Performance Evaluation of Bluetooth Security Mechanisms for Handheld Devices

Georgios Kambourakis *, Alexis Andreadis, Charalampos Paganos, Angelos Rouskas and Stefanos Gritzalis

Department of Information and Communication Systems Engineering
University of the Aegean, Karlovassi, GR-83200 Samos, Greece
Tel: +30-22730-82247 Fax: +30-22730-82009
* Corresponding author email: {gkamb}@aegean.gr

Abstract— The Bluetooth standard has long been criticized for various vulnerabilities and security inefficiencies, as its designers try to balance performance against complementary services, including security. On the other hand, well-respected security protocols like IP security (IPsec) and Secure Shell (SSH) provide robust, low-cost and easy-to-implement solutions for exchanging data over insecure communication links. Although the deployment of these mechanisms is a well-established and accustomed practice in the wireline world, more research effort is needed for wireless links, due to several limitations of radio-based connections, especially for handheld devices, e.g. link unreliability, bandwidth, low processing power and battery consumption. This paper focuses on performance rather than on security, evaluating the efficiency of these de facto security protocols over Bluetooth connections when low-end handheld devices are utilized. Several Personal Area Network (PAN) parameters, including absolute transfer times, link capacity and throughput, are evaluated. Our experiments employ both Bluetooth native security mechanisms and the two aforementioned protocols. Through a plethora of scenarios we offer a comprehensive, in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth links.

Index Terms— Bluetooth; Performance evaluation; Security; Security modes; IPsec; SSH.

I. INTRODUCTION

Bluetooth technology has already become the de facto standard for replacing short-range wired communications using radio technology [1]. According to estimations, devices incorporating Bluetooth are predicted to quadruple in number between now and 2008, from under 100m to about 440m. As a result, Bluetooth-enabled devices are used in several different environments and cover a wide variety of applications. For instance, in mobile applications, a handheld device (e.g. smartphone, palmtop) periodically connects to the network to download music, to transfer files or to synchronize calendar and other files with one's laptop [2]. Consequently, the security of these applications and of the private information stored on the handheld devices becomes a prominent issue. Thus, security features [3, 4] must be carefully considered and analyzed in order to decide whether Bluetooth technology indeed provides the right answer for any particular task or application. Until now, both the Bluetooth Special Interest Group (SIG) [5] and several researchers have made a great contribution to Bluetooth security aspects, discovering numerous vulnerabilities and potential weaknesses and proposing solutions.

An obvious choice for any Bluetooth application would be to use the Bluetooth encryption provided at the link layer. Virtually all Bluetooth devices support this feature, and it is, in most cases, considered to be secure. However, this does not apply to all deployment scenarios. In order to establish a secure channel with another Bluetooth device, a pre-shared secret, called a PIN, is needed. A symmetric key is generated from this PIN. On consumer devices this PIN usually consists of 4 or 5 digits. Supposing a whole piconet were to use this PIN to encrypt its communication, anyone knowing this PIN could theoretically decrypt all communication.
On top of that, in applications like VoIP that mandate IP connectivity to Access Points (APs), the encryption would end at the AP, which means that the AP, or any host that can manipulate the communication between the Mobile Device and the other end, can expose the data (see Figure 1). Thus, it is obvious that Bluetooth encryption is not well suited for all applications that may use Bluetooth connections.

Figure 1. Scenario that requires upper layer security

Under these circumstances, the investigation of complementary and advanced security protocols, apart from Bluetooth's native security mechanisms, is an interesting research issue. First, as Bluetooth wireless technology targets devices with particular needs and constraints (e.g. processing power and battery consumption), the trade-offs between security services and performance must be carefully considered. Moreover, as radio links generally suffer from limited bandwidth and are unreliable by nature, performance issues must be thoroughly investigated to decide whether certain security protocols and their mechanisms are advantageous over Bluetooth connections, delivering robust and agile security services within tolerable service response times.