Bluetooth Security

inquiry and paging must be handled a little bit differently than for nonanonymous devices. This is primarily handled by using three different connectable modes: connectable mode, private connectable mode, and general connectable mode. The secure identification in anonymity mode is built on the usage of the alias addresses and the so-called alias authentication. Also, the pairing has to be slightly changed in order to allow anonymous devices to securely page and identify each other. All these new features mean that some additional control signaling is needed and that some new LMP commands need to be defined.

8.2 Address usage

In this section, the addresses and address usage for devices supporting the anonymity mode are described. In contrast to ordinary Bluetooth, fixed addresses cannot be used for all purposes. Therefore, new addresses are introduced, and the device address is used somewhat differently than in the Bluetooth 1.2 specification. This also means that a slightly different terminology is used. The anonymity mode makes use of three different kinds of device addresses:

1. Fixed device address, BD_ADDR_fixed;

2. Active device address, BD_ADDR;

3. Alias addresses, BD_ADDR_alias.

In the following sections, the different addresses and how they are used in the anonymity mode are discussed.

8.2.1 The fixed device address, BD_ADDR_fixed

Each Bluetooth transceiver is allocated a unique 48-bit Bluetooth device address (BD_ADDR_fixed)¹ from the manufacturer. The BD_ADDR_fixed consists of three parts: LAP, UAP, and NAP. Figure 7.3 in Chapter 7 shows the address field sizes and the format. The fixed address is derived from the IEEE 802 standard [1]. The LAP and UAP form the significant part of the BD_ADDR.

The fixed address is used to allow a device to directly page another device that it has previously been paired with. Without a fixed address that can be used for this purpose, the devices would always need to repeat the inquiry procedure. Obviously, this would result in very slow connection setup. However, in order not to jeopardize the anonymity, these addresses shall only be used between trusted devices (see Section 8.6).

¹ This address corresponds to the ordinary Bluetooth device address.

Providing Anonymity

8.2.2 The active device address, BD_ADDR

The BD_ADDR is the active device address, and anonymous devices regularly update this address (more detail is given below). Devices not supporting the anonymity mode or devices in nonanonymous mode only use one address, BD_ADDR. Actually, for such devices the BD_ADDR always equals the BD_ADDR_fixed (see previous section).

Anonymous devices use the active address as a replacement for an ordinary fixed address for connection establishment and communication. Since the address is changed all the time, it will not be possible to track a device based on this address.

The BD_ADDR has exactly the same format as BD_ADDR_fixed and consists of three parts: LAP, UAP, and NAP. The UAP and NAP parts are fixed and shall be set to a value that is not device specific. In particular, they can be chosen to a value that does not overlap with any company-assigned IEEE MAC address space [1]. This is accomplished, for example, by using the locally assigned IEEE MAC address space [1]. The LAP part of the BD_ADDR needs to be chosen uniformly at random. It can take any value except the 64 reserved LAP values for general and dedicated inquiry, that is, values from 0x9E8B00 to 0x9E8B33.

In order to combat the location tracking threat, anonymous devices regularly update the active LAP. The rules for when the address shall be updated are given below. A LAP value is generated by selecting uniformly at random any value between 0x000000 and 0xFFFFFF. If the value falls within the reserved LAP range, that is, values from 0x9E8B00 to 0x9E8B33, a new random LAP value is generated. This procedure is repeated until a value outside the range is obtained.

The LAP updating is determined by two time parameters. The parameters are:

1. Update period, TADDR update;

2. Time period reserved for inquiry, TADDR inquiry period.

The update period specifies how often the device shall attempt to update the active address. The parameter TADDR inquiry period specifies how long a device must wait before it is allowed to update the active address after it has sent the current address in an inquiry response message.

The basic principle is that a device shall update the address every TADDR update seconds. However, if this updating occasion happens to be when the device has just sent the current address in an inquiry response, any unit trying to connect to the anonymous device would fail with its connection request. For this reason the updating waiting period defined by the second parameter, TADDR inquiry period, has been introduced. In addition, there shall be no update if the device is acting as a master device and has connections with devices not supporting the anonymity mode. Otherwise, the CAC (channel access code, which is derived from the master's LAP) would change, and the legacy devices would immediately lose the connection when the CAC is changed. These facts provide the motivation for the rules used for updating the active address.

The detailed updating rules are shown in the flow diagram in Figure 8.1. The updating flow is as follows:

1. A new LAP is always generated at power-up.

2. Two time variables are set, t1 = 0 and t2 = TADDR inquiry period + 1. t1 measures the general updating intervals and t2 measures the time from the last use of the "old address" in an inquiry response. (At the start, t2 is set to a value greater than the defined updating waiting period after an inquiry response, TADDR inquiry period.)

3. The BD_ADDR is updated and the first timer t1 is started.

4. A loop is created where the timer t1 is continuously checked. If the timer exceeds the updating period, TADDR update, the looping process stops. If an inquiry response message is returned during the execution of the loop, the second timer t2 is set to zero and started.

5. If t2 is less than or equal to TADDR inquiry period, return to the loop in step 4.

6. If the device has no existing connections, a new LAP is generated, followed by a jump to step 2.

7. A new loop is entered. The loop runs as long as the device has any connection with a device not supporting the anonymity mode or any parked device, or if the device is parked itself. If there are no connections when the loop ends, a new LAP is generated, followed by a jump back to step 2.

8. A new LAP is generated. If the device is not a master in any piconet, the new (not yet updated) BD_ADDR is sent to all connected devices using the new LMP command, LMP active address (see Section 8.7). Then jump to step 2. Otherwise, continue with step 9.

9. The switch instant, Ts, is chosen. It should be chosen such that the master will be able to inform all connected slaves of the new BD_ADDR before the instant is reached. Next the master sends the new BD_ADDR (not yet updated) and the switch instant Ts to all slaves using the new LMP command LMP active address (see Section 8.7). When the instant is reached, jump back to step 2.
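The random LAP generation described in Section 8.2.2 and the nine updating steps above, modelled as a small discrete-time state machine. This is an added example, not code from the book or from any Bluetooth stack; the class name, the `connections` representation (a list of `(supports_anonymity_mode, is_parked)` pairs), the `ts_offset` used to choose Ts, and the constructed NAP/UAP value `0x020000` are assumptions made here, and LMP signalling is only indicated in comments.

```python
import random

# The 64 LAP values reserved for general/dedicated inquiry (0x9E8B00..0x9E8B33) may never be used.
RESERVED_LAP = range(0x9E8B00, 0x9E8B34)
# Constructed, non-device-specific upper 24 bits (NAP + UAP) outside company-assigned IEEE space.
NAP_UAP = 0x020000

def generate_lap(rng=random):
    """Draw a 24-bit LAP uniformly at random, rejecting any value in the reserved inquiry range."""
    while True:
        lap = rng.getrandbits(24)
        if lap not in RESERVED_LAP:
            return lap

class ActiveAddress:
    """Discrete-time model of the Figure 8.1 updating rules; all times in seconds."""
    def __init__(self, t_update, t_inquiry, rng=random):
        self.t_update, self.t_inquiry, self.rng = t_update, t_inquiry, rng
        self.now, self.pending = 0, None       # pending = (new LAP, switch instant Ts) for a master
        self._switch(generate_lap(rng))        # steps 1-3: new LAP at power-up, timers reset
    @property
    def bd_addr(self):
        return (NAP_UAP << 24) | self.lap
    def inquiry_response_sent(self):
        self.t2 = 0                            # step 4: current address was just disclosed, restart t2
    def _switch(self, lap):
        """Steps 2-3: adopt the new LAP and reset both timers."""
        self.lap, self.t1, self.t2, self.pending = lap, 0, self.t_inquiry + 1, None
        return self.bd_addr
    def tick(self, dt, connections=(), is_master=False, parked=False, ts_offset=2):
        """Advance time by dt; return the new BD_ADDR when a switch happens, else None.
        connections: list of (supports_anonymity_mode, is_parked) per connected device."""
        self.now, self.t1, self.t2 = self.now + dt, self.t1 + dt, self.t2 + dt
        if self.pending:                       # step 9: master waits for the switch instant Ts
            lap, ts = self.pending
            return self._switch(lap) if self.now >= ts else None
        if self.t1 <= self.t_update or self.t2 <= self.t_inquiry:
            return None                        # steps 4-5: not due yet, or inquiry response too recent
        legacy = any(not anon for anon, _ in connections)
        any_parked = parked or any(p for _, p in connections)
        if connections and (legacy or any_parked):
            return None                        # step 7: keep looping; a switch would change the CAC
        new_lap = generate_lap(self.rng)       # steps 6-8
        if connections and is_master:
            self.pending = (new_lap, self.now + ts_offset)  # LMP active address (addr, Ts) to slaves
            return None
        return self._switch(new_lap)           # LMP active address (addr) to connected units, if any
```

Calling `tick()` once per second with the current connection state reproduces the flow diagram; a legacy or parked peer keeps the address frozen, and a master only switches once its announced instant Ts is reached.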

[Figure 8.1, flow diagram (image not reproduced). Nodes in order: Power up → Generate new LAP → t1 = 0, t2 = TADDR inquiry period + 1 → Update BD_ADDR, start timer t1 → "t1 > TADDR update?" (No: loop; Yes: continue) → "Inquiry response?" (Yes: t2 = 0, start timer t2) → "t2 > TADDR inquiry period?" (No: loop) → "Any existing connections?" (No: Generate new LAP, back to start) → "Connection with unit not supporting the anonymity mode?" (Yes: wait) → "Connection with parked unit or parked itself?" (Yes: wait) → Generate new LAP → "Master unit in any piconet?" (No: Send new BD_ADDR to connected units, back to start; Yes: Set address switch instant time, Ts → Send new BD_ADDR and Ts (only to slaves) → "Switch instant reached?" → back to start).]

Figure 8.1 The BD_ADDR updating rules.