A Chapter on Bluetooth by Rab Nawaz Jadoon

Rab Nawaz Jadoon
(Assistant Professor)
Department of Computer Science
COMSATS University, Abbottabad, Pakistan
rabnawaz@ciit.net.pk
TABLE OF CONTENTS
1. Introduction
1.1 History
1.2 Bluetooth Versions
2. System Architecture
2.1 Piconet
2.1.1 Single secondary communication
2.1.2 Multiple secondary communications
2.2 Scatternet
2.2.1 Range
2.3 Security Architecture
2.3.1 Bluetooth Security Risks
2.4 Connection establishment
3. Protocol stack
3.1 Base-band Layer
3.2 Link Manager Protocol
3.3 HCI (Host Controller Interface)
3.4 L2CAP (Logical Link Control and Adaptation Protocol)
3.5 RFCOMM
3.6 SDP (Service Discovery Protocol)
3.7 TCS Binary (Telephony Control-Binary)
3.8 PPP (Point-to-Point Protocol)
3.9 UDP/TCP/IP
4. Frame Format
4.1 Access Code
4.2 Header
4.3 Payload
5. Bluetooth Profiles
5.1 Some available Bluetooth profiles
References
1. Introduction
Bluetooth is a wireless protocol for exchanging data over short distances and for creating personal area
networks (PANs). It is a standard for short-range radio communication. It was originally developed in 1994
by Ericsson, a mobile phone manufacturer [1]. Embedded Bluetooth capability is widely used in many types
of device, such as PDAs, computer peripherals (mice, keyboards, joysticks, cameras, printers, LAN access
points, etc.), cell phones, audio peripherals and many other applications [1]. The radio technology used in
Bluetooth is FHSS (Frequency Hopping Spread Spectrum), which transmits the data in small chunks while
hopping over all 79 channels. To reduce interference, Bluetooth uses an AFH (Adaptive Frequency Hopping)
mechanism: frequency hopping works within the available spectrum to make the best use of the channels
that are free at the moment. This gives more efficient transmission within the spectrum and better
performance for users, even when other technologies are in use alongside Bluetooth. The maximum range of
a Bluetooth radio is 10 m, but it can be extended to 100 m by using amplifiers. The data rate achieved is
1 Mb/s. The Bluetooth standard operates in the ISM band around 2.4 GHz, which is available unlicensed
worldwide [2].
1.1 History
The name "Bluetooth" and its logo are trademarks of an association named the Bluetooth SIG (Bluetooth
Special Interest Group). The promoter members of this technology are Microsoft, Ericsson, IBM, Intel, Agere,
Motorola, Nokia and Toshiba, together with thousands of other members. The word "Bluetooth" is taken from
the 10th century Danish king Harald Bluetooth, who united Scandinavia during an era when the region was
fragmented. The technology was first introduced in Scandinavia, and it brings together different industries
such as cell phones, computing and the automotive market. The Bluetooth SIG officially introduced the first
core specification version in 1998. Cable replacement was the original intended purpose of Bluetooth
technology. A lot has changed since the first version. In 2003 the Bluetooth SIG announced version 2.1. In
2004, Bluetooth version 2.0+EDR was introduced, and devices using this version reached the market in 2005.
1.2 Bluetooth Versions
Many Bluetooth versions have been released since the technology was introduced in 1998. The earliest
versions, 1.0 and 1.0B, had many problems; the main one was a lack of interoperability among devices. The
first successful core version was 1.1, which corrected many of the problems found in the earliest versions.
Version 1.2 followed. It is directly backward compatible with Bluetooth 1.1 and also reduces radio
interference by using adaptive frequency hopping (AFH). It has a transmission speed of 1 Mbps. It improves
the voice quality of audio connections by enabling retransmission of corrupted data, and it adds the
Received Signal Strength Indicator (RSSI) to the specification.
The next version, 2.0 or EDR (Enhanced Data Rate), was introduced by the Bluetooth SIG in June 2004 and
appeared in Bluetooth devices in late 2005. Its data rate is up to 3 times faster than the original Bluetooth
specification. It provides enhanced multiple connectivity, allowing the end user to run multiple Bluetooth
devices at the same time. As a result, Bluetooth PANs (BPANs) will become more common: using this
specification a user can synchronize a Bluetooth-enabled computer with a Bluetooth PDA while at the same
time listening to music over Bluetooth wireless headphones.
2. System Architecture
The architecture defines how Bluetooth devices group themselves for communication. A Bluetooth
Wireless Personal Area Network (BT-WPAN) consists of two sub-architectures:
1) Piconet
2) Scatternet
2.1 Piconet
The piconet is the basic unit of communication in Bluetooth. A piconet is an ad hoc network of up to eight
active Bluetooth devices. One device acts as the master while the rest (up to seven active devices) act as
slaves, or secondary devices [2]; there is, however, no limit on the total number of devices in a piconet. If
there are more than seven slaves in a piconet, the remaining slaves must be in the "parked" state. The upper
limit on parked slaves in one piconet is 255 with the direct addressing scheme [1]. To bring a parked slave
back into the active state, the master must first place a currently active slave into the parked state. Two
Bluetooth devices start communicating when they come into radio range of each other. If no piconet is
available at that time, a negotiation process takes place: one device becomes the master and the other
becomes a slave [1]. All devices in a piconet communicate with each other through the master. For
communication, all devices synchronize their hopping sequence with the master. The master is also
responsible for telling the slaves to switch to different states during inactive periods. The master radio
shares its global ID and clock information with each slave in its piconet. When a new node joins a piconet,
it first recreates the frequency hopping sequence of that piconet: the slave must learn the hop frequencies
and then synchronize itself with the master's clock. To connect two or more piconets, a gateway (bridge) is
used for multi-hop communication. The bridge communicates with all the piconets it connects to by
synchronizing with each piconet when it is ready to communicate; however, a bridge can communicate with
only one piconet at a time. The bridge device can be a slave in all piconets, or a master in one piconet and
a slave in the others. The frequency hopping sequence and the polling order of the slaves are selected by
the master. The maximum range within one piconet is 10 m, and the maximum data transfer rate is between
400 and 700 Kbps, depending on whether a synchronous or asynchronous connection is used [7]. Each
piconet has its own hopping channel [6]. The following figure shows the architecture of a piconet.
Figure. 1: Piconet in Bluetooth
A Bluetooth transceiver uses all 79 channels and follows a random hop sequence over them at 1600 hops
per second for standard transmissions [1]. Amplifiers can be used to extend the radio range up to
100 meters. Note that the Bluetooth specification uses time division duplexing (TDD) and time division
multiple access (TDMA) for device communication within one piconet or in a scatternet scenario [1]. The
duration of each time slot is 625 microseconds.
Basically there are two types of communication in a piconet: single secondary communication and multiple
secondary communication [12].
2.1.1 Single secondary communication:
If there is only one secondary (slave) device in a piconet, TDMA operation is very simple: time is first
divided into 625 microsecond slots. The primary device uses the even-numbered slots while the secondary
uses the odd-numbered slots, so communication in this scenario is half duplex. In slot 0 the primary device
sends and the slave receives; in slot 1 the secondary (slave) sends and the primary receives. Single
secondary communication is shown in the figure below.
[Figure: in slot F0 the primary device sends a frame to the secondary; in slot F1 the secondary sends a
frame to the primary. The master uses the even-numbered slots and the secondary the odd-numbered slots.]
Figure. 2: Single secondary communication
2.1.2 Multiple secondary communications.
In this case the primary again uses the even-numbered slots, but a secondary sends in the next odd-numbered
slot only if the packet in the previous slot was addressed to it. All the secondary devices listen in each
even-numbered slot, and only one secondary device sends in any odd-numbered slot. The following figure
shows the operation.
Figure. 3: Multiple Secondary communications
In slot 0 the master (primary) sends a frame to secondary 1.
In slot 1 only secondary 1 sends a frame to the primary, because the previous frame was sent to it; the other
secondaries remain silent.
In slot 2 the primary sends a frame to secondary 3.
In slot 3 only secondary 2 sends a frame to the primary. The cycle continues in this way.
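The polling rule above, as an added illustration that is not code from the chapter: a small Python model in which the master transmits only in even-numbered 625 microsecond slots, every slave listens, and only the slave just addressed answers in the following odd slot. The device names, the polling order and the hop_channel function are constructed sample values, not the specification's hop selection.

```python
"""Slot-level model of TDD/TDMA polling in a Bluetooth piconet.

Added illustration, not code from the chapter.  The master transmits in
even-numbered 625 us slots and addresses one slave; all slaves listen in
even slots, but only the slave addressed in slot 2k transmits in slot 2k+1.
Device names, the polling order and hop_channel() are constructed.
"""
from dataclasses import dataclass

SLOT_US = 625           # slot duration from the chapter (1600 slots per second)
N_CHANNELS = 79         # hop channels used by the transceiver
MAX_ACTIVE_SLAVES = 7   # at most seven active slaves per piconet


@dataclass(frozen=True)
class Frame:
    sender: str
    receiver: str


class Slave:
    """A slave that follows the piconet rule: speak only when just polled."""

    def __init__(self, name):
        self.name = name
        self._polled = False

    def hear(self, frame):
        # Every slave listens in even slots and remembers if it was addressed.
        self._polled = frame.receiver == self.name

    def may_send(self):
        allowed, self._polled = self._polled, False
        return allowed


def hop_channel(master_clock):
    # Constructed stand-in for the hop selection kernel: one hop per slot,
    # derived from the master clock that every slave synchronises to.
    return (master_clock * 23 + 5) % N_CHANNELS


def simulate(slave_names, polling_order, n_slots):
    """Return a list of (slot, start_us, channel, transmitters) entries."""
    if not 0 < len(slave_names) <= MAX_ACTIVE_SLAVES:
        raise ValueError("a piconet has 1..7 active slaves")
    if set(polling_order) - set(slave_names):
        raise ValueError("polling order names a device outside the piconet")
    slaves = {name: Slave(name) for name in slave_names}
    log = []
    for slot in range(n_slots):
        start_us = slot * SLOT_US
        channel = hop_channel(slot)
        if slot % 2 == 0:
            # Master's turn: poll the next slave in the order it chose.
            target = polling_order[(slot // 2) % len(polling_order)]
            frame = Frame("master", target)
            for slave in slaves.values():
                slave.hear(frame)
            senders = ["master"]
        else:
            # Slaves' turn: only the one polled in the previous slot answers.
            senders = [name for name, s in slaves.items() if s.may_send()]
        log.append((slot, start_us, channel, senders))
    return log


def collisions(log):
    """Slots in which more than one device transmitted (expected: none)."""
    return [entry[0] for entry in log if len(entry[3]) > 1]
```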
2.2 Scatternet
Overlapping piconets are called a scatternet. A scatternet is a number of interconnected piconets that
supports communication between more than 8 devices. A scatternet is formed when a member of one piconet
is also a member, either slave or master, of another piconet. The device participating in both piconets can
relay data between members of both ad hoc networks. Using this approach, it is possible to combine more
than one piconet to form a scatternet and so expand the physical size of the network beyond Bluetooth's
limited range. More than one device can be a member of more than one piconet [2]. The following figure
shows a piconet 1 in which two slave devices act as masters in two other piconets.
[Figure: three overlapping piconets, Piconet 1, Piconet 2 and Piconet 3]
Figure.4: Scatternet formation
2.2.1 Range:
The operating range of Bluetooth depends on the device class:
Class 3 radios – range up to 1 meter.
Class 2 radios – range up to 10 m, commonly found in mobile devices.
Class 1 radios – range up to 100 m, used primarily in industrial use cases.
As mentioned earlier, the most commonly used Bluetooth radio is class 2, which consumes 2.5 mW of power.
Bluetooth is designed for very low power consumption; the specification states that the radio of a
Bluetooth device should be powered down during inactive periods.
2.3 Security Architecture.
Security is a major issue in a wireless environment. In general, the Bluetooth security architecture has
three modes: non-secure, service level enforced security and link level enforced security [10].
Non-secure
In this mode a Bluetooth device does not initiate any security measures; no security procedures are
applied at all.
Service level enforced security
In this mode a Bluetooth device can establish a non-secure ACL link. Authentication, authorization and
encryption are initiated only when an L2CAP connection-oriented or connectionless channel request is
made [10].
Link level enforced security
In this mode a Bluetooth device invokes the security procedures before the channel is established.
Authentication establishes the identity of the device or device user. Authorization is concerned with
whether or not to grant access to network resources, and encryption transforms the data into a form that
cannot be understood by anyone who intercepts it.
2.3.1 Bluetooth Security Risks
Some of the security risks are:
Bluejacking
Bluesnarfing
Backdoor attacks
Cabir worm
Bluejacking: This is the process by which a Bluetooth-enabled device receives unsolicited messages or
business cards. In non-discoverable mode, Bluetooth devices are not susceptible to bluejacking. The
sending and receiving devices have to be within 10 meters of each other for bluejacking to work. While
this method has been widely used for promotional purposes, Bluetooth users should be careful not to store
the received contact in their address book. Although bluejacking is not done with malicious intent,
repetitive and redundant messages can annoy the user and can render the product inoperable, and they may
open the door to social engineering attacks.
Bluesnarfing: This is a method used for hacking; it steals information such as the contact book, calendar
or anything else stored in the memory of a Bluetooth-enabled phone. When the Bluetooth device is in
non-discoverable mode it is difficult to find and attack. However, many tools for stealing information from
Bluetooth-enabled mobile phones are available on the web, and knowledge of their usage is growing.
Companies such as Nokia and Sony Ericsson are trying to produce phones that are not vulnerable to
bluesnarfing.
Backdoor attacks: A backdoor attack uses the "pairing" mechanism to establish a trust relationship while
ensuring that it does not appear in the target's register of paired devices. Unless the owner happens to be
looking at the list of devices at the precise moment the connection is established, they are unlikely to
notice anything unusual, and the attacker is free to use any resources through the trusted relationship.
This means the attacker can not only access data on the phone but also use services such as the modem,
internet, WAP and GPRS without the owner's knowledge or permission.
Cabir worm: This is malicious software that pushes itself to available Bluetooth devices using Bluetooth
technology. According to the Bluetooth SIG (2006), mobile phones with the Symbian Series 60 user
interface platform and Bluetooth wireless technology are affected by the Cabir worm. However, the user
has to manually accept the worm and install the malware for the phone to become infected. Cabir shows that
it is feasible to write mobile viruses and spread them over Bluetooth, and it may encourage hackers to
write further Bluetooth viruses [10].
2.4 Connection establishment
During connection establishment a Bluetooth device is in one of the following states: standby, inquiry,
page, connected, transmit, hold, park or sniff.
a. Standby state
A device is said to be in standby mode when it is powered on but has not yet joined a piconet.
b. Inquiry state
A device enters the inquiry state when it sends out a request to devices in a piconet to which it wants to
connect.
c. Page state
A master in a piconet can be in the page state, sending out messages looking for devices that it can invite
to join its own piconet.
d. Connected state
A new device acting as a slave is said to be in the connected state once it is communicating successfully
with the master and has received an active address.
e. Transmit state
When a slave device transmits data to the master, the slave is in the transmit state. At the end of its
transmission it returns to the connected state.
f. Sniff state
This is a power saving state. The slave sleeps until its pre-allocated time slot and wakes up at its
appointed slot for data transmission.
g. Hold state
This is another low power state, in which the slave is inactive for a predetermined amount of time. No data
transmission can occur in the hold state.
h. Park state
When a slave device has no data to send or receive, the master compels the slave to enter the park state. In
the park state the slave remains part of the piconet but does not send or receive data. The above states can
be represented pictorially as follows.
[Figure: state diagram with the states Standby (Unconnected); Inquiry, Page, Page Scan, Master and Slave
(Connecting States); Connected and Transmit (Active States); Hold, Sniff and Park (Low Power States)]
Figure. 5: Bluetooth States diagram
3. Protocol stack
The complete Bluetooth protocol stack is shown in the figure below. The Bluetooth radio operates at
2.4 GHz, in an unlicensed ISM band.
3.1 Base-band Layer
The Base-band and Link Control layer establishes the physical link to other Bluetooth units by forming a
piconet. The Base-band layer handles synchronization and the frequency hopping sequence [6]. This layer
also provides two link types, Synchronous Connection-Oriented (SCO) and Asynchronous Connectionless
(ACL). SCO links are used for audio and ACL links are used for data only.
3.2 Link Manager Protocol
The Link Manager Protocol is responsible for link establishment between Bluetooth units. It controls and
negotiates data packet sizes during data transmission [6]. It also deals with power management, link
control and security issues, i.e. the keys used for authentication and for encryption and decryption.
3.3 HCI (Host Controller Interface)
The HCI is the interface used to access the Bluetooth hardware, as shown in the figure. It provides a
command interface to the Base-band controller and the Link Manager, and a way to read hardware status.
3.4 L2CAP (Logical Link Control and Adaptation Protocol)
L2CAP provides connection-oriented and connectionless services to the upper layers of the protocol stack.
It handles multiplexing, segmentation and reassembly, QoS and related issues.
3.5 RFCOMM
RFCOMM is a serial port emulation protocol for applications that use a serial port. It emulates RS-232
control and data signals over the Base-band layer and also provides transport services to the upper
layers [6].
3.6 SDP (Service Discovery Protocol)
SDP defines how a client can search for an application or service without prior knowledge of that
particular service or application. It provides a mechanism for discovering new services as they become
available when a client finds a Bluetooth server, and it is also used for detecting that a service is no
longer available [9].
3.7 TCS Binary (Telephony Control-Binary)
TCS Binary is a bit-oriented protocol. It handles speech and data calls between Bluetooth units and also
handles signaling information not related to ongoing calls.
3.8 PPP (Point-to-Point Protocol)
PPP is a packet-oriented protocol used for packet data streams. PPP runs over RFCOMM to establish
point-to-point connections.
3.9 UDP/TCP/IP
These standard protocols allow a Bluetooth unit to communicate with the other Bluetooth units connected
to it. "A Bluetooth unit can act as a bridge in an internet scenario. The TCP/IP/PPP protocol
configuration is used for internet bridge usage scenarios in Bluetooth 1.0 and OBEX in future versions".
Bluetooth supports many AT commands for transmitting telephony control signals over the serial ports
based on RFCOMM [6].
[Figure: protocol stack, top to bottom: Application (Application Group); UDP/TCP/IP, AT commands, OBEX,
PPP, TCS, RFCOMM, SDP (Transport protocol Group); Host Controller Interface; L2CAP, Audio, Link Manager
(Transport protocol Group); Base-band; Radio Layer]
Figure. 6: Bluetooth protocol Stack
4. Frame Format
A Bluetooth packet has the following format [1]. Basically it has three parts: access code, header and
payload. The frame format is shown in the figure below.
4.1 Access Code
It contains 72 bits. It normally contains synchronization bits and an identifier that separates the frames
of one piconet from those of another.
Figure. 6: Packet header format
4.2 Header
The header is actually 18 bits, but it is repeated three times. The header contains the following fields:
address, type, F, A, S and HEC (header error correction).
Address (ADD): It can identify up to 7 slaves. If the address is 0, the packet is a broadcast from the
primary to all slaves in the piconet.
Type: Defines the type of data coming from the upper layers.
F: A one-bit field used for flow control.
A: A one-bit field used for acknowledgment.
S: A one-bit field used as a sequence number.
HEC: Header error correction, an eight-bit checksum field used to detect errors in each 18-bit header
section.
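The header format described above, as an added Python example that is not part of the chapter. It assumes the field widths ADD 3 bits and TYPE 4 bits from the Bluetooth baseband specification (the chapter gives only the 18-bit total and the three 1-bit flags), models the triple repetition as bit-level repetition with majority voting, and uses an illustrative CRC-8 in place of the real HEC generator, which is not reproduced here.

```python
"""Encoder and decoder for the 18-bit packet header discussed above.

Added example, not code from the chapter.  Field widths: ADD 3 bits
(0 = broadcast, 1..7 = slave), TYPE 4, F 1, A 1, S 1, HEC 8 (the 3/4 split
of ADD/TYPE is taken from the baseband specification).  The header is sent
three times, modelled here as bit repetition, so the receiver majority-votes
each bit and then uses the HEC to detect the errors the vote cannot fix.
The CRC-8 polynomial is an illustrative stand-in for the real HEC generator.
"""

FIELDS = (("addr", 3), ("type", 4), ("flow", 1), ("arqn", 1), ("seqn", 1))
HEC_BITS = 8
HEADER_BITS = sum(w for _, w in FIELDS) + HEC_BITS   # 18 bits
REPEAT = 3                                           # header sent three times


def crc8(bits, poly=0x07):
    """Illustrative CRC-8 over a bit list (MSB first); any single-bit change
    to the input changes the result, which is what the HEC check relies on."""
    reg = 0
    for b in bits:
        feed = ((reg >> 7) & 1) ^ b
        reg = (reg << 1) & 0xFF
        if feed:
            reg ^= poly
    return reg


def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def pack_header(addr, type_, flow, arqn, seqn):
    """Build the 18 header bits: the five fields followed by the HEC."""
    values = {"addr": addr, "type": type_, "flow": flow, "arqn": arqn, "seqn": seqn}
    bits = []
    for name, width in FIELDS:
        if not 0 <= values[name] < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        bits += to_bits(values[name], width)
    return bits + to_bits(crc8(bits), HEC_BITS)


def fec13_encode(bits):
    """1/3-rate repetition: each header bit is transmitted three times."""
    return [b for b in bits for _ in range(REPEAT)]


def fec13_decode(coded):
    """Majority vote over each triple; corrects one error per triple."""
    if len(coded) != REPEAT * HEADER_BITS:
        raise ValueError("coded header must be 54 bits")
    return [1 if sum(coded[i:i + REPEAT]) * 2 > REPEAT else 0
            for i in range(0, len(coded), REPEAT)]


def parse_header(bits):
    """Verify the HEC and split the fields.  Returns (ok, fields or None)."""
    if len(bits) != HEADER_BITS:
        raise ValueError("header must be 18 bits")
    body, hec = bits[:-HEC_BITS], from_bits(bits[-HEC_BITS:])
    if crc8(body) != hec:
        return False, None            # residual error: drop the packet
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = from_bits(body[pos:pos + width])
        pos += width
    fields["broadcast"] = fields["addr"] == 0   # ADD 0 = master to all slaves
    return True, fields


def flip(bits, positions):
    """Constructed channel model: invert the bits at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out
```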
4.3 Payload:
This part of the frame contains the data or control information coming from the upper layers of the protocol stack.
5. Bluetooth Profiles
Profiles are the behaviours through which Bluetooth devices communicate with each other. To connect one
or more devices to each other, Bluetooth must support some Bluetooth profiles. Profiles define the possible
applications and show how the technology is to be used for each specific device. For example, the File
Transfer Profile defines file transfer between a Bluetooth-enabled PDA and other devices such as cell
phones or laptops. At the development stage the manufacturer assigns specific Bluetooth profiles to a
particular device [11]. When a Bluetooth device communicates with another device, both devices must use
and share at least one common Bluetooth profile.
For example, to use a Bluetooth-enabled headset with a Bluetooth-enabled cell phone, both devices must
support the Headset Profile. The HS (headset) profile specifies how headsets and cell phones use Bluetooth
technology to connect to one another. Every Bluetooth profile contains information on the following
issues:
Dependencies on other profiles.
Recommended user interface formats.
The particular part of the protocol stack used by the profile.
Many Bluetooth devices have only a few profiles; for example, a Bluetooth headset will use only the Headset
Profile (HS) and not others such as the LAN Access Profile [11].
Currently 25 Bluetooth profiles are available, and all of them are in use. The SIG continues working on the
development of new Bluetooth profiles. A Bluetooth-enabled printer used for basic printing has just a
printing profile, but a PDA with this technology may be more complicated: a Bluetooth-enabled PDA has
many profiles, such as the Synchronization Profile, LAN Access Profile, File Transfer Profile and many
others.
5.1 Some available Bluetooth profiles
All Bluetooth devices have a common profile named the "foundation profile" on which all other profiles
depend. It is also called the Generic Access Profile (GAP). It is used for detecting other Bluetooth devices
and for link management, and it also addresses security aspects [11].
Some commonly used Bluetooth profiles are listed below:
Generic Access Profile (GAP)
Service Discovery Application Profile (SDAP)
Cordless Telephony Profile (CTP)
Intercom Profile (ICP)
Serial Port Profile (SPP)
Headset Profile (HSP)
Dial-up Networking Profile (DUN)
Fax Profile (FAX)
Generic Object Exchange Profile (GOEP)
Object Push Profile (OPP)
File Transfer Profile (FTP)
Synchronization Profile (SP)
References
[1] P. McDermott-Wells, "What is Bluetooth?", IEEE Potentials, vol. 23, no. 5, Dec. 2004-Jan. 2005, pp. 33-35, DOI 10.1109/MP.2005.1368913.
[2] R.A. Rashid and R. Yusoff, "Bluetooth Performance Analysis in Personal Area Network (PAN)", International RF and Microwave Conference (RFM 2006), 12-14 Sept. 2006, pp. 393-397, DOI 10.1109/RFM.2006.331112.
[3] T. OConnor and D. Reeves, "Bluetooth Network-Based Misuse Detection", Annual Computer Security Applications Conference (ACSAC 2008), 8-12 Dec. 2008, pp. 377-391, DOI 10.1109/ACSAC.2008.39.
[4] E. Bayaki, L. Lampe and R. Schober, "Performance Evaluation of Bluetooth Systems With LDI, Modified LDI, and NSD Receivers", IEEE Transactions on Vehicular Technology, vol. 57, no. 1, Jan. 2008, pp. 157-168, DOI 10.1109/TVT.2007.905613.
[5] S. Chakrabarti, Liyun Wu, Son Vuong and V.C.M. Leung, "A remotely controlled Bluetooth enabled environment", First IEEE Consumer Communications and Networking Conference (CCNC 2004), 5-8 Jan. 2004, pp. 77-81, DOI 10.1109/CCNC.2004.1286836.
[6] Yabin Liu, Shouqian Yu, Weihai Chen and Wei Li, "Wireless Communication Technology Based on Bluetooth and Its Application to a Manipulator", IEEE International Conference on Industrial Informatics, 16-18 Aug. 2006, pp. 1251-1256, DOI 10.1109/INDIN.2006.275819.
[7] P. McDermott-Wells, "Bluetooth Scatternet models", IEEE Potentials, vol. 23, no. 5, Dec. 2004-Jan. 2005, pp. 36-39, DOI 10.1109/MP.2005.1368914.
[8] Chorng-Horng Yang and Yen-Chun Chin, "An Efficient Reformation Approach for Survivable Bluetooth Piconets with Master Mobility", IEEE Region 10 Conference (TENCON 2006), 14-17 Nov. 2006, pp. 1-4, DOI 10.1109/TENCON.2006.344009.
[9] F. Zhu, M. Mutka and L. Ni, "Splendor: A Secure, Private, and Location-aware Service Discovery Protocol Supporting Mobile Services", 1st IEEE Annual Conference on Pervasive Computing and Communications, Fort Worth, Texas, 2003.
[10] Colleen Rhodes, "Bluetooth Security", East Carolina University.
[11] www.bluetomorrow.com
[12] Behrouz A. Forouzan, "Data Communications and Networking" (book).