Bluetooth

From Deskthority wiki

Bluetooth is a short-range wireless communication protocol standard used for peripherals, operating on the 2.4 GHz band. Bluetooth host support is mostly found in laptops, tablets and cell phones but increasingly in desktop computers: especially in small form factors. There are also Bluetooth receivers for plugging into USB ports.

Bluetooth keyboards and mice typically use the "HID" protocol borrowed from USB.

Versions

Bluetooth was introduced in 1999 by the Swedish telecom company Ericsson for use with mobile phones. Version 2.0 introduced EDR (Enhanced Data Rate); the original speed is called BR ("Basic Rate").

Bluetooth Low Energy (BLE) was introduced in Bluetooth 4.0. It is actually a completely different protocol from classic Bluetooth: it had been developed at Nokia as a rival protocol before being absorbed into the Bluetooth specification in December 2009.

Peripherals using Bluetooth 4.0 or higher might use BLE instead of BR/EDR and thus not be backwards-compatible with receivers for earlier versions.

Bluetooth 4.2 introduced stronger security for BLE.

Security

The security protocols in Bluetooth are widely considered to be relatively weak. This is one reason why Bluetooth input devices are banned in many security-conscious environments.

Some Bluetooth host implementations (Apple macOS and iOS, and Linux including Android) even have a flaw that allows a keyboard to pair without any user interaction, letting an attacker inject keystrokes without being noticed. The vulnerability was supposedly fixed in Linux in 2020, but the fix was left disabled by default in most distributions.[1]

Pairing

The use of PIN codes (or QR codes) is considered insecure in classic Bluetooth below v2.1 and in BLE below v4.2. If an attacker can eavesdrop on the pairing process, the PIN can be cracked too easily and then used to derive the traffic encryption keys. Even if pairing took place in a secure location, some devices can be manipulated into restarting the pairing process.[2]

It is also important that the PIN be generated randomly each time. If a PIN (or QR code) is printed in the manual or on the back of the device, it is likely the same on every device of that type, and an attacker does not even need to crack it.

The most secure methods are numeric comparison (both devices display a number that must match) or an Out-of-Band (OOB) transfer of the initial encryption key over another channel such as USB or NFC.

There is a standard protocol for OOB pairing of both BR/EDR and BLE over NFC,[3] which is wireless but has a very short range: in practice, direct contact. NFC is common on cell phones, less so on tablets, and almost nonexistent on PCs. Current Apple iOS and Android from version 7 support NFC pairing but no other types of OOB pairing.

USB is used for out-of-band pairing of the Apple Magic Keyboard with macOS, and of controllers with various games consoles, but those protocols are proprietary.

Microsoft Windows allows BLE peripherals from the same manufacturer as the host to be pre-paired: the keys are stored in the host's UEFI BIOS and in the peripheral's firmware. However, this scheme also relies on a Microsoft-specific protocol over BLE.

Traffic

The traffic encryption algorithm in classic Bluetooth below version 4.1 is considered weak. BLE and newer classic Bluetooth use AES-CCM for traffic encryption, which is considered secure.[2]

Many devices are vulnerable to the "KNOB" attack, which exploits a weakness in the Bluetooth standard itself: when connecting (after pairing has already taken place), the devices can be coerced into using a traffic encryption key length of only one byte — which is very easy to crack. However, for the attack to work, both the host and the peripheral need to be vulnerable. All major operating systems should have received updates.[4]

Limits

Protocol

Bluetooth keyboards and mice typically use the higher layers of the HID protocol borrowed from the USB standard. Classic Bluetooth has a packet size of 8 bytes, which in effect limits keyboards to an 8-byte protocol with 6-key rollover.

Bluetooth 4.0/BLE supports packets of up to 22 bytes, and Bluetooth 4.2/BLE up to 244 bytes with the Data Length Extension.
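The following is an added example, not code from the Deskthority page: it builds and parses the 8-byte HID boot-protocol keyboard report described above, showing where the 6-key rollover limit comes from and what a keyboard sends when it is exceeded. Usage IDs follow the HID Usage Tables (0x04 = 'a'); the bitmap layout at the end is an assumed NKRO alternative that needs the larger packets BLE allows.

```python
# Added example, not from the Deskthority page: the 8-byte HID boot-protocol
# keyboard report that classic-Bluetooth (and USB) keyboards send, showing where
# the 6-key rollover limit comes from. Usage IDs follow the HID Usage Tables
# (0x04 = 'a'); the bitmap layout at the end is an assumed NKRO alternative.
from typing import Iterable

MAX_KEYS = 6                # six usage-ID slots after the modifier and reserved bytes
KEY_ERROR_ROLLOVER = 0x01   # placed in every slot when more than six keys are down
MOD_LEFT_SHIFT = 0x02       # bit 1 of the modifier byte

def boot_report(modifiers: int, keys: Iterable[int]) -> bytes:
    """Build [modifiers][reserved][key1..key6] for the pressed usage IDs."""
    codes = sorted(set(keys))
    if any(not 0x04 <= k <= 0xE7 for k in codes):
        raise ValueError("keyboard usage IDs must be in 0x04..0xE7")
    if len(codes) > MAX_KEYS:
        # Overflow: the report has no room to name the keys, so it signals ErrorRollOver.
        codes = [KEY_ERROR_ROLLOVER] * MAX_KEYS
    codes += [0x00] * (MAX_KEYS - len(codes))
    return bytes([modifiers & 0xFF, 0x00, *codes])

def parse_boot_report(report: bytes) -> dict:
    """Decode a report the way a host does; rollover_error means key state is unknown."""
    if len(report) != 8:
        raise ValueError("boot keyboard report must be exactly 8 bytes")
    modifiers, _reserved, *codes = report
    rollover = all(c == KEY_ERROR_ROLLOVER for c in codes)
    return {"modifiers": modifiers,
            "keys": [] if rollover else [c for c in codes if c],
            "rollover_error": rollover}

def bitmap_report(modifiers: int, keys: Iterable[int], highest_usage: int = 0x7F) -> bytes:
    """N-key rollover layout (one bit per usage ID after the modifier byte).
    Covering usage IDs up to 0x7F needs 17 bytes, more than the 8-byte boot
    report but within the larger packets BLE allows (assumed layout)."""
    out = bytearray(1 + (highest_usage + 8) // 8)
    out[0] = modifiers & 0xFF
    for k in set(keys):
        if not 0x04 <= k <= highest_usage:
            raise ValueError(f"usage ID {k:#x} outside the bitmap")
        out[1 + k // 8] |= 1 << (k % 8)
    return bytes(out)

if __name__ == "__main__":
    print(boot_report(MOD_LEFT_SHIFT, [0x04, 0x05]).hex())      # 0200040500000000
    print(parse_boot_report(boot_report(0, range(0x04, 0x0B))))  # 7 keys -> rollover error
    print(len(bitmap_report(0, [0x04, 0x7F])))                   # 17
```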

Pairing and Connection

In theory, up to seven devices can be connected to a host-side receiver at once, but in practice only three to four active devices are considered usable at once because they share bandwidth. There are many other devices and protocols on the 2.4 GHz band, and interference from those can lower the practical limit even further.[5]

Hosts may also limit the number of simultaneously connected devices with the same profile: for instance, allowing only one headset at a time but multiple keyboards.

The Bluetooth standard allows a host receiver to pair with up to 255 devices, but the actual limit may be smaller depending on the receiver. If the peripheral supports it, it can be paired with up to five hosts but connected to only one at a time, unless it has "multipoint functionality".

Speed

Both classic Bluetooth and BLE send packets at periodic intervals, which affects latency. Wireless protocols are also susceptible to interference, and if a packet is lost it will not be re-transmitted until the next time slot.

The scheduling, including the "connection interval" between reports, is controlled by the host ("central") and varies with the operating system and network conditions.

The minimum connection interval allowed by the BLE spec is 7.5 ms, but operating systems may impose a larger minimum. For instance, some versions of Apple iOS have an 11.25 ms minimum for BLE-HID (input devices) but 30 ms for other types of connections.[6] The connection interval can also be larger if the device asks for a larger interval, and a host with many connected devices will choose a larger interval so that it can schedule time slots for all connections. The maximum connection interval allowed by the BLE-HID specification is 50 ms.

The data transfer speed is rated at between 1 and 3 megabit/second, but that rate applies only during the time slot in which a device is actually transmitting. Starting with BLE in Bluetooth 5, a packet can be sent either at double the speed (which saves battery) or at ½ or ⅛ the speed with more resilience against transmission errors. (The lower-speed modes are actually intended to increase range without increasing signal strength.)
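As an added illustration of the scheduling described in this section (not code from the page or from any Bluetooth stack), the following model uses the page's figures to show how a host clamps a requested connection interval, what a lost packet costs in latency, and why a large Data Length Extension packet cannot fit in the shortest interval on the slowest Bluetooth 5 coded mode. The 1.25 ms interval unit is from the BLE specification; the air-time calculation counts payload bits only, which is a simplification.

```python
# Added example, not from the Deskthority page: a small model of BLE-HID
# connection-interval scheduling using the figures quoted on the page.
# Simplifications are marked; a real host stack also accounts for packet overhead.
import math

UNIT_MS = 1.25          # BLE connection intervals are multiples of 1.25 ms
SPEC_MIN_MS = 7.5       # smallest interval the BLE spec allows
HID_MAX_MS = 50.0       # largest interval the BLE-HID spec allows
IOS_HID_MIN_MS = 11.25  # iOS minimum for BLE-HID quoted on the page

# Bluetooth 5 PHY rates in bits per millisecond: 2M doubles the 1M baseline,
# the coded modes S2 and S8 run at 1/2 and 1/8 of it for longer range.
PHY_BITS_PER_MS = {"1M": 1000, "2M": 2000, "S2": 500, "S8": 125}

def negotiate_interval(requested_ms: float, host_min_ms: float = SPEC_MIN_MS) -> float:
    """Clamp a peripheral's requested interval to [host minimum, HID maximum]
    and round it up to the next 1.25 ms unit, as a central would."""
    low = max(SPEC_MIN_MS, host_min_ms)
    clamped = min(max(requested_ms, low), HID_MAX_MS)
    units = math.ceil(clamped / UNIT_MS - 1e-9)   # guard against float noise
    return units * UNIT_MS

def worst_case_latency_ms(interval_ms: float, lost_packets: int = 0) -> float:
    """A key pressed just after a slot waits one full interval; every lost packet
    costs one more interval because retransmission waits for the next slot."""
    return interval_ms * (1 + lost_packets)

def air_time_ms(payload_bytes: int, phy: str = "1M") -> float:
    """Time one packet's payload spends on air at the given PHY
    (simplified: payload bits only, no preamble, header or CRC)."""
    return payload_bytes * 8 / PHY_BITS_PER_MS[phy]

def fits_in_interval(payload_bytes: int, interval_ms: float, phy: str = "1M") -> bool:
    """Can one packet of this size be sent within one connection interval?"""
    return air_time_ms(payload_bytes, phy) <= interval_ms

def max_report_rate_hz(interval_ms: float) -> float:
    """Upper bound on input reports per second with one report per interval."""
    return 1000.0 / interval_ms

if __name__ == "__main__":
    iv = negotiate_interval(7.5, IOS_HID_MIN_MS)          # iOS raises it to 11.25 ms
    print(f"interval {iv} ms -> {max_report_rate_hz(iv):.1f} reports/s, "
          f"{worst_case_latency_ms(iv, lost_packets=1)} ms worst case after one loss")
    # A 244-byte DLE packet on the 1/8-rate coded PHY no longer fits in a 7.5 ms slot.
    print(fits_in_interval(244, SPEC_MIN_MS, "S8"))       # False
```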

Trivia

The name refers to the historic Nordic king Harald Gormsson ( - 985 AD), better known as "Harald Bluetooth". The protocol's symbol combines the Nordic runes for H and B. A popular tale is that "Bluetooth" had poor dental hygiene, but it is more likely that it was the name of his sword — one made of blued steel.

References

  1. SkySafe on GitHub—Hi, My Name Is Keyboard: CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection in Android, Linux, macOS and iOS. Disclosed 2023-12-06. Retrieved 2023-12-16.
  2. Pomcor—Has Bluetooth Become Secure? By Francisco Corella. Dated 2015-06-03. Retrieved 2020-04-10.
  3. NFC Forum—Bluetooth® Secure Simple Pairing Using NFC (PDF). Version 1.2. Dated 2019-05-31. Retrieved 2020-04-10.
  4. Ars Technica—New Attack exploiting serious Bluetooth weakness can intercept sensitive data. By Dan Goodin. Published 2019-08-17. Retrieved 2019-08-18.
  5. Apple—Using a Bluetooth mouse, keyboard, or trackpad with your Mac. Dated 2018-11-26. Retrieved 2019-01-13.
  6. Punch Through—Maximizing BLE Throughput on iOS and Android. Dated 2016-04-03. Retrieved 2020-04-02.