Editing Bluetooth (section)

=== Overview ===
{{see also|Mobile security#Attacks based on communication networks}}

Bluetooth implements [[confidentiality]], [[authentication]] and [[key (cryptography)|key]] derivation with custom algorithms based on the [[Secure and Fast Encryption Routine|SAFER+]] [[block cipher]]. Bluetooth key generation is generally based on a Bluetooth PIN, which must be entered into both devices. This procedure might be modified if one of the devices has a fixed PIN (e.g., for headsets or similar devices with a restricted user interface). During pairing, an initialization key or master key is generated, using the E22 algorithm.<ref>{{cite web
|author=Juha T. Vainio
|date=25 May 2000
|title=Bluetooth Security
|publisher=Helsinki University of Technology
|url=http://www.iki.fi/jiitv/bluesec.pdf
|access-date=1 January 2009
|archive-date=25 September 2020
|archive-url=https://web.archive.org/web/20200925110917/http://www.yuuhaw.com/bluesec.pdf
|url-status=live
}}</ref>
The [[E0 (cipher)|E0]] stream cipher is used for encrypting packets, granting confidentiality, and is based on a shared cryptographic secret, namely a previously generated link key or master key. Those keys, used for subsequent encryption of data sent via the air interface, rely on the Bluetooth PIN, which has been entered into one or both devices.

An overview of Bluetooth vulnerabilities exploits was published in 2007 by Andreas Becker.<ref>{{cite web
|author=Andreas Becker
|date=16 August 2007
|title=Bluetooth Security & Hacks
|publisher=Ruhr-Universität Bochum
|url=http://gsyc.es/~anto/ubicuos2/bluetooth_security_and_hacks.pdf
|access-date=10 October 2007
|archive-date=21 March 2016
|archive-url=https://web.archive.org/web/20160321205619/http://gsyc.es/~anto/ubicuos2/bluetooth_security_and_hacks.pdf
|url-status=dead
}}</ref>

In September 2008, the [[National Institute of Standards and Technology]] (NIST) published a Guide to Bluetooth Security as a reference for organizations. It describes Bluetooth security capabilities and how to secure Bluetooth technologies effectively. While Bluetooth has its benefits, it is susceptible to denial-of-service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation. Users and organizations must evaluate their acceptable level of risk and incorporate security into the lifecycle of Bluetooth devices. To help mitigate risks, included in the NIST document are security checklists with guidelines and recommendations for creating and maintaining secure Bluetooth piconets, headsets, and smart card readers.<ref>{{cite web
|author1=Scarfone, K.
|author2=Padgette, J.
|name-list-style=amp
|date=September 2008
|title=Guide to Bluetooth Security
|publisher=National Institute of Standards and Technology
|url=http://csrc.nist.gov/publications/nistpubs/800-121-rev1/sp800-121_rev1.pdf
|access-date=3 July 2013
|archive-date=11 June 2017
|archive-url=https://web.archive.org/web/20170611040534/http://csrc.nist.gov/publications/nistpubs/800-121-rev1/sp800-121_rev1.pdf
|url-status=live
}}</ref>

Bluetooth v2.1&nbsp;– finalized in 2007 with consumer devices first appearing in 2009&nbsp;– makes significant changes to Bluetooth's security, including pairing. See the [[#Pairing mechanisms|pairing mechanisms]] section for more about these changes.