

In the current scenario the world is plagued by accidents, most of which are due to human errors in judgment, and thousands of lives are lost as a result. These accidents could be avoided if there were a mechanism to alert the driver of approaching danger. This can be done by monitoring the distance between nearby cars and alerting the driver whenever the distance becomes too short. That is precisely the aim of this paper. We propose the use of Bluetooth technology to check the speed of a car whenever it comes dangerously close to another vehicle ahead of it, thereby saving many lives.


Since Bluetooth devices are capable of communicating with eight other devices simultaneously, we can monitor and check the speeds of up to eight cars at once and thus prevent accidents. If two cars each carry a Bluetooth-enabled device, the devices automatically communicate with each other once they come within a range of up to 100 meters of each other. The range depends on the power class of the product. Transmission power varies among Bluetooth devices depending on the power-saving features available in a particular unit, its bandwidth requirements and the required transmission distance. The statistics on road accidents are alarming and highlight the need for such a system. The following is a statistic on the number of road accidents occurring each year.


Because vehicles travel at high speeds there is a possibility of accidents. Figure 2 shows that when two or more cars come within a distance of 10 km at high speeds there is a possibility of an accident. The Bluetooth radio is a short-distance, low-power radio operating in the unlicensed 2.4 GHz spectrum and using a nominal antenna power of 20 dB. At 20 dB the range is 100 meters, meaning equipment must be within 100 meters (about 328 feet) of each other to communicate using the Bluetooth standard. With the help of this technology we can send data to eight devices. A group of eight devices is known as a piconet. Here we have a piconet and a scatternet; in the piconet M is the master and S1 to S7 are the slaves.
Radio communication is subject to noise and interference, since the 2.4 GHz band is shared by all devices in the piconet. The Bluetooth specification solves this problem by employing what is called spectrum spreading, in which the Bluetooth radio hops among different frequencies very quickly. There are 79 hops starting at 2.402 GHz and stopping at 2.480 GHz, each displaced from the next by 1 MHz. Bluetooth avoids interference by hopping around these 79 frequencies 1600 times per second.

So in order to avoid accidents we use Bluetooth-equipped cars, in which each car has a Bluetooth transmitter and receiver. Every car should also have a mini computer to monitor the relative position of the car with respect to the other cars. When any two cars come close together the Bluetooth device sends a warning signal to the car. Based on the type of warning signal received, the computer sends a signal to the brake control system to slow down the car. There are various types of control signals: one type controls the speed of the car, and another type of signal is to overtake the car which is moving


The automatic brake system is the next-generation braking system for controlling the speed of the car. On receiving the control signal from the other traveling car, the computer inside the car processes the signal and issues a control signal to the braking system. There are four main components to an automatic braking system:

The computer constantly monitors the distance between each of these cars, and when it senses that the car is getting too close it moves the hydraulic valves to increase the pressure on the braking circuit, effectively increasing the braking force on the wheels. If the distance between the two vehicles is within 100 m the Bluetooth devices are enabled, and if the distance closes to within 10 m the automatic braking system takes control. After the speed of the car has been reduced and the distance has increased, the hydraulic valves decrease the pressure on the braking circuit, thus effectively decreasing the braking force on the wheels. The following steps show the various functions of the hydraulic valves:

In position one, the valve is open; pressure from the master cylinder is passed right through to the brake. In position two, the valve blocks the line, isolating that brake from the master cylinder. This prevents the pressure from rising further should the driver push the brake pedal harder. In position three, the valve releases some of the pressure from the brake.


When car A and car B come within the range of 100 m both Bluetooth devices are enabled, and if either car is approaching too fast, its Bluetooth device sends a warning signal to the other car, which processes the signal and passes it to the automatic braking system.

Figure: car A sends the warning signal; car B receives the signal and controls the speed of the car within 10 m.
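The following is an added worked model of the scheme described above (not code from the paper): two cars sample the gap between them, the link counts as enabled at or below 100 m, automatic braking takes control at or below 10 m, and the hydraulic valve takes the three positions listed. The warning message format, the abstract pressure scale and the rule that a received warning is acted on only when the local distance sensor agrees are constructed assumptions for this example.

```python
"""Two-car model of the Bluetooth proximity warning and automatic braking scheme.

Added example, not code from the paper. Constructed assumptions:
- each car samples the gap to the other car once per control cycle (metres);
- the link counts as enabled at or below 100 m and automatic braking takes
  control at or below 10 m, the two thresholds the text gives;
- a warning signal is a small dict, the hydraulic valve has the three positions
  the text lists, and brake pressure is an abstract 0..100 value.
"""
from enum import Enum

LINK_RANGE_M = 100.0     # Bluetooth devices become enabled within this distance
BRAKE_RANGE_M = 10.0     # automatic braking system takes control within this distance
PRESSURE_STEP = 25       # pressure added per cycle while braking is commanded
RELEASE_STEP = 10        # pressure bled off per cycle once the gap is opening again


class Valve(Enum):
    OPEN = "open"          # position one: master-cylinder pressure passes to the brake
    ISOLATE = "isolate"    # position two: line blocked, pressure cannot rise further
    RELEASE = "release"    # position three: some pressure released from the brake


def make_warning(sender, gap_m, closing_speed_mps):
    """Warning signal sent over the link by a car that sees the gap shrinking."""
    kind = "brake" if gap_m <= BRAKE_RANGE_M else "slow_down"
    return {"from": sender, "type": kind, "gap_m": gap_m, "closing_mps": closing_speed_mps}


class BrakeController:
    """The mini computer in one car: monitors the gap and drives the hydraulic valve."""

    def __init__(self, name):
        self.name = name
        self.valve = Valve.OPEN
        self.pressure = 0
        self.link_enabled = False

    def cycle(self, gap_m, closing_speed_mps, warning=None):
        """One control cycle; returns the warning this car sends, or None.

        closing_speed_mps > 0 means the gap shrank since the last cycle.
        """
        self.link_enabled = gap_m <= LINK_RANGE_M
        if not self.link_enabled:
            # out of range: nothing to exchange, pedal passes through, residual pressure bleeds off
            self.valve = Valve.OPEN
            self.pressure = max(0, self.pressure - RELEASE_STEP)
            return None
        sent = make_warning(self.name, gap_m, closing_speed_mps) if closing_speed_mps > 0 else None
        # A received "brake" warning is acted on only if the local sensor also puts the
        # car inside braking range: the link carries no proof of the sender's claim.
        brake = gap_m <= BRAKE_RANGE_M and (
            closing_speed_mps > 0 or (warning is not None and warning["type"] == "brake"))
        if brake:
            self.valve = Valve.OPEN
            self.pressure = min(100, self.pressure + PRESSURE_STEP)
        elif self.pressure > 0 and closing_speed_mps < 0:
            # speed reduced and gap opening: decrease pressure on the braking circuit
            self.valve = Valve.RELEASE
            self.pressure = max(0, self.pressure - RELEASE_STEP)
        elif self.pressure > 0:
            # gap steady or still closing outside 10 m: hold, do not let pressure rise
            self.valve = Valve.ISOLATE
        else:
            self.valve = Valve.OPEN
        return sent


def simulate(gaps_m):
    """Car A closes on car B over a constructed list of gap samples.

    Returns, per cycle, (gap, B.link_enabled, type of warning A sent, B.valve, B.pressure).
    """
    car_a, car_b = BrakeController("A"), BrakeController("B")
    trace, prev = [], gaps_m[0]
    for gap in gaps_m:
        closing = prev - gap
        prev = gap
        warning = car_a.cycle(gap, closing)
        car_b.cycle(gap, closing, warning)
        trace.append((gap, car_b.link_enabled,
                      warning["type"] if warning else None,
                      car_b.valve.name, car_b.pressure))
    return trace


if __name__ == "__main__":
    for row in simulate([150, 120, 100, 60, 30, 10, 8, 8, 12, 20, 40]):
        print(row)
```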


Bluetooth technology is being widely adopted by industry leaders. The possibilities for new applications with this versatile technology are very exciting. It provides a simple, logical answer to all of these problems: build a single common radio into every mobile computer, and then neither do companies have to worry about a WAN, nor do communication companies need to worry about building external cables. The Bluetooth communication device will thus be a small, low-powered radio in a chip that talks to other Bluetooth-enabled products. Bluetooth has been designed to solve a number of connectivity problems experienced by mobile workers and consumers. Thus, this technology helps make electronic devices more user friendly and helps address other problems such as accidents.






A SEMINAR REPORT ON "BLUETOOTH"
SUBMITTED IN PARTIAL FULFILLMENT
ECN-3
HARYANA ENGINEERING COLLEGE JAGADHRI
KURUKSHETRA UNIVERSITY, KURUKSHETRA (2005-2009)

1. INTRODUCTION

When you use computers, entertainment systems or telephones, the various pieces and parts of the systems make up a community of electronic devices. These devices communicate with each other using a variety of signals, cables and infrared light beams, and an even greater variety of connectors, plugs and protocols. There are lots of different ways that electronic devices can connect to one another. For example:
• Component cables
• Electrical wires
• Ethernet cables
• WiFi
• Infrared signals
The art of connecting things is becoming more and more complex every day. In this article, we will look at a method of connecting devices, called Bluetooth, that can streamline the process. A Bluetooth connection is wireless and automatic, and it has a number of interesting features that can simplify our daily lives. Bluetooth is a unique new wireless technology specifically designed for short range (10-100 meters) with a modest performance of 780 Kbps, dynamically configurable ad hoc networking and low power. It is well suited for handheld applications and supports both voice and data. It uses the 2.4 GHz unlicensed ISM band with a frequency-hopping spread spectrum radio for higher interference immunity, uses a combination of circuit and packet switching, and supports point to point and point to multipoint connections with a single radio link.

2. BLUETOOTH

"Bluetooth wireless technology is an open specification for a low-cost, low-power, short-range radio technology for ad-hoc wireless communication of voice and data anywhere in the world."

Bluetooth wireless technology is finally here. Originally conceived as a low-power short-range radio technology designed to replace cables for interconnecting devices such as printers, keyboards, and mice, its perceived potential has evolved into far more sophisticated usage models. It is designed to provide low cost, robust, efficient, high capacity voice and data networking. Bluetooth devices can form piconets of up to seven slaves and one master, enabling discovery of services and subsequent implementation of many varied usage models including wireless headsets, Internet bridges, and wireless operations such as file exchange, data synchronization, and printing. The requirement to do this in a totally automated, seamless, and user-friendly fashion, without adding appreciable cost, weight, or power drain to the associated host, is an enormous engineering challenge.

The IEEE has formed the 802.15 working group to define standards for wireless PANs. The 802.15.1 standard for WPANs will be modeled after the Bluetooth specification from the Bluetooth SIG. The Bluetooth SIG publishes the Bluetooth specification. Despite talk of Bluetooth competing with wireless LANs, Bluetooth products work over shorter distances and are designed to solve different problems.

The waters of Bluetooth security have yet to be tested. However, the Bluetooth specification has a robust key management scheme built in, as well as upper layers of security. Bluetooth uses the national standard AES algorithm for encryption, and the general consensus is that the options for Bluetooth security are strong and robust. Microsoft® has announced support for Bluetooth in the next release of Windows® XP.

What is Bluetooth? Bluetooth is a short-range wireless communications technology.

When does it appear? 1994 – Ericsson study on a wireless technology to link mobile phones and accessories. 5 companies joined to form the Bluetooth Special Interest Group (SIG) in 1998. First specification released in July 1999.

Why this name? It was taken from the 10th century Danish King Harald Blatand who unified Denmark and Norway.



Fig 1: (a) One of the first modules (Ericsson); (b) A recent module.

Figure: Bluetooth connecting example.

2.1 TIMELINE

1994 : Ericsson study complete / vision
1995 : Engineering work begins
1997 : Intel agrees to collaborate
1998 : Bluetooth SIG formed: Ericsson, Intel, IBM, Nokia & Toshiba
1999 : Bluetooth Specification 1.0A; SIG promoter group expanded: 3Com, Lucent, Microsoft & Motorola
2000 : Bluetooth Specification 1.0B; 2000+ adopters
2001 : First retail products released; Specification 1.1
2003 : Bluetooth Specification 1.2
2005 : Bluetooth Specification 2.0 (?)

2.2 BLUETOOTH GOALS & VISION

• Originally conceived as a cable replacement technology
• Short-Range Wireless Solutions
• Open Specification
• Voice and Data Capability
• Worldwide Usability
• Other usage models began to develop:
• Personal Area Network (PAN)
• Ad-hoc networks
• Data/voice access points
• Wireless telematics

2.3 CORE BLUETOOTH PRODUCTS

• Notebook PCs & Desktop computers
• Printers
• PDAs
• Other handheld devices
• Cell phones
• Wireless peripherals: Headsets, Cameras, CD Player, TV/VCR/DVD, Access Points, Telephone Answering Devices, Cordless Phones, Cars
Example: The Networked Home

2.4 ADVANTAGES

• Simple to install and expand
• Need not be in line of sight
• Low cost
• Perfect for file transfer and printing applications
• Simultaneous handling of data and voice on the same channel
• Easy to handle

2.5 APPLICATIONS OF BLUETOOTH

1. Data synchronization for address book and calendars.
2. PC and peripheral networking.
3. Personal Area Networking (PAN).
4. Hidden computing.
5. Cell phone acting as a modem for PDA or laptop.
6. Enabling a collection of YOUR personal devices to cooperatively work together.


2.6 TECHNICAL FEATURES

Connection Type: Spread Spectrum (Frequency Hopping) & Time Division Duplex (1600 hops/sec)
Spectrum: 2.4 GHz ISM Open Band (79 MHz of spectrum = 79 channels)
Modulation: Gaussian Frequency Shift Keying
Transmission Power: 1 mW – 100 mW
Data Rate: 1 Mbps
Range: 30 ft
Supported Stations: 8 devices
Data Security – Authentication Key: 128 bit key
Data Security – Encryption Key: 8-128 bits (configurable)
Module size: 9 x 9 mm

2.7 A COMPARISON

3. ABOUT THE NAME

For those who know little about the technology, and even for those who are more than a little acquainted with it, the name Bluetooth may seem odd. You may wonder, in fact, how it relates to wireless technology, or speculate that perhaps it's derived somehow from the founding members of the SIG. Neither of these ideas is correct. To combine these qualities in a name required ingenuity and delving into the past: the name Bluetooth comes from Danish history. Harald Blatand, who was called Bluetooth, was the son of King Gorm the Old, who ruled Jutland, the main peninsula of Denmark. By the time Harald became king, he was a skilled Viking warrior. By 960 A.D., Harald was at the height of his powers and ruled both Denmark and Norway, and various stories explain how this came about. According to the story, when his sister asked for help to secure control in Norway after her husband died, Harald quickly seized the opportunity to unite the countries and expand his kingdom. He was later credited with bringing Christianity to his Viking realm. Although it's popularly believed that King Harald had a blue tooth, it's more likely that the Bluetooth name is the English derivative of the original Viking word, Blâtand. The Bluetooth name was chosen for the wireless technology because its developers and promoters hope it will unite the mobile world, just as King Harald united his world. The name is a romantic gesture that in some sense indicates the excitement the technology generates as well as the belief in its value as a revolutionary concept.

4. BLUETOOTH CONNECTION & OPERATION

4.1 HOW BLUETOOTH CREATES A CONNECTION

Bluetooth takes small-area networking to the next level by removing the need for user intervention and keeping transmission power extremely low to save battery power. Picture this: You're on your Bluetooth-enabled cell phone, standing outside the door to your house. You tell the person on the other end of the line to call you back in five minutes so you can get in the house and put your stuff away. As soon as you walk in the house, the map you received on your cell phone from your car's Bluetooth-enabled GPS system is automatically sent to your Bluetooth-enabled computer, because your cell phone picked up a Bluetooth signal from your PC and automatically sent the data you designated for transfer. Five minutes later, when your friend calls you back, your Bluetooth-enabled home phone rings instead of your cell phone. The person called the same number, but your home phone picked up the Bluetooth signal from your cell phone and automatically re-routed the call because it realized you were home. And each transmission signal to and from your cell phone consumes just 1 milliwatt of power, so your cell phone charge is virtually unaffected by all of this activity.

Bluetooth is essentially a networking standard that works at two levels:
• It provides agreement at the physical level -- Bluetooth is a radio-frequency standard.
• It provides agreement at the protocol level, where products have to agree on when bits are sent, how many will be sent at a time, and how the parties in a conversation can be sure that the message received is the same as the message sent.

Figure: Bluetooth wireless PC card (Photo courtesy Bluetooth SIG).

The big draws of Bluetooth are that it is wireless, inexpensive and automatic. There are other ways to get around using wires, including infrared communication. Infrared (IR) refers to light waves of a lower frequency than human eyes can receive and interpret. Infrared is used in most television remote control systems. (See How Remote Controls Work to learn more about infrared.) Infrared communications are fairly reliable and don't cost very much to build into a device, but there are a couple of drawbacks. First, infrared is a "line of sight" technology. For example, you have to point the remote control at the television or DVD player to make things happen. The second drawback is that infrared is almost always a "one to one" technology. You can send data between your desktop computer and your laptop computer, but not your laptop computer and your PDA at the same time.

These two qualities of infrared are actually advantageous in some regards. Because infrared transmitters and receivers have to be lined up with each other, interference between devices is uncommon. The one-to-one nature of infrared communications is useful in that you can make sure a message goes only to the intended recipient, even in a room full of infrared receivers. Bluetooth is intended to get around the problems that come with infrared systems. The older Bluetooth 1.0 standard has a maximum transfer speed of 1 megabit per second (Mbps), while Bluetooth 2.0 can manage up to 3 Mbps. Bluetooth 2.0 is backward-compatible with 1.0 devices.


4.2 HOW BLUETOOTH OPERATES

Bluetooth networking transmits data via low-power radio waves. It communicates on a frequency of 2.45 gigahertz (actually between 2.402 GHz and 2.480 GHz, to be exact). This frequency band has been set aside by international agreement for the use of industrial, scientific and medical devices (ISM). A number of devices that you may already use take advantage of this same radio-frequency band. Baby monitors, garage-door openers and the newest generation of cordless phones all make use of frequencies in the ISM band. Making sure that Bluetooth and these other devices don't interfere with one another has been a crucial part of the design process.

One of the ways Bluetooth devices avoid interfering with other systems is by sending out very weak signals of about 1 milliwatt. By comparison, the most powerful cell phones can transmit a signal of 3 watts. The low power limits the range of a Bluetooth device to about 10 meters (32 feet), cutting the chances of interference between your computer system and your portable telephone or television. Even with the low power, Bluetooth doesn't require line of sight between communicating devices. The walls in your house won't stop a Bluetooth signal, making the standard useful for controlling several devices in different rooms.

Bluetooth can connect up to eight devices simultaneously. With all of those devices in the same 10-meter (32-foot) radius, you might think they'd interfere with one another, but it's unlikely. Bluetooth uses a technique called spread-spectrum frequency hopping that makes it rare for more than one device to be transmitting on the same frequency at the same time. In this technique, a device will use 79 individual, randomly chosen frequencies within a designated range, changing from one to another on a regular basis. In the case of Bluetooth, the transmitters change frequencies 1,600 times every second, meaning that more devices can make full use of a limited slice of the radio spectrum. Since every Bluetooth transmitter uses spread-spectrum transmitting automatically, it's unlikely that two transmitters will be on the same frequency at the same time. This same technique minimizes the risk that portable phones or baby monitors will disrupt Bluetooth devices, since any interference on a particular frequency will last only a tiny fraction of a second.
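The spectrum-spreading paragraph of the first paper above and section 4.2 here make the same claim: with 79 channels 1 MHz apart from 2.402 GHz and 1600 hops per second, two piconets rarely share a frequency and a fixed-frequency source spoils only a tiny fraction of a second. The following added example (not code from the page) puts numbers to that claim; the real hop-selection kernel is derived from the master's address and clock, and the seeded pseudo-random sequence used here is a stand-in for it, an assumption of this example.

```python
"""Model of Bluetooth frequency hopping as the text describes it: 79 channels
1 MHz apart starting at 2.402 GHz, visited 1600 times per second.

Added example, not code from the page. The real hop-selection kernel is derived
from the master's device address and clock; here each piconet follows a seeded
pseudo-random sequence as a stand-in (an assumption). That is enough to show why
two piconets in one room rarely collide, and how little time a fixed-frequency
interferer such as a baby monitor can spoil.
"""
import random

NUM_CHANNELS = 79
BASE_MHZ = 2402                          # channel 0 is 2.402 GHz, channel 78 is 2.480 GHz
HOPS_PER_SECOND = 1600
SLOT_US = 1_000_000 // HOPS_PER_SECOND   # 625 microseconds per hop


def channel_to_mhz(k):
    """Centre frequency in MHz of hop channel k (0..78)."""
    if not 0 <= k < NUM_CHANNELS:
        raise ValueError("channel index out of range")
    return BASE_MHZ + k


def hop_sequence(master_seed, n_slots):
    """Stand-in hop sequence for one piconet. Every member of the piconet derives the
    same sequence from the master, so they stay in step (same seed, same sequence)."""
    rng = random.Random(master_seed)
    return [rng.randrange(NUM_CHANNELS) for _ in range(n_slots)]


def collision_fraction(seq_a, seq_b):
    """Fraction of slots in which two independent piconets land on the same channel."""
    same = sum(1 for a, b in zip(seq_a, seq_b) if a == b)
    return same / len(seq_a)


def interferer_exposure(seq, jammed_channel):
    """Impact of a source parked on one channel: (fraction of slots hit,
    longest run of consecutive hit slots in microseconds)."""
    longest = run = hits = 0
    for k in seq:
        if k == jammed_channel:
            hits += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return hits / len(seq), longest * SLOT_US


def demo(seconds=10):
    """Two piconets hopping for `seconds`, plus a constant interferer on channel 40."""
    n = seconds * HOPS_PER_SECOND
    a = hop_sequence(master_seed=0xA, n_slots=n)
    b = hop_sequence(master_seed=0xB, n_slots=n)
    return {
        "slots": n,
        "collision_fraction": collision_fraction(a, b),   # expected close to 1/79
        "jammed_fraction_and_longest_us": interferer_exposure(a, 40),
    }


if __name__ == "__main__":
    print(demo())
```

With independent sequences the collision rate settles near 1/79 (about 1.3 % of slots), and the longest outage caused by a single-channel interferer is only a few 625 µs slots.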

When Bluetooth-capable devices come within range of one another, an electronic conversation takes place to determine whether they have data to share or whether one needs to control the other. The user doesn't have to press a button or give a command -- the electronic conversation happens automatically. Once the conversation has occurred, the devices -- whether they're part of a computer system or a stereo -- form a network. Bluetooth systems create a personal-area network (PAN), or piconet, that may fill a room or may encompass no more distance than that between the cell phone on a belt-clip and the headset on your head. Once a piconet is established, the members randomly hop frequencies in unison so they stay in touch with one another and avoid other piconets that may be operating in the same room.

5. THE PROMISE OF BLUETOOTH – WHAT IT CAN DO

The promise of Bluetooth is extremely ambitious. Originally conceived as a low-power short-range radio technology designed to replace cables for interconnecting devices such as printers, keyboards, and mice, its perceived potential has evolved into much more. It has given rise to the concept of the Personal Area Network (PAN), a technology of convenience where everything within the Personal Operating Space (POS) of an individual that is related to communicating information (both voice and data) is automatically tied into a seamless peer-to-peer network that self-configures to make information easily accessible. If Bluetooth lives up to its potential, it will revolutionize the way people interact with information technology. Scenarios for its usage are many and diverse and are only limited by the imaginations of the companies that create the products.

5.1 COMPARED WITH WIRELESS LANS

There is even talk of Bluetooth competing with WLANs, but Bluetooth products work over shorter distances and are designed to solve different problems. While the functionality of a WLAN device stands alone as a network component, the functionality of a Bluetooth component requires a host. The host can be any number of Bluetooth enabled devices such as cell phones, PDAs, headsets, keyboards, cameras, vending machines, and bar code readers.

5.2 USAGE MODEL EXAMPLES

Following are examples of some usage models for Bluetooth devices.

5.2.1 Wireless Headset

The leading adoption of Bluetooth will initially be in the arena of mobile phones. Nearly every major mobile phone manufacturer has already released Bluetooth-enabled models of their popular phones. The driver for this adoption is the ability to use a wireless headset with the phone. The impact of mobile phone radiation on health has been under scrutiny for some time, especially since the phone is usually held near the head. The radio frequency energy emitted by a Bluetooth wireless headset is a fraction of that emitted by a mobile phone. Additionally, the convenience of being cordless means the phone can be used even if it is in a briefcase or the trunk.

5.2.2 Internet Bridge

Bluetooth wireless technology can be used to allow a mobile phone or cordless modem to provide Dial-Up Networking (DUN) capabilities for a PC, PDA, or notebook, allowing it to connect to the Internet without a physical phone line. This enables a laptop to automatically utilize the user's nearby cell phone to dial and connect to a dial-up service. The user doesn't need to touch the phone, which might be in a briefcase or coat pocket.

5.2.3 File Exchange

The ability to perform peer-to-peer file exchange without the presence of a network infrastructure has many advantages. For example, a salesperson may choose to share the contents of an electronic slide presentation (as well as datasheets, business cards, and other electronic collateral) with the audience. Bluetooth enables the automatic detection of any Bluetooth devices in the room, enabling the transfer (with the receiver's permission) of all selected files. (This could also be done with a wireless LAN, but all parties involved would have to configure their clients to use compatible network settings. This is not required for Bluetooth.)

5.2.4 Synchronization

Bluetooth allows for data synchronization between devices. For example, a desktop computer that is Bluetooth enabled can wirelessly synchronize its contact list, calendar, task information, etc., to a user's phone. Several Bluetooth-based synchronization models already exist for both Pocket PC and Palm-based PDAs.

5.2.5 Printing

3 AN ENGINEERING CHALLENGE  T h e d e m a n d s o f c r e a t i n g B l u e t o o t h - e n a b l e d p r o d u c t s a r e v e r y c h a l l e n g i n g . Consider the following:  B l u e t o o t h m u s t h a v e a v e r y f l e x i b l e a p p l i c a t i o n t o p o l o g y .  B l u e t o o t h m u s t h a v e q u a l i t y o f s e r v i c e ( Q o S ) f e a t u r e s t o s u p p o r t v o i c e . y o u m i g h t want your PDA to be able to communicate with any nearby printer. Bluetooth-enabled devices can automatically detect Bluetooth-enabled printers in their area and wirelessly send documents to the printer without going through lengthy network and printing setup processes. s o t h e p o w e r r e q u i r e d t o support Bluetooth capability must be very low. 5. I f a B l u e t o o t h p r o d u c t c a n ’ t f i g u r e out whom it should and shouldn’t talk to and how. but do you want your cell phone to send its audio to any nearby hands-free headset?  B l u e t oo t h m u s t b e a u t o m a t i c a l l y c o n f i g u r a b l e . the marketplace will consider it too complicated to use.  N o o n e w a n t s c e l l p h o n e s w i h t s h o r t e r b a t t e r y l i f e . Mobile users who frequently visit remote offices will find Bluetooth printing a significant improvement in convenience to their current experience. F o r e x a m p l e . HP is making printers and notebooks with embedded Bluetooth technology. s o .  N o o n e w a n t s P D A s t h a t a r e l a r g e r .

4. BLUETOOTH PRODUCT CERTIFICATION

The Bluetooth Special Interest Group (SIG) is a group of companies that cooperate to define Bluetooth standards and qualify Bluetooth products. A product that has passed certain testing criteria can be stamped with the Bluetooth logo, assuring a certain level of interoperability.

5.

Bluetooth presents some of the most demanding engineering challenges in the telecommunications arena. The phrase "Wireless connections made easy," which is printed on the cover page of the more than 1,500 pages of engineering specifications that define Bluetooth, means easy for the user, but hard for the engineers designing the products. In order to replace cables, Bluetooth cannot cost more than cables. This means that Bluetooth technology cannot add more than $5 to the cost of the host device. Adding Bluetooth capability to a device should not noticeably increase its size. While the topology and hierarchical structure of WLAN networks are relatively simple, Bluetooth networks are far more diverse and dynamic, depending on the application scenario. They are constantly being formed, modified, and dissolved as Bluetooth devices move in and out of range of one another. For the reasons outlined above, products are only just now beginning to appear on the market.

6. BLUETOOTH BASICS – HOW IT WORKS

6.1 NETWORK TOPOLOGY

Any Bluetooth device can be a master or a slave. A piconet is formed by a master and up to seven active slaves. The slaves in a piconet only communicate with the master. A scatternet can be formed by linking two or more piconets. Bluetooth employs frequency hopping spread spectrum (FHSS) to communicate. The master sets the hopping sequence, and the slaves synchronize to the master. So in order for multiple Bluetooth devices to communicate, they must all synchronize to the same hopping sequence. When a device is present in more than one piconet, it must time-share and synchronize to the master of the piconet with which it is currently communicating.

6.2 SERVICE DISCOVERY

The concept of service discovery is utilized to determine what kind of Bluetooth devices are present and what services they desire or offer. In order for the above to happen, devices willing to connect must be located. When a Bluetooth device requires a service, it begins a discovery process by sending out a query for other Bluetooth devices and the information needed to establish a connection with them. Some devices may be set up so that they are invisible. In this case, they can scan for other Bluetooth devices, but will not respond if they are likewise queried. Applications determine whether a device is connectable or discoverable, and thus applications determine the topologies of networks and their internal hierarchies. Once other Bluetooth devices are found and communication is established, the Service Discovery Protocol (SDP) is utilized to determine what services are supported and what kinds of connections should be made.

6.3 ACL AND SCO LINKS

Once a connection has been established between two devices an Asynchronous Connection-Less (ACL) link is formed between them. An ACL link provides packet-switched communication and is the most common link used to handle data traffic. A master has the option to change an ACL link to a Synchronous Connection Oriented (SCO) link. An SCO link provides a QoS feature by reserving time slots for transmission of time-critical information such as voice. A piconet can have up to three full-duplex voice links.

6.4 STANDARD PROFILES TO ENABLE USAGE MODELS

There are many different ways in which Bluetooth devices can interact. The number and variety of different Bluetooth usage models mean that Bluetooth devices must call from a large collection of different protocols and functions to implement a specific usage model. In order to ensure that all usage models will work among devices from many different manufacturers, this collection of protocols and functions must be standardized. Bluetooth profiles are standardized definitions of protocols and functions required for specific kinds of tasks. One or more of these profiles are utilized when implementing various usage models. And because different Bluetooth devices can represent many different usage profiles, some profiles are dependent upon others. The current Bluetooth Standard 1.1 contains 13 profiles, with more being continually added. Some of the most basic are:

6.4.1 General Access Profile (GAP)

This profile is required by all usage models and defines how Bluetooth devices discover and connect to one another, as well as defines security protocols. All Bluetooth devices must conform to at least the GAP to ensure basic interoperability between devices.

6.4.2 SERVICE DISCOVERY APPLICATION PROFILE (SDAP)

The SDAP uses parts of the GAP to define the discovery of services for Bluetooth devices.

6.4.3 SERIAL PORT PROFILE

This profile defines how to set up and connect virtual serial ports between two devices. This serial cable emulation can then be used for tasks such as data transfer and printing.

6.4.4 GENERIC OBJECT EXCHANGE PROFILE (GOEP)

GOEP is dependent on the Serial Port Profile and is used by applications to handle object exchanges. This capability is then used, in turn, by other profiles to perform such functions as Object Push, File Transfer, and Synchronization (see below).

6.4.5 OBJECT PUSH

This profile is used for the exchange of small objects, such as electronic calling cards.

6.4.6 FILE TRANSFER

This profile is used to transfer files between two Bluetooth devices.

6.4.7 SYNCHRONIZATION

This profile is used to synchronize calendars and address information between devices.

New profiles not yet part of the standard include the following: a Basic Printing Profile to facilitate printing of text emails, short messages, and formatted documents; a Basic Imaging Profile enabling Bluetooth devices to negotiate the size and encoding of exchanged images; a Hands Free Profile to enable a mobile phone to be used with a hands-free device in a car; and a Hardcopy Cable Replacement Profile, used by devices such as laptops and desktop computers that utilize printer drivers.

6.5 POWER LEVELS AND RANGE

Most Bluetooth devices, dependent on batteries for power, are designated as class 3 devices and are designed to operate at a power level of 0 dBm (1 mW), which provides a range of up to 10 m. Class 2 devices can utilize as much as 4 dBm (2.5 mW) output power, and class 1 devices can utilize up to 20 dBm (100 mW) of output power. Class 1 devices can have a range up to 100 m. Bluetooth class 2 and 3 devices can optionally implement adaptive power control. Required for class 1 devices, this mechanism allows a Bluetooth radio to reduce power to the minimum level required to maintain its link, thus saving power and reducing the potential for interfering with other nearby networks.

THE EVOLVING BLUETOOTH STANDARD

THE BLUETOOTH SIG

Since the original Bluetooth specification was published in 1999, more than 2000 additional companies have signed on as associate members, able to participate in development of future standards and extensions by contributing efforts to various working groups.

THE CURRENT SPECIFICATION

The current specification, Ver. 1.1, defines a radio which operates in the unregulated Industrial, Scientific, and Medical (ISM) band as follows: 2.4 GHz, FHSS w/1600 hops/s over 79 channels: 1 Mbps. The fundamental elements of a Bluetooth product are defined in the two lowest protocol layers, the radio layer and the baseband layer. Included in these layers are hardware tasks such as frequency hopping control and clock synchronization, as well as packet assembly with associated FEC (Forward Error Correction) and ARQ (Automatic Repeat Request). The link manager layer is responsible for searching for other Bluetooth devices, creating and tearing down piconets, as well as authentication and encryption. Higher layer definitions include the Bluetooth profiles.

ENHANCING THE SPECIFICATION

The Bluetooth SIG is currently working on a new specification, due for publication sometime in 2002. In the interest of maintaining backwards compatibility, most of this work is confined to describing new profiles. One of the most intriguing is a car profile that describes the use of personal devices like pagers, cell phones, and laptops in an automotive environment. Envisioned usages include the automatic adjustment of various settings in an automobile, such as seat and mirror positions and radio tuning, based on personal preferences stored in a Bluetooth device. Another profile would link a cell phone, car radio, and text-to-speech software on a laptop, to allow email to be spoken audibly over the car radio. In addition to developing new profiles, other working groups are developing extensions to enhance Bluetooth operations. The radio working group is developing optional extensions to the current Bluetooth standard that include higher data rates and handoff capability to support roaming, and the coexistence working group is collaborating with the IEEE 802.11 and 802.15 working groups to address interference concerns and ensure that Bluetooth can coexist in the same environment with WLANs.

8. SECURITY ISSUES AND ATTACKS

In November 2003, it was discovered that there are serious flaws in the authentication and/or data transfer mechanisms on some bluetooth enabled devices. Specifically, three vulnerabilities have been found:

Firstly, confidential data can be obtained, anonymously, and without the owner's knowledge or consent, from some bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar, and the phone's IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network, and is used in illegal phone 'cloning').

Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted ("paired") device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be "backed up" to an attacker's own system.

Thirdly, access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging. This third vulnerability was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this vulnerability.

Finally, the current trend for "Bluejacking" is promoting an environment which puts consumer devices at greater risk from the above attacks.

Vulnerabilities

8.1 The SNARF attack: It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log, IMEI. This is normally only possible if the device is in "discoverable" or "visible" mode, but there are tools available on the Internet that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.

8.2 The BACKDOOR attack: The backdoor attack involves establishing a trust relationship through the "pairing" mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner's knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.

8.3 The BLUEBUG attack: The bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set, which can then be exploited using standard off the shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to premium rate numbers, send sms messages, read sms messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone. This latter is done via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner's incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim.

8.4 Bluejacking

Although known to the technical community and early adopters for some time, the process now known as "Bluejacking"[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The technique involves abusing the bluetooth "pairing"[2] protocol, the system by which bluetooth devices authenticate each other, to pass a message during the initial "handshake" phase. This is possible because the "name" of the initiating bluetooth device is displayed on the target device as part of the handshake exchange, and, as the protocol allows a large user defined name field (up to 248 characters), the field itself can be used to pass the message. This is all well and good, and, on the face of it, fairly harmless, but, unfortunately, there is a down side.

There is a potential security problem with this, and the more the practice grows and is accepted by the user community, and leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the protocol being abused is designed for information exchange. The ability to interface with other devices and exchange, update and synchronise data, is the raison d'être of bluetooth. The bluejacking technique is using the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the "bluejacker" successfully pairs with the target device. If such an event occurs, then all data on the target device becomes available to the initiator, including such things as phone books, calendars, pictures and text messages, leading to far more serious potential compromise.

The above may sound alarmist and far fetched, and the general reaction would probably be that most users would not be duped into allowing the connection to complete, so the risk is small. However, in today's society of instant messaging, the average consumer is under a constant barrage of unsolicited messages in one form or another, whether it be by SPAM email, or "You have won!" style SMS text messages, and do not tend to treat them with much suspicion (although they may well be sceptical about the veracity of the offers). Another message popping up on their 'phone saying something along the lines of "You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-SUCKER to collect your prize!" is unlikely to cause much alarm, and is more than likely to succeed in many cases. Given the furore that erupted when a second-hand Blackberry PDA was sold without the previous owner's data having been wiped[3], it is alarming to think of the consequences of a single bluejacker gathering an entire corporate staff's contact details by simply attending a conference or camping outside their building or in their foyer with a bluetooth capable device and evil intent. Of course, corporates are not the only potential targets: a bluejacking expedition to, say, The House of Commons, or The US Senate, could provide some interesting, valuable and, potentially damaging or compromising data. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices' capabilities, and who's to say ...

8.5 VARIOUS OTHER ATTACKS

BLUEBUG is the name of a bluetooth security loophole on some bluetooth-enabled cell phones. Exploiting this loophole allows the unauthorized downloading of phone books and call lists, the sending and reading of SMS messages from the attacked phone and many more things.

BLOOOVER--Since Adam Laurie's BlueSnarf experiment and the subsequent BlueBug experiment it is proven that some Bluetooth-enabled phones have security issues. Until now, attackers need laptops for the snarfing of other people's information. Unless attackers do a long-distance-snarf, people would see that there is somebody with a laptop trying to do strange things. Blooover is a proof-of-concept tool that is intended to run on ...

BT AUDIT--The Bluetooth architecture consists of two main protocols, L2CAP and RFCOMM which is layered on top of L2CAP. Since these protocols utilize ports (as they are named in the popular TCP/IP UDP/IP architecture), it makes sense to have the ability to scan these in order to find so called open ports and possible vulnerable applications bound to them.

BLUESMACK--BlueSmack is a Bluetooth attack that knocks out some Bluetooth-enabled devices immediately. This Denial of Service attack can be conducted using standard tools that ship with the official Linux Bluez utils package.

BLUEPRINTING--Blueprinting is a method to remotely find out details about bluetooth-enabled devices. Blueprinting can be used for generating statistics about manufacturers and models and to find out whether there are devices in range that have issues with Bluetooth security.

LONG DISTANCE SNARF--An eye-opener to those who believe that the range of the wireless technology Bluetooth is 100 meter maximum. The Long-Distance-Snarf Experiment that took place in the early morning of ... proves this assumption wrong.

BLUETONE--The information on this page is intended to help people that want to modify their bluetooth equipment in order to connect an external (directional) antenna to their Bluetooth dongle. This Bluetooth tuning makes it possible to concentrate the emission of bluetooth signals to one direction instead of any direction. This direction of signals enhances the range of bluetooth radios.

BT CLASS--Each Bluetooth device has a device class (type of device and services it provides) which is part of the response to an inquiry. The device class has a total length of 24 bits and is separated in three parts.

9. BLUETOOTH SECURITY

Bluetooth security, when compared with WLAN security, is both more complex and simpler. It is more complex in the sense that there are many different options for security based on different application scenarios. It is simpler in the sense that, since the Bluetooth spec includes all levels, higher-level security features are already built into the devices when appropriate. With WLANs it is up to the network administrator to add security at higher levels. With Bluetooth, for the most part, they are transparent to the user. Bluetooth security includes both authentication and confidentiality, and is based around the SAFER+ encryption algorithm. SAFER+ was thoroughly analyzed and tested during the NIST's search for a national encryption standard. Although some versions were found to have very minor weaknesses, the 128-bit version as used in Bluetooth is considered very strong. SAFER+ is a block cipher, but in this application is implemented as a stream cipher.

9.1 LINK LAYER SECURITY – KEYS AND MORE KEYS

The Bluetooth Baseband (link layer) specification defines methods for both authentication and encryption that are subsequently utilized by higher layers. These methods utilize a number of keys generated by a process that begins with three basic device entities: a public 48-bit device address, a random number generator, and a secret PIN which is either built into the unit by the manufacturer or programmed by the user. A typical PIN may consist of just four decimal digits. However, for applications requiring more security a PIN code up to 128-bits long can be entered. The first of many keys is created the first time the Bluetooth device is installed on the host and is typically never changed. This is referred to as the unit key.

9.1.1 Authentication

When a Bluetooth session (defined as the time interval for which the device is part of a piconet) is initiated, a series of additional keys is generated. One of these keys, referred to as the link key or authentication key, is a one-time 128-bit secret key that is used only during that session. The process of authentication employs the encryption of a random number by each device to verify that each is sharing the same secret link key.
9.1.2 Encryption

If encryption is required by the application, an encryption key is further derived from the link key, a ciphering offset number, and a random number. While the authentication key is always 128-bits, the encryption key may be shorter to accommodate government restrictions on encryption, which vary from country to country. A new encryption key is generated each time the device enters encryption mode. The authentication key, however, is used during the entire session.

The Bluetooth General Access Profile defines three security modes:

Mode 1 is non-secure. Authentication is optional.

Mode 2 gives service-level enforced security. The service provided by the application decides whether or not authentication or encryption is required. The Bluetooth SIG has published the Bluetooth Security Architecture white paper that defines a suitable architecture for implementing service-level enforced security on Bluetooth devices. The white paper splits devices into different categories and trust levels, as well as suggesting three security levels for services. The utilization of a database is suggested for enabling the user to authorize devices to utilize only particular services. Because the implementation of security at this level does not affect interoperability, this white paper is advisory only, and is not part of the Bluetooth specification.

Mode 3 is link-level enforced security. Both devices must implement security procedures in order for a connection to be established.

In addition to the above modes, a device can be configured to not respond to paging, so that other devices cannot connect to it. Or it can be configured so that only devices that already know its address can connect to it. Such numerous and complex levels of security are necessary to accommodate the large variety of different usage scenarios. It falls on the designers of Bluetooth products to ensure that the complexity of Bluetooth is hidden from the user, while still providing the user with necessary security options.
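The Mode 2 arrangement described above (devices with trust levels, services with security levels, and a database that says which device may use which service) is easiest to understand as a decision function. The following is an added example, not code from the paper or from the Bluetooth SIG white paper; the trust categories, the three service levels and the sample database are assumptions patterned on the description above.

```python
"""Service-level (Mode 2) security decision for a Bluetooth service.

Added example, not code from the paper or the Bluetooth SIG white paper. It
models the scheme described above: each known device carries a trust level,
each service carries a required security level, and a small database tells
the device which services a peer may use. Names, trust categories and the
three service levels are assumptions patterned on that description.
"""
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    TRUSTED = "trusted"      # paired and marked trusted by the user
    UNTRUSTED = "untrusted"  # paired (link key exists) but not trusted
    UNKNOWN = "unknown"      # no link key stored: pairing has not happened


class ServiceLevel(Enum):
    OPEN = 1          # no security required (e.g. service discovery)
    AUTHENTICATE = 2  # link-level authentication, no per-device authorization
    AUTHORIZE = 3     # authentication plus authorization (and encryption here)


@dataclass
class Device:
    addr: str
    trust: Trust
    allowed_services: set = field(default_factory=set)


@dataclass
class Service:
    name: str
    level: ServiceLevel
    encrypt: bool = False


@dataclass
class Decision:
    allow: bool         # may the connection proceed (possibly after the user is asked)
    authenticate: bool  # must the link be authenticated first
    encrypt: bool       # must the link be encrypted
    ask_user: bool      # does a human have to authorize this device for this service
    reason: str


# Constructed sample database, not data from the paper.
DEVICE_DB = {
    "00:02:EE:11:22:33": Device("00:02:EE:11:22:33", Trust.TRUSTED, {"file-transfer"}),
    "00:0A:D9:44:55:66": Device("00:0A:D9:44:55:66", Trust.UNTRUSTED),
}
SERVICES = {
    "sdp": Service("sdp", ServiceLevel.OPEN),
    "object-push": Service("object-push", ServiceLevel.AUTHENTICATE),
    "file-transfer": Service("file-transfer", ServiceLevel.AUTHORIZE, encrypt=True),
}


def decide(device_db: dict, addr: str, service: Service) -> Decision:
    """Apply the service's security level to the requesting device's trust record."""
    dev = device_db.get(addr.upper(), Device(addr.upper(), Trust.UNKNOWN))
    if service.level is ServiceLevel.OPEN:
        return Decision(True, False, False, False, "open service")
    if dev.trust is Trust.UNKNOWN:
        # Without a link key the authentication procedure cannot run at all;
        # the peer has to pair first, which in Mode 2 is triggered per service.
        return Decision(False, True, service.encrypt, False, "unknown device must pair first")
    if service.level is ServiceLevel.AUTHENTICATE:
        return Decision(True, True, service.encrypt, False, "authenticated access")
    # ServiceLevel.AUTHORIZE: trusted devices with a matching entry pass silently,
    # everything else needs an explicit authorization from the user.
    if dev.trust is Trust.TRUSTED and service.name in dev.allowed_services:
        return Decision(True, True, True, False, "trusted device, service pre-authorized")
    return Decision(True, True, True, True, "ask the user before granting access")


if __name__ == "__main__":
    for addr in list(DEVICE_DB) + ["00:01:E3:77:88:99"]:
        for svc in SERVICES.values():
            d = decide(DEVICE_DB, addr, svc)
            print(f"{addr} -> {svc.name:13s} allow={d.allow!s:5} auth={d.authenticate!s:5} "
                  f"enc={d.encrypt!s:5} ask={d.ask_user!s:5} ({d.reason})")
```

The point of the split between `allow` and `ask_user` is that the decision for an untrusted-but-paired device is not a refusal: the link is authenticated and encrypted, and the human is asked once for that service, which is exactly the per-service database the white paper suggests.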

We are not aware of any workarounds for the SNARF or BLUEBUG attacks at this time, other than to switch off Bluetooth.

To permanently remove a pairing, and protect against future BACKDOOR attacks, it seems you must perform a factory reset, but this will, of course, erase all your personal data. To avoid Bluejacking, "just say no". The above methods work to the best of our knowledge, but, as the devices affected are running closed-source proprietary software, it is not possible to verify that without the collaboration of the manufacturers. We therefore make no claims as to the level of protection they provide, and you must continue to use Bluetooth at your own

11. Device Authentication In Bluetooth Technology

Bluetooth technology provides a method for authenticating devices. Device authentication is provided using a shared secret between the two devices. The common shared secret is called a link key. This link key is established in a special communications session called pairing. All paired devices (devices that have had a previous connection to establish security procedures) share a common link key. There are two types of link keys defined: unit keys and combination keys.

A device using a unit key uses the same secret for all of its connections. Unit keys are appropriate for devices with limited memory or a limited user interface. During the pairing procedure the unit key is transferred (encrypted) to the other unit. Note that only one of the two paired units is allowed to use a unit key.

Combination keys are link keys that are unique to a particular pair of devices. The combination key is only used to protect the communication between these two devices. Clearly a device that uses a unit key is not as secure as a device that uses a combination key. Since the unit key is common to all devices with which the device has been paired, all such devices have knowledge of the unit key. Consequently they are able to eavesdrop on any traffic based on this key. In addition, they could, in theory, be modified to impersonate other devices using the key. Thus, when using a unit key there is no protection against attacks from other devices with which the device has been paired.
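The difference between the two key types is easiest to see in a small model. The following is an added example, not code from the paper and not the Bluetooth E21/E22 key generators or the E0 cipher: SHA-256 and an XOR keystream stand in for them (an assumption), and the device addresses are constructed. Device D pairs with three peers; with a unit key every peer ends up holding the key that protects D's link to the others, with combination keys it does not.

```python
"""Why a unit key is weaker than a combination key (added example, toy model).

Not code from the paper and not the Bluetooth E21/E22 key generators or the
E0 cipher: SHA-256 and an XOR keystream stand in for them (assumption).
Device D pairs with peers A, B and C. With a unit key D hands out one secret
to all of them, so A holds the key that protects the D-B link; with
combination keys every pair derives its own secret from both sides' random
contributions, so A learns nothing about the D-B link.
"""
import hashlib
import secrets

# Constructed sample addresses, not from the paper.
D_ADDR = b"\x00\x02\xee\x00\x00\x0d"
PEERS = {
    "A": b"\x00\x0a\xd9\x00\x00\x0a",
    "B": b"\x00\x01\xe3\x00\x00\x0b",
    "C": b"\x00\x60\x57\x00\x00\x0c",
}


def unit_key(device_addr: bytes, rng=secrets.token_bytes) -> bytes:
    """Created once when the device is installed and reused for every pairing."""
    return hashlib.sha256(b"unit" + device_addr + rng(16)).digest()[:16]


def combination_key(rand_self: bytes, addr_self: bytes,
                    rand_peer: bytes, addr_peer: bytes) -> bytes:
    """Both sides contribute a random value; sorting makes the result order-independent."""
    parts = sorted([rand_self + addr_self, rand_peer + addr_peer])
    return hashlib.sha256(b"comb" + parts[0] + parts[1]).digest()[:16]


def encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Toy stream cipher: XOR with a hash-derived keystream (stand-in for E0)."""
    stream = hashlib.sha256(key + nonce).digest()
    assert len(msg) <= len(stream), "toy cipher handles short messages only"
    return bytes(m ^ s for m, s in zip(msg, stream))


decrypt = encrypt  # XOR is its own inverse


def pair_all(use_unit_key: bool):
    """Returns (link keys D stores per peer, link key each peer stores for D)."""
    d_keys, peer_keys = {}, {}
    ku = unit_key(D_ADDR) if use_unit_key else None
    for name, addr in PEERS.items():
        if use_unit_key:
            k = ku  # the same secret is transferred (encrypted) to every peer
        else:
            k = combination_key(secrets.token_bytes(16), D_ADDR,
                                secrets.token_bytes(16), addr)
        d_keys[name] = k
        peer_keys[name] = k
    return d_keys, peer_keys


def eavesdrop(use_unit_key: bool, secret: bytes = b"meeting at 9, room 4") -> bool:
    """D sends to B; A, an earlier pairing partner of D, tries its own key on the traffic."""
    d_keys, peer_keys = pair_all(use_unit_key)
    nonce = secrets.token_bytes(16)
    ciphertext = encrypt(d_keys["B"], nonce, secret)
    guess = decrypt(peer_keys["A"], nonce, ciphertext)
    return guess == secret


if __name__ == "__main__":
    print("A can read D->B traffic with unit key:       ", eavesdrop(True))
    print("A can read D->B traffic with combination key:", eavesdrop(False))
```

The same structure explains the impersonation remark above: with a unit key, A holds exactly the secret B would need to prove that it is B, so nothing in the key material distinguishes the two peers.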

As a result, the Bluetooth SIG discourages the use of unit keys in secure applications. Authentication is performed with a challenge response scheme utilizing the E1 algorithm. E1 is a modification of the block cipher SAFER+. The scheme operates as follows: The verifier issues a 128 bit long challenge. The claimant then applies E1 using the challenge, its 48-bit Bluetooth address, and the current link key. He then returns the 32 most significant bits of the 128 bit result.

The verifier confirms the response, in which case the authentication has succeeded. In this case, the roles are switched and the same procedure is applied again, thereby accomplishing mutual authentication.
The Bluetooth challenge response algorithm differs from that used in 802.11b in very important ways. In 802.11b the challenge and response form a plaintext/cipher text pair. This fact, combined with the simplicity of the encryption method (XOR), allow an intruder to easily determine the authentication key string by listening to one authentication procedure. In contrast, the Bluetooth authentication method never transmits the complete challenge response pair. In addition, the E1 algorithm is not easily invertible. Thus even if an attacker has recorded an authentication challenge response session, he cannot (directly) use this data to compute the authentication key.
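The two exchanges compared above, run side by side, as an added example that is not code from the paper. HMAC-SHA256 stands in for E1 (an assumption; the real function is the SAFER+ based E1), the addresses and keys are constructed, and the 802.11b side is reduced to the XOR step the text refers to. The transcript of the Bluetooth-style exchange contains only 32 of the 128 result bits per direction; the transcript of the XOR-style exchange gives the listener the keystream.

```python
"""Challenge-response the Bluetooth way versus the 802.11b way (added example).

Not the paper's code and not the real E1/SAFER+ function: HMAC-SHA256 stands
in for E1 (assumption). The two properties the text relies on are visible in
the transcripts: only 32 of the 128 result bits are sent, so an eavesdropper
never sees a full input/output pair of the keyed function, whereas with the
XOR scheme one recorded exchange hands over the keystream directly.
"""
import hashlib
import hmac
import secrets


def e1_stand_in(link_key: bytes, challenge: bytes, bd_addr: bytes) -> bytes:
    """Keyed one-way function of (challenge, claimant address); 128-bit output."""
    return hmac.new(link_key, challenge + bd_addr, hashlib.sha256).digest()[:16]


def bt_response(link_key: bytes, challenge: bytes, bd_addr: bytes) -> bytes:
    """Claimant returns only the 32 most significant bits of the 128-bit result."""
    return e1_stand_in(link_key, challenge, bd_addr)[:4]


def bt_verify(link_key: bytes, challenge: bytes, bd_addr: bytes, sres: bytes) -> bool:
    """Verifier recomputes the expected 32 bits with its own copy of the link key."""
    return hmac.compare_digest(bt_response(link_key, challenge, bd_addr), sres)


def bt_mutual_auth(key_a, addr_a, key_b, addr_b, rng=secrets.token_bytes):
    """Run both directions. Returns (A accepted B, B accepted A, on-air transcript)."""
    rand_a = rng(16)                                   # A is the verifier
    sres_b = bt_response(key_b, rand_a, addr_b)        # B is the claimant
    a_accepts_b = bt_verify(key_a, rand_a, addr_b, sres_b)
    rand_b = rng(16)                                   # roles switched
    sres_a = bt_response(key_a, rand_b, addr_a)
    b_accepts_a = bt_verify(key_b, rand_b, addr_a, sres_a)
    return a_accepts_b, b_accepts_a, [(rand_a, sres_b), (rand_b, sres_a)]


def xor_response(keystream: bytes, challenge: bytes) -> bytes:
    """802.11b-style shared-key response: challenge XOR keystream."""
    return bytes(c ^ k for c, k in zip(challenge, keystream))


def keystream_from_transcript(challenge: bytes, response: bytes) -> bytes:
    """What a passive listener learns from one XOR-style exchange."""
    return bytes(c ^ r for c, r in zip(challenge, response))


def transcript_leaks_full_pair(transcript) -> bool:
    """For the Bluetooth exchange: does any response expose the full 128-bit output?"""
    return any(len(sres) == 16 for _, sres in transcript)


if __name__ == "__main__":
    # Constructed sample values, not from the paper.
    link_key = secrets.token_bytes(16)
    addr_a, addr_b = b"\x00\x02\xee\x01\x02\x03", b"\x00\x0a\xd9\x04\x05\x06"
    ok1, ok2, tr = bt_mutual_auth(link_key, addr_a, link_key, addr_b)
    print("mutual authentication:", ok1 and ok2,
          "| bits on air per response:", 8 * len(tr[0][1]))
    ks, ch = secrets.token_bytes(16), secrets.token_bytes(16)
    print("XOR keystream recovered from one exchange:",
          keystream_from_transcript(ch, xor_response(ks, ch)) == ks)
```

The 32-bit response is short enough that a passive recording gives a verifier-side check value, not the key; what the text calls "not easily invertible" is the property that the stand-in HMAC also has, which is why recording `tr` does not let anyone compute `link_key`.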

Pairing is the procedure where a relationship (link key) is established between two previously unknown devices. The link key is derived when the devices are initially paired (i.e. the link key does not exist before the pairing procedure). Pairing is facilitated with yet another key, the initialization key. This key is computed by a pair of devices using the Bluetooth addresses of each device, a random number, and a shared secret (PIN). Since it is only used in the initial pairing, the initialization key is only used once. The initial pairing is the most profitable area of attack on a Bluetooth device. If the attacker can guess or steal the PIN during the initial pairing, then he can perform a much more efficient search to derive the link key. This search is further simplified if the communications occurring while the devices are paired is recorded. For this reason the Bluetooth SIG strongly encourages the use of long, random PINs and suggests that pairing be performed only in a private place. Assuming that both devices have a man-machine interface (such as a keypad) it is also suggested that the PIN be manually entered into both devices or in any case communicated out-of-band (not transmitted over the Bluetooth wireless link). Thus, long PINs provide improved security since the PIN cannot be received over-the-air. To steal the PIN an attacker must guess or record it by some other means such as direct observation of the user, a more difficult procedure if the PIN is long and the pairing is performed in

As a communication standard, Bluetooth security focuses on the link level. It provides both entity authentication and link privacy. Since these functions are focused at the lower network layers, message authentication and secure end-to-end links are not provided. As with other communication standards, this function is expected to be provided at higher network layers by specific application providers. However, many applications, such as e-mail and browser transactions require end-to-end security. Accordingly, the Bluetooth SIG encourages the reuse of existing transport, session and application layer security. In addition, simple devices that use unit keys should not be relied upon to communicate highly secure data. Accordingly the Bluetooth SIG strongly encourages pairing in a private place and the use of robust PINs.

13. BLUESNARFING

SNARF and bluesnarfing are words that have been spooking through the Internet during the last months. These words relate to a recently discovered security flaw in Bluetooth-enabled devices. SNARF is a word coming from computer-hacker jargon. To snarf something means "to grab a large document or file and use it without the author's permission". As described in ..., the SNARF attack enables access to restricted portions of the device. So it is possible to, for example, read out the affected devices' phone books. These phone books contain numbers and associated names of persons that are either stored in the device phone-book, on the SIM card or in the lists of missed, received or dialed contacts. It is also possible to retrieve and send SMS messages from the affected phone or to initiate phone calls to any existing number (this feature is of special interest if you are running a premium service number yourself). In theory, all supported AT-commands could be issued to the respective device, but according to statements of the manufacturers some of the commands are not permitted by means of this disallowed connection. But there would be no reason of preventing commands from a connection that the firmware discloses by accident. This report is about a field-trial that has evaluated this security loophole at the CeBIT 2004 in Hannover.

13.1 The BlueSnarf Field Trial

The environment was built up by open-source software run on a laptop computer.

13.2 The Environment Setup

The hardware used for this trial was a COMPAQ Evo N600c with two low-cost MSI Bluetooth USB-dongles. The software used with this hardware was linux-2.4.22 together with Qualcomm's Bluetooth stack implementation Bluez (bluez-libs-2.4, bluez-utils-2.4 and bluez-sdp-1.5). The actual application was implemented in PERL and C. For better data-mining capabilities, an enterprise-level SQL DBMS (postgresql-7.4.1) has been used in order to store and access the collected device-information.

13.3 Collected Data Samples and Results

In total, 1269 different devices have been discovered in the period from March 18th to 21st March 2004 at the place described above. Due to the limited range of about ten meters, not all of the Bluetooth-enabled devices at this place could have been detected. But still, the number of discovered devices is very high.

13.4 Discovered Device Vendors

The determination of the vendor is done by means of the Bluetooth address. Similar to the hardware-address (MAC address) of Ethernet network interface cards, also the Bluetooth address refers to the manufacturer of the Bluetooth chip-set. Table 1 shows the vendor and the three first bytes of the Bluetooth addresses that are associated with the respective vendor. Also a value expressing the distribution among the vendors is provided in this table. The 70 percent of discovered Nokia handsets clearly represent Nokia's market-leadership in Europe. Interestingly, many companies use the Nokia 6310i as a company phone. One possible reason for this could be the compatibility to the Nokia car-kits that have been installed over years in many company cars.

13.5

Table 13.1: Device Vendors

Vendor         Address-Bytes                    Percentage
Nokia          00:02:EE, 00:60:57, 00:E0:03     70
SonyEricsson   00:0A:D9                         11.35
Siemens        00:01:E3                         8.2
Unknown        miscellaneous                    8.1
Other          miscellaneous                    2.1

13.6 Discovered Models

It cannot be determined from the device's Bluetooth address which model of the respective vendor this is. Therefore, the Bluetooth name that on many devices defaults to the model number has been used to identify the model of the discovered device. The Bluetooth name of the devices can be set by the user and is therefore not itself a reliable information to determine the model number. It is worth mentioning that many people use their full name as identification for their device. So, this graph is not totally correct, but gives a coarse idea on the vendor/model distribution. The tables 2, 3 and 4 show the numbers of models that could have been uniquely determined by their names. The graph displayed in table 2 supports the assumption that has been made before, that obviously many companies are using the Nokia 6310i phone for their employees.

13.7

Table 13.1: Recognized Nokia Models

Device              Number   Percentage
Unrecognized        669      75.1
Nokia 6310/6310i    135      15.2
Nokia 6600          48       5.4
Nokia 3650          28       3.1
Nokia 7650          11       1.2

13.8

Table 13.1: Recognized SonyEricsson Models

Device              Number   Percentage
Unrecognized        106      72.1
SonyEricsson T610   33       22.5
SonyEricsson P900   7        4.8
SonyEricsson P800   1        0.7

Characteristic for the German/European market was the relatively high presence of Siemens phones. At the moment, only the phones belonging to the 55 series and the new SX1 are supporting Bluetooth.
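The classification method of 13.4 and 13.6 (vendor from the first three address bytes, model from the device name when the name is still the factory default, plus the 24-bit device class mentioned under BT CLASS) can be written down as a small inventory routine. The following is an added example, not the field trial's Perl/C code; the address bytes come from Table 13.1 above, the list of recognizable default names is a hand-picked assumption, and the inquiry records are constructed sample data, not results from the trial.

```python
"""Vendor and model classification from inquiry results (added example).

Not the field trial's Perl/C code. It reproduces the method described in 13.4
and 13.6 above: map the first three bytes of the Bluetooth address to a vendor
using the address bytes from Table 13.1, take the model from the device name
only when the name is a known default, and count the distribution. It also
splits the 24-bit class of device into its three parts. The inquiry records
are constructed sample data, not results from the trial; KNOWN_MODELS is a
hand-picked list for the example.
"""
from collections import Counter

# Address bytes per vendor, as listed in Table 13.1 above.
VENDOR_BY_OUI = {
    "00:02:EE": "Nokia", "00:60:57": "Nokia", "00:E0:03": "Nokia",
    "00:0A:D9": "SonyEricsson",
    "00:01:E3": "Siemens",
}

# Default names that identify the model (assumption: these are the factory defaults).
KNOWN_MODELS = {"Nokia 6310", "Nokia 6310i", "Nokia 6600", "Nokia 3650", "Nokia 7650",
                "T610", "P900", "P800", "S55", "SL55", "SX1"}

# Major device class values (bits 8-12 of the class of device).
MAJOR_CLASS = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
               4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 31: "Uncategorized"}


def vendor_of(addr: str) -> str:
    """Vendor from the three most significant address bytes, 'Unknown' if unlisted."""
    return VENDOR_BY_OUI.get(addr.upper()[:8], "Unknown")


def model_of(name: str) -> str:
    """Model only when the name is an untouched default; users often set their own name."""
    n = name.strip()
    return n if n in KNOWN_MODELS else "Unrecognized"


def split_class(cod: int):
    """24-bit class of device -> (service class bits, major class name, minor class)."""
    service = (cod >> 13) & 0x7FF   # bits 13-23
    major = (cod >> 8) & 0x1F       # bits 8-12
    minor = (cod >> 2) & 0x3F       # bits 2-7 (bits 0-1 are the format type)
    return service, MAJOR_CLASS.get(major, f"major={major}"), minor


def summarize(records):
    """Vendor percentages and (vendor, model) counts over a list of inquiry records."""
    vendors = Counter(vendor_of(r["addr"]) for r in records)
    models = Counter((vendor_of(r["addr"]), model_of(r["name"])) for r in records)
    total = len(records)
    pct = {v: round(100.0 * c / total, 1) for v, c in vendors.items()}
    return pct, models


# Constructed inquiry records (address, name, class of device), not trial data.
SAMPLE = [
    {"addr": "00:02:EE:10:00:01", "name": "Nokia 6310i", "cod": 0x520204},
    {"addr": "00:02:EE:10:00:02", "name": "Nokia 6310i", "cod": 0x520204},
    {"addr": "00:60:57:10:00:03", "name": "Nokia 6310i", "cod": 0x520204},
    {"addr": "00:E0:03:10:00:04", "name": "Nokia 6310i", "cod": 0x520204},
    {"addr": "00:02:EE:10:00:05", "name": "Nokia 6600", "cod": 0x520204},
    {"addr": "00:02:EE:10:00:06", "name": "Max Mustermann", "cod": 0x520204},
    {"addr": "00:60:57:10:00:07", "name": "Julia", "cod": 0x520204},
    {"addr": "00:0A:D9:10:00:08", "name": "T610", "cod": 0x520204},
    {"addr": "00:0A:D9:10:00:09", "name": "my phone", "cod": 0x520204},
    {"addr": "00:01:E3:10:00:0A", "name": "S55", "cod": 0x520204},
]

if __name__ == "__main__":
    pct, models = summarize(SAMPLE)
    print("vendor distribution:", pct)
    for (vendor, model), n in sorted(models.items()):
        print(f"  {vendor:13s} {model:14s} {n}")
    print("class 0x520204 ->", split_class(0x520204))
```

The "Unrecognized" rows in the tables above are exactly what `model_of` produces for a user-chosen name, which is why the model counts underestimate and the vendor counts, taken from the address, do not.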

13.7 Nokia 6310/6310i

As mentioned above, this study confirms that the Nokia 6310 and the more enhanced Nokia 6310i are very vulnerable to the SNARF attack. About 33 percent of all discovered devices of this type were disclosing personal phone book entries without requiring user-interaction. Since the snarf-process takes an average time of 30 seconds (from the discovery to the end of the attack), it is very likely that a lot more devices could have been read out. Too many people were just passing the location so that they left the Bluetooth-covered area too early to be snarfed.

13.8 SonyEricsson T610

Experiments with the SonyEricsson T610 showed that this model is generally not vulnerable to the SNARF attack. During an earlier presentation of the SNARF attack in February it happened that T610 phones with recent versions of the T610 firmware were disclosing personal information. Obviously, newer versions of the T610 firmware do allow SNARF attacks. In the CeBIT 2004 field trial only 6 percent of all discovered T610 devices could be read out. In future, when the newer firmware is running on an increased number of T610 devices, the success rate of the SNARF attack will also increase.

13.9 Siemens Phones

As far as it has been observed in the CeBIT field trial, Siemens phones are not vulnerable to the SNARF attack. Bluetooth-enabled Siemens phones like the S55 merely seem to be rather paranoid. Every time a usual scan-request is received by these phones they cowardly ask for the user's confirmation. Actually, this behavior is quite annoying.

Table 4: Recognized Siemens Models
Device              Number   Percentage
Unrecognized         69      66.3
Siemens S55/SL55     30      28.8
Siemens SX1           5       4.8

13.10 Discovered Vulnerable Devices

As displayed in figures 2 and 3, the two top-selling Bluetooth-enabled models of SonyEricsson and Nokia are vulnerable to the SNARF attack. As written in the referenced document, there are a number of devices that are vulnerable to the SNARF attack. According to this document these are the Ericsson phone T68/T68i, the SonyEricsson phones R520m, T610 and Z1010 and the Nokia phones 6310/6310i, 8910/8910i and 7650. Due to limited market take-up and the resulting low penetration-rate of some devices, the vulnerability of some of the listed devices cannot be confirmed by this study. Adam Laurie also provides information whether the respective devices are attackable in invisible or visible mode. Since the setup used for this field trial did not use a brute-force approach (as presented by @stake) for detecting also invisible devices, this study only confirms the vulnerability of visible devices.

13.11 Other Experiences

In preparation for the trial-setup, the Ericsson T68i (which is also on the list of vulnerable devices) has been checked. It can be confirmed that this phone is vulnerable to the SNARF attack but switches into the hidden mode automatically (three minutes after activation of the Bluetooth interface). In hidden mode this phone is not vulnerable.

13.12 What Has Been Done?

The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is why only the first 10 entries of each phone book were read out. About 50 numbers from each snarfed phone have been retrieved. Total snarfed: 50.

13.13 What Could Have Been Done?

As mentioned in the introduction, a variety of different things could have been done with an unauthorized Bluetooth connection to the phone. The following paragraphs give some ideas on the things this security flaw would also allow the attacker to do.

13.13.1 Sending a SMS

The only good way to get to know the number of the snarfed phone is to send an SMS from the attacked phone to another device. The sending of an SMS is not visible to the user. Usually, the issued SMS is not stored in the sent-box of the snarfed phone. Depending on the manufacturer of the phone, SMS messages can either be provided in 7bit encoded ASCII-text and/or have to be provided as a SMS-PDU, which is rather tricky to generate. Nokia phones allow to issue text-mode and PDU-mode messages to the device, while SonyEricsson phones (and also Siemens phones) only accept PDU-encoded SMS messages. For the creation of SMS-PDUs there is a tool called PDUSpy in the download section of ... By sending PDU encoded messages, it can be controlled by setting a flag whether a reception report is generated or not. In rare cases, the SMS settings of the snarfed phone are set to require a report that is generated at the receiving phone. In this case the sender that was not aware of having sent a message would receive a reception-report from the attacker's phone (which includes a phone number). This method to get the victim's phone number is causing costs to the holder of the phone. That is why it has not been done in the CeBIT field-trial. But it works for sure (at least on Nokia devices). It would also be possible to get the device's phone number by initiating a phone call to the number of a phone that is able to display the caller's number. However, this method would disclose the number of the dialed phone, because every call initiation is writing an entry into the dialed contacts list (DC phone book).

13.13.2 Initiating a Phone Call

It is possible to initiate phone calls to virtually any other number. As mentioned before, every phone call is writing an entry into the "dialed contacts" or DC phone book of the respective device. It would be very lucrative to initiate calls to a premium service number that is run by the attacker. However, dialed numbers are usually stored in the phone's calling lists and are also stored at the provider-site for billing purposes. It would also be very easy to find out and sue the person being responsible for this premium service. Therefore, this kind of abuse is rather unlikely.

13.13.3 Writing a Phone Book Entry

As mentioned before, every call initiation is writing an entry into the dialed contacts list (DC phone book). By writing a phone book entry into the DC phone book, the traces on the device that evidence that a call has been made can be replaced by any number. Since the operator also stores dialed numbers for billing purposes, this kind of obfuscation would only delay the process of finding the responsible to the owner of the attacked phone. Of course it is also possible to do some nasty phone book entries. Just imagine an entry that has 'Darling' as a name and the number of a person you dislike. This owner of the phone could then get into some trouble with his/her spouse. Such entries would most likely overwrite existing ones. In the CeBIT trial no phone book entries have been written.

13.13.4 Future Work

Ongoing experiments include a SNARF application on Java/J2ME phones. As a requirement for this, the respective phones would have to have the MIDP 2.0 API implemented together with the optionally provided Bluetooth-API. The only phone that has these features at the moment is the Nokia 6600.

13.13.5 Blueprinting

Blueprinting aims to set a standard for fingerprinting Bluetooth devices. With Blueprinting it is possible to determine the manufacturer, the device model and the firmware version of the respective device. The idea is similar to IP fingerprinting techniques as used in tools like nmap, where it is possible to determine a host's operating system by specific behavior of the IP stack. The complexity of the introduced method is intentionally simple so that this procedure can be executed on constrained devices that are not capable of calculating common hashes such as MD5: the J2ME Connected Limited Device Configuration (CLDC) Version 1.0 (as used in many mobile handsets) can perform it.

There are many different reasons that justify a method that allows the identification of Bluetooth-enabled devices by the characteristics of their radio interface. Since mobile phones and PDAs make up the biggest group of Bluetooth enabled devices, Blueprinting mainly focuses on these devices.

13.13.6 Device Statistics

One of the purposes that Blueprinting could be used for is statistical examination of different environments. This way, it is possible to create statistics over manufacturer and device models in special places as it was done in the CeBIT field trial report.

13.13.7 Automated Application Distribution

There are many different mobile handsets that all have different operating system platforms running. One of the most popular platforms is Symbian, but there is a number of other platforms. Mobile device manufacturers are developing applications for many different purposes. In order to deliver the application for the right platform, the application distributor needs to know about the requesting device model, so that the application that is pushed to the device might be a version that supports e.g. the bigger display of a certain device. Unfortunately, there are also malicious applications like the proof-of-concept virus CIBER that could profit from an identification method like Blueprinting.

13.13.8 Security Audits

Early implementations of the Bluetooth standard in devices of various device manufacturers are subject to more or less severe security issues. Attacks like the BlueSnarf attack, the Bluebug attack or the BlueSmack attack, which enable the extraction of sensitive information, the abuse of telecommunications services or the denial of service, are subject to the firmware and the model of some phones. In order to communicate eventual security issues to the respective manufacturers it is important to know about the properties of the concerned device. There are more scenarios where the determination of Bluetooth device properties is making sense. Blueprinting contributes to the efforts done in order to make Bluetooth devices more secure.

13.13.9 Device Information

Blueprinting encapsulates the necessary information in order to determine device specific properties such as the manufacturer, the model information and the firmware version.

The method relies on device specific information that has been collected in experiments such as the CeBIT experiment. Every Bluetooth enabled device has some characteristics that are either unique (Bluetooth device address), manufacturer specific (the first part of the Bluetooth device address) or model-specific (service description records). Blueprinting is combining the different information that Bluetooth-enabled devices reveal in order to identify the manufacturer as well as the model of the device. The firmware version that runs on certain devices can be derived based upon the devices' different characteristics.

13.13.10 Bluetooth Device Address

As mentioned above, the Bluetooth device address (BD ADDR) is unique and globally refers to one single device. The address is programmed into the Bluetooth radio. This BD ADDR address consists of 48 bits (6 bytes) that are usually notated like MAC addresses (e.g. MM:MM:MM:XX:XX:XX). The first three bytes of this address (the bytes that are denoted by M's above) refer to the manufacturer of the chipset. An actual list of all these codes that refer to different manufacturers can be found in the OUI database hosted by IEEE. Unfortunately, it is not possible to tell anything about the device model by interpretation of the remaining three bytes. These bytes (denoted by X's above) are used randomly in different models, and, therefore, the address alone is not as detailed as it could be. For identifying a manufacturer's model, Blueprinting therefore takes the SDP profiles into account, which can be queried from devices that offer services.

13.13.11 SDP Profiles

Service Discovery Protocol (SDP) profiles are a concept that is used by Bluetooth in order to identify a certain service to other devices. This is done for auto configuration purposes and to help a user set up a connection to the specific device. SDP profiles are served by the device's SDP server and provide information on how to access the offered profiles.

13.13.12 Blueprinting

Blueprinting uses specific information from SDP profiles of a device to create a hash for the respective device. Every SDP profile entry has some properties that can be used to identify the device. According to the standard, there is always a field that holds the Service Record Handle, which is a 32 bit number that is assigned by the SDP server when a service is registered during startup of the device (e.g. 0x1000c in table 1). In the case of mobile phones, the Record Handles for the profile entries at the SDP server are not dynamically assigned but statically coded in the phone's firmware. The other value that is taken into the hash is the RFCOMM channel or the L2CAP PSM number that the service can be accessed under. In the profile below, this would be RFCOMM channel 9. One part of a device's Blueprinting hash is the sum of the RecHandle times the Channel for all running services. The following example shows this by the example of a Nokia 6310i SDP profile export.

Table 1: OPUSH Profile from a Nokia 6310i
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

For all services of this Nokia 6310i, the products RecHandle times Channel and their sum are:

RecHandle   Channel   Product
0x1000b         2      131094
0x1000c         9      589932
0x1000d         1       65549
0x1000e        15      983250
0x1000f         3      196653
0x10010        13      852176
0x10011        12      786636
Sum                   3605290
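The hash calculation described above, as an added example that is not part of the original report or of the trifinite.group's Blueprint tool: it parses an sdptool-style export, sums RecHandle times Channel (or PSM for L2CAP-only services) and looks the result up in a small fingerprint database keyed by the manufacturer part of the BD ADDR, as the Blueprint software also does. The SDP text, the fingerprint database and the 00:11:22 OUI are constructed for this example.

```python
import re

# Constructed sdptool-style export for the Nokia 6310i of table 1: the OBEX Object Push
# record from the table, plus the other six records reduced to the two lines the hash uses.
NOKIA_6310I_SDP = """\
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)

Service RecHandle: 0x1000b
    Channel: 2

Service RecHandle: 0x1000d
    Channel: 1

Service RecHandle: 0x1000e
    Channel: 15

Service RecHandle: 0x1000f
    Channel: 3

Service RecHandle: 0x10010
    Channel: 13

Service RecHandle: 0x10011
    Channel: 12
"""

HANDLE_RE = re.compile(r"Service RecHandle:\s*(0x[0-9A-Fa-f]+)")
# RFCOMM services expose a Channel, L2CAP-only services a PSM; either is the access number.
ACCESS_RE = re.compile(r"(?:Channel|PSM):\s*(\d+)")

def parse_sdp_records(text):
    """Return (record_handle, access_number) pairs, one per blank-line separated record."""
    pairs = []
    for record in re.split(r"\n\s*\n", text.strip()):
        handle, access = HANDLE_RE.search(record), ACCESS_RE.search(record)
        if handle and access:  # records without an access number do not enter the hash
            pairs.append((int(handle.group(1), 16), int(access.group(1))))
    return pairs

def blueprint_hash(text):
    """Sum of RecHandle * Channel over all advertised services (3605290 for the sample)."""
    return sum(handle * access for handle, access in parse_sdp_records(text))

# Constructed fingerprint database keyed by (OUI, hash); 00:11:22 is a placeholder OUI.
FINGERPRINTS = {("00:11:22", 3605290): "Nokia 6310i"}

def identify(bd_addr, sdp_text):
    return FINGERPRINTS.get((bd_addr.upper()[:8], blueprint_hash(sdp_text)), "unknown")
```

A device whose OUI or service table differs (a different firmware, for instance) yields "unknown" rather than a wrong match, which is why the database needs one entry per firmware version.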

13.13.12.2 Blueprinting Software

The Blueprint software is a proof-of-concept implementation of the herein described Bluetooth fingerprinting technique. For simplicity, it was implemented in Perl and reads the output of sdptool. Blueprint uses a simple text based database which contains fingerprints and information about the associated device. The implementation also combines the actual fingerprint with the manufacturer part of the BD ADDR to achieve a higher matching rate.

13.14 RELATED WORK

13.14.1 Bluetooth Device Security Database

The Bluetooth Device Security Database was created after various security related bugs were found on embedded Bluetooth devices. The btdsd project's goal is to collect information on (default) security settings of Bluetooth enabled devices. The collection shows that nearly all manufacturers have different default security settings and security features implemented. The database was used in the evaluation of the Blueprinting technique. For information on how to contribute, check the Bluetooth Device Security Database page. An entry looks like this:

version: V 5.22 15-11-02 NPL-1
date: n/a
type: mobile phone
note: vulnerable to Bluebug attack

13.14.2 Future Work

The work described here is the basis for ongoing work in this area. Continued progress relies on developing a more comprehensive set of SDP profiles, which can be sent via email. The trifinite.group is inviting everyone to contribute in all future efforts.

13.14.3 Non-SDP Fingerprinting

Blueprinting, so far, only uses the Service Discovery Protocol (SDP) information for identifying devices. In the future, data from higher and lower level protocols should be used for identification as well. Examples could be: Link Manager (LM) commands (when connecting to a specific service) or OBEX behavior.

13.14.4 Conclusions

Blueprinting is a novel method for the identification of Bluetooth-enabled devices by means of their radio interface and the Bluetooth stack of the operating system. The information gathered so far about the SDP profiles demonstrates a decreasing diversity in mobile phone operating systems. The increasing uniformity is evident from similar Blueprinting hashes even when the hardware and the manufacturer of the products differ. Given current trends, such as the prevalent usage of e.g. Symbian, the variety of Blueprinting hashes will most likely decrease in the future. The fact that many phones have the same operating system could result in serious trouble once a security flaw is discovered for a common operating system.

13.14.5 Blueprint Device Hashes

This section lists the hashes that have been collected so far. Some of the devices have multiple entries. The explanation for this is that these devices have different firmware versions that result in a different Blueprinting hash.

14. BLUETOOTH AND WINDOWS XP

Microsoft has announced support for Bluetooth in the next release of Windows XP as follows: Microsoft is creating native support in the Microsoft Windows operating system for Bluetooth wireless technology. This support is entirely new and is not based on existing software from other companies. Microsoft supports the Bluetooth technology as a wireless bus, complementing USB and IEEE 1394. The goal for Microsoft software support is to make Windows work with several types of devices that implement Bluetooth wireless technology, such as PC peripherals, PC companions, and devices bridged to network resources through a PC. Support for Bluetooth wireless technology is not in the first release of Windows XP, because there is not a sufficient array of production-quality devices that conform to the Bluetooth specification for Microsoft to test. Microsoft is actively developing support for Bluetooth technology and will ship this support in a future release. The specific delivery vehicles are to be determined.

Quality, reliability and compatibility are principal ship goals for Windows XP, and Microsoft will not compromise on the customer experience.

15. FUTURE OF BLUETOOTH

 Success of Bluetooth depends on how well it is integrated into consumer products
 Consumers are more interested in applications than the technology
 Bluetooth must be successfully integrated into consumer products
 Must provide benefits for consumers
 Must not destroy current product benefits