Server Technology, Inc. Technical Note
Sales/Support (775) 284-2000 • Fax: (775) 284-2065 • E-mail: sales@servertech.com • World Wide Web: www.servertech.com
© 2018 Server Technology, Inc. All rights reserved.
SPECIFICATIONS SUBJECT TO CHANGE WITHOUT NOTICE
303-9999-26 Rev A (110513)
Data Center Security
Server Technology has addressed the key areas of security in the Bluetooth® technology solution:
Secure Bluetooth® Communications
The Server Technology solution provides a secure and wireless way to obtain power data. Server Technology’s
mobile application, ST Eye, uses the improved technical methods from the Bluetooth® core specification, version
2.1, known as “secure simple pairing,” which eliminates security vulnerabilities found in older Bluetooth systems.
The Server Technology Bluetooth connection in this solution is encrypted with the E0 stream cipher to prevent
passive eavesdropping. The encryption key is established using the Elliptic-Curve Diffie-Hellman (ECDH) key
exchange. To prevent differential cryptanalysis attacks against the cipher, the encryption key is rotated with every
packet. New keys are established before any key is reused.
Based on recommendations from the National Institute of Standards and Technology (NIST), several options have
been programmed into the solution to limit the discoverability of Cabinet Distribution Units (CDUs):
• Users can lower the range of the Bluetooth module to prevent connections from colocation neighbors.
• Sensitive data, such as user credentials, is not transmitted over the connection.
• The PIN code used for hardware authentication is hashed to prevent recovery.
• No commands are available via the ST Eye mobile app to modify the state of the CDU.
• Limited Discoverability Feature – The ST Eye app is shipped with limited discoverability so the Bluetooth
module does not broadcast until the user explicitly instructs the module to do so by pressing a button or by
making a configuration change.
The user can also rely on ST Eye’s unique QR code discovery method to connect out-of-band to a CDU used in
this solution. The QR code method prevents eavesdroppers from discovering Bluetooth modules in a colocation
environment.
In conclusion, the Server Technology solution uses the security improvements mentioned above to prevent
published attacks against the Bluetooth technology connection. The solution successfully balances security and
ease-of-use.
Note: This encryption does not prevent unwanted Bluetooth communications if a user somehow gains access to
the address of the Bluetooth module.
Security of the Bluetooth® Module
Beyond the existing security of the Bluetooth® module, ST Eye mobile app security also relies on the physical
security of the module itself, as well as the short distances over which the Bluetooth module can communicate.
In addition, Server Technology added a check in the Sentry firmware that disallows modifications to any part of
the firmware system through a Bluetooth connection. This means firmware system data cannot be changed through
the Bluetooth AUX port, even with physical access to a remote Bluetooth port, or even if the mobile phone
app were hacked in an attempt to write system data.
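One way to enforce a read-only Bluetooth port on the firmware side, as described above, is to key the policy on the transport a request arrives on rather than on what the client application offers. This is an added example, not Server Technology's Sentry firmware code; the transport names, command names and dispatch function are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical transports a management command can arrive on. */
enum transport { TRANSPORT_SERIAL, TRANSPORT_NETWORK, TRANSPORT_BT_AUX };

enum result { CMD_OK, CMD_DENIED, CMD_UNKNOWN };

struct command {
    const char *name;
    int mutates;          /* 1 if the command changes CDU or firmware state */
};

/* Constructed command table; names are illustrative only. */
static const struct command commands[] = {
    { "get_power",    0 },
    { "get_status",   0 },
    { "set_outlet",   1 },
    { "write_config", 1 },
    { "update_fw",    1 },
};

/* Simulated device state so the effect of a permitted write is observable. */
static int config_writes = 0;

/*
 * Dispatch a command. The check lives in firmware and depends only on the
 * arrival transport, so a modified client app cannot talk its way past it.
 */
enum result dispatch(enum transport via, const char *name)
{
    if (name == NULL)
        return CMD_UNKNOWN;
    for (size_t i = 0; i < sizeof commands / sizeof commands[0]; i++) {
        if (strcmp(commands[i].name, name) != 0)
            continue;
        /* Bluetooth AUX port is read-only: deny before any state changes. */
        if (via == TRANSPORT_BT_AUX && commands[i].mutates)
            return CMD_DENIED;
        if (commands[i].mutates)
            config_writes++;
        return CMD_OK;
    }
    return CMD_UNKNOWN;   /* default-deny: unlisted commands never execute */
}

int get_config_writes(void) { return config_writes; }
```

Because the denial happens in the dispatcher, the same rule holds whether the request comes from the stock app, a modified app, or a device attached directly to the port.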