Having the right security implementation has become critically important in today’s connected world. Everyone enjoys digital gadgets and tools, but those devices are often susceptible to attacks without the proper protection. Thankfully, electronics manufacturers have made security a top priority. While every October there’s a heightened focus on cybersecurity with Cybersecurity Awareness Month, organizations like the Bluetooth Special Interest Group (SIG) stay vigilant all year round. Our focus on security never stops.
Bluetooth technology is now more than 20 years old, and 10 million Bluetooth devices ship every day. Many factors contribute to the longevity of the technology, but one of them is how the industry – driven by the requirements and expertise of the Bluetooth Special Interest Group (SIG) and its members – has continuously evolved to improve it, making the technology more versatile, powerful, and secure.
As with any technology we depend on, security has become a major concern, and the Bluetooth SIG and its members have stayed vigilant in protecting against bad actors. Our collaboration with the security research community has become fundamental to the continued advancement and improvement of Bluetooth technology.
We believe it’s important for the security community to understand the Bluetooth specifications. In essence, specifications state the procedures that developers use to create connections and interoperability between Bluetooth devices. More use cases for Bluetooth technology have emerged beyond audio streaming and simple data transfer to include device networks and location services. The applications for Bluetooth technology include industrial asset tracking and commercial lighting.
As Bluetooth specifications expand, the security measures they include expand as well. Bluetooth’s core specification defines the fundamental building blocks developers use to create the interoperable devices that make up the thriving Bluetooth ecosystem. But there are also more than 100 additional profile and service specifications that define how to build everything from an interoperable Bluetooth headphone to large-scale Bluetooth mesh device networks for lighting control.
Developers follow guidelines within each specification to purpose-fit their implementation as needed for their product design. Each specification has its own techniques and procedures that let developers address security precautions for their products and secure communications between Bluetooth devices.
Think of it as a tool chest that developers can select from to implement the appropriate security level for their products. Some of the security features available to developers of Bluetooth Low Energy products include:
- Encrypted communication between two Bluetooth Low Energy devices using AES in CCM mode.
- Protection against man-in-the-middle (MITM) attacks during device pairing.
- Use of elliptic curve cryptography to make the pairing procedure secure.
- Protection against device tracking through a privacy mechanism that disguises and regularly changes device addresses.
While specifications go through security reviews during the development process, it’s up to each of the Bluetooth SIG’s 36,000 members to choose the best security option necessary for their products. For example, a Bluetooth-enabled condition monitoring system in a factory would require significantly different security features than a wireless mouse. It’s up to the developer to choose the necessary security features to implement in their Bluetooth product.
Having Bluetooth specifications offer these options and flexibility makes Bluetooth technology unique among the variety of low-power wireless technologies available. These options give developers the freedom to choose the best security features for their products, but that can also mean that developers may need assistance in choosing the security features sufficient for their application.
Helping members design, develop and deploy securely
In helping members choose the appropriate security options for their applications, the Bluetooth SIG regularly publishes study guides, training videos, and a wide variety of other educational materials. These materials explain why certain security options work better than others in specific applications. They also explain the common security risks in each specification and how best to avoid them.
Common implementation best practices include:
- Following the latest version of the Bluetooth specifications to ensure developers have the most current guidance.
- Documenting the security requirements of product design so that appropriate security gets used in the implementation.
- Testing and auditing the security features of implementations.
- Ensuring that UX interfaces provide appropriate notification to users of any security or privacy issues.
- Enforcing secure coding practices in the development of any interface facing external data sources, especially wireless ones.
While these educational materials point members in the right direction, Bluetooth technology has become an open, global standard. The Bluetooth SIG and its members share the responsibility of producing secure Bluetooth devices and applications with the security research community’s help.
What happens when a researcher files a report on a flaw
The Bluetooth SIG has enjoyed a working relationship with the security research community for a long time. We encourage the ongoing review of the technology and reporting of vulnerabilities within specifications through the Bluetooth Security Response Program, which ensures that reported vulnerabilities are investigated, resolved, and communicated across our member organization.
For example, last year researchers at the École Polytechnique Fédérale de Lausanne (EPFL) helped to expose a flaw related to pairing in Bluetooth BR/EDR connections. Once reported, the Bluetooth SIG worked quickly to remedy the vulnerability, providing a recommendation for members to integrate any necessary patches while the Core Specification was updated. The collaboration between EPFL, the Bluetooth SIG, and its members ensures continuous improvement and security of the technology. Relationships like these allow us to quickly address any security issues that result from new developments in the technology.
The potential and power of Bluetooth technology continue to grow. With billions of new Bluetooth-enabled devices shipping every year, Bluetooth wireless technology has become embedded in the fabric of our lives. That is a responsibility the Bluetooth SIG and its members do not take lightly, and it is why we will always make security standards a top priority.
Martin Woolley, senior developer relations manager, EMEA, Bluetooth Special Interest Group