A long time ago (historians differ on the exact dates, but it was sometime in the 10th Century C.E.) in a country far, far away, (which was mostly Denmark, with a little bit of Norway added in for flavor,) there lived a Viking king who was principally noted for converting to a foreign religion called Christianity. He was known as Harald Bluetooth, son of Gorm the Old, and he united most of Denmark before his estranged son, Sven Forkbeard, sent him to Valhalla and took over the family business. A little more than 1000 years later, succumbing to an attack of Scandinavian pride, the giant Swedish telecom manufacturer Ericsson decided to honor old, weird Harald by naming its new wireless networking standard after him. It convinced founding Special Interest Group co-partners Nokia, Toshiba, IBM and Intel that Bluetooth was the right name for the thing and, together, they set off to conquer the air. By December 1, 1999, 3Com, Lucent, Microsoft and Motorola had joined the Promoter Group -- the folks that were willing to spend money to hype the standard -- and in the neighborhood of 1200 other companies had joined the SIG. (Signing up for membership costs nothing, so it isn't exactly an exclusive club.) Between them, they manged to generate a lot of coverage about Bluetooth in the trade press. Since the computer trade press mainly consists of English and journalism majors with no hands-on technical background, most of whom make a living re-wording press releases, the fanfare meant very little, however. Meanwhile, actual consumers waited for actual products actually to emerge. As is often the case with consortium-driven standards -- even "open" ones like Bluetooth -- that took a while. And, as is also often the case, the majority of the early products were aimed not at consumers, but at developers. While the world waited, grass-roots programmers and engineers began playing with a brand new wireless standard: an offshoot of good, old Ethernet called 802.11b. Like Bluetooth, it used the unlicensed 2.4 - 2.48GHz portion of the radio spectrum, so 802.11b products would work anywhere on the planet without any special license from the local authorities. And it was fast -- much faster than Bluetooth's nominal 1Mbps -- and it had about 10 times the range that Bluetooth's Class 3 devices could boast. Time passed and soon it was 2001, the beginning of a brand-new millenium. The clumsy-sounding 802.11b moniker had since been supplanted by the less-tongue-twisting name "Wi-Fi" and the cost of its hardware was plunging like a dotcom stock option. The world was still waiting for Bluetooth -- and, to its SIG partners' dismay, Microsoft announced that the initial release of its forthcoming Windows XP would not include Bluetooth support. Microsoft's stated reason for omitting the Viking technology from the next release of its flagship OS was the lack of a critical mass of Bluetooth-enabled devices demanding Windows support. That basically translated to the Redmond behemoth simply acknowledging a conspicuous worldwide lack of user demand for the namesake of Gorm the Old's son. That's not the only problem with Bluetooth, however. The Unfaithful Servant First of all, there's the issue of cost. The low end of the cellular phone hardware market is savagely price-competitive and Bluetooth silicon is still much too expensive to be included in the "gimme" phones that entice a substantial segment of cellular consumers to take the plunge. That creates a chicken-or-egg conundrum, since Bluetooth must become ubiquitous in order to achieve the enconomies of scale that would make it affordable to average consumers -- but first it must universally be adopted in order to achieve those very economies of scale. Then there's the question of Bluetooth's security -- or, more properly, the gaping holes therein. Although some have tried to wish the problem away, others have taken a more skeptical view of the fundamental weaknesses in Bluetooth's PIN-based generation of a device's initialization key. Juha T. Vainio of the Helsinki University of Technology's Department of Computer Science and Engineering quite rightly points out [4] that a 4-digit PIN offers only 10,000 total possible combinations -- making 4-digit PINs highly susceptible to brute-force cracking techniques -- and the problem is further exacerbated by the well-known user laziness factor that results in a large number of 4-digit PINs being set to 0000. There's also the possibility that one Bluetooth device may use its exchange of unit keys with a second device and third device to eavesdrop on their "private" conversation -- or even falsely to authenticate itself to the one, masquerading as the other. That's because, when the first two devices exchange unit keys, they can "decide" to use one or the other as a shared "secret" to generate their link key. When a third device then enters into a key exchange with the second device, and also opens a session with the first device, it reveals its unit key to both. The first device now knows both of the others' "secrets" -- and their entirely-public 48-bit BD_ADDRs -- and it's also synched to the same master clock. Now, merely by faking one of the other box's BD_ADDR, it can generate the public keys necessary to listen in on its two neighbors' "private" traffic. Assuming that the first device can eavesdrop on their conversations, it can also authenticate itself as either device to the other, since that imposture requires no additional data. The above problem is more than simply theoretical. Bell Labs scientists Marcus Jakobsson and Susanne Wetzel demonstrated exactly that scenario in the lab, as ZDnet reported on the 8th of September, 2000. No Expectations And, of course, even the weak security Bluetooth currently offers is part and parcel of the techology's price problem. Encryption, decryption and key generation all require significant processor power -- especially when the encryption in question has to take place on the fly and simultaneously be at all robust -- and that doesn't come cheap, particularly when the market is still small. Of course Wi-Fi has its own security issues -- I'll address them another time -- and it can be just as much of a pain in the posterior to configure as is its Scandanavian competitor. But the distinction between the two technologies is perhaps best illustrated by taking a look at their deployment in the real world. On that score, Wi-Fi wins, hands down. Oh sure, RegistryMagic (now known as VoiceFlash) and the Wall Street Holiday Inn made a big fuss last February about their demonstration of Bluetooth for guest check-in during the Internet World Wireless conference, but a quick check of the current Holiday Inn Wall Street Web site shows nary a mention of the thing today. Perhaps the Venetian resort/hotel/casino will be more enthusiastic about Harald's namesake after it tries its own pilot Bluetooth demo during Fall 2001 Comdex in Las Vegas. Perhaps not. Now We're Getting Somewhere Meanwhile, Wi-Fi networks are springing up like mushrooms in a cow pasture after a warm Spring rain. Starbucks now has one in every store -- albeit with access priced to discourage all but the investment banking crowd. Likewise, airport terminals around the country are installing 802.11b nets to capture traffic from the hordes of passengers waiting for their too-often delayed or canceled flights. Businesses are also discovering that Wi-Fi makes a lot of sense in office suites where rapid staff expansion -- or contraction -- causes frequent moves and changes. And there is also a rapidly-growing assortment of free nets, mostly built by the open source community with pooled resources, eager to offer access to all comers. And that really exemplifies the difference in my mind. There aren't any plans for Bluetooth-based open-access-point networks of which I'm aware. The gear itself remains painfully scarce, prohibitively expensive and seemingly destined to wind up joining ISDN in the Museum of Little Techologies that Couldn't. Which may explain why developers are turning off to Bluetooth in droves. Bring it on home There are, of course, those who disagree with my gloomy assesment, including some right here on dW Wireless. Big Blue itself is still extremely big on the technology. It offers a Bluetooth PCCard for its latest laptops and it has even gone so far as to release a Bluetooth protocol stack for Linux, to enable the Penguin People to make Tux talk Viking. The thing is, I still can't help but think that, like Harald, the modern Bluetooth is just going to wind up teeing off so many people who are crucial to its survival that, again like him, it will wind up face-down in a muddy field with an arrow in its back. That would leave Wi-Fi, starring as Sven Forkbeard, to inherit Harald's kingdom of the air -- and to go on to overthrow HomeRF, in its role as Ethelred the Unready. But that's another story altogether.
Microsoft Windows Hardware Strategy General Manager Carl Stork's "explanation" of the MS decision to pull Bluetooth support from the rollout of Windows XP Bluetooth SIG security architecture white paper from 1999 (in PDF format) Gareth Barlow's Polyanna-ish analysis of Bluetooth security architecture Juha T. Vainio's more critical analysis Marcus Jakobsson and Susanne Wetzel have left Bell Labs. As a consequence, their joint paper confirming Bluetooth's vulnerability to eavedropping appears here ZDnet UK reports Bluetooth security flaw confirmed by Lucent researchers ZDnet UK report on Bluetooth configuration blues Wall Street Holiday Inn goes Bluetooth Venetian Resort-Hotel-Casino in Las Vegas joins the party Developers turning away from Bluetooth Brent A. Miller and Chatschik Bisdikian's upbeat series of articles about Bluetooth on developerWorks Homepage of IBM alphaWorks BlueDrekar protocol stack for Linux . . .
A somewhat different version of this work was first published by IBM developerWorks at
(Copyright© 2001 by Thom Stark--all rights reserved) |