NIST Special Publication 800-121
Revision 2

Guide to Bluetooth Security

John Padgette
John Bahr
Mayank Batra
Marcel Holtmann
Rhonda Smithbey
Lily Chen
Karen Scarfone

This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-121r2

COMPUTER SECURITY

IPR2020-00783
Philips North America LLC EX2028
Page 1 of 67

John Padgette
Accenture Federal Services
Arlington, VA

Rhonda Smithbey
Spanalytics
Richmond, VA

John Bahr
Bahr Engineering
Superior, CO

Lily Chen
Computer Security Division
Information Technology Laboratory

Mayank Batra
Qualcomm Tech. Intl., Ltd.
Cambridge, United Kingdom

Marcel Holtmann
Intel Corporation
Munich, Germany

Karen Scarfone
Scarfone Cybersecurity
Clifton, VA

May 2017

National Institute of Standards and Technology
Kent Rochford, Acting NIST Director and Under Secretary of Commerce for Standards and Technology

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including
minimum requirements for federal information systems, but such standards and guidelines shall not apply
to national security systems without the express approval of appropriate federal officials exercising policy
authority over such systems. This guideline is consistent with the requirements of the Office of Management
and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-121 Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-121 Rev. 2, 67 pages (May 2017)
CODEN: NSPUE2

This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-121r2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance
with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies,
may be used by federal agencies even before the completion of such companion publications. Thus, until each
publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For
planning and transition purposes, federal agencies may wish to closely follow the development of these new
publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to
NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at
http://csrc.nist.gov/publications.

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Email: 800-121r2comments@nist.gov

All comments are subject to release under the Freedom of Information Act (FOIA).

NIST SP 800-121 REV. 2
GUIDE TO BLUETOOTH SECURITY

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in federal
information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and
outreach efforts in information system security, and its collaborative activities with industry,
government, and academic organizations.

Abstract

Bluetooth wireless technology is an open standard for short-range radio frequency communication
used primarily to establish wireless personal area networks (WPANs), and has been integrated into
many types of business and consumer devices. This publication provides information on the
security capabilities of Bluetooth and gives recommendations to organizations employing
Bluetooth wireless technologies on securing them effectively. The Bluetooth versions within the
scope of this publication are versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 +
High Speed (HS), 4.0, 4.1, and 4.2. Versions 4.0 and later support the low energy feature of
Bluetooth.

Keywords

Bluetooth; information security; network security; wireless networking; wireless personal area
networks

Acknowledgments

The authors, John Padgette of Accenture, John Bahr of Bahr Engineering (representing Philips
Healthtech), Mayank Batra of Qualcomm, Marcel Holtmann of Intel, Rhonda Smithbey of
Spanalytics, Lily Chen of the National Institute of Standards and Technology (NIST), and Karen
Scarfone of Scarfone Cybersecurity, wish to thank their colleagues in the Bluetooth Security
Experts Group (SEG) who contributed technical content and reviewed drafts of this document. The
authors greatly appreciate the comments and feedback provided by Mark Nichols of Spanalytics,
and the contributions of Alan Kozlay of Biometric Associates, LP. The authors would also like to
acknowledge Catherine Brooks of the Bluetooth SIG technical staff for providing the new graphics.

Note to Readers

This document is the second revision to NIST SP 800-121, Guide to Bluetooth Security. Updates in
this revision include an introduction to and discussion of Bluetooth 4.1 and 4.2 security
mechanisms and recommendations, including Secure Connections for BR/EDR and low energy.

Executive Summary

Bluetooth is an open standard for short-range radio frequency (RF) communication. Bluetooth
wireless technology is used primarily to establish wireless personal area networks (WPANs).
Bluetooth has been integrated into many types of business and consumer devices, including cell
phones, laptops, automobiles, medical devices, printers, keyboards, mice, headsets, and, more
recently, medical devices and personal devices (such as smart watches, music speakers, home
appliances, fitness monitors, and trackers). This allows users to form ad hoc networks between a
wide variety of devices to transfer voice and data. This document provides an overview of
Bluetooth wireless technology and discusses related security concerns.

Several Bluetooth versions are currently in use in commercial devices, while the most current
version can be found at bluetooth.com. At the time of writing, Bluetooth 4.0 (adopted June 2010) is
the most prevalent. The most recent versions include Bluetooth 4.1 and Bluetooth 4.2. Bluetooth
4.1 (adopted December 2013) improved the strengths of the Basic Rate/Enhanced Data Rate
(BR/EDR) technology cryptographic key, device authentication, and encryption by making use of
Federal Information Processing Standard (FIPS)-approved algorithms. Bluetooth 4.2 (adopted
December 2014) improved the strength of the low energy technology cryptographic key by making
use of FIPS-approved algorithms, and provided means to convert BR/EDR technology keys to low
energy technology keys and vice versa. This publication addresses the security of all versions of
Bluetooth.

Bluetooth wireless technology and associated devices are susceptible to general wireless
networking threats, such as denial of service (DoS) attacks, eavesdropping, man-in-the-middle
(MITM) attacks, message modification, and resource misappropriation. They are also threatened
by more specific attacks related to Bluetooth wireless technology that target known vulnerabilities
in Bluetooth implementations and specifications. Attacks against improperly secured Bluetooth
implementations can provide attackers with unauthorized access to sensitive information and
unauthorized use of Bluetooth devices and other systems or networks to which the devices are
connected.

To improve the security of Bluetooth implementations, organizations should implement the
following recommendations:

Organizations should use the strongest Bluetooth security mode that is available for their
Bluetooth devices.

The Bluetooth specifications define several security modes, and each version of Bluetooth supports
some, but not all, of these modes. The modes differ primarily by the point at which the device
initiates security; hence, these modes define how well they protect Bluetooth communications and
devices from potential attack. Some security modes have configurable security level settings which
affect the security of the connections.

For Bluetooth 4.1 devices that have BR, EDR, and High Speed (HS) features, Security Mode 4,
Level 4 is recommended because it requires Secure Connections, which uses authenticated pairing
and encryption using 128-bit strength keys generated using FIPS-approved Advanced Encryption
Standard (AES) encryption. For Bluetooth 2.1 through 4.0 devices, Security Mode 4, Level 3 is the
most secure, and for Bluetooth 2.0 and older devices Security Mode 3 is recommended. Security
Modes 2 and 4 can also use authentication and encryption, but do not initiate them until after the
Bluetooth physical link has already been fully established and logical channels partially
established. Security Mode 1 devices never initiate security and therefore should never be used.

For the low energy feature of Bluetooth (introduced in Version 4.0 and updated in 4.1 and 4.2),
Security Mode 1 Level 4 is the strongest mode because it requires authenticated low energy Secure
Connections pairing with Elliptic Curve Diffie-Hellman (ECDH) based encryption. Security Mode
1 Level 3 requires authenticated pairing and encryption but does not use ECDH-based
cryptography and thus provides limited eavesdropping protection due to weak encryption. Other
security modes/levels allow unauthenticated pairing (meaning no MITM protection is provided
during cryptographic key establishment), and some do not require any security at all.

The available modes vary based on the Bluetooth specification version supported by the device, so
organizations should choose the most secure mode available for each case.
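
An added example, not part of the NIST guide: a Python audit that applies the version-to-mode recommendations above to a device inventory. The `Device` record, the status names and the sample inventory are constructed for illustration; the Level 3 cap for 4.0/4.1 low energy devices and the rule that Mode 4 needs 2.1 or later are assumptions stated in the comments.

```python
from typing import NamedTuple, Optional, Tuple

class Device(NamedTuple):
    name: str
    version: str                  # core spec version, e.g. "2.1 + EDR" or "4.2"
    transport: str                # "bredr" (BR/EDR/HS) or "le" (low energy)
    mode: int                     # configured security mode
    level: Optional[int] = None   # configured level, if the mode has levels

def parse_version(text: str) -> Tuple[int, int]:
    """Turn '2.1 + EDR' or '3.0 + HS' into (2, 1) or (3, 0)."""
    major, minor = text.split("+")[0].strip().split(".")
    return int(major), int(minor)

def strongest_available(version: str, transport: str) -> Tuple[int, Optional[int]]:
    """Strongest (mode, level) the guide recommends for this version."""
    ver = parse_version(version)
    if not (1, 1) <= ver <= (4, 2):
        raise ValueError(f"Bluetooth {version} is outside the guide's scope (1.1 to 4.2)")
    if transport == "bredr":
        if ver >= (4, 1):
            return (4, 4)         # Secure Connections
        if ver >= (2, 1):
            return (4, 3)         # 2.1 through 4.0
        return (3, None)          # 2.0 and older
    if transport == "le":
        if ver < (4, 0):
            raise ValueError("the low energy feature needs Bluetooth 4.0 or later")
        # Assumption: low energy Secure Connections (required for Level 4)
        # arrived with 4.2, so 4.0/4.1 devices top out at Mode 1 Level 3.
        return (1, 4) if ver >= (4, 2) else (1, 3)
    raise ValueError(f"unknown transport {transport!r}")

def describe(setting: Tuple[int, Optional[int]]) -> str:
    mode, level = setting
    return f"Mode {mode}" if level is None else f"Mode {mode} Level {level}"

def audit(dev: Device) -> Tuple[str, str]:
    """Return (status, reason) for one inventory record."""
    try:
        best = strongest_available(dev.version, dev.transport)
    except ValueError as exc:
        return "unassessed", str(exc)
    if dev.transport == "bredr" and dev.mode == 1:
        return "prohibited", "Security Mode 1 never initiates security"
    configured = (dev.mode, dev.level)
    if configured == best:
        return "compliant", f"uses {describe(best)}"
    # A setting stronger than the version can offer means the record is wrong.
    # Assumption: BR/EDR Security Mode 4 is only available from 2.1 onward.
    higher_level = dev.mode == best[0] and (dev.level or 0) > (best[1] or 0)
    newer_mode = dev.transport == "bredr" and dev.mode > best[0]
    if higher_level or newer_mode:
        return "inventory-error", f"{describe(configured)} is not offered by Bluetooth {dev.version}"
    return "not-strongest", f"configured {describe(configured)}, strongest available is {describe(best)}"

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("headset-a", "2.0 + EDR", "bredr", 3),
    Device("keyboard-b", "2.1 + EDR", "bredr", 4, 2),
    Device("laptop-c", "4.1", "bredr", 4, 4),
    Device("legacy-d", "1.2", "bredr", 1),
    Device("sensor-e", "4.0", "le", 1, 3),
    Device("tracker-f", "4.2", "le", 1, 3),
    Device("phone-g", "5.0", "bredr", 4, 4),
    Device("camera-h", "4.0", "le", 1, 4),
]

def run_audit(inventory):
    """Map each device name to its audit status."""
    return {dev.name: audit(dev)[0] for dev in inventory}

if __name__ == "__main__":
    for dev in INVENTORY:
        status, reason = audit(dev)
        print(f"{dev.name:<12} {status:<16} {reason}")
```
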

Organizations should address Bluetooth wireless technology in their security policies and
change default settings of Bluetooth devices to reflect the policies.

A security policy that defines requirements for Bluetooth security is the foundation for all other
Bluetooth related countermeasures. The policy should include a list of approved uses for
Bluetooth, a list of the types of information that may be transferred over Bluetooth networks, and,
if they are used, requirements for selecting and using Bluetooth personal identification numbers
(PINs).1 A baseline configuration for Bluetooth default settings should accompany the security
policy. The checklist in Table 4-2 provides a “Technical Recommendations” section which may be
used as a guide. After establishing a Bluetooth security policy, organizations should ensure that
Bluetooth devices’ default settings are reviewed and changed as needed so that they comply with
the security policy requirements. For example, a typical requirement is to disable unneeded
Bluetooth profiles and services to reduce the number of vulnerabilities that attackers could attempt
to exploit. When available, a centralized security policy management approach should be used to
ensure device configurations are compliant.

1 Starting with Simple Secure Pairing in Bluetooth 2.1, PINs are not used for pairing any more.

Organizations should ensure that their Bluetooth users are made aware of their
security-related responsibilities regarding Bluetooth use.

Annual required security awareness programs should be updated to include Bluetooth security
policy guidelines. A security awareness program helps educate and train users to follow security
practices that protect the assets of an organization and prevent security incidents. For example,
users should be provided with a list of precautionary measures they should take to better protect
handheld Bluetooth devices from theft. Users should also be made aware of other actions to take
regarding Bluetooth device security, such as ensuring that Bluetooth devices are turned off when
they are not needed to minimize exposure to malicious activities, and performing Bluetooth device
pairing as infrequently as possible and ideally in a physically secure area where attackers cannot
observe passkey entry and eavesdrop on Bluetooth pairing-related communications.

Table of Contents

1 Introduction
1.1 Purpose and Scope
1.2 Audience and Assumptions
1.3 Document Organization
2 Overview of Bluetooth Wireless Technology
2.1 Bluetooth Wireless Technology Characteristics
2.1.1 Basic, Enhanced, and High Speed Data Rates
2.1.2 Low Energy
2.1.3 Dual Mode Devices (Concurrent Low Energy & BR/EDR/HS Support)
2.2 Bluetooth Architecture
3 Bluetooth Security Features
3.1 Security Features of Bluetooth BR/EDR/HS
3.1.1 Pairing and Link Key Generation
3.1.2 Authentication
3.1.3 Confidentiality
3.1.4 Trust Levels, Service Security Levels, and Authorization
3.2 Security Features of Bluetooth Low Energy
3.2.1 Low Energy Security Modes and Levels
3.2.2 Low Energy Pairing Methods
3.2.3 Legacy Low Energy Key Generation and Distribution
3.2.4 Low Energy Secure Connection Key Generation
3.2.5 Confidentiality, Authentication, and Integrity
3.2.6 Low Energy Long Term Key Derivation from Bluetooth Link Key
3.2.7 Bluetooth Link Key Derivation from Low Energy Long Term Key
4 Bluetooth Vulnerabilities, Threats, and Countermeasures
4.1 Bluetooth Vulnerabilities
4.2 Bluetooth Threats
4.3 Risk Mitigation and Countermeasures
4.4 Bluetooth Security Checklist

List of Appendices
Appendix A— Glossary
Appendix B— Acronyms and Abbreviations
Appendix C— Internal Bluetooth Functions
Appendix D— References
Appendix E— Resources

List of Figures
Figure 2-1. Bluetooth 4.x Device Architecture
Figure 2-2. Bluetooth Ad Hoc Topology
Figure 2-3. Bluetooth Networks (Multiple Scatternets)
Figure 3-1. Bluetooth Air-Interface Security
Figure 3-2. Link Key Generation from PIN
Figure 3-3. Link Key Establishment for Secure Simple Pairing
Figure 3-4. AMP Link Key Derivation
Figure 3-5. Bluetooth Legacy Authentication
Figure 3-6. Bluetooth Secure Authentication
Figure 3-7. Bluetooth E0 Encryption Procedure
Figure 3-8. Bluetooth AES-CCM Encryption Procedure
Figure 3-9. Bluetooth Low Energy Legacy Pairing
Figure 3-10. Bluetooth Low Energy Secure Connections Pairing
Figure 3-11. Low Energy Long Term Key Derivation from Bluetooth Link Key
Figure 3-12. Bluetooth Link Key Derivation from Low Energy Long Term Key

List of Tables
Table 2-1. Bluetooth Device Classes of Power Management
Table 2-2. Key Differences Between Bluetooth BR/EDR and Low Energy
Table 3-1. BR/EDR/HS Security Modes
Table 3-2. BR/EDR/HS Security Mode 4 Levels Summary
Table 3-3. Most Secure Mode for a Pair of Bluetooth Devices
Table 3-4. Most Secure Level in Mode 4 for a Pair of Bluetooth Devices
Table 4-1. Key Problems with Native Bluetooth Security
Table 4-2. Bluetooth Piconet Security Checklist
Table 4-3. Recommendation Mappings to NIST SP 800-53 Security Controls

1 Introduction

1.1 Purpose and Scope

The purpose of this document is to provide information to organizations on the security capabilities
of Bluetooth and provide recommendations to organizations employing Bluetooth wireless
technologies on securing them effectively. The Bluetooth versions within the scope of this
publication are versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 + High Speed
(HS), 4.0, 4.1, and 4.2. Bluetooth with low energy functionality is present in 4.0 and later. Bluetooth
5.0 is not in the scope of this document.

1.2 Audience and Assumptions

This document discusses Bluetooth wireless technologies and security capabilities in technical detail.
This document assumes that the readers have at least some operating system, wireless networking,
and security knowledge. Because of the constantly changing nature of the wireless security industry
and the threats and vulnerabilities to the technologies, readers are strongly encouraged to take
advantage of other resources (including those listed in this document) for more current and detailed
information.

The following list highlights people with differing roles and responsibilities that might use this
document:

• Government managers (e.g., chief information officers and senior managers) who oversee the
use and security of Bluetooth within their organizations
• Systems engineers and architects who design and implement Bluetooth wireless technologies
• Auditors, security consultants, and others who perform security assessments of wireless
environments
• Researchers and analysts who are trying to understand the underlying wireless technologies.

1.3 Document Organization

The remainder of this document is composed of the following sections and appendices:

• Section 2 provides an overview of Bluetooth wireless technology, including its benefits,
technical characteristics, and architecture.
• Section 3 discusses the security features defined in the Bluetooth specifications and highlights
their limitations.
• Section 4 examines common vulnerabilities and threats involving Bluetooth wireless
technologies and makes recommendations for countermeasures to improve Bluetooth security.
• Appendix A provides a glossary of terms.
• Appendix B provides a list of acronyms and abbreviations used in this document.
• Appendix C lists Bluetooth functions.
• Appendix D lists Bluetooth references.
• Appendix E lists Bluetooth online resources.

2 Overview of Bluetooth Wireless Technology

Bluetooth is an open standard for short-range radio frequency (RF) communication. Bluetooth is used
primarily to establish wireless personal area networks (WPANs). Bluetooth has been integrated into
many types of business and consumer devices, including cell phones, laptops, automobiles, printers,
keyboards, mice, headsets, and, more recently, medical devices and personal devices (such as smart
watches, music speakers, home appliances, fitness monitors, and trackers). This allows users to form
ad hoc networks between a wide variety of devices to transfer voice and data. Bluetooth is a low-cost,
low-power technology that provides a mechanism for creating small wireless networks on an ad hoc
basis, known as piconets.2 A piconet is composed of two or more Bluetooth devices in close physical
proximity that operate on the same channel using the same frequency hopping sequence. An example
of a piconet is a connection between a cell phone and a headset using Bluetooth wireless technology.

Bluetooth piconets are often established on a temporary and changing basis, which offers
communications flexibility and scalability between mobile devices. Some key benefits of Bluetooth
are—

• Cable replacement. Bluetooth replaces a variety of cables, such as those traditionally used
for peripheral devices (e.g., mouse and keyboard connections), printers, and wired headsets
and earbuds that interface with desktops, laptops, cell phones, etc.
• Ease of file sharing. A Bluetooth-enabled device can form a piconet to support file sharing
capabilities with other Bluetooth devices, such as laptops.
• Wireless synchronization. Bluetooth can provide automatic synchronization between
Bluetooth-enabled devices. For example, Bluetooth allows synchronization of contact
information between smartphones and automobiles.
• Internet connectivity. A Bluetooth device with Internet connectivity can share that access
with other Bluetooth devices. For example, a laptop can use a Bluetooth connection to
leverage the personal hotspot capability of a smartphone to provide Internet access to the
laptop.

Bluetooth was originally conceived by Ericsson in 1994. Ericsson, IBM, Intel, Nokia, and Toshiba
formed the Bluetooth Special Interest Group (SIG), a not-for-profit trade association developed to
drive development of Bluetooth products and serve as the governing body for Bluetooth
specifications.3 Bluetooth is standardized within the IEEE 802.15 Working Group for Wireless
Personal Area Networks that formed in 1999 as IEEE 802.15.1-2002.4

This section provides an overview of Bluetooth, including frequency and data rates, range, and
architecture.

2 As discussed in Section 2.2, the term “piconet” applies to both ad hoc and infrastructure Bluetooth networks.
3 The Bluetooth SIG website (https://www.bluetooth.com/) is a resource for Bluetooth related information and provides numerous
links to other sources of information.
4 For more information, see the IEEE website at http://grouper.ieee.org/groups/802/15/.

2.1 Bluetooth Wireless Technology Characteristics

Bluetooth operates in the unlicensed 2.4000 gigahertz (GHz) to 2.4835 GHz Industrial, Scientific,
and Medical (ISM) frequency band. Numerous technologies operate in this band, including the IEEE
802.11b/g/n wireless local area network (WLAN) standard, making it somewhat crowded from the
standpoint of the volume of wireless transmissions. Bluetooth employs frequency hopping spread
spectrum (FHSS) technology for transmissions. FHSS reduces interference and transmission errors
but provides minimal transmission security.

With FHSS technology, communications between Bluetooth Basic Rate (BR)/EDR devices use 79
different 1 megahertz (MHz) radio channels by hopping (i.e., changing) frequencies about 1600 times
per second for data/voice links and 3200 times per second during page and inquiry scanning. A
channel is used for a very short period (e.g., 625 μs for data/voice links), followed by a hop to another
channel designated by a pre-determined pseudo-random sequence; this process is repeated
continuously in the frequency hopping sequence.

Bluetooth low energy communication uses the same frequency range as BR/EDR devices but splits it
instead into 40 channels of 2 MHz width. Three of these channels are used for advertising
(broadcasting data and for connection setup) and the other 37 are data channels. These 40 channels,
combined with a time division multiple access (TDMA) scheme, provide the two multiple access
schemes for the low energy feature of Bluetooth. A polling scheme is used in which the first device
sends a packet at a predetermined time and a corresponding device responds after a predetermined
interval. These exchanges of data are known as either Advertising or Connection Events.

Bluetooth also provides for radio link power control, which allows devices to negotiate and adjust
their radio power according to signal strength measurements. Each device in a Bluetooth network can
determine its received signal strength indication (RSSI) and request that the other network device
adjust its relative radio power level (i.e., incrementally increase or decrease the transmission power).
This is performed to conserve power and/or to keep the received signal characteristics within a
preferred range.

The combination of a frequency hopping scheme and radio link power control provides Bluetooth
with some additional, albeit limited, protection from eavesdropping and malicious access. The
frequency-hopping scheme, primarily a technique to avoid interference, makes it slightly more
difficult for an adversary to locate and capture Bluetooth transmissions than to capture transmissions
from fixed-frequency technologies, like those used in IEEE 802.11b/g. Research has shown that the
Bluetooth frequency hopping sequence for an active piconet can be determined using relatively
inexpensive hardware and free open source software.5

The range of Bluetooth BR/EDR devices is characterized by three classes that define power
management. Table 2-1 summarizes the classes, including their power levels in milliwatts (mW) and
decibels referenced to one milliwatt (dBm), and their operating ranges in meters (m).6 Most small,
battery-powered devices are Class 2, while Class 1 devices are typically universal serial bus (USB)