Bluetooth Update

Bluetooth is quietly creeping into numerous mainstream consumer products and computing devices. End-user demand will begin to force IT organizations (ITOs) to buy and support Bluetooth devices. Prescient ITOs will attempt to get ahead of the demand by creating policy and purchasing criteria for Bluetooth products.

META Trend: User access diversity will increase as mobile users migrate from dial-up to broadband, wireless LAN hot spots, and ad hoc wired connections (e.g., hotel Ethernet) during 2003/04, as well as 2.5G/3G cellular data services (Europe and Asia 2004, US 2005/06). User authentication and SSL VPN adoption will accelerate, becoming the dominant application-based remote access mechanism by 2005, with IPSec devices securing network interconnections. Best-practice organizations will focus efforts on standardized remote access usage policies, user profiles, and formalized identity management processes.

Short-range wireless Bluetooth technology is being embedded into numerous consumer devices, from laptops and cell phones to cars. Bluetooth now has broad support in operating systems (OSs). In 3Q02, Microsoft announced native Bluetooth support in Windows XP - joining Pocket PC, Windows CE .Net, Apple (Mac OS X), Palm, and most cell phone OSs). A corollary of Metcalf’s law (i.e., the value of a network is a function of the number of nodes on the network) is that early adopters of network technology are usually frustrated by the lack of counterparts with which to communicate. During 2004/05, we expect ITOs to face increasing end-user demand for Bluetooth-enabled office products and support to allow communications with consumer devices owned by end users. ITOs should develop some technical expertise in Bluetooth to create corporate usage policies and advise users about compatibility, security, and usability limitations of these devices. They should also define the benefits and costs of Bluetooth to the business to influence corporate adoption rates. In some organizations, the IT group will even have a role in testing, developing, and supporting industrial applications for Bluetooth.

The primary avenue of Bluetooth infiltration into the enterprise will be via cell phones, laptops, and personal digital assistants (PDAs). The number of Bluetooth devices expected to ship in 2003 is 100 million-125 million, and we expect shipments to increase 75% annually until 2005. The mobile phone market consumes 80% of Bluetooth chips. In 2003, approximately 20% of mobile phones will ship with Bluetooth, and we expect this number to increase to 50% by 2006. Bluetooth for PCs (via USB dongel) and laptops (embedded or via PCMCIA or USB) will be the focus of 2004 as users request wireless synchronization with mobile devices. The utility of Bluetooth will also spark an increased demand for mobile e-mail. Closely following in 2005, users will expect Bluetooth enabled-printers (internal or via flash slots), at least in public spaces. By 2006/07, ultra wideband (UWB) technology may challenge Bluetooth where very high bandwidth is necessary. Despite a bit of infighting on the technical proposals, UWB standards are still on track for late 2004, and the FCC has promised to review its conditional approval in 2003.

Bluetooth vs. Wi-Fi
Bluetooth is a short-range (10 meters) wireless cable replacement designed primarily to enable two devices to communicate with each other at speeds of up to 1Mbps. It is not a replacement for 802.11(a, b, or g). Wi-Fi is a networking technology designed to allow multiple computers to wirelessly connect to the network. 802.11b and 802.11g operate in the same spectrum as Bluetooth and will cause interference. Bluetooth has a more offensive strategy for dealing with interference to accommodate voice traffic. Since late packets in voice traffic are unacceptable, Bluetooth blasts away small packets while frequency hopping across 79 channels, not stopping to resend lost packets. The result is what appears to be noise to the more polite network citizen, 802.11, which uses a request-to-send/clear-to-send scheme. Numerous Bluetooth devices (e.g., in an airline lounge) could crowd out 802.11. However, point applications can use both technologies in the same device without serious interference (i.e., only 15%), due to the limited traffic of each. The next version of Bluetooth (V. 1.2, currently prototyping, with GA due in 4Q03) will employ adaptive channel hopping (i.e., skipping crowded channels), resulting in less contention with Wi-Fi. Moreover, contention will decrease when Wi-Fi migrates to dual band technology.

Bluetooth Profiles
The Bluetooth stack goes well beyond simple link-layer technology by including bits of code, called “profiles,” that application developers incorporate into applications to achieve 23 common tasks (see Figure 1). This does not mean, however, that all applications will support Bluetooth in the same way. There is plenty of opportunity for poor implementation to impede usability/compatibility and security, but profiles do solve numerous implementation issues. The Bluetooth Special interest Group (SIG) has created a program (its “5-Minute Ready” program) that provides best-practice advice to device developers. The goal is to create programs that enable users to understand the functionality of a Bluetooth feature in five minutes or less. This should ease the support burden for ITOs, but there will still be plenty of application-layer issues to contend with.

Security
The Bluetooth SIG spent considerable time developing a comprehensive security model for link-level protection (i.e., 128-bit encryption, device authentication and authorization) from the ground up. Still, for high trust requirements, application developers or ITOs should overlay application security on top of the link-level security to enable end-to-end protection. The limited range of Bluetooth (i.e., 10 meters) and automatic power-level adjustment, which limits the radius of a signal, make remote eavesdropping more difficult. However, Class 3 radios exist to boost the receptive range of Bluetooth to 100 meters.

Bluetooth devices can create ad hoc links with authenticated peers or permanent links (called “pairing”), which eliminates a repeated authentication process for trusted devices (i.e., a headset and a phone). The weakest link in Bluetooth security occurs when pairing devices. Pairing uses the Bluetooth address of the device (a fixed address established by the manufacturer) and a personal ID number (PIN) to establish a link key, which then becomes the shared secret for subsequent communication. During pairing, it is possible for a hacker to guess a short PIN and thus the link key, and then eavesdrop on all future conversations or impersonate devices in the pairing. It is not trivial to guess the link key, and this interaction is only minutes long, but users should be advised to use long PIN numbers and conduct pairing of devices in as private a location as possible.

Security may also be affected by application or end-user settings. Some devices are discoverable by default (i.e., other devices can attempt to communicate with them), and some allow full OS rights to peers by default once connected. Devices should be discoverable only when they are used to communicate with other devices, and rights assigned to peers should be very limited. Users may impede security by allowing unauthenticated access rights to speed file-transfer operations with peers. This practice can create an opportunity for hackers to quietly drop off Trojan horse files or viruses.

Currently, there are no known practical exploits of Bluetooth security vulnerabilities, though at least one program exists (Redfang) to discover devices by testing sequential addresses in a given range. Given sufficient time, it is possible for this exploit to expose the device address and attempt a pairing. A shared PIN is still required to gain rights on the attacked machine. As with any system, vulnerabilities are exposed at a faster rate as the technology gets into the hands of more users and developers. ITOs should investigate Bluetooth security features of devices and advise end users regarding best practices to minimize security risks. In general, it is a good practice to assume that Bluetooth is unsafe for high trust environments until proven trustworthy.

Business Impact: Bluetooth devices can enhance productivity, but the technology is still maturing. Organizations should attempt to actively manage adoption rates to maximize productivity gains, while minimizing security risks and future compatibility issues.

Bottom Line: Broad industry support for Bluetooth is now a reality and the number of products that support it are increasing dramatically. ITOs should develop some technical expertise in Bluetooth to create a corporate usage policy and to advise users about compatibility, security, and usability limitations of these devices. ITOs should also define the benefits and costs of Bluetooth to the business to influence corporate adoption rates.

META Group originally published this article on 15 October 2003.