. The presence of the targeted device can be recognized through pinging. Repeated pinging can render the BT features of the victim-device inoperable. [3 p.4]


Denial of Service. While a BT equipped device is communicating, an intruder may determine the device’s address and use it to communicate with the device, thus preventing it from properly communicating with other devices. Improvements in BT specifications will eliminate the penetration of devices in non-discoverable mode. [3 p.4]


Car Whispering. The availability of BT car kits, where a BT equipped mobile phone can wirelessly communicate with an in-car device, has provided hands-free mobile telephony. At the same time, the in-car device exposes the in-car conversations to outside BT eavesdropping, making it possible for someone from the outside, totally uninvited, to enter into the conversation through the in-car device. [3 p.2]


Bluejacking. In this case, the victim-device, if its number is known, is open to reception of unwanted messages. [3 p.1] [5 p11]


Ambient Noise. As mentioned above, the BT wireless technology operates in an unlicensed band where numerous other applications find it equally convenient to operate. Wi-Fi, the wireless LAN technology, uses the very same band, and so do microwave ovens and many cordless phones. Consequently, a BT equipped device found within the radiation terrain of one such product may be unintentionally rendered inoperable. [4 p.5] [10 p.8].


Active Vulnerabilities


Bluebugging. Via BT communication, the intruder takes full control of the victim-device commands - namely the AT Commands that control the mobile phone - without, in any way, attracting the attention of the victim-device owner. In this vulnerability, intruders can use the victim-device as if it were in their hand. Phone data can be altered, calls and messages can be sent and received, the Internet can be accessed, and even conversations can be listened to via the intruder’s phone. [3 p.2] [11 p5]


Bluesnarfing. With specialized software, intruders may not only access all data in a victim-device; they may even read the phone’s unique hardware identification, the so-called IMEI, International Mobile Equipment Identity. [4 p5]


Virus Infections.


A well known virus that hit BT equipped phones has been Cabir. It appears that whoever developed Cabir was very familiar with the Symbian operating system, since Cabir has been found to attack only Symbian mobile phones of the Series-60 platform. Cabir is executable code that intrudes via BT, entering as a message named caribe.sis. To infect the device the message has to be activated [3 p.3]. Besides infecting the receiving device it would replicate itself to other devices as well. Recently a firewall has been developed for the above platform that can “guard against mobile malware threats and intrusion attempts.” [11]


Another virus was Commwarrior, which interfered with BT connections and would send SMS/MMS in a mode that was totally transparent to the victim-phone owner. [12 p6]


Protection Mechanisms


In the BT protocol specifications a variety of security instruments have been embedded. These are:


1. At the Link Level:

            Authentication (device recognition)

            Encryption – decryption


2. At the Application (Service) Level:

            Authorization (user recognition)

            Authentication (device recognition)

            Encryption – decryption


3. At the Network Level:

            Network management controls

            User access

            Security settings


4. At Security Mode 3:

            Once disconnected, the next pairing requires re-authentication and re-authorization.


5. The passkey may be as long as 128 bits. For security maximization, frequent passkey changes are recommended [7 p.12].


6. Device non-volatile memory is to be tamper resistant.


For maximum security, authorization and authentication at the link, as well as at the application access, is recommended.


In deploying the BT wireless technology, application developers need to bear in mind that BT was never intended to be a secure communication technology, but a low cost and simple cable replacement.


Scanning for BT

In addition to establishing security policies, enterprises may also deploy BT software that scans the environment and monitors the BT band in order to:


1. Identify the various types of active Bluetooth devices.

2. Provide all retrievable attributes of the identified devices (class, name, and manufacturer).

3. Provide connection information (pairing).

4. Identify available services (fax, printer). [4 p.7]
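The four monitoring tasks above amount to turning raw inquiry-scan results into an inventory a security team can review. The following is an added example, not code from the paper or from any scanning product: it decodes the Class of Device (CoD) field that a scanner retrieves for each device (the CoD bit layout, with bits 2-7 the minor class, bits 8-12 the major class and bits 13-23 the service-class flags, is the published Bluetooth assignment) and looks up the manufacturer from the address prefix. The scan records, the OUI-to-vendor table and the vendor names are constructed sample data, and the review flags are one reasonable policy, not a standard.

```python
"""Added example: build a reviewable inventory from (constructed) Bluetooth
inquiry-scan records. The CoD bit layout is the published Bluetooth
assignment; device records, OUI table and vendor names are constructed."""

from dataclasses import dataclass, field

# Major device class (CoD bits 8-12) per the Bluetooth assigned numbers.
MAJOR_DEVICE_CLASS = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network access point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}

# Major service class flags: bit position inside the 24-bit CoD field.
SERVICE_CLASS_BITS = {
    13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}

# Constructed OUI -> vendor table; placeholder names, not real assignments.
OUI_VENDORS = {
    "00:11:22": "ExampleVendor-A (constructed)",
    "AA:BB:CC": "ExampleVendor-B (constructed)",
}


@dataclass
class ScanRecord:
    address: str            # BD_ADDR reported in the inquiry response
    name: str               # remote name; empty if it could not be retrieved
    cod: int                # 24-bit Class of Device
    paired: bool = False    # present in our own pairing table
    services: list = field(default_factory=list)   # SDP service names seen


def parse_cod(cod: int) -> dict:
    """Split a CoD value into major class name, minor class and service flags."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD must fit in 24 bits")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in SERVICE_CLASS_BITS.items() if cod & (1 << bit)]
    return {"major": MAJOR_DEVICE_CLASS.get(major, f"Reserved(0x{major:02X})"),
            "minor": minor, "services": services}


def vendor_for(address: str) -> str:
    """Manufacturer from the first three octets (OUI) of the address."""
    return OUI_VENDORS.get(address.upper()[:8], "Unknown OUI")


def inventory(records) -> list:
    """Tasks 1-4 of the section: type, attributes, pairing state, services."""
    rows = []
    for r in records:
        info = parse_cod(r.cod)
        rows.append({
            "address": r.address, "name": r.name or "<no name>",
            "vendor": vendor_for(r.address), "type": info["major"],
            "service_flags": info["services"], "paired": r.paired,
            "sdp_services": r.services,
        })
    return rows


def review_flags(row: dict) -> list:
    """Points a reviewer would want surfaced for one inventory row."""
    flags = []
    if not row["paired"]:
        flags.append("unpaired device visible in discoverable mode")
    if {"Telephony", "Object Transfer"} & set(row["service_flags"]):
        flags.append("advertises telephony/object-transfer service classes")
    if row["vendor"] == "Unknown OUI":
        flags.append("manufacturer not in inventory")
    return flags


# Constructed scan results: a paired smartphone, a nameless headset and an
# unknown laptop. CoD values are typical encodings for those device types.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:55", "Office Phone", 0x5A020C, paired=True,
               services=["OBEX Object Push", "Dial-up Networking"]),
    ScanRecord("AA:BB:CC:01:02:03", "", 0x240404),
    ScanRecord("DE:AD:BE:EF:00:01", "Mystery Laptop", 0x1A010C,
               services=["OBEX File Transfer"]),
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_SCAN):
        print(row["address"], row["type"], row["vendor"], review_flags(row))
```

Decoding the CoD rather than trusting the advertised name matters for the inventory: the name is user-settable and may be empty, while the class field and the address prefix are what the scanner actually receives from the radio, so the review flags key off those.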


The BT Risk


In an effort to make the BT wireless technology easy to implement, inadvertent “…security shortcomings…” have resulted, which require certain considerations in the use of BT equipped mobile phones. Namely, during the pairing - the initial handshaking between two BT devices - necessary data are exchanged that reveal the identity and encryption specifications of the devices. Such data, specific to the pairing devices, include the unit keys. If the unit key is captured by a potential intruder, it may be used by a third device to impersonate one of the two eavesdropped devices. The unit key is the identity code of a BT device, which embeds itself in the encryption algorithm used in the inter-device communications. Good advice, but difficult to follow, is to avoid pairing in places where other units, or listening devices, may be within ten meters. Furthermore, in bona fide communications, a modified trusted device may record the data exchange that has taken place during pairing and have that data analyzed. Such analysis can reveal the unit key of the victim-device. [7 p7]








The level of the risk associated with the use of the BT wireless technology is related more to the specific application and less to the inherent BT architecture. Taking into account the numerous limitations under which BT technology operates - low RF power, distance, bandwidth - no highly sensitive or critical application will turn to BT for support. In addition, and at present, “…the cost of attack appears to be higher than …the value of success.” [10 p3]. For what it offers, namely cable replacement, and for as long as basic precautions are adhered to, the BT wireless technology will be as secure as it was intended to be for minimal security intra-office applications.



REFERENCES (All re-confirmed on February 25, 2007)

[1] 802.15 Working Group for Wireless PAN

[2] Bluetooth Special Interest Group

[3] Bluetooth Security

[4] Bluetooth Networks: Risks & Defenses

[5] Security Overview of Bluetooth, www.cosic.esat.kuleuven.be/publications/article-565.pdf

[6] Bluetooth Security Architecture

[7] Bluetooth Security White Paper

[8] Who Creates Malware

[9] Malware Trends

[10] Bluetooth Security

[11] F-Secure first to offer full protection to smartphone S60 3rd edition

[12] F-Secure Virus Descriptions: Cabir