This is the 58th article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
Why strong due diligence product evaluations are required for Bluetooth-enabled security and safety technologies
All-in-one RWOB
MAXIMIZE YOUR SECURITY OPERATIONS CAPABILITIES
Upgrade your security operations effectiveness through Security Technology Strategic Planning. Provably get more for your company's security technology investment.
★ ★ ★ GET NOTIFIED! ★ ★ ★
SIGN UP to be notified by email the day a new Real Words or Buzzwords? article is posted!
Real Words or Buzzwords?
The Award-Winning Article Series
#1 Proof of the buzzword that killed tech advances in the security industry—but not other industries.
#2 Next Generation (NextGen): A sure way to tell hype from reality.
#3 Customer Centric: Why all security industry companies aren't customer centric.
#4 Best of Breed: What it should mean to companies and their customers.
#5 Open: An openness scale to rate platforms and systems
#6 Network-friendly: It's much more than network connectivity.
#7 Mobile first: Not what it sounds like.
#8 Enterprise Class (Part One): To qualify as Enterprise Class system today is world's beyond what it was yesterday.
#9 Enterprise Class (Part Two): Enterprise Class must be more than just a top-level label.
#10 Enterprise Class (Part Three): Enterprise Class must be 21st century technology.
#11 Intuitive: It’s about time that we had a real-world testable definition for “intuitive”.
#12 State of the Art: A perspective for right-setting our own thinking about technologies.
#13 True Cloud (Part One): Fully evaluating cloud product offerings.
#14 True Cloud (Part Two): Examining the characteristics of 'native-cloud' applications.
#15 True Cloud (Part Three): Due diligence in testing cloud systems.
#16 IP-based, IP-enabled, IP-capable, or IP-connectable?: A perspective for right-setting our own thinking about technologies.
#17 Five Nines: Many people equate high availability with good user experience, yet many more factors are critically important.
#18 Robust: Words like “robust” must be followed by design specifics to be meaningful.
#19 Serverless Computing – Part 1: Why "serverless computing" is critical for some cloud offerings.
#20 Serverless Computing – Part 2: Why full virtualization is the future of cloud computing.
#21 Situational Awareness – Part 1: What products provide situational awareness?
#22 Situational Awareness – Part 2: Why system designs are incomplete without situational awareness?
#23 Situational Awareness – Part 3: How mobile devices change the situational awareness landscape?
#24 Situational Awareness – Part 4: Why situational awareness is a must for security system maintenance and acceptable uptime.
#25 Situational Awareness – Part 5: We are now entering the era of smart buildings and facilities. We must design integrated security systems that are much smarter than those we have designed in the past.
#26 Situational Awareness – Part 6: Developing modern day situational awareness solutions requires moving beyond 20th century thinking.
#27 Situational Awareness – Part 7: Modern day incident response deserves the help that modern technology can provide but doesn’t yet. Filling this void is one of the great security industry opportunities of our time.
#28 Unicity: Security solutions providers can spur innovation by envisioning how the Unicity concept can extend and strengthen physical access into real-time presence management.
#29 The API Economy: Why The API Economy will have a significant impact on the physical security industry moving forward.
#31 The Built Environment: In the 21st century, “the built environment” means so much more than it did just two decades ago.
#32 Hyper-Converged Infrastructure: Hyper-Converged Infrastructure has been a hot phrase in IT for several years, but do its promises hold true for the physical security industry?
#33 Software-Defined: Cloud-computing technology, with its many software-defined elements, is bringing self-scaling real-time performance capabilities to physical security system technology.
#34 High-Performance: How the right use of "high-performance" can accelerate the adoption of truly high-performing emerging technologies.
#35 Erasure Coding: Why RAID drive arrays don’t work anymore for video storage, and why Erasure Coding does.
#36 Presence Control: Anyone responsible for access control management or smart building experience must understand and apply presence control.
#37 Internet+: The Internet has evolved into much more than the information superhighway it was originally conceived to be.
#38 Digital Twin: Though few in physical security are familiar with the concept, it holds enormous potential for the industry.
#39 Fog Computing: Though commonly misunderstood, the concept of fog computing has become critically important to physical security systems.
#40 Scale - Part 1: Although many security-industry thought leaders have advocated that we should be “learning from IT,” there is still insufficient emphasis on learning about IT practices, especially for large-scale deployments.
#41 Scale - Part 2: Why the industry has yet to fully grasp what the ‘Internet of Things’ means for scaling physical security devices and systems.
#42 Cyberspace - Part 1: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#43 Cyber-Physical Systems - Part 1: We must understand what it means that electronic physical security systems are cyber-physical systems.
#44 Cyberspace - Part 2: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#45 Artificial Intelligence, Machine Learning and Deep Learning: Examining the differences in these technologies and their respective benefits for the security industry.
#46 VDI – Virtual Desktop Infrastructure: At first glance, VDI doesn’t seem to have much application to a SOC deployment. But a closer look reveals why it is actually of critical importance.
#47 Hybrid Cloud: The definition of hybrid cloud has evolved, and it’s important to understand the implications for physical security system deployments.
#48 Legacy: How you define ‘legacy technology’ may determine whether you get to update or replace critical systems.
#49 H.264 - Part 1: Examining the terms involved in camera stream configuration settings and why they are important.
#50 H.264 - Part 2: A look at the different H.264 video frame types and how they relate to intended uses of video.
#51 H.264 - Part 3: Once seen as just a marketing term, ‘smart codecs’ have revolutionized video compression.
#52 Presence Technologies: The proliferation of IoT sensors and devices, plus the current impacts of the COVID-19 pandemic, have elevated the capabilities and the importance of presence technologies.
#53 Anonymization, Encryption and Governance: The exponential advance of information technologies requires an exponential advance in the application of data protection.
#54 Computer Vision: Why a good understanding of the computer vision concept is important for evaluating today’s security video analytics products.
#55 Exponential Technology Advancement: The next 10 years of security technology will bring more change than in the entire history of the industry to now.
#56 IoT and IoT Native: The next 10 years of security technology will bring more change than in the entire history of the industry to now.
#57 Cloud Native IoT: The next 10 years of security technology will bring more change than in the entire history of the industry to now.
#58 Bluetooth vs. Bluetooth LE: The next 10 years of security technology will bring more change than in the entire history of the industry to now.
More to come about every other week.
Bluetooth-enabled products are now emerging in many fields, including security and safety, with a wide variety of implementations for a myriad of use cases.
Early Bluetooth-enabled physical security products were severely criticized by IT security folks because the product designers didn’t give any thought to data and communications security. Way back in 1989 – when Ericsson Mobile in Sweden began the development of the short-range wireless technology later named Bluetooth® – no physical security industry companies were paying attention to data security. It took almost two decades for physical security to start taking data security seriously.
Meanwhile, in 1998, Ericsson, IBM, Intel Corporation, Nokia and Toshiba formed the Bluetooth Special Interest Group (SIG) as its initial members. The first consumer Bluetooth device – a hands-free mobile headset – was launched in 1999 and earned the “Best of Show Technology Award” at COMDEX. Today, on the Bluetooth SIG website, there are over 36,000 member companies listed, and billions of Bluetooth-enabled devices ship every year.
Bluetooth-enabled products are now emerging in many fields, including security and safety, with a wide variety of implementations for a myriad of use cases. It has become important to understand Bluetooth due to the value Bluetooth-enabled products provide, but also because from one product to another the Bluetooth implementations – and their security – are not all the same. The devil is in the details, as the expression goes.
The Bluetooth SIG states, “Bluetooth specifications include a collection of features that provide developers the tools they need to secure communications between Bluetooth devices and implement the appropriate level of security for their products.
“All Bluetooth specifications are subject to security reviews during the development process. In addition, Bluetooth technology is an open, global standard, and the Bluetooth SIG encourages active review of the specifications by the security research community.”
Note that the security tools are there, but it’s up to manufacturers to design a security product or system. And it’s up to security designers and specifiers, security integrators, and end-user customers to pay close attention to the security aspects of their implementations.
Classic and Modern Bluetooth
The original Bluetooth radio technology – what we’re familiar with from our smartphones linking to cars – is now known as Bluetooth Classic radio. Supporting point-to-point device communication, Bluetooth Classic is mainly used to enable wireless audio streaming and has become the standard radio protocol behind wireless speakers, headphones, and in-car entertainment systems. Bluetooth Classic radio also enables data transfer applications, including mobile printing. It transmits over 79 channels in the 2.4 GHz unlicensed industrial, scientific, and medical (ISM) frequency band.
Bluetooth Low Energy (LE)
Bluetooth LE radio, originally marketed as Bluetooth Smart and commonly referred to as BLE, is designed for very low power operation while maintaining a similar communication range. However, BLE is much more than a low-power version of Bluetooth Classic. BLE operates in the same radio spectrum range as Bluetooth Classic, but uses a different set of 40 channels at typically about half or less the data rate of Bluetooth Classic.
Solution Areas
Differences in how the devices communicate make possible a wider set of applications and use cases for Bluetooth LE than for Bluetooth Classic. See Figure 1 below.
Figure 1. Solution areas for Bluetooth Classic and Bluetooth Low Energy.
Bluetooth Piconets
Piconet means “tiny” network, as explained by the PCMag Encyclopedia. A piconet is a Bluetooth network composed of two or more Bluetooth devices that operate in close proximity on the same channel and frequency hopping sequence. Piconets operate in both ad hoc (peer-to-peer) and infrastructure (central base station) modes of operation.
In a piconet, one device is the master, which establishes the frequency hopping scheme, and there can be up to seven active and 255 inactive slave devices. Only a master device can send data; slave devices can only receive. However, a slave in one piconet can be a master in another, creating a chain of piconets called a “scatternet” that extends the distance between all devices. While Bluetooth Classic is limited to point-to-point communication topologies, Bluetooth LE is not.</b
Bluetooth Technology Technical Differences
The Table 1 chart below shows a few similarities and many differences between the two technologies (data from both the Bluetooth SIG website and Wikipedia).
Specification | Bluetooth Classic | Bluetooth Low Energy |
Nominal max. range | 100 m (330 ft) | <100 m (<330 ft) |
Channels | 79 channels with 1 MHz spacing | 40 channels with 2 MHz spacing (3 advertising channels/37 data channels) |
Modulation | Frequency-Hopping Spread Spectrum (FHSS) | Frequency-Hopping Spread Spectrum (FHSS) – see the Regulatory Note paragraph that follows this chart |
Over the air data rate | 1–3 Mbit/s | 125 kbit/s, 500 kbit/s, 1 Mbit/s, 2 Mbit/s |
Application throughput | GFSK, π/4 DQPSK, 8DPSK | GFSK |
Communication Topologies | Point-to-Point (including piconet) |
|
Active Devices | Typically, 7 active devices per master, with up to 255 inactive devices; master device may be both a master and a slave device |
|
Data Transports |
|
|
Security | 56/128-bit and application layer user defined | 128-bit AES in CCM mode and application layer user defined |
Robustness | Adaptive fast frequency hopping, forward error correction (FEC), fast ACK | Adaptive frequency hopping, lazy acknowledgement, 24-bit CRC, 32-bit message integrity check |
Wake Latency from a non-connected state | Typically, 100 ms | 6 ms |
Minimal total time to send (battery life factor) | 0.625 ms | 3 ms |
Voice capable | Yes | No |
Peak current consumption | < 30 mA | < 15 mA |
Primary use cases | Mobile phones, gaming, headsets, wireless speakers, headphones, automotive, and smart homes | Mobile phones, gaming, wearables, automotive, PCs, security, proximity, healthcare, sports & fitness, industrial, asset tracking, direction finding, indoor navigation, item finding, location services, POI information, smart city, smart home, smart industry |
Positioning Features | None | Presence: Two Advertising Modes, Legacy and Extended
Proximity: Received Signal Strength Indication (RSSI) Direction: Angle of Arrival (AoA) /Angle of Departure (AoD) and Distance: High Accuracy Distance Measurement (coming soon – see demo for keyless entry systems) |
Table 1. Bluetooth Technology Differences.
Table 1 Links
- Advertising channels
- Received Signal Strength Indication (RSSI)
- Angle of Arrival (AoA) /Angle of Departure (AoD)
- Indoor Locating
- Demo for keyless entry systems
Regulatory Note
Bluetooth Low Energy uses frequency hopping to counteract narrowband interference problems. Classic Bluetooth also uses frequency hopping, but the details are different; as a result, while both FCC and ETSI classify Bluetooth Classic as an FHSS scheme, Bluetooth Low Energy is classified as a system using digital modulation techniques (FCC) or a direct-sequence spread spectrum (ETSI). These requirements have implications for the Bluetooth LE physical and link layers. (Bluetooth Low Energy Regulatory Aspects white paper, Bluetooth SIG, pages 6 and 12).
Bluetooth Myth vs. Fact
Bluetooth technology is more than 20 years old. Thus, depending on which types of Bluetooth applications people have been exposed to, their impressions of Bluetooth technology may be outdated. This is especially true because, like other information and communication technologies that are exponentially advancing, BLE is continually being improved by the Bluetooth SIG.
Large scale device networks of all types are feasible. Luminaire-level lighting controls (LLLC) are currently being championed for smart buildings. The Bluetooth Blog states, “The effective, reliable distance between Bluetooth® devices can be greater than a kilometer and can even support reliable remote control of beyond-visual-range (BVR) drones. Though several factors can influence the effective range of Bluetooth technology — from radio spectrum and transmit power to antenna gain and path loss — the variable range is proof of the technology’s versatility. Unlike other wireless technologies, the wide spectrum of achievable and reliable distances gives developers tremendous flexibility to create solutions that meet the precise needs of their target use case.”
Implications for Security and Safety Devices
Key limitations of Bluetooth classic don’t apply to Bluetooth Low Energy. A variety of network topologies can be used. Thus, when a device is stated to be a BLE device – the same type of device by another manufacturer may be significantly different in design and functionality. As stated above, BLE capabilities give product developers tremendous flexibility to create solutions that meet the precise needs of their target use case. Each target use case brings its own user experience requirements, as well as insider threat risks.
Bluetooth LE doesn’t require device pairing to a smartphone, like what a modern car requires for smartphone calls or audio playlist use. A smartphone can connect to a BLE-enabled access control reader and exchange mobile credential information in a fraction of a second, from a much longer range than typical smart credentials require. However, each manufacturer’s implementation of mobile credential use may provide a different user experience, depending on the mobile app required and what reader and mobile device capabilities are supported.
Multiple User Experience Requirements
This was apparent in my recent review of several different manufacturers’ multi-technology BLE-enabled card readers with support for smartphone mobile credentials. Each reader provided a different user experience. One reader could be configured to talk to the smartphone app and require the user provide a fingerprint or facial image – using the two-factor authentication capabilities of the phone. There is no requirement to hold the phone up to the reader. This can be configured to be a user-specific and/or reader specific requirement.
Another card reader does require holding up the smartphone within an inch of the reader for a second or two. Yet another card reader allows the smartphone to remain in pocket or purse, and only requires waving a hand in front of the reader. Still another reader also allows the smartphone to remain in pocket or purse but requires a two-finger touch to the reader, to signal that the user is not just a bystander but has intent to enter the door.
Use Case Convenience vs. Security
For someone driving a warehouse vehicle, the reader that only required a hand wave as the vehicle drives by could be most desirable. For senior management offices or areas containing highly sensitive information, two-factor authentication may be the most important capability. For doors where most of the pedestrian traffic involves users not authorized for access, there could be a significant insider threat risk if an unauthorized individual could follow behind an authorized user, wave a hand in front of the reader and gain entry. That’s an entirely new kind of tailgating. A capacitive two-finger touch for an office reader near an outdoor entryway would not be convenient in a situation where winter weather required gloves or mittens.
Fortunately, all of the readers I reviewed supported multiple configurations with options to suit the access control capabilities appropriate for each specific door.
Additionally, a modern access control system would allow the integration of IoT devices, so that – for example – a card reader in a warehouse vehicle pathway would only accept a credential presentation when a vehicle was also present in front of the reader. A pedestrian would be required to use a different reader at the door.
Understanding the access risks that apply to each door is even more important with modern technology, as it’s no longer a one-type fits all reader and credential situation as it has been in past decades.
The reader story just presented highlights the importance of keeping keep two things in mind about modern technology:
- Deployment requirements and user requirements of any modern device or system can vary significantly between various brands of the same type of product.
- Modern technology is evolving at a rapid pace, and so each device or system purchase requires the utmost diligence in examining current product capabilities to ensure that the highest security ROI is obtained.