
Address usage

In document Bluetooth Security pdf (Page 137-141)

Providing Anonymity

8.2 Address usage

In this section, the addresses and address usage for devices supporting the anonymous mode are described. In contrast to ordinary Bluetooth, fixed addresses cannot be used for all purposes. Therefore, new addresses are introduced and the device address is used in a slightly different way than in the Bluetooth 1.2 specification. This also means that a slightly new and different terminology is used. The anonymity mode makes use of three different kinds of device addresses:

1. Fixed device address, BD_ADDR_fixed;

2. Active device address, BD_ADDR;

3. Alias addresses, BD_ADDR_alias.

In the following sections, the different addresses and how they are used in the anonymity mode are discussed.

8.2.1 The fixed device address, BD_ADDR_fixed

Each Bluetooth transceiver is allocated a unique 48-bit Bluetooth device address (BD_ADDR_fixed) from the manufacturer. The BD_ADDR_fixed consists of three parts: LAP, UAP, and NAP. Figure 7.3 in Chapter 7 shows the address field sizes and the format. The fixed address is derived from the IEEE 802 standard [1]. The LAP and UAP form the significant part of the BD_ADDR.

The fixed address is used to allow a device to directly page another device that it has previously been paired with. Without a fixed address that can be used for this purpose, the devices would always need to repeat the inquiry procedure. Obviously, this would result in very slow connection setup. However, in order not to jeopardize the anonymity, these addresses shall only be used between trusted devices (see Section 8.6).

8.2.2 The active device address, BD_ADDR

The BD_ADDR is the active device address, and anonymous devices regularly update this address (more detail is given below). Devices not supporting the anonymity mode, or devices in nonanonymous mode, use only one address, BD_ADDR. Actually, for such devices the BD_ADDR always equals the BD_ADDR_fixed (see previous section).

Anonymous devices use the active address as a replacement for an ordinary fixed address for connection establishment and communication. Since the address is changed all the time, it will not be possible to track a device based on this address.

The BD_ADDR has exactly the same format as BD_ADDR_fixed and consists of three parts: LAP, UAP, and NAP. The UAP and NAP parts are fixed and shall be chosen as a non-device-specific value. In particular, they can be chosen as a value that does not overlap with any company-assigned IEEE MAC address space [1]. This is accomplished, for example, by using the locally assigned IEEE MAC address space [1]. The LAP part of the BD_ADDR needs to be chosen uniformly and at random. It can take any value except the 64 reserved LAP values for general and dedicated inquiry, that is, values from 0x9E8B00 to 0x9E8B33.

In order to combat the location tracking threat, anonymous devices regularly update the active LAP. The rules for when the address shall be updated are given below. A LAP value is generated by selecting uniformly at random any value between 0x000000 and 0xFFFFFF. If the value falls within the reserved LAP range, that is, values from 0x9E8B00 to 0x9E8B33, a new random LAP value is generated. This procedure is repeated until a value outside the range is obtained.

The LAP updating is determined by two time parameters. The parameters are:

1. Update period, T_ADDR_update;

2. Time period reserved for inquiry, T_ADDR_inquiry_period.

The update period tells how often the device shall attempt to update the active address. The parameter T_ADDR_inquiry_period tells how long a device must wait before it is allowed to update the active address after it has sent the current address in an inquiry response message.

The basic principle is that a device shall update the address every T_ADDR_update seconds. However, if this updating occasion happens to be when the device has just sent the current address in an inquiry response, any unit trying to connect to the anonymous device would fail with the connection request. For this reason the updating waiting period defined by the second parameter, T_ADDR_inquiry_period, has been introduced. In addition, there shall be no update if the device is acting as a master device and has connections with devices not supporting the anonymity mode. Otherwise, the CAC would change and the legacy devices would immediately lose the connection when the CAC is changed. These facts provide the motivation for the rules used for updating the active address.

The detailed updating rules are shown in the flow diagram in Figure 8.1. The updating flow is as follows:

1. A new LAP is always generated at power-up.

2. Two time variables are set, t1 = 0 and t2 = T_ADDR_inquiry_period + 1. t1 measures the general updating intervals and t2 measures the time from the last use of the "old address" in an inquiry response. (At the start, t2 is set to a value greater than the defined updating waiting period after inquiry response, T_ADDR_inquiry_period.)

3. The BD_ADDR is updated and the first timer t1 is started.

4. A loop is created where the timer t1 is continuously checked. If the timer exceeds the updating period, T_ADDR_update, the looping process stops. If an inquiry response message is returned during the execution of the loop, the second timer t2 is set to zero and started.

5. If t2 is less than or equal to T_ADDR_inquiry_period, return to the loop in step 4.

6. If the device has no existing connections, a new LAP is generated, followed by a jump to step 2.

7. A new loop is entered. The loop runs as long as the device has any connection with a device not supporting the anonymity mode or any parked device, or if the device is parked itself. If there are no connections when the loop ends, a new LAP is generated, followed by a jump back to step 2.

8. A new LAP is generated. If the device is not a master in any piconet, the new (not yet updated) BD_ADDR is sent to all connected devices using the new LMP command, LMP_active_address (see Section 8.7). Then jump to step 2.

9. The switch instant time, Ts, is chosen. It should be chosen such that the master will be able to inform all connected slaves of the new BD_ADDR before the instant is reached. Next the master sends the new BD_ADDR (not yet updated) and the switch instant Ts to all slaves using the new LMP command LMP_active_address (see Section 8.7). When the instant is reached, jump back to step 2.

[Figure 8.1: flow diagram of the active address updating rules. Decision points: t1 > T_ADDR_update? t2 > T_ADDR_inquiry_period? Inquiry response? Any existing connections? Connection with unit not supporting the anonymity mode? Connection with parked unit or parked itself? Master unit in any piconet? Switch instant reached? Actions: Power up; Generate new LAP; t1 = 0, t2 = T_ADDR_inquiry_period + 1; Update BD_ADDR, start timer t1; t2 = 0, start timer t2; Set address switch instant time, Ts; Send new BD_ADDR and Ts (only to slaves); Send new BD_ADDR to connected units.]

8.2.3 Alias addresses, BD_ADDR_alias

Since it is not possible to identify other anonymous devices based on their BD_ADDR when they are operating in the anonymous mode, anonymous devices must make use of an alternative device identifier in the Bluetooth authentication procedure. Also, the authentication procedure must be slightly modified. The new procedure, alias authentication, will be described in more detail in Section 8.5. The alias authentication is based on the usage of alias addresses, BD_ADDR_alias. An alias address is used purely for authentication purposes. For simplicity, the BD_ADDR_alias can be chosen as 48 bits like any ordinary device address. All the bits should be chosen uniformly, independently, and at random. Hence, the address field cannot be divided into any meaningful subfields. The support and use of alias addresses and authentication are necessary for making authentication in the anonymity mode work.
