Bluetooth Gains Direct Internet Access, Security Enhancements

jfruh writes: The Bluetooth spec never quite became the worldbeater it was billed as, but it's aiming to become indispensible to the Internet of Things. Updates to the spec make it possible for low-powered Bluetooth devices to gain direct access to the Internet, and, perhaps more importantly, make those devices a lot harder to hack.

I don't get it

> The Bluetooth spec never quite became the worldbeater it was billed as, but it's aiming to become indispensible to the Internet of Things. Updates to the spec >make it possible for low-powered Bluetooth devices to gain direct access to the Internet, and, perhaps more importantly, make those devices a lot harder to hack.

How does being connected to the internet make a device harder to hack? It seems to me the more connected a device is the EASIER it is to hack.

Re:I don't get it

Reading comprehension.

They have made updates to the spec. Those updates make devices following that spec harder to hack and allow internet access.

Re:I don't get it

[Jahta]

Reading comprehension.

They have made updates to the spec. Those updates make devices following that spec harder to hack and allow internet access.

Except that nothing is "harder to hack" than a device with no network connectivity; something that gets forgotten in the Internet of Things hype. Your toaster really doesn't need to be online, no matter how good the spec is.

Re:I don't get it

[mlts]

My computer is online, similar with my Wi-Fi network...

But, my Internet connected devices are behind a solid firewall that puts the kibosh on unauthorized connections in, and out (for example, nothing, and I mean -nothing- needs to ever send traffic to the Internet on port 25 from my LAN. Receiving, perhaps a different story if I went with a dynamic DNS approach, but outgoing E-mail gets relayed to a proper SMTP server via port 465 and SSL/TLS in place no matter what.)

What needs to be a part of IoT is a LAN/WAN design. Local devices can chat with each other all they want to, but if they want connectivity onto the Internet, they work with a central, hardened system. This doesn't have to be any special stuff. For example, setting up SNMP and sending traps to the server, or having the server do a walk every so often for periodic status, then taking the results and using them locally.

It is a lot easier to secure one device than a bunch of little devices, all made by the absolute lowest bidder in China.

Re:I don't get it

[unixisc]

Except that nothing is "harder to hack" than a device with no network connectivity; something that gets forgotten in the Internet of Things hype. Your toaster really doesn't need to be online, no matter how good the spec is.

Not the point, GP is right. They've made enhancements to Bluetooth that a) give it internet addresses AND b)new security features. The statement in the story suggests that b) more than compensates for a).

Yeah, the toaster or coffee maker doesn't need to be online. But it is useful if the home security system is online. Say I'm at work and my kid is locked out of the house, I can, sitting at my desk, send a command from my phone to open the garage door and let him in, without having to leave my office 5 minutes before a meeting. Or if I want to, I can program my pool to get heated on a day that I feel like taking a dip after getting home.

Just b'cos something is possible doesn't imply that it has to happen. Conversely, just b'cos something doesn't have to happen doesn't imply that it shouldn't be made possible. Let market innovations drive what can go online, and after that, consumers can decide what not to use. Like I rarely use cellular data instead of WiFi, but doesn't mean that it shouldn't be there.

Contradiction

I've literally never seen the words "gains direct internet access" and "security enhancements" in the same sentence before and I hope never to do so again. A quick look at the links does indeed show that these two things are promised by the new standard, but I'm not a programmer or a security expert, I couldn't hope to penetrate the 2700 page official document.There's no requirement for manufacturers to jump to the new specification either (check the FAQ document) so if the security stuff is the slightest bit onerous I'll wager a lot of companies will stay on the older standard.

Re:Contradiction

[unixisc]

In the above case, the Bluetooth enabled phone connects to the PC using Bluetooth, and the PC then connects to the internet using WiFi/ethernet. Turn off the PC, but leave the router on, but the phone will still lose its internet connectivity (unless its WiFi is invoked)

The new version of the specification would allow a Bluetooth enabled toy which can benefit from the internet to actually use the internet.

"Internet of things"?

BINGO!

Hack or Crack?

Harder to hack or harder to crack? It would be nice if we could use hack to mean hack at least here "News for nerds".

How ? It doesn't have 3G / WiFi. Needs a router...

[ami.one]

How exactly does it connect "directly to the internet" ? It doesn't have 3G/WiFi capability.

All I can see is that a BT 4.2 device can connect to an 'internet connected' router / phone which also supports this BT 4.2 profile (similar to PAN in BT3 with which we could do an internet tether or file share etc).

How is this "directly connected to the internet" when it is using a router to access the net. And all BT4 devices connected to smartphones are anyway getting data to/fro from the internet - like uploading your running data to a website etc.

Anyone with a better understanding care to explain ?

Re:Bad summary

[jrumney]

...and if they're touting this for the "internet of things", I'm guessing they've added a Low Energy form of PAN (which was always transparent to IPv6 anyway, being a lower network layer).

I can't see how this will improve security...

From the Bluetooth 4.2 FAQ:

Are there any mandatory features that need to be implemented to claim compliance to Bluetooth 4.2?

No, as was the case with Bluetooth 4.1, there are no mandatory features that must be claimed to use the
Bluetooth 4.2 specification. However, manufacturers are required to implement all errata applied to Bluetooth 4.2
in order to comply with the specification.

In order words, Chinese equipment manufacturers will implement the least amount possible to be able to communicate with Bluetooth 4.2-compatable internet gateways but implement none of the FIPS-compliant security measures.

Re:How ? It doesn't have 3G / WiFi. Needs a router

[Matheus]

DRTFA and BRTFS but I can give you an few lil tidbits about this:

1) Everything connected to the internet is connected to a router somewhere along the line... that's not interesting.
2) There are a lot of ways to connect to the internet that have absolutely nothing to do with WiFi or 3G.
3) Right now a Bluetooth device can connect to another device. That device may provide a variety of services for said Bluetooth device including providing network connectivity BUT that device isn't really connected to the Internet itself. The new spec provides this device to be connected "more directly" to the net as in it will have its own IP address. The router that it is connecting to supporting the BT4.2 protocol is really no different from the WiFi access point your WiFi equipped device is talking to. Just need to add to the alphabet soup: a,b,g,n,bt

Re:How ? It doesn't have 3G / WiFi. Needs a router

[Ungrounded+Lightning]

How is this "directly connected to the internet" when it is using a router to access the net.

By that definition, NOTHING connects directly to the internet.

Anyone with a better understanding care to explain ?

The proper definition of a host running an internet-facing application being "directly connecting to the internet" is using IP for the first hop, with the packets having a route from there to and from the rest of the Connected (capital-I) Internet.

Bluetooth 4.2 added support for IPv6 to/from bluetooth devices. This means IP packets formed on, or directed to, the Bluetooth 4.2 hosts, for delivery to/from other Internet-connected devices, do not require a protocol-translation gateway to select and translate some subset of the packet types, services, and features, modifying the transport semantics to support some tiny subset of functionality that the gateway explicitly understands. An IP packet formed on the bluetooth device goes all the way to its destination semantically unmodified, and ditto packets going from some other device to the bluetooth device. The full feature set of IP (or as much of it as the stack implementer choses to support) is available, while the routers can be "as dumb as rocks" and totally ignorant of what the application on the Bluetooth device is up to, in classic Internet style.

A Bluetooth 4.2 device, using IPv6 and with a route, IS on the Internet, and is a peer to all other internet-connected hosts.

Bluetooth 4.2?

[gmuslera]

You misspelled Backdoor. We know how riddled with backdoors, default/fixed passwords, vulnerabilities that never gets fixed and so on are typical consumer embedded devices. And we know how pushy are governments forcing manufacturers to include their backdoors, or to use weak encryption standards, to make them hackeable at will (even assuming good will of the main/components manufacturers, that are not all saints).

What possibly could go wrong?

Re:Bluetooth 4.2?

[Required+Snark]

"What possibly could go wrong?"

You will be attacked by your refrigerator.

Re:Bluetooth 4.2?

[Ol+Olsoc]

"What possibly could go wrong?"

You will be attacked by your refrigerator.

When you step on the iScale you have to step on to access the menu screen of your SmartFridge, it might decide you've already had enough to eat that day, and report your repeated attempts to overeat to your insurance company, and activate your Schwinn Over the Airflow exercise bike to beep every 5 seconds until you hop on and do a brisk 5 miles before allowing the SmartFridge to open again.

After it allows it to open again, you decide you want a beer to cool off with. The beer has an rfid chip in it, and upon opening, disables your automobile, and reports to your employer. You open a second beer, and the insurance company is notified, your employer, the manufacturer of the beer, and the local police. Before you can open the SmartFridge again, you'll have to blow into a breathalyzer, that reports to everyone. When you blow below .02 BAC, (hey, impairment begins with the first thought about drinking) the SmartFridge will open again.

Then checking your smartphone, there will be email from your insurance company and employer expressing concerns about your drinking and weight problems, and an ad from BuMilCoors about needing to restock your beer supply.

BT is the worldbeater it was billed as!

[sad_]

"The Bluetooth spec never quite became the worldbeater it was billed as"

What are you talking about, BT is the de-facto standard for connecting wirelessly with almost any device today, ranging from audio devices to input devices to applliances, how has it not beaten any comparable specification, in fact is there even another _usable_ alternative?

Re:BT is the worldbeater it was billed as!

[fisted]

Is shit, especially as of Feb 2014

Re:BT is the worldbeater it was billed as!

[LynnwoodRooster]

Precisely. I have a cell phone, a smart watch, a car, a motorcycle headset, a stereo headset, a tablet, a keyboard, a mouse, and a half-dozen other Bluetooth capable devices here. Two billion Bluetooth devices shipped in 2012, and they're expecting over 20 BILLION total devices by 2017 - about 3 per person on the face of the Earth. How is that not a "worldbeater"?

Re:BT is the worldbeater it was billed as!

[firewrought]

"The Bluetooth spec never quite became the worldbeater it was billed as"

What are you talking about, BT is the de-facto standard for connecting wirelessly with almost any device today, ranging from audio devices to input devices to applliances, how has it not beaten any comparable specification, in fact is there even another _usable_ alternative?

I'm assuming O.P. is of the opinion that Bluetooth was massively over-hyped when it was first introduced to the masses (c. 2001/2002... I seem to remember seeing a ridiculous billboard promising that it would change the world, etc.). However, nobody really used it for a long time. At this point in history, USB had firmly displaced PS/2 (while slowly encroaching on other ports--audio, ethernet, etc.) and WiFi had just gotten fast with the draft g spec. BT was the new kid on the block that everybody ignored... I mean, perhaps you could get a BT-enabled wireless mouse at CompUSA, if you we were willing to pay a $15 premium over a non-BT wireless mouse.

At some point, it gained traction with high-end cellphone users (giving rise to the now-absent earbud) and slowly started appearing in other products (speakers, laptops, etc). However, I think it took the rise of smartphones (starting with Apple's iPhone in 2007) to really establish the importance and permanence of BT. Now everyone has a host device that can talk BT and its myriad of task-specific protocols (audio, HID, etc.). So now you have a real ecosystem going.

But even now it's flaky. Devices from different manufacturers don't always work well. My wife's car talk with her iphone, but loses the pairing every few days. My laptop can talk to one pair of BT headphones, but not the other. And new standards are encroaching from both ends... NFC's and QR codes for extremely short distances, MiraCast/Wi-Fi Direct for longer distances and greater volumes of data.

Don't get me wrong... Bluetooth is secure and can confidently call itself a worldbeater. But maybe not the same type of worldbeater that USB turned out to be.

Re:BT is the worldbeater it was billed as!

[unixisc]

"The Bluetooth spec never quite became the worldbeater it was billed as"

What are you talking about, BT is the de-facto standard for connecting wirelessly with almost any device today, ranging from audio devices to input devices to applliances, how has it not beaten any comparable specification, in fact is there even another _usable_ alternative?

How about IRDA for remote controllers? Do they have any reason to switch to Bluetooth?

Oxymoronic...

[wbr1]

I never thought I would hear 'directly connected to internet AND more secure' in the same sentence. Is it April fools?

Re:How ? It doesn't have 3G / WiFi. Needs a router

[Digital+Mage]

How is this "directly connected to the internet" when it is using a router to access the net.
By that definition, NOTHING connects directly to the internet.

I feel like there is a Zen koan here:
The student asked the master, "How will I know when my computer has connected to the internet?" The master replied, "Only when it is connected to nothing will you know".

Re:How ? It doesn't have 3G / WiFi. Needs a router

[romiz]

The difference is about Bluetooth & Bluetooth Smart (aka Low Energy). The second one is in fact a different protocol, once called Wibree, which uses some parts of the Bluetooth stack, but not a lot of it. While Bluetooth "Classic" already has network connectivity through PAN since a long time ago, Bluetooth Smart, introduced in the 4.0 revision of the specification, does not.

The main reason for this is that the maximum packet size in Bluetooth Smart is quite small (around 256 bytes in the original spec). The latest revision allows for higher MTUs, as well as an IPv6 header compression scheme called 6lowPAN, already developped for IEEE802.15, another low energy radio protocol.

Re:Bad summary

[unixisc]

No, Bluetooth devices needed to connect to something else that had internet connection. There was no way Bluetooth could get IPv4 addresses, since those are already limited. But with the adaption of IPv6 addresses, Bluetooth devices now have native internet addressing, as opposed to having to have a separate addressing scheme of their own.

If Bluetooth is supposed to be a player in the 'Internet of things', it only makes sense that it adapts the addressing standard capable of addressing everything.

Re:No one is going to????

[unixisc]

How difficult is the first? Just get an iPod Touch, disable the internet (after downloading whatever apps you'd need) and then use it exclusively as an offline PDA

Version# != Feature list

[unixisc]

The version number of a standard should not be conflated with the number of features that the standard offers. USB 1 offered just low speed and full speed options, USB 2 added high speed options and USB 3 has added super speed options.

Now, that doesn't imply that a USB 2 keyboard works at 480Mbps. An USB 2 keyboard is still a low speed USB peripheral, but it supports version 2 of the standard - the features that are not tied to high speed. Same would go for a USB 3 mouse - it would still be a low speed peripheral, but since USB itself has been updated, it would still be a USB 3 mouse. Again, don't expect it to work at 10Gbps.

Re:How ? It doesn't have 3G / WiFi. Needs a router

[unixisc]

I think the phone was a bad example, since all phones would probably have WiFi. Which would bring up another question - wouldn't Bluetooth 4.2 be to WiFi what 100BaseT is to Gigabit Ethernet? In other words, an equivalent standard, but slower?

Security should be #1.

[cant_get_a_good_nick]

Shouldn't it be "makes it more secure and perhaps allows connectivity to Internet"

With all the holes we've seen in everything, security should be thought of the first minute, not even wait to the middle of first day of design. The only thing I saw in that landing page is "uses more encryption" which may improve information (read: privacy) leaks, but doesn't do much for security and being hacked into. This with the Sony hack still on the first page.