Wednesday, November 16, 2011

comments on SP 800-121 Rev 1 draft

The following is an email I sent to NIST in response to a request for comments on the draft Guide to Bluetooth Security (NIST Special Publication 800-121 Rev. 1).

Thank you for your efforts to produce and update SP 800-121! Although I have some criticisms, your document is important and unique.

My principal concern about the guide is that the recommended practices are too weak to support the safe use of Bluetooth. Looking at the SP 800-153 draft (Guidelines for Securing Wireless Local Area Networks), I see several recommendations listed in the Executive Summary that would be just as applicable to Bluetooth:

"When planning WLAN security, consider the security not only of the WLAN itself, but also how it may affect the security of other networks."

"Have policies that clearly state which forms of dual connections are permitted or prohibited for WLAN client devices, and enforce these policies through the appropriate security controls."

"Ensure that the organization's WLAN client devices and APs have configurations at all times that are compliant with the organization's WLAN policies."

"Perform both attack monitoring and vulnerability monitoring to support WLAN security."

"Conduct regular periodic technical security assessments for the organization's WLANs."

My second concern is that it is unclear how to implement many of the recommendations. Unfortunately this is more a problem with Bluetooth itself and the available tools than with your document. Along with others in the information security community, I am working to develop Project Ubertooth into a tool that will bridge the gap as much as possible, but more needs to be done.

Third, I have some specific comments and criticisms:

It is incorrect to say that Frequency Hopping Spread Spectrum (FHSS) provides even "a limited level of transmission security." Other features of Bluetooth provide security benefits. FHSS provides interference avoidance.

It is easy to overstate the security benefits of power control. I suggest eliminating discussion of transmit power from the document.

Good job on citing some important work! (Spill/Bittau, Wool/Shaked)

Where you state, "If that device remained discoverable, its location could be tracked by an adversary", it should be corrected to state that discoverability is not required. See Spill/Bittau and this blog post:

Table 4-1 is an important contribution that I will recommend to many people.

Section 4.2 "Bluetooth Threats" seems weak. The list of threats is disjointed, inconsistent, and in places dated.

Thank you again for your contribution. I hope you find some of these comments helpful.


Michael Ossmann
Great Scott Gadgets


SDRGuy said...
This comment has been removed by the author.
SDRGuy said...


That isn't all:

You can generate a Bluetooth Pin code
With or without the Bluetooth devices

Meaning you CAN broadcast a Message
To the Bluetooth device(s) with ZERO interaction
with the end user.

There is a Bluetooth/GSM Exploit Auditing tool which has
yet to be released to the general public, which
demonstrates this.

We're having Attornies review this currently.


Agen Bola Terpercaya said...

I am terribly happy to scan this.
Agen bola terpercaya

Agen Bola said...

this is often the type of manual that must incline and not the random information that is at the opposite blogs. Appreciate your sharing this best posting.

Agen Bola