7.5 Bluetooth Security
As Bluetooth radio waves do not stop at the doorstep, the Bluetooth standard specifies a number of security functions. All methods are optional and do not have to be used during connection establishment or for an established connection. The standard has been defined thus: some services do not require security functionality. Which services are implemented without security is left to the discretion of the device manufacturer. A mobile phone manufacturer, for example, can decide to allow incoming file transfers without a prior authentication of the remote device. The incoming file can be held in a temporary location and the user can then decide to either save the file in a permanent location or discard it. For services like dial-up data, such an approach is not advisable. Here, authentication should occur during every connection establishment attempt to prevent unknown devices from establishing an Internet connection without the user's knowledge.
Bluetooth uses the SAFER + (Secure and Fast Encryption Routine) security algorithms, which have been developed by ETH Zurich and are publicly available. So far, no methods have been found that compromise the encryption itself. However, there have been reports on device-specific Bluetooth security problems as, for example, discussed in [4] and general weaknesses have been found concerning the initial key negotiation. If an attacker is able to record the initial pairing process that is described below, he can calculate ...
Get From GSM to LTE: An Introduction to Mobile Networks and Mobile Broadband now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.