The following is an email I sent to NIST in response to a request for comments on the draft Guide to Bluetooth Security (NIST Special Publication 800-121 Rev. 1).
Thank you for your efforts to produce and update SP 800-121! Although I have some criticisms, your document is important and unique.
My principal concern about the guide is that the recommended practices are too weak to support the safe use of Bluetooth. Looking at the SP 800-153 draft (Guidelines for Securing Wireless Local Area Networks), I see several recommendations listed in the Executive Summary that would be just as applicable to Bluetooth:
"When planning WLAN security, consider the security not only of the WLAN itself, but also how it may affect the security of other networks."
"Have policies that clearly state which forms of dual connections are permitted or prohibited for WLAN client devices, and enforce these policies through the appropriate security controls."
"Ensure that the organization's WLAN client devices and APs have configurations at all times that are compliant with the organization's WLAN policies."
"Perform both attack monitoring and vulnerability monitoring to support WLAN security."
"Conduct regular periodic technical security assessments for the organization's WLANs."
My second concern is that it is unclear how to implement many of the recommendations. Unfortunately this is more a problem with Bluetooth itself and the available tools than with your document. Along with others in the information security community, I am working to develop Project Ubertooth into a tool that will bridge the gap as much as possible, but more needs to be done.
Third, I have some specific comments and criticisms:
It is incorrect to say that Frequency Hopping Spread Spectrum (FHSS) provides even "a limited level of transmission security." Other features of Bluetooth provide security benefits. FHSS provides interference avoidance.
It is easy to overstate the security benefits of power control. I suggest eliminating discussion of transmit power from the document.
Where you state, "If that device remained discoverable, its location could be tracked by an adversary", it should be corrected to state that discoverability is not required. See Spill/Bittau and this blog post:
Table 4-1 is an important contribution that I will recommend to many people.
Section 4.2 "Bluetooth Threats" seems weak. The list of threats is disjointed, inconsistent, and in places dated.
Thank you again for your contribution. I hope you find some of these comments helpful.
Great Scott Gadgets