Many road accidents are the result of human error in judgment, and thousands of lives are lost to them every year. Such accidents could be avoided if there were a mechanism to alert the driver of approaching danger. One way to do this is to monitor the distance to nearby cars and alert the driver whenever that distance becomes too short. That is precisely the aim of this paper: we propose using Bluetooth technology to check the speed of a car whenever it comes dangerously close to the vehicle in front, thereby saving many lives.
CONTENTS:
1. INTRODUCTION
2. ROAD ACCIDENT STATISTICS
3. OPERATION
4. AUTOMATIC BRAKING SYSTEM
5. REPRESENTATION OF OUR IDEA
6. CONCLUSION
7. REFERENCES
INTRODUCTION
A Bluetooth piconet consists of one master and up to seven active slaves, so one device can communicate with up to seven others at a time; a car could therefore monitor and check the speeds of up to seven nearby cars simultaneously. If two cars each carry a Bluetooth-enabled device, the devices automatically communicate with each other when they come within range, which is up to 100 meters for the highest power class. The range depends on the power class of the product, and the transmit power of a particular unit varies with its power-saving features, bandwidth requirements and required transmission distance. The statistics on road accidents are striking and highlight the need for such a system. The following is a statistic on the number of road accidents occurring each year.
OPERATION:
Cars traveling at high speed can collide before the driver has time to react. Figure 2 shows that when two or more cars come within a distance of 10 km of each other at high speed there is a possibility of an accident. The Bluetooth radio is a short-range, low-power radio operating in the unlicensed 2.4 GHz spectrum. A class 1 radio transmits at a nominal 20 dBm (100 mW), which gives a range of about 100 meters (about 328 feet), so two pieces of equipment must be within 100 meters of each other to communicate using the Bluetooth standard. With this technology one master can exchange data with up to seven slaves; the group of up to eight devices is known as a piconet. Here we have a piconet and a scatternet: in the piconet M is the master and S1 to S7 are the slaves.
Radio communication is subject to noise and interference, since the 2.4 GHz band is shared by every device in the piconet and by other equipment nearby. The Bluetooth specification addresses this with spread spectrum: the Bluetooth radio hops rapidly among different frequencies. There are 79 hop channels, spaced 1 MHz apart, starting at 2.402 GHz and ending at 2.480 GHz, and Bluetooth avoids interference by hopping among these 79 frequencies 1600 times per second. To use this for accident prevention, each car is equipped with a Bluetooth transmitter and receiver, and each car carries a small computer that monitors its position relative to the other cars.
When two cars come close together, the Bluetooth device sends a warning signal to the other car. Based on the type of warning signal received, the computer sends a signal to the brake control system to slow the car down. There are several types of control signal: one type controls the speed of the car, and another type is used when overtaking the car ahead.
AUTOMATIC BRAKING SYSTEM:
The automatic brake system is the next-generation braking system for controlling the speed of the car. On receiving the control signal from the other car, the computer inside the car processes the signal and sends a control signal to the braking system. There are four main components to an automatic braking system:
The computer constantly monitors the distance between the cars, and when it senses that the car is getting too close it moves the hydraulic valves to increase the pressure in the braking circuit, effectively increasing the braking force on the wheels. When the distance between two vehicles falls within 100 m the Bluetooth devices are enabled, and when it falls within 10 m the automatic braking system takes control. Once the speed of the car has been reduced and the distance has increased, the hydraulic valves decrease the pressure in the braking circuit, reducing the braking force on the wheels. The hydraulic valves have three positions:
In position one, the valve is open; pressure from the master cylinder is passed straight through to the brake.
In position two, the valve blocks the line, isolating that brake from the master cylinder. This prevents the pressure from rising further should the driver push the brake pedal harder.
In position three, the valve releases some of the pressure from the brake.
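The decision logic of the scheme described above, written out as an added example (this is not code from the paper). The 100 m link range and the 10 m braking distance are the paper's figures; the message fields, the 3-second time-to-collision rule for sending a warning, the 15 m release distance used as hysteresis, and the mapping of actions onto the three valve positions are assumptions made here for illustration.

```python
"""Warning and automatic-braking controller for the car-to-car Bluetooth
scheme.  Added example, not the paper's code.  Figures marked "from the text"
are the paper's; everything else is an assumption for illustration."""
from dataclasses import dataclass
from enum import Enum

LINK_RANGE_M = 100.0       # Bluetooth devices are enabled within 100 m (from the text)
BRAKE_DISTANCE_M = 10.0    # automatic braking takes control within 10 m (from the text)
RELEASE_DISTANCE_M = 15.0  # assumed hysteresis: release only once the gap has reopened
WARN_TTC_S = 3.0           # assumed: warn the other car if contact is under 3 s away


class Action(Enum):
    IGNORE = "ignore"    # distance beyond what a live link could report: treat as stale
    NONE = "none"        # in range, nothing to do
    WARN = "warn"        # send a warning signal to the other car
    BRAKE = "brake"      # valve position 1: let pressure build on the brake circuit
    HOLD = "hold"        # valve position 2: block the line, pressure cannot rise further
    RELEASE = "release"  # valve position 3: bleed pressure off the brake


# Assumed mapping of each action onto the three valve positions in the text
# (position 1, open, is also the normal state when nothing is happening).
VALVE_POSITION = {
    Action.IGNORE: 1, Action.NONE: 1, Action.WARN: 1,
    Action.BRAKE: 1, Action.HOLD: 2, Action.RELEASE: 3,
}


@dataclass
class WarningMessage:
    """One message from the other car's Bluetooth device (assumed layout)."""
    sender: str          # Bluetooth device address of the sending car
    distance_m: float    # separation estimated by the sender
    closing_mps: float   # closing speed; positive means the gap is shrinking


def time_to_collision(distance_m: float, closing_mps: float) -> float:
    """Seconds until contact at the current closing speed (inf if not closing)."""
    if closing_mps <= 0:
        return float("inf")
    return distance_m / closing_mps


class BrakeController:
    """Tracks whether the automatic brake currently holds control of the car."""

    def __init__(self) -> None:
        self.braking = False

    def step(self, w: WarningMessage) -> Action:
        # A separation beyond the link range cannot come from a live
        # Bluetooth link, so do not act on it.
        if w.distance_m > LINK_RANGE_M:
            return Action.IGNORE
        if w.distance_m <= BRAKE_DISTANCE_M and w.closing_mps > 0:
            self.braking = True
            return Action.BRAKE
        if self.braking:
            if w.distance_m < RELEASE_DISTANCE_M:
                return Action.HOLD       # gap still small: hold the pressure
            self.braking = False
            return Action.RELEASE        # gap reopened: bleed pressure, hand back control
        if time_to_collision(w.distance_m, w.closing_mps) < WARN_TTC_S:
            return Action.WARN
        return Action.NONE


def run(readings) -> list:
    """Feed (distance_m, closing_mps) readings through one controller in order."""
    ctrl = BrakeController()
    return [ctrl.step(WarningMessage("car-B", d, v)) for d, v in readings]


if __name__ == "__main__":
    # Constructed sample: car B closes in, gets braked, then the gap reopens.
    sample = [(120, 5), (80, 5), (40, 20), (9, 5), (12, -2), (30, -2), (40, -2)]
    for (d, v), action in zip(sample, run(sample)):
        print(f"{d:5.0f} m {v:+5.1f} m/s -> {action.value:8s} valve {VALVE_POSITION[action]}")
```

The paper does not say how the receiving car tells a genuine warning from a stale or malformed one; the only check the example makes is to drop a message that claims a separation the radio link could not support. Everything past the `WARN` decision depends on the closing speed staying positive, so a sender that reports distance without a sign on the speed would never trigger braking.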
REPRESENTATION OF OUR IDEA:
When car A and car B come within 100 m of each other, both Bluetooth devices are enabled. If either car is approaching too fast, its Bluetooth device sends a warning signal to the other car, which processes the signal and passes it to the automatic braking system.
Figure: car A sends the warning signal; car B receives the signal and controls the speed of the car within 10 m.
CONCLUSION:
Bluetooth technology is being widely adopted by industry leaders, and the range of new applications this versatile technology makes possible is exciting. It offers a simple, logical answer to the connectivity problem: build a single common radio into every mobile computer, and neither do companies have to worry about WAN links nor do communication companies need to build external cables. The Bluetooth communication device is thus a small, low-powered radio on a chip that talks to other Bluetooth-enabled products. Bluetooth was designed to solve a number of connectivity problems experienced by mobile workers and consumers; the same technology can make electronic devices more user-friendly and help address other problems, such as accidents.
REFERENCES:
1. http://www.howstuffworks.com
2. http://www.wikipedia.com
3. http://www.bluetooth.com
4. http://www.silicon.com
5. IEEE journals
Reference: http://www.seminarprojects.com/Thread-accident-prevention-using-wireless-communication-full-report#ixzz1C6vjlbIf
A SEMINAR REPORT ON “BLUETOOTH”
SUBMITTED IN PARTIAL FULFILLMENT FOR THE AWARD OF THE DEGREE OF BACHELOR OF TECHNOLOGY IN ELECTRONICS ENGINEERING
SUBMITTED TO: Er. NARANG (Lec
SUBMITTED BY: Sunil Panjeta, 1805262, ECN-3
HARYANA ENGINEERING COLLEGE, JAGADHRI (2005-2009)
1. INTRODUCTION
When you use computers, entertainment systems or telephones, the various pieces communicate with each other using a variety of wires, cables, radio signals and infrared light beams, and an even greater variety of connectors, plugs and protocols.
There are lots of different ways that electronic devices can connect to one another. For example:
• Component cables
• Electrical wires
• Ethernet cables
• WiFi
• Infrared signals
The art of connecting things is becoming more and more complex every day. In this
streamline the process. A Bluetooth connection is wireless and automatic, and it has a
Bluetooth is a wireless technology specifically designed for short range (10-100 meters) with modest performance (about 780 kbps), dynamically configurable ad hoc networking and low power. It is well suited to handheld applications and supports both voice and data. It uses the 2.4 GHz unlicensed ISM band with frequency hopping spread spectrum radio for higher interference immunity, supports point-to-point and point-to-multipoint connections over a single radio link, is designed to provide low-cost, robust, efficient, high-capacity voice and data networking, and uses a combination of circuit and packet switching.
Bluetooth wireless technology is finally here. Originally conceived as a low-power, short-range radio technology designed to replace cables for interconnecting devices such as printers, keyboards and mice, its perceived potential has evolved into far more sophisticated usage models. The requirement to do this in a totally automated, seamless and user-friendly fashion, without adding appreciable cost, weight or power drain
Bluetooth devices can form piconets of up to seven slaves and one master, enabling discovery of services and subsequent implementation of many varied usage models including wireless headsets, Internet bridges, and
shorter distances and are designed to solve different problems. The Bluetooth SIG publishes the Bluetooth specification. The IEEE has formed the 802.15 working group to define standards for wireless PANs; the 802.15.1 standard for WPANs is modeled on the Bluetooth specification from the Bluetooth SIG. Microsoft has announced support for Bluetooth in the next release of Windows XP. The waters of Bluetooth security have yet to be tested. However, the Bluetooth specification has a robust key management
2. BLUETOOTH
“Bluetooth wireless technology is an open specification for a low-cost, low-
What is Bluetooth?
Fig 1 (a), (b): Bluetooth connecting example
2.1 TIMELINE
1998: Bluetooth SIG formed: Ericsson, Intel, IBM, Nokia & Toshiba
2005:
Open Specification
Worldwide Usability
Ad-hoc networks
Data/voice access points
Wireless telematics
• Printers
• PDAs
• Cell phones
• Wireless peripherals:
• Headsets
• Cameras
• CD Player
• TV/VCR/DVD
• Access Points
• Cordless Phones
• Cars
Example:
➢ Simple to install and expand
➢ Need not be in line of sight
➢ Low cost
➢ Perfect for file transfer and printing applications
➢ Simultaneous handling of data and voice on the same channel
➢ Easy to handle
2.5 APPLICATIONS OF BLUETOOTH
2. Hidden Computing.
Spectrum: 2.4 GHz ISM band (79 channels)
Transmit power: 1 mW – 100 mW
Data rate: 1 Mbps
Range: 30 ft (10 m)
Supported stations: 8 devices
Module size: 9 x 9 mm
2.7 A Comparison
For those who know little about the technology, and even for those who are more than a little acquainted with
it, the name Bluetooth may seem odd. You may wonder, in fact, how it relates to wireless technology, or
speculate that perhaps it’s derived somehow from the founding members of the SIG. Neither of these ideas is
correct.
The name is a romantic gesture that in some sense indicates the excitement the technology generates as well as
the belief in its value as a revolutionary concept. To combine these qualities in a name required ingenuity and
delving into the past. The name Bluetooth comes from Danish history. Harald Blatand, who was called
Bluetooth, was the son of King Gorm the Old, who ruled Jutland, the main peninsula of Denmark. By the time
Harald became king, he was a skilled Viking warrior. So, when his sister asked for help to secure control in
Norway after her husband died, Harald quickly seized the opportunity to unite the countries and expand his
kingdom. By 960 A.D. according to the story, Harald was at the height of his powers, and ruled both Denmark
and Norway. He was later credited with bringing Christianity to his Viking realm.
Although it’s popularly believed that King Harald had a blue tooth, and various stories explain how this came
about, it’s more likely that the Bluetooth name is the English derivative of the original Viking word, Blåtand.
wireless technology because its developers and promoters hope it will unite the mobile
4.
Bluetooth takes small-area networking to the next level by removing the need for user
Picture this: You're on your Bluetooth-enabled cell phone, standing outside the door to
your house. You tell the person on the other end of the line to call you back in five
minutes so you can get in the house and put your stuff away. As soon as you walk in the
house, the map you received on your cell phone from your car's Bluetooth-enabled GPS
phone picked up a Bluetooth signal from your PC and automatically sent the data you
designated for transfer. Five minutes later, when your friend calls you back, your
Bluetooth-enabled home phone rings instead of your cell phone. The person called the
same number, but your home phone picked up the Bluetooth signal from your cell phone
and automatically re-routed the call because it realized you were home. And each
transmission signal to and from your cell phone consumes just 1 milliwatt of power, so
standard.
• when bits are sent, how many will be sent at a time, and how the parties in a conversation can be sure that the message received is the same as the message sent.
The big draws of Bluetooth are that it is wireless, inexpensive and automatic. There are other ways to get around using wires, including infrared communication. Infrared (IR) refers to light waves of a lower frequency than human eyes can receive and interpret. Infrared is used in most television remote control systems. Infrared communications are fairly reliable and don't cost very much to build into a device, but there are a couple of drawbacks. First, infrared is a "line of sight" technology. For example, you have to point the remote control at the television or DVD player to make things happen. The second drawback is that infrared is almost always a "one to one" technology. You can send data between your desktop computer and your laptop computer, but not your laptop computer and your PDA at the same time. (See How Remote Controls Work to learn more about
transmitters and receivers have to be lined up with each other, interference between
infrared receivers.
Fig: Photo courtesy Bluetooth SIG
Bluetooth is intended to get around the problems that come with infrared systems. The older Bluetooth 1.0 standard has a maximum transfer speed of 1 megabit per second (Mbps), while Bluetooth 2.0 can manage up to 3 Mbps. Bluetooth 2.0 is backward-
Bluetooth networking transmits data via low-power radio waves. It communicates on a frequency of 2.45
gigahertz (actually between 2.402 GHz and 2.480 GHz, to be exact). This frequency band has been set aside by
international agreement for the use of industrial, scientific and medical devices (ISM).
A number of devices that you may already use take advantage of this same radio-frequency band. Baby monitors, garage-door openers and the newest generation of cordless phones all make use of frequencies in the ISM band. Making sure that Bluetooth and these other devices don't interfere with one another has been a crucial part of the design process.
One of the ways Bluetooth devices avoid interfering with other systems is by sending out very weak signals of
about 1 milliwatt. By comparison, the most powerful cell phones can transmit a signal of 3 watts. The low
power limits the range of a Bluetooth device to about 10 meters (32 feet), cutting the chances of interference
between your computer system and your portable telephone or television. Even with the low power, Bluetooth
doesn't require line of sight between communicating devices. The walls in your house won't stop a Bluetooth
signal, making the standard useful for controlling several devices in different rooms.
Bluetooth can connect up to eight devices simultaneously. With all of those devices in the same 10-meter (32-foot) radius, you might think they'd interfere with one another, but it's unlikely. Bluetooth uses a technique called frequency hopping spread spectrum that makes it rare for more than one device to be transmitting on the same frequency at the same time. In this technique, a device will use 79 individual, randomly chosen frequencies within a designated range, changing from one to another on a regular basis. In the case of Bluetooth, the transmitters change frequencies 1,600 times every second, meaning that more devices can make full use of a limited slice of the radio spectrum. It is unlikely that two transmitters will be on the same frequency at the same time. This same technique minimizes the risk that portable phones or baby monitors will disrupt Bluetooth devices, since any interference on a particular frequency will last only a tiny fraction of a second.
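A check on the "unlikely to collide" claim, for this passage and for the frequency-hopping description in the OPERATION section of the first paper, added here as an example (not code from the report). The numbers are the page's own: 79 channels 1 MHz apart from 2.402 GHz to 2.480 GHz and 1,600 hops per second. The real baseband derives each piconet's hop sequence from the master's clock and address; drawing the sequence uniformly at random is an assumption that keeps the example self-contained.

```python
"""Monte Carlo estimate of how often independently hopping piconets land on the
same channel in the same slot.  Added example, not code from the report."""
import random

CHANNELS = 79            # 79 hop channels, 1 MHz apart (from the text)
BASE_MHZ = 2402          # channel 0 is 2.402 GHz, channel 78 is 2.480 GHz
HOPS_PER_SECOND = 1600   # one slot is 1/1600 s = 625 microseconds


def channel_mhz(channel: int) -> int:
    """Centre frequency in MHz of a hop channel index."""
    if not 0 <= channel < CHANNELS:
        raise ValueError("channel index out of range")
    return BASE_MHZ + channel


def hop_sequence(rng: random.Random, slots: int) -> list:
    """One uniformly random channel per slot (assumed stand-in for the clock-derived sequence)."""
    return [rng.randrange(CHANNELS) for _ in range(slots)]


def expected_collision_fraction(n_piconets: int) -> float:
    """Exact probability that at least two of n piconets share a channel in one slot."""
    clear = 1.0
    for i in range(n_piconets):
        clear *= (CHANNELS - i) / CHANNELS   # i-th piconet avoids the i channels already taken
    return 1.0 - clear


def simulate(n_piconets: int, seconds: float, seed: int = 1) -> dict:
    """Hop n piconets side by side and measure how often any two collide."""
    rng = random.Random(seed)
    slots = int(seconds * HOPS_PER_SECOND)
    sequences = [hop_sequence(rng, slots) for _ in range(n_piconets)]
    collided = 0
    longest_run = run = 0
    for t in range(slots):
        used = {seq[t] for seq in sequences}
        if len(used) < n_piconets:       # some channel is used twice in this slot
            collided += 1
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return {
        "slots": slots,
        "collision_fraction": collided / slots,
        "longest_collision_s": longest_run / HOPS_PER_SECOND,
    }


if __name__ == "__main__":
    for n in (2, 8):
        r = simulate(n, seconds=5)
        print(f"{n} piconets: measured {r['collision_fraction']:.4f}, "
              f"expected {expected_collision_fraction(n):.4f}, "
              f"longest collision {r['longest_collision_s'] * 1000:.2f} ms")
```

For two piconets the measured fraction settles near 1/79 (about 1.3% of slots), and a collision lasts a slot or two, which is the "tiny fraction of a second" the text describes. The same function shows the limit of the claim: with eight independent piconets in range, roughly 30% of slots carry a collision somewhere, so "unlikely" holds for a room with a couple of piconets, not for a dense one.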
When Bluetooth-capable devices come within range of one another, an electronic conversation takes place to determine whether they have data to share or whether one needs to control the other. The user doesn't have to press a button or give a command; the electronic conversation happens automatically. Once the conversation has occurred, the devices, whether they're part of a computer system or a stereo, form a network. Bluetooth systems create a personal-area network (PAN), or piconet, that may fill a room or may encompass no more
the headset on your head. Once a piconet is established, the members randomly hop frequencies in unison so they stay in touch with one another and avoid other piconets that may be operating in the same room.
5. THE PROMISE OF BLUETOOTH – WHAT IT CAN DO
The promise of Bluetooth is extremely ambitious. If Bluetooth lives up to its potential, it will revolutionize the
way people interact with information technology. Originally conceived as a low-power short-range radio
technology designed to replace cables for interconnecting devices such as printers, keyboards, and mice, its
perceived potential has evolved into much more. It has given rise to the concept of the Personal Area Network
(PAN), a technology of convenience where everything within the Personal Operating Space (POS) of an
individual that is related to communicating information (both voice and data) is automatically tied into a
seamless peer-to-peer network that self-configures to make information easily accessible. Scenarios for its
usage are many and diverse and are only limited by the imaginations of the companies that create the products.
5.1 COMPARED WITH WIRELESS LANS
There is even talk of Bluetooth competing with WLANs, but Bluetooth products work
over shorter distances and are designed to solve different problems. While the
of a Bluetooth component requires a host. The host can be any number of Bluetooth
enabled devices such as cell phones, headsets, keyboards, PDAs, vending machines,
The leading adoption of Bluetooth will initially be in the arena of mobile phones. Nearly every major
mobile phone manufacturer has already released Bluetooth-enabled models of their popular phones. The
driver for this adoption is the ability to use a wireless headset with the phone. The impact of mobile phone
radiation on health has been under scrutiny for some time, especially since the phone is usually held near the
head. The radio frequency energy emitted by a Bluetooth wireless headset is a fraction of that emitted by a
Bluetooth wireless technology can be used to allow a mobile phone or cordless modem to provide Dial-
Up Networking (DUN) capabilities for a PC, allowing it to connect to the Internet without a physical phone
line. This enables a laptop to automatically utilize the user’s nearby cell phone to dial and connect to a dial-up
service. The user doesn’t need to touch the phone, which might be in a briefcase or coat pocket.
5.2.3 File Exchange
The ability to perform peer-to-peer file exchange without the presence of a network infrastructure has
many advantages. For example, a salesperson may choose to share the contents of an electronic slide
presentation (as well as datasheets, business cards, and other electronic collateral) with the audience. Bluetooth
enables the automatic detection of any Bluetooth devices in the room, enabling the transfer (with the receiver’s
permission) of all selected files. (This could also be done with a wireless LAN, but all parties involved would
have to configure their clients to use compatible network settings. This is not required for Bluetooth.)
5.2.4 Synchronization
Bluetooth allows for data synchronization between devices. For example, a desktop computer that is
Bluetooth enabled can wirelessly synchronize its contact list, task information, calendar, etc., to a user’s phone,
PDA, or notebook. Several Bluetooth-based synchronization models already exist for both Pocket PC and
Palm-based PDAs.
5.2.5 Printing
HP is making printers and notebooks with embedded Bluetooth technology. Bluetooth-enabled devices
can automatically detect Bluetooth-enabled printers in their area and wirelessly send documents to the printer
without going through lengthy network and printing setup processes. Mobile users who frequently visit remote
offices will find Bluetooth printing a significant improvement in convenience to their current experience.
5.3 AN ENGINEERING CHALLENGE
The demands of creating Bluetooth-enabled products are very challenging. Bluetooth must have a very flexible application topology. For example, you might want your PDA to be able to communicate with any nearby printer, but do you want your cell phone to send its audio to any nearby hands-free headset?
Bluetooth must be automatically configurable. If a Bluetooth product can’t figure out whom it should and shouldn’t talk to and how, the marketplace will consider it
Bluetooth must have quality of service (QoS) features to support voice.
No one wants cell phones with shorter battery life, so the power required to
No one wants PDAs that are larger, so adding Bluetooth capability to a device
In order to replace cables, Bluetooth cannot cost more than cables. This means that Bluetooth technology cannot add more than $5 to the cost of the host device.
The phrase “Wireless connections made easy,” which is printed on the cover page of the more than 1,500 pages of engineering specifications that define Bluetooth, means easy for the user, but hard for the engineers designing the products. For the reasons outlined above, Bluetooth presents some of the most demanding engineering challenges in the telecommunications arena, and products are only just now beginning to appear on the market.
5.4 BLUETOOTH PRODUCT CERTIFICATION
The Bluetooth Special Interest Group (SIG) is a group of companies that cooperate to define Bluetooth
standards and qualify Bluetooth products. A product that has passed certain testing criteria can be stamped
Any Bluetooth device can be a master or a slave, depending on the application scenario. Bluetooth employs
frequency hopping spread spectrum (FHSS) to communicate. So in order for multiple Bluetooth devices to
communicate, they must all synchronize to the same hopping sequence. The master sets the hopping sequence,
and the slaves synchronize to the Master. A piconet is formed by a master and up to seven active slaves. The
slaves in a piconet only communicate with the master. A scatternet can be formed by linking two or more
piconets. When a device is present in more than one piconet, it must time-share and synchronize to the master
Bluetooth networks are far more diverse and dynamic. They are constantly being
formed,
modified, and dissolved, as Bluetooth devices move in and out of range of one another. And because different
Bluetooth devices can represent many different usage profiles, there are many different ways in which Bluetooth
The concept of service discovery is utilized to determine what kind of Bluetooth devices are present and what
services they desire or offer. When a Bluetooth device requires a service, it begins a discovery process by
sending out a query for other Bluetooth devices and the information needed to establish a connection with
them. Once other Bluetooth devices are found and communication is established, the Service Discovery
Protocol (SDP) is utilized to determine what services are supported and what kinds of connections should be
made. In order for the above to happen, devices willing to connect must be located. Some devices may be set
up so that they are invisible. In this case, they can scan for other Bluetooth devices, but will not respond if they
are likewise queried. Applications determine whether a device is connectable or discoverable, and thus
Once a connection has been established between two devices, an Asynchronous Connection-Less (ACL) link is formed between them. An ACL link provides packet-switched communication and is the most common link used to handle data traffic. A master has the option to change an ACL link to a Synchronous Connection-Oriented (SCO) link. An SCO link provides a QoS feature by reserving time slots for transmission of time-critical information such as voice. A piconet can have up to three full-duplex voice links.
6.4 STANDARD PROFILES TO ENABLE USAGE MODELS.
The number and variety of different Bluetooth usage models mean that Bluetooth devices must draw on a
large collection of different protocols and functions to implement a specific usage model. In order to ensure
that all usage models will work among devices from many different manufacturers, this collection of protocols
and functions must be standardized. Bluetooth profiles are standardized definitions of protocols and functions
required for specific kinds of tasks. The current Bluetooth Standard 1.1 contains 13 profiles, with more being
continually added. One or more of these profiles are utilized when implementing various usage models. Some
profiles are dependent upon others. Some of the most basic are:
6.4.1 Generic Access Profile (GAP)
This profile is required by all usage models and defines how Bluetooth devices discover and connect to
one another, as well as defines security protocols. All Bluetooth devices must conform to at least the GAP to
devices.
The SDAP uses parts of the GAP to define the discovery of services for Bluetooth
devices.
This profile defines how to set up and connect virtual serial ports between two devices. This serial cable
emulation can then be used for tasks such as data transfer and printing.
6.4.4 GENERIC OBJECT EXCHANGE PROFILE (GOEP)
GOEP is dependent on the Serial Port Profile and is used by applications to handle object exchanges. This
capability is then used, in turn, by other profiles to perform such functions as Object Push, File Transfer, and
This profile is used for the exchange of small objects, such as electronic calling cards.
6.4.7 SYNCHRONIZATION
devices.
New profiles not yet part of the standard include the following: a Basic Printing Profile to facilitate printing of
text emails, short messages, and formatted documents; a Hands Free Profile to enable a mobile phone to be
used with a hands-free device in a car; a Basic Imaging Profile enabling Bluetooth devices to negotiate the size
and encoding of exchanged images; and a Hardcopy Cable Replacement Profile, used by devices such as
to operate at a power level of 0 dBm (1 mW), which provides a range of up to 10 m. Class 2 devices can use as much as 4 dBm (2.5 mW) output power, and class 1 devices can use up to 20 dBm (100 mW). Class 1 devices can have a range of up to 100 m. Bluetooth class 2 and 3 devices can optionally implement adaptive power control. Required for class 1 devices, this mechanism allows a Bluetooth radio to reduce power to the minimum level required to maintain its link, thus saving power and reducing the potential
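A worked range estimate for these power classes, added here as an example (not from the report). The class powers and the nominal 10 m and 100 m ranges are the page's figures. The -70 dBm receiver sensitivity is the specification's minimum requirement and is stated as an assumption, as are 0 dBi antennas, free-space propagation, and a 10 dB fading margin, chosen because it is the margin that reproduces the nominal ranges.

```python
"""Free-space link budget for Bluetooth power classes 1 to 3.  Added example,
not code from the report; see the lead-in for which figures are assumptions."""
import math

CLASS_TX_DBM = {1: 20, 2: 4, 3: 0}   # transmit power per class (from the text)
RX_SENSITIVITY_DBM = -70             # assumption: specification's minimum sensitivity
FREQ_MHZ = 2441                      # middle of the 2.402-2.480 GHz band
FSPL_CONST_DB = 27.55                # 20*log10(4*pi/c) for d in metres and f in MHz


def dbm_to_mw(dbm: float) -> float:
    """Power in milliwatts from a dBm figure (20 dBm -> 100 mW)."""
    return 10 ** (dbm / 10)


def free_space_path_loss_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """FSPL(dB) = 20 log10(d) + 20 log10(f) - 27.55, with d in metres and f in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - FSPL_CONST_DB


def max_range_m(tx_dbm: float, rx_sens_dbm: float = RX_SENSITIVITY_DBM,
                margin_db: float = 10.0) -> float:
    """Largest distance at which the received signal still clears sensitivity plus margin."""
    budget_db = tx_dbm - rx_sens_dbm - margin_db
    # Invert the path-loss formula for d.
    return 10 ** ((budget_db - 20 * math.log10(FREQ_MHZ) + FSPL_CONST_DB) / 20)


def link_range_m(tx_a_dbm: float, rx_a_dbm: float,
                 tx_b_dbm: float, rx_b_dbm: float, margin_db: float = 10.0) -> float:
    """A two-way link is bounded by its weaker direction (A's tx into B's rx, and back)."""
    return min(max_range_m(tx_a_dbm, rx_b_dbm, margin_db),
               max_range_m(tx_b_dbm, rx_a_dbm, margin_db))


if __name__ == "__main__":
    for cls, tx in CLASS_TX_DBM.items():
        print(f"class {cls}: {tx:3d} dBm = {dbm_to_mw(tx):6.1f} mW, ~{max_range_m(tx):6.1f} m")
    # Class 3 device talking to a class 1 peer that has a better receiver (assumed -90 dBm).
    print(f"class 3 <-> class 1 peer with -90 dBm receiver: {link_range_m(0, -70, 20, -90):.1f} m")
```

The last line of the output is the point for a practitioner: the nominal 10 m of a class 3 device describes two class 3 radios talking to each other. Against a class 1 peer with a more sensitive receiver (the -90 dBm figure is assumed), both directions of the link stretch to roughly the class 1 distance, so the power class of the device being protected does not on its own bound how far away a peer can be.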
Since the original Bluetooth specification was published in 1999, more than 2000 additional companies have
signed on as associate members, able to participate in development of future standards and extensions by
The fundamental elements of a Bluetooth product are defined in the two lowest
protocol layers, the radio layer and the baseband layer. Included in these layers
are hardware tasks such as frequency hopping control and clock synchronization,
as well as packet assembly with associated FEC (Forward Error Correction) and
The Bluetooth SIG is currently working on a new specification, due for publication sometime in 2002. In the
interest of maintaining backwards compatibility, most of this work is confined to describing new profiles.
One of the most intriguing is a car profile that describes the use of personal devices like pagers, cell phones,
and laptops in an automotive environment. Envisioned usages include the automatic adjustment of various
settings in an automobile, such as seat and mirror positions and radio tuning, based on personal preferences
stored in a Bluetooth device. Another profile would link a cell phone, car radio, and text-to-speech software on
developing optional extensions to the current Bluetooth standard that include higher data rates and handoff
capability to support roaming, and the coexistence working group is collaborating with the IEEE 802.11 and
802.15 working groups to address interference concerns and ensure that Bluetooth can coexist in the same
In November 2003, it was discovered that there are serious flaws in the authentication and/or data transfer mechanisms on some Bluetooth-enabled devices. Specifically, three vulnerabilities have been found:
Firstly, confidential data can be obtained, anonymously, and without the owner's knowledge or consent, from some Bluetooth-enabled mobile phones. This data includes, at least, the entire phonebook and calendar, and the phone's IMEI.
Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted ("paired") device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire
Thirdly, access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging. This third vulnerability was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this vulnerability.
Finally, the current trend for "Bluejacking" is promoting an environment which puts
Vulnerabilities
It is possible, on some makes of device, to connect to the device without alerting the
owner of the target device of the request, and gain access to restricted portions of the
stored data therein, including the entire phonebook (and any images or other data
associated with the entries), calendar, realtime clock, business card, properties, change
log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the
phone to the mobile network, and is used in illegal phone 'cloning'). This is normally only
possible if the device is in "discoverable" or "visible" mode, but there are tools available
on the Internet that allow even this safety net to be bypassed [4]. Further details will not
be released at this time (see below for more on this), but the attack can and will be
The backdoor attack involves establishing a trust relationship through the "pairing"
mechanism, but ensuring that it no longer appears in the target's register of paired
devices. In this way, unless the owner is actually observing their device at the precise
moment a connection is established, they are unlikely to notice anything untoward, and
the attacker may be free to continue to use any resource that a trusted relationship with
that device grants access to (but note that so far we have only tested file transfers). This
means that not only can data be retrieved from the phone, but other services, such as
modems or Internet, WAP and GPRS gateways may be accessed without the owner's
knowledge or consent. Indications are that once the backdoor is installed, the above
SNARF attack will function on devices that previously denied access, and without the
restrictions of a plain SNARF attack, so we strongly suspect that the other services will
The bluebug attack creates a serial profile connection to the device, thereby giving full
access to the AT command set, which can then be exploited using standard off-the-shelf
tools, such as PPP for networking and gnokii for messaging, contact management, diverts
and initiating calls. With this facility, it is possible to use the phone to initiate calls to
premium rate numbers, send SMS messages, read SMS messages, connect to data services
such as the Internet, and even monitor conversations in the vicinity of the phone. This
latter is done via a voice call over the GSM network, so the listening post can be
anywhere in the world. Bluetooth access is only required for a few seconds in order to set
up the call. Call forwarding diverts can be set up, allowing the owner's incoming calls to
be intercepted, either to provide a channel for calls to more expensive destinations, or for
"Bluejacking"[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism
for exchanging anonymous messages in public places. The technique involves abusing the bluetooth
"pairing"[2] protocol, the system by which bluetooth devices authenticate each other, to pass a message during
the initial "handshake" phase. This is possible because the "name" of the initiating bluetooth device is
displayed on the target device as part of the handshake exchange, and, as the protocol allows a large user
defined name field - up to 248 characters - the field itself can be used to pass the message. This is all well and
good, and, on the face of it, fairly harmless, but, unfortunately, there is a down side. There is a potential
security problem with this, and the more the practice grows and is accepted by the user community, and
leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the
protocol being abused is designed for information exchange. The ability to interface with other devices and
exchange, update and synchronise data, is the raison d'être of bluetooth. The bluejacking technique is using the
first part of a process that allows that exchange to take place, and is therefore open to further abuse if the
handshake completes and the "bluejacker" successfully pairs with the target device. If such an event occurs,
then all data on the target device becomes available to the initiator, including such things as phone books,
calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the
volume and quality of such data will increase with the devices' capabilities, leading to far more serious
potential compromise. Given the furore that erupted when a second-hand Blackberry PDA was sold without
the previous owner's data having been wiped [3], it is alarming to think of the consequences of a single
bluejacker gathering an entire corporate staff's contact details by simply attending a conference or camping
outside their building or in their foyer with a bluetooth capable device and evil intent. Of course, corporates are
not the only potential targets - a bluejacking expedition to, say, The House of Commons, or The US Senate,
could provide some interesting, valuable and, who's to say, potentially damaging or compromising data. The
above may sound alarmist and far fetched, and the general reaction would probably be that most users would
not be duped into allowing the connection to complete, so the risk is small. However, in today's society of
instant messaging, the average consumer is under a constant barrage of unsolicited messages in one form or
another, whether it be by SPAM email, or "You have won!" style SMS text messages, and do not tend to treat
them with much suspicion
(although they may well be sceptical about the veracity of the offers). Another message popping up on their
'phone saying something along the lines of "You have won 10,000 pounds! Enter this 4 digit PIN number and
then dial 0900- SUCKER to collect your prize!" is unlikely to cause much alarm, and is more than likely to
BLUEBUG is the name of a bluetooth security loophole on some bluetooth-enabled cell phones. Exploiting
this loophole allows the unauthorized downloading of phone books and call lists, the sending and reading of SMS
LONG DISTANCE SNARF- An eye-opener to those who believe that the range of the wireless technology
Bluetooth is 100 meter maximum. The Long-Distance-Snarf Experiment that took place in the early morning
BLUETONE--The information on this page is intended to help people that want to modify their bluetooth
equipment in order to connect an external (directional) antenna to their Bluetooth dongle. This Bluetooth
tuning makes it possible to concentrate the emission of bluetooth signals to one direction instead of any
BLUEPRINTING--Blueprinting is a method to remotely find out details about bluetooth- enabled devices.
Blueprinting can be used for generating statistics about manufacturers and models and to find out whether
there are devices in range that have issues with Bluetooth security
BLOOVER--Since Adam Laurie's BlueSnarf experiment and the subsequent BlueBug experiment it is proven
that some Bluetooth-enabled phones have security issues. Until now, attackers need laptops for the snarfing of
other people's information. Unless attackers do a long-distance-snarf, people would see that there is somebody
with a laptop trying to do strange things. Blooover is a proof-of-concept tool that is intended to run on BT
AUDIT--The Bluetooth architecture consists of two main protocols, L2CAP and RFCOMM, which is
layered on top of L2CAP. Since these protocols utilize ports (as they are named in the popular TCP/IP UDP/IP
bound to them.
BLUESMACK- BlueSmack is a Bluetooth attack that knocks out some Bluetooth-enabled devices
immediately. This Denial of Service attack can be conducted using standard tools that ship with the official
the responds to an inquiry. The device class has a total length of 24 bits and is separated in three parts
9. BLUETOOTH SECURITY
Bluetooth security, when compared with WLAN security, is both more complex and simpler. It is more
complex in the sense that there are many different options for security based on different application scenarios.
It is simpler in the sense that, for the most part, they are transparent to the user. With WLANs it is up to the
network administrator to add security at higher levels. With Bluetooth, since the Bluetooth spec includes all
levels, higher-level security features are already built into the devices when appropriate. Bluetooth security
includes both authentication and confidentiality, and is based around the SAFER+ encryption algorithm.
SAFER+ is a block cipher, but in this application is implemented as a stream cipher. SAFER+ was thoroughly
NIST’s search for a national encryption standard. Although some versions were found to have very minor
The Bluetooth Baseband (link layer) specification defines methods for both
These methods utilize a number of keys generated by a process that begins with three basic device entities: a
public 48-bit device address, a random number generator, and a secret PIN which is either built into the unit by
the manufacturer or programmed by the user. A typical PIN may consist of just four decimal digits. However,
for applications requiring more security a PIN code up to 128 bits long can be entered. The first of many
keys is created the first time the Bluetooth device is installed on the host
9.1.1 Authentication
When a Bluetooth session (defined as the time interval for which the device is part of a piconet) is initiated, a
series of additional keys is generated. One of these keys, referred to as the link key or authentication key, is a
one-time 128-bit secret key that is used only during that session. The process of authentication employs the
encryption of a random number by each device to verify that each is sharing the same secret link key.
9.1.2 Encryption
from the link key, a ciphering offset number, and a random number. While the authentication key is always
128 bits, the encryption key may be shorter to accommodate government restrictions on encryption, which vary
from country to country. A new encryption key is generated each time the device enters encryption mode. The
Bluetooth SIG has published the Bluetooth Security Architecture white paper [5] that defines a suitable
architecture for implementing service-level enforced security on Bluetooth devices. The white paper splits
devices into different categories and trust levels, as well as suggesting three security levels for services. The
utilization of a database is suggested for enabling the user to authorize devices to utilize only particular
services. Because the implementation of security at this level does not affect interoperability, this white paper
procedures in order for a connection to be established. In addition to the above modes, a device can be
configured to not respond to paging, so that other devices cannot connect to it. Or it can be configured so that
only devices that already know its address can connect to it. Such numerous and complex levels of security are
necessary to accommodate the large variety of different usage scenarios. It falls on the designers of Bluetooth
products to ensure that the complexity of Bluetooth is hidden from the user, while still providing the user with
To permanently remove a pairing, and protect against future BACKDOOR attacks, it seems you must perform
a factory reset, but this will, of course, erase all your personal data. To avoid Bluejacking, "just say no". The
above methods work to the best of our knowledge, but, as the devices affected are running closed-source
proprietary software, it is not possible to verify that without the collaboration of the manufacturers. We therefore
make no claims as to the level of protection they provide, and you must continue to use Bluetooth at your own
risk.
11. Device Authentication In Bluetooth Technology
Bluetooth technology provides a method for authenticating devices. Device authentication is provided using a
shared secret between the two devices. The common shared secret is called a link key. This link key is
established in a special communications session called pairing. All paired devices (devices that have had a
previous connection to establish security procedures) share a common link key. There are two types of link
A device using a unit key uses the same secret for all of its connections. Unit keys are appropriate for devices
with limited memory or a limited user interface. During the pairing procedure the unit key is transferred
(encrypted) to the other unit. Note that only one of the two paired units is allowed to use a unit key.
Combination keys are link keys that are unique to a particular pair of devices.
The combination key is only used to protect the communication between these two devices. Clearly a device
that uses a unit key is not as secure as a device that uses a combination key. Since the unit key is common to
all devices with which the device has been paired, all such devices have knowledge of the unit key.
Consequently they are able to eavesdrop on any traffic based on this key. In addition, they could, in theory, be
modified to impersonate other devices using the key. Thus, when using a unit key there is no protection against
attacks from other devices with which the device has been paired.
As a result, the Bluetooth SIG discourages the use of unit keys in secure applications. Authentication is
performed with a challenge response scheme utilizing the E1 algorithm. E1 is a modification of the block
cipher SAFER+. The scheme operates as follows: the verifier issues a 128-bit challenge. The claimant
then applies E1 using the challenge, its 48-bit Bluetooth address, and the current link key. He then returns the
The verifier confirms the response, in which case the authentication has succeeded. In this case, the roles are
switched and the same procedure is applied again, thereby accomplishing mutual authentication.
The Bluetooth challenge response algorithm differs from that used in 802.11b in very
form a plaintext/ciphertext pair. This fact, combined with the simplicity of the encryption method (XOR),
allows an intruder to easily determine the authentication key string by listening to one authentication procedure.
In contrast, the Bluetooth authentication method never transmits the complete challenge response pair. In
addition, the E1 algorithm is not easily invertible. Thus even if an attacker has recorded an authentication
challenge response session, he cannot (directly) use this data to compute the authentication key.
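To make the flow described above concrete, here is an added Python illustration; it is not code from the page and not the Bluetooth specification's E1. HMAC-SHA256 stands in for E1 as a one-way function of the link key, the 128-bit challenge and the claimant's 48-bit address (the real E1 is built on SAFER+, and only the input set and the message flow are modelled). The link key and addresses are constructed. The example runs the mutual authentication in both directions, shows that a recorded response is useless against a fresh challenge, and contrasts this with the XOR-style scheme the text attributes to 802.11b, where one observed exchange reveals the keystream.

```python
"""Challenge-response authentication in the shape the text describes.

Added illustration, not code from the page or from any Bluetooth stack.
HMAC-SHA256 is a stand-in for E1 (the real E1 is built on SAFER+); what is
modelled is the input set (link key, 128-bit challenge, claimant's 48-bit
BD_ADDR) and the message flow, not the exact SRES arithmetic.
"""
import hashlib
import hmac
import secrets
from typing import Callable, List, Tuple

CHALLENGE_LEN = 16   # 128-bit challenge
BD_ADDR_LEN = 6      # 48-bit Bluetooth device address
SRES_LEN = 4         # only a short response value goes back on the air

Transcript = Tuple[bytes, bytes]   # (challenge, response): what an eavesdropper sees


def e1_stand_in(link_key: bytes, challenge: bytes, bd_addr: bytes) -> bytes:
    """One-way function of the secret link key, the challenge and the claimant's address."""
    if len(challenge) != CHALLENGE_LEN or len(bd_addr) != BD_ADDR_LEN:
        raise ValueError("challenge must be 16 bytes and bd_addr 6 bytes")
    return hmac.new(link_key, challenge + bd_addr, hashlib.sha256).digest()[:SRES_LEN]


def authenticate(verifier_key: bytes, claimant_key: bytes, claimant_addr: bytes,
                 rng: Callable[[int], bytes] = secrets.token_bytes) -> Tuple[bool, Transcript]:
    """One direction: the verifier challenges, the claimant answers with its own copy
    of the link key, the verifier recomputes and compares. Succeeds only when both
    sides hold the same link key. Returns the verdict and the on-air transcript."""
    challenge = rng(CHALLENGE_LEN)
    response = e1_stand_in(claimant_key, challenge, claimant_addr)
    expected = e1_stand_in(verifier_key, challenge, claimant_addr)
    return hmac.compare_digest(response, expected), (challenge, response)


def mutual_authenticate(key_a: bytes, key_b: bytes, addr_a: bytes, addr_b: bytes
                        ) -> Tuple[bool, List[Transcript]]:
    """A verifies B, then the roles switch and B verifies A (mutual authentication)."""
    ok_ab, t_ab = authenticate(key_a, key_b, addr_b)
    ok_ba, t_ba = authenticate(key_b, key_a, addr_a)
    return ok_ab and ok_ba, [t_ab, t_ba]


def replayed_response_accepted(recorded: Transcript, verifier_key: bytes,
                               claimant_addr: bytes) -> bool:
    """Replaying a recorded response against a fresh random challenge: the verifier's
    expected value depends on the new challenge, so the old response does not match."""
    fresh = secrets.token_bytes(CHALLENGE_LEN)
    expected = e1_stand_in(verifier_key, fresh, claimant_addr)
    return hmac.compare_digest(recorded[1], expected)


# --- the contrast the text draws: an XOR (stream-cipher) challenge-response ---

def xor_respond(keystream: bytes, challenge: bytes) -> bytes:
    """Response = challenge XOR keystream, so (challenge, response) is a
    plaintext/ciphertext pair under the same keystream."""
    return bytes(k ^ c for k, c in zip(keystream, challenge))


def keystream_recovered_from_one_exchange(keystream: bytes) -> bool:
    """Why the XOR scheme fails: a passive observer of one exchange computes
    challenge XOR response, which is the keystream, and could then answer any
    later challenge. The one-way E1-style response offers no such relation."""
    challenge = secrets.token_bytes(CHALLENGE_LEN)
    observed_response = xor_respond(keystream, challenge)
    recovered = xor_respond(challenge, observed_response)
    fresh = secrets.token_bytes(CHALLENGE_LEN)
    return xor_respond(recovered, fresh) == xor_respond(keystream, fresh)


if __name__ == "__main__":
    # Constructed link key and addresses for the demonstration.
    link_key = bytes(range(16))
    addr_a, addr_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    ok, transcripts = mutual_authenticate(link_key, link_key, addr_a, addr_b)
    print("mutual authentication:", ok)
    print("replay accepted:", replayed_response_accepted(transcripts[0], link_key, addr_b))
    print("XOR keystream recovered:", keystream_recovered_from_one_exchange(secrets.token_bytes(16)))
```

The transcript returned by `authenticate` is the only thing on the air: a random challenge and a short response. Because the response is a one-way function of the link key, the pair cannot be turned back into the key, and because the verifier draws a new challenge each time, an observed response cannot be replayed.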
12. BLUETOOTH PAIRING
Pairing is the procedure where a relationship (link key) is established between two previously unknown
devices. The link key is derived when the devices are initially paired (i.e. the link key does not exist before the
pairing procedure). Pairing is facilitated with yet another key, the initialization key. This key is computed by a
pair of devices using the Bluetooth addresses of each device, a random number, and a shared secret (PIN).
Since it is only used in the initial pairing, the initialization key is only used once. The initial pairing is the most
profitable area of attack on a Bluetooth device. If the attacker can guess or steal the PIN during the initial
pairing, then he can perform a much more efficient search to derive the link key. This search is further
simplified if the communications occurring while the devices are paired is recorded. For this reason the
Bluetooth SIG strongly encourages the use of long, random PINs and suggests that pairing be performed only
in a private place. Assuming that both devices have a man-machine interface (such as a keypad) it is also
suggested that the PIN be manually entered into both devices or in any case communicated out-of-band (not
transmitted over the Bluetooth wireless link). Thus, long PINs provide improved security since the PIN cannot
be received over-the-air. To steal the PIN an attacker must guess or record it by some other means such as
direct observation of the user, a more difficult procedure if the PIN is long and the pairing is performed in
private.
As a communication standard, Bluetooth security focuses on the link level. It provides
both entity authentication and link privacy. Since these functions are focused at the lower network layers,
message authentication and secure end-to-end links are not provided. However, many applications, such as
e-mail and browser transactions, require end-to-end security. As with other communication standards, this
Accordingly, the Bluetooth SIG encourages the reuse of existing transport, session and application layer
security. Accordingly the Bluetooth SIG strongly encourages pairing in a private place and the use of robust
PINs. In addition, simple devices that use unit keys should not be relied upon to communicate highly secure
data.
13. BLUESNARFING
SNARF and bluesnarfing are words that have been spooking through the Internet during the last months. These
words relate to a recently discovered security flaw in Bluetooth-enabled devices. This report is about a field
trial that has evaluated this security loophole at the CeBIT 2004 in Hannover. As described in, the SNARF
attack enables access to restricted portions of the device. SNARF is a word coming from computer-hacker
jargon. To snarf something means “to grab a large document or file and use it without the author’s
permission”. So it is possible, for example, to read out the affected devices’ phone books. These phone books
contain numbers and associated names of persons that are either stored in the device phone-book, on the SIM
card or in the lists of missed, received or dialed contacts. It is also possible to retrieve and send SMS messages
from the affected phone or to initiate phone calls to any existing number (this feature is of special interest if
In theory, all supported AT-commands could be issued to the respective device, but according to statements of
the manufacturers some of the commands are not permitted by means of this disallowed connection. But there
would be no reason for preventing commands from a connection that the firmware discloses by accident.
13.1 The BlueSnarf Field Trial
The hardware used for this trial was a COMPAQ Evo N600c with two low-cost MSI Bluetooth USB-dongles.
The software used with this hardware was linux-2.6.22 together with Qualcomm’s Bluetooth stack
implementation Bluez (bluez-libs-2.5, bluez-utils-2.4 and bluez-sdp-1.5). The actual application was
implemented in Perl and C. For better data-mining capabilities, an enterprise-level SQL DBMS
(postgresql-7.4.1) has been used in order to store and access the collected device-information.
13.3 Collected Data Samples and Results
In total, 1269 different devices have been discovered in the period from March 18th to March 21st, 2004 at the
place described above. Due to the limited range of about ten meters, not all of the Bluetooth-enabled devices at
this place could have been detected. But still, the number of discovered devices is very high.
13.4 Discovered Device Vendors
The determination of the vendor is done by means of the Bluetooth address. Similar to the hardware address
(MAC address) of Ethernet network interface cards, the Bluetooth address also refers to the manufacturer of
the Bluetooth chip-set. Table 1 shows the vendor and the three first bytes of the Bluetooth addresses that are
associated with the respective vendor. Also a value expressing the distribution among the vendors is provided
in this table.
The 70 percent of discovered Nokia handsets clearly represent Nokia’s market-leadership in Europe.
Interestingly, many companies use the Nokia 6310i as a company phone. One possible reason for this could be
the compatibility with the Nokia car-kits that have been installed over the years in many company cars.
13.5 Table 13.5.1: Device Vendors (columns: Vendor, Address-Bytes, Percentage)
It cannot be determined from the device’s Bluetooth address which model of the respective vendor this is.
Therefore, the Bluetooth name that on many devices defaults to the model number has been used to identify
the model of the discovered device. The Bluetooth name of the devices can be set by the user and is therefore
not in itself reliable information for determining the model number. It is worth mentioning that many people use
The tables 2, 3 and 4 show the numbers of models that could have been uniquely determined by their names.
So, this graph is not totally correct, but gives a coarse idea on the vendor/model distribution.
The graph displayed in table 2 supports the assumption that has been made before, that
obviously many companies are using the Nokia 6310i phone for their employees.
Characteristic for the German/European market was the relatively high presence
13.8 Table (columns: Device, Number, Percentage): Unrecognized, T610, P900, P800
As written in, there are a number of devices that are vulnerable to the SNARF attack. According to this
document there is the Ericsson phone T68/T68i, the SonyEricsson phones R520m, T610 and Z1010 and the
Nokia phones 6310/6310i, 8910/8910i and 7650. Adam Laurie also provides information on whether the
respective devices are attackable in invisible mode or in visible mode only. Since the setup used for this field
trial did not use a brute-force approach (as presented by @stake) for also detecting invisible devices, this study
only confirms the vulnerability of visible devices. Due to limited market take-up and the resulting low
penetration rate of some devices, the vulnerability of some of the listed devices cannot be confirmed by this study.
As displayed in figures 2 and 3, the two top-selling Bluetooth-enabled models of
SonyEricsson and Nokia are vulnerable to the SNARF attack. Experiments with the
SonyEricsson T610 showed that this model is generally not vulnerable to the SNARF attack. During an earlier
presentation of the SNARF attack in February it happened that T610 phones with recent versions of the T610
firmware were disclosing personal information. Obviously, newer versions of the T610 firmware do allow
SNARF attacks.
Nokia 6310/6310i: As mentioned above, this study confirms that the Nokia 6310 and the
more enhanced Nokia 6310i are very vulnerable to the SNARF attack. About 33 percent of all discovered
devices of this type were disclosing personal phone book entries without requiring user-interaction. Since the
snarf-process takes an average time of 30 seconds (from the discovery to the end of the attack), it is very
likely that a lot more devices could have been read out. Too many people were just passing the location so that
they left the Bluetooth-covered area too early to be snarfed.
SonyEricsson T610: In future, when the newer firmware is running on an increased number of T610 devices,
the success rate of the SNARF attack will also increase. In the CeBIT 2004 field trial only 6 percent of all
discovered T610 devices could be read out.
Siemens phones: As far as it has been observed in the CeBIT field trial, Siemens phones are not vulnerable to
the SNARF attack. Bluetooth-enabled Siemens phones like the S55 merely seem to be rather paranoid. Every
time a usual scan-request is received by these phones they cowardly ask for the user’s confirmation. Actually,
checked. It can be confirmed that this phone is vulnerable to the
SNARF attack but switches into the hidden mode automatically (three minutes after activation of the Bluetooth
(table residue: Total Snarfed 50; SonyEricsson T610 33)
The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is why only the first 10
entries of each phone book were read out. About 50 numbers from each snarfed phone have been retrieved.
13.13 What Could Have Been Done?
As mentioned in the introduction, a variety of different things could have been done with an unauthorized
Bluetooth connection to the phone. The following paragraphs give some ideas on the things this security flaw
The only good way to get to know the number of the snarfed phone is to send an SMS from the attacked phone
to another device. Depending on the manufacturer of the phone, SMS messages can either be provided as 7-bit
encoded ASCII text and/or have to be provided as an SMS-PDU which is rather tricky to generate. For the
creation of SMS-PDUs there is a tool called PDUSpy in the download section of Nokia phones allow issuing
text-mode and PDU-mode messages to the device, while SonyEricsson phones (and also Siemens phones) only
accept PDU-encoded SMS messages. The sending of an SMS is not visible to the user. Usually, the issued
SMS is not stored in the sent-box of the snarfed phone. In rare cases, the SMS settings of the snarfed phone are
set to require a report that is generated at the receiving phone. In this case the sender, who was not aware of
having sent a message, would receive a reception report from the attacker’s phone (which includes a phone
number). When sending PDU-encoded messages, a flag controls whether a reception report
is generated or not.
This method of getting the victim’s phone number causes costs for the holder of the phone. That is why it has
not been done in the CeBIT field-trial. But it works for sure (at least on Nokia devices).
It would also be possible to get the device’s phone number by initiating a phone call to the number of a phone
that is able to display the caller’s number. However, this method would disclose the number of the dialed
phone to the owner of the attacked phone, because every call initiation is writing an entry into the dialed
It is possible to initiate phone calls to virtually any other number. It would be very lucrative to initiate calls to a
premium service number that is run by the attacker. As mentioned before, dialed numbers are usually stored in
the phone’s calling lists and are also stored at the provider-site for billing purposes. Therefore, this kind of
abuse is rather unlikely. It would also be very easy to find out and sue the person being responsible for this
premium service.
13.13.3 Writing a Phone Book Entry
As mentioned before, every phone call is writing an entry into the “dialed contacts” or DC phone book of the
respective device. By writing a phone book entry into the DC phone book, the traces on the device that
evidence that a call has been made can be replaced by any number. Since the operator also stores dialed
numbers for billing purposes, this kind of obfuscation would only delay the process of finding the responsible
person. Of course it is also possible to create some nasty phone book entries. Just imagine an entry that has
’Darling’ as a name and the number of a person you dislike. The owner of the phone could then get into some
trouble with his/her spouse. In the CeBIT trial no phone book entries were made. Such entries would most
Ongoing experiments include a SNARF application on Java/J2ME phones. As a requirement for this, the
respective phones would have to have the MIDP 2.0 API implemented together with the optionally provided
Bluetooth-API. The only phone that has these features at the moment is the Nokia 6600.
13.13.5 Blueprinting
Blueprinting aims to set a standard for Bluetooth fingerprinting devices. The idea is similar to IP fingerprinting
techniques as used in tools like nmap where it is possible to determine a host's operating system by specific
behavior of the IP stack. With Blueprinting it is possible to determine the manufacturer, the device model and
the firmware version of the respective device. The complexity of the introduced method is
intentionally simple so that this procedure can be executed on constrained devices that are not capable of
calculating common hashes such as MD5: the J2ME Connected Limited Device Configuration (CLDC)
Version 1.0 (as used in many mobile handsets) can perform it. There are many different reasons that justify a
method that allows the identification of Bluetooth-enabled devices by the characteristics of their radio
interface.
13.13.6 Device Statistics
One of the purposes that Blueprinting could be used for is statistical examination of different environments.
This way, it is possible to create statistics of manufacturers and device models in special places as it was done
in the CeBIT field trial report. There are more scenarios where the determination of Bluetooth device
There are many different mobile handsets that all have different operating system platforms running. One of
the most popular platforms is Symbian but there are a number of other platforms. Mobile device manufacturers
are developing applications for many different purposes. In order to deliver the application for the right
platform, the application distributor needs to know about the requesting device model, so that the application
that is pushed to the device might be a version that supports e.g. the bigger display of a certain device.
Unfortunately, there are also malicious applications like the proof-of-concept virus CIBER that could profit
Early implementations of the Bluetooth standard in devices of various device manufacturers are subject to
more or less severe security issues. Attacks like the BlueSnarf attack, the Bluebug attack or the Blue Smack
attack, which enable the extraction of sensitive information, the abuse of telecommunications services or the
denial of service are subject to the firmware and the model of some phones. In order to communicate eventual
Blueprinting encapsulates the necessary information in order to determine device specific properties such as
the manufacturer, the model information and the firmware version. Since mobile phones and PDAs make up
the biggest group of Bluetooth enabled devices, Blueprinting mainly focuses on these devices. The method
relies on device specific information that has been collected in experiments such as the CeBIT experiment,
and, therefore, is not as detailed as it could be. Every Bluetooth enabled device has some characteristics that
are either unique (Bluetooth device address), manufacturer specific (the first part of the Bluetooth device
address) or model-specific (service description records). Blueprinting is combining the different information
that Bluetooth-enabled devices reveal in order to identify the manufacturer as well as the model of the device.
The firmware version that runs on certain devices can be derived based upon the devices’ different characteristics.
13.13.10 Bluetooth Device Address
As mentioned above the Bluetooth device address (BD ADDR) is unique and globally refers to one single
device. This BD ADDR address consists of 48 bits (6 bytes) that are usually written like MAC addresses
(e.g. MM:MM:MM:XX:XX:XX). The address is programmed into the Bluetooth radio. The first three bytes of
this address (the bytes that are denoted by M’s above) refer to the manufacturer of the chipset. An actual list of
all these codes that refer to different manufacturers can be found in the OUI database hosted by IEEE.
Unfortunately, it is not possible to tell anything about the device model by interpretation of the remaining three
bytes. These bytes (denoted by X’s above) are used randomly in different models. Therefore, for identifying a
manufacturer’s model, Blueprinting takes the SDP profiles, which can be queried from devices that offer
Service Description Protocol (SDP) profiles are a concept that is used by Bluetooth in order to identify a
certain service to other devices. This is done for auto configuration purposes and to help a user set up a
connection to the specific device. SDP Profiles are served by the device’s SDP server and provide information
on how to access the offered profiles. Every SDP profile entry has some properties that can be used to identify
the device.
13.13.12 Blueprinting
Blueprinting uses specific information from SDP profiles of a device to create a hash for the respective device.
Table 13.13.12.1 OPUSH Profile from a Nokia 6310i
According to the standard, there is always a field that holds the Service Record Handle, which is a 32-bit
number that is assigned by the SDP server when a service is registered during startup of the device (e.g.
0x1000c in table 1). In the case of mobile phones, the Record Handles for the profile entries at the SDP server
are not dynamically assigned but statically coded in the phone’s firmware. The other value that is taken into the
hash is the RFCOMM channel or the L2CAP PSM number under which the service can be accessed. In the
above profile, this would be RFCOMM channel 9. One part of a device’s Blueprinting hash is the sum of the
Record Handle times the Channel over all running services. The following example shows
Record Handle   Channel   Record Handle x Channel
0x1000b         2         131094
0x1000c         9         589932
0x1000d         1         65549
0x1000e         15        983250
0x1000f         3         196653
0x10010         13        852176
0x10011         12        786636
Sum                       3605290
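As an added example (not the trifinite Blueprint tool's own Perl code), the following Python computes the hash part described above from sdptool-style output. The sample service records are constructed, and the OUI@hash format returned by blueprint_fingerprint is an assumption about how the manufacturer part of the BD ADDR is combined with the hash.

```python
import re

# Constructed sample in the layout of `sdptool browse` output (not a real capture).
SAMPLE_SDPTOOL_OUTPUT = """\
Service Name: Dial-up Networking
Service RecHandle: 0x1000b
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Service Name: HID Control
Service RecHandle: 0x1000e
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 17
"""

def parse_sdp_records(text):
    """Return (record_handle, channel_or_psm) pairs, one per service record."""
    records, handle = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Service RecHandle:\s*(0x[0-9a-fA-F]+)", line)
        if m:
            handle = int(m.group(1), 16)
            continue
        # RFCOMM channel or L2CAP PSM: the first one seen after a RecHandle counts
        m = re.match(r"\s*(?:Channel|PSM):\s*(\d+)", line)
        if m and handle is not None:
            records.append((handle, int(m.group(1))))
            handle = None
    return records

def blueprint_hash(records):
    """Sum of Record Handle times Channel (or PSM) over all records, as in the text."""
    return sum(handle * access for handle, access in records)

def blueprint_fingerprint(oui, records):
    """Assumed combined key: OUI part of the BD ADDR plus the hash (format is an assumption)."""
    return f"{oui}@{blueprint_hash(records)}"
```

The OPUSH record alone yields 0x1000c x 9 = 589932, the same value as in the table above.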
13.13.12.2 Blueprinting Software
The Blueprint software is a proof-of-concept implementation of the herein described Bluetooth fingerprinting
technique. For simplicity, it was implemented in Perl and reads the output of sdptool. Blueprint uses a simple
text based database which contains fingerprints and information about the associated device. The
implementation also combines the actual fingerprint with the manufacturer part of the BD ADDR to achieve a
The Bluetooth Device Security Database was created after various security related bugs were found on
embedded Bluetooth devices. The btdsd project's goal is to collect information on (default) security settings of
Bluetooth enabled devices. The collection shows that nearly all manufacturers have different default security
settings and security features implemented. The database was used in the evaluation of the Blueprinting
technique.
13.14.2 Future Work
The work described here is the basis for ongoing work in this area. The trifinite.group is inviting everyone to
contribute in all future efforts. Continued progress relies on developing a more comprehensive set of SDP
profiles, which can be sent via email. For information on how to contribute, check the Bluetooth Device
the future, data from higher and lower level protocols should be used for identification as well. Examples could
be: Link Manager (LM) commands (when connecting to a specific service) or Obex behavior.
13.14.4 Conclusions
Blueprinting is a novel method for the identification of Bluetooth-enabled devices by means of their radio
interface and the Bluetooth stack of the operating system. The information gathered so far about the SDP
profiles demonstrates a decreasing diversity in mobile phone operating systems, for example the prevalent use
of Symbian. The increasing uniformity is evident from similar Blueprinting hashes even when the hardware and
the manufacturer of the products differ. Current trends suggest that the variety of Blueprinting hashes
will most likely decrease. The fact that many phones have the same operating system could result in serious
This section lists the hashes that have been collected so far. Some of the devices have multiple entries. The
explanation for this is that these devices have different firmware versions that result in a different Blueprinting
hash.
14. BLUETOOTH AND WINDOWS XP
Microsoft® has announced support for Bluetooth in the next release of Windows® XP as
follows:
Microsoft is creating native support in the Microsoft® Windows® operating system for Bluetooth wireless
technology. This support is entirely new and is not based on existing software from other companies. The
Microsoft supports the Bluetooth technology as a wireless bus, complementing USB and IEEE 1394. The goal
for Microsoft software support is to make Windows work with several types of devices that implement Bluetooth
wireless technology, such as PC peripherals, PC companions, and devices bridged to network resources
through a PC.
Support for Bluetooth wireless technology is not in the first release of Windows XP, because there is not a
sufficient array of production-quality devices that conform to the Bluetooth specification for Microsoft to test.
However, Microsoft is actively developing support for Bluetooth technology and will ship this support in a
future release. Quality, reliability and compatibility are principal ship goals for Windows XP, and Microsoft
Consumers are more interested in applications than the technology. Bluetooth must be successfully