Using Visual Tags to Bypass Bluetooth Device Discovery a b a b DavidScott RichardSharp AnilMadhavapeddy EbenUpton [email protected] [email protected] [email protected] [email protected] a ComputerLaboratory,UniversityofCambridge. 15,JJThomsonAvenue,Cambridge,CB30FD,UK b IntelResearchCambridge. 15,JJThomsonAvenue,Cambridge,CB30FD,UK One factor that has limited the use of Bluetooth as a networking technology for publicly accessible mobile services is the way in which it handles Device Discovery. Establishing a Bluetooth connection between two devices that have not seen each other before is slow and, from a usability perspective, often awkward. In this paper we present the implemen- tationofanend-to-endBluetooth-basedmobileserviceframeworkdesignedspecificallyto address this issue. Rather than using the standard Bluetooth Device Discovery model to detect nearby mobile services, our system relies on machine-readable visual tags for out- of-band device and service selection. Our work is motivated by the recent proliferation of cameraphonesandPDAswithbuilt-incameras. Wehaveimplementedthedescribedframe- work completely for Nokia Series 60 cameraphones and demonstrated that our tag-based connection-establishment technique (i) offers order of magnitude time improvements over the standard Bluetooth Device Discovery model; and (ii) is significantly easier to use in a varietyofrealisticscenarios. Ourimplementationisavailableforfreedownload. I. Introduction 2. The same visual tags are also used for service selection, enabling users to choose between the Bluetooth is increasingly becoming integrated into a multiple services or content downloads offered variety of mobile devices, making its way into cell byasingleBluetoothdevice. phones,laptopcomputersandPDAs. Therapidadop- 3. Unlike many research prototypes our system is tion of Bluetooth has led many to suggest that it will built entirely on commodity hardware, demon- act as a key enabling technology, driving the deploy- strating that our technique is immediately appli- ment of mobile services. Although today Bluetooth cabletoavarietyofexistingdevices. is typically used in a limited fashion (e.g. to transfer filesbetweenauser’slaptopandtheirPDA,ortocon- Wedemonstratethatoursystemforout-of-bandBlue- nect their wireless headset to their mobile phone), it toothconnectionestablishmentis(i)anorderofmag- hasthepotentialtodomuchmore. Forexample,pub- nitude faster than the conventional Bluetooth Device licly accessible Bluetooth-enabled devices in shops Discoverymodel;and(ii)that,inavarietyofrealistic could enable consumers to query whether a product usagescenarios,itissignificantlyeasiertouse. is currently in stock using their mobile phone and Ourworkismotivatedprimarilybytherecentpro- Bluetooth-basedactiveposterscoulddistributemobile liferation of cameraphones. The Nokia 3660 cam- content (e.g. 1-minute music samples of a band’s lat- eraphone, for example, is a fully programmable de- estalbum)tousers’PDAs. vice (running a general purpose OS) that incorpo- One factor that has limited the use of Bluetooth rates a camera and has Bluetooth capability. Tens of as an underlying networking technology for publicly millionsofBluetooth-enabledcameraphoneshaveal- accessible mobile services is that its device discov- readybeenshippedglobally,withmarkettrendsshow- erymodelisinappropriateforthiskindofinteraction ing that the rapid adoption of such devices is set to (seeSectionIII). Inthispaperwedescribetheimple- continue for the foreseeable future [8]. By running mentation of an end-to-end Bluetooth mobile service oursoftwareontheircameraphone,ausercansimply frameworkdesignedspecificallytoaddressthisissue. “pointandclick”atatagrepresentingaBluetoothser- Ourimplementationhasanumberofnovelfeatures: vice. Theconnectionissetupimmediately, eliminat- ingtheneedfordevicediscoveryentirely. Ourimple- 1. Visual tags are used for out-of-band device se- mentation is freely downloadable over the web [14] lection,bypassingthestandardBluetoothdevice allowing users to try it for themselves on their ex- discoverymodel. isting cameraphones. Note that, although this paper MobileComputingandCommunicationsReview,Volume1,Number2 1 specifically describes our cameraphone-based imple- over a pre-defined Inquiry [frequency] Hopping Se- mentation, the work is also applicable to the increas- quence in an attempt to locate other Bluetooth de- ing number of PDAs with Bluetooth capability and vices nearby. Devices in the Inquiry Scan state that built-incameras(e.g.SonyClie,PalmZire). heartheseinquirypacketsrespondwithapacketcon- The remainder of this paper is structured as fol- taining,amongstotherinformation,theirBD ADDR. lows. SectionIIgivesabriefoutlineofthepartsofthe Whilst the precisetechnicaldetails of Inquiryare be- Bluetoothspecificationthatarerelevanttothispaper: yond the scope of this paper, the Bluetoothspecifica- device discovery is considered in Section II.A; ser- tionrequirestheInquiryHoppingSequencetobetra- vicediscoveryisdescribedinSectionII.B. SectionIII versed multiple times to ensure all inquiry responses considersusingBluetoothtoconnecttwodevicesthat have been collated. In an error-free environment, the have not seen each other before and argues that, in inquiry phase must last for 10.24s if it is to discover scenarios such as this, the current-generation Blue- all devices [1, 19]. In a noisy or error-prone environ- tooth device discovery model suffers from a number ment,inquirycanlastmuchlongerthanthis(seeSec- of usability problems. We describe the implementa- tionVI). tion of our visual-tagbasedBluetoothmobileservice Bluetooth Device Discovery starts by performing framework in Section IV. Realistic usage scenarios, Inquiry and then contacts discovered devices to re- in which our device discovery technique offers sig- trieve their Device Names. After an inquiry phase, nificant advantages over the conventional Bluetooth paging is performed to establish a connection with Device Discovery model, are presented in Section V. eachofthediscovereddevices;NameDiscoveryitself A performance evaluation of our system running on then consists of a simple request/response protocol. Nokia36x0cameraphonesispresentedinSectionVI. All this adds to the latency a user experiences when Security issues surrounding the use of visual tags to theyselect“discoverBluetoothdevices”ontheirPDA encode device names are considered in Section VII. orphone. Related work is described in Section VIII. We con- clude and give directions for future work in Sec- II.B. Service Discovery tionIX. The Service Discovery Protocol (SDP) provides a II. A Bluetooth Primer mechanism for applications to discover which Blue- tooth services are provided by a remote device and Bluetooth is an open standard for low-power, short- to determine the attributes of those services. The at- range networking that is based on a frequency- tributes of a service include the type or class of ser- hopping spread-spectrum scheme in the 2.4 GHz vice offered and the mechanism or protocol informa- band [1]. This section serves to briefly outline the tion neededto accessthe service. To performservice parts of the Bluetooth specification that are relevant discovery,adeviceestablishesanL2CAPconnection1 totherestofthispaper. Readersalreadyfamiliarwith andusesthistotalktoaremotedevice’sSDPserver. the technical details of Bluetooth may wish to skip A client will typically perform a two-stage pro- straighttoSectionIII. cess to obtain service information. Firstly, a Ser- viceSearchRequestisissuedbytheclient,specifying II.A. Inquiry and Device Discovery whichclassesofserviceitisinterestedin(e.g.generic printingservices). TheclientsendstheServiceSearch The Bluetooth Baseband Specification [1] describes RequesttotheSDPserver,whichrespondsbyreturn- point-to-pointconnectionestablishmentasatwostep ing a list of service handles that identify the services procedure. Firstly, Inquiry is performed to discover available on the remote device that match the client’s other Bluetooth devices in the neighborhood. During service search request. Secondly, the client may per- this phase, the inquiring device learns its neighbors’ formaServiceAttributeTransactiontofindoutmore Bluetooth Device Addresses (BD ADDRs) and fre- about one of the available services. During this pro- quency synchronization information. Secondly, Pag- cess,theclientsendsaServiceAttributeRequestcon- ingisperformedtoestablishanactualconnectionwith taining a service handle and a list of the service at- (someof)thediscovereddevice(s). tributesrequested. TheSDPserverrespondswiththe Inquiry is an asymmetric process: a device wish- valuesofthoseattributes. ingtoperforminquiryenterstheInquirystate;devices waiting to be discovered must be in the Inquiry Scan 1L2CAPisBluetooth’sdatagram-basedLogicalLinkControl state. The inquiring device repeatedly sends packets andAdaptionProtocol. 2 MobileComputingandCommunicationsReview,Volume1,Number2 An example of a service attribute is the Protocol III.A. Context Awareness Descriptor List which identifies the communications Theusabilityissuesdescribedaboveallindicatealack protocols over which the service is running and pro- ofcontext-awarenessinthestandardBluetoothdevice vides protocol-specific parameters. A client uses this discovery model. There are a number of common informationtoconnecttoaservice. scenarioswhereauser knowsexactlywhichphysical Bluetooth device they want to connect to. However, III. Usability Issues Regarding De- they have no way to communicate this contextual in- vice/Service Discovery formationtothedevicesthemselves. Inthescenarioabove,forexample,Aliceisableto Having briefly introduced Bluetooth, we now con- pointtoBob’scameraphonebuthasnowayoftelling tinue by considering usability issues arising from its their own phone that “this is the physical device I devicediscoverymodel. Considerthefollowingcom- wouldliketoconnectto”. Instead,theconnectionhas monscenario: Alicewantstoshareapicturebytrans- to be established by means of the Bluetooth Device ferring a JPEG file from her cameraphone to Bob’s Name associated with Bob’s phone: a somewhat ar- cameraphone; Alice and Bob’s cameraphones have bitrary string of characters which the users may not notseeneachotherbefore. Inordertoaffectthistrans- know (despite being able to identify the physical de- ferAlicemustperformthefollowingactions: viceitself). Selectphoto: Use the menu system on her phone to III.B. Tag-Based Device Discovery selectthepicturetotransferviaBluetooth. Incontrast,byusingvisualtagstoidentifydevicesand DeviceDiscovery: WaitwhilstalistofBluetoothde- services,Alicecansimplypointtheircameraphoneat vicenamesappearsonthephone’sdisplay. Bob’s phoneand click in order to establisha connec- tion with it. In our framework Bob’s cameraphone DeviceSelection: Select the device name corre- has a tag attached to it: either physically printed on spondingtoBob’scameraphone. the device itself, or displayed on the device’s screen (perhaps as the default wallpaper). Then, to transfer From a usability perspective, this scenario high- the photo, Alice performs the following sequence of lights three significant issues. Firstly, the device dis- actions: covery phase takes a significant amount of time. In arealisticenvironmentitisnotuncommonfordevice Selectphoto: Asbefore,Aliceusesthemenusystem inquiry and name discovery to take in excess of 30 ontheirphonetoselectthepicturetotransfervia seconds (see Section VI). This delay is by far the Bluetooth. dominant time-cost for the whole transaction, dwarf- SelectPhysicalDevice: After selecting a picture to ingthetimetakingtotransferthesmallJPEGfile. transfer,Aliceaimstheircameraphoneatthetag Secondly, device selection requires Alice to know onBob’scameraphoneandpressestheselectbut- the device name of Bob’s phone. If Bob has not tonontheirphone’skeypad. thought carefully about giving his device a distin- The tag is decoded yielding the Device Address of guishablename(or,morelikely,hasleftthemanufac- Bob’s cameraphone. A Bluetooth connection is ini- turer’sdefaultdevicenameunchanged),Aliceislikely tiated immediately and the selected picture is trans- to see strings such as “My Phone” or “Nokia 3660”. ferred. ByencodingDeviceAddressesinvisualtags, In an environment with many Bluetooth-enabled de- weprovidetwosignificantbenefitstotheuser: vices it may be unclear which name corresponds to Bob’sphone. 1. The time taken to establish the connection and Thirdly,thelistofdevicenamesAlicehastochoose initiate the picture transfer is an order of mag- from may be long. Even if Alice knows the name of nitude faster than performing Device Discovery Bob’s phone it may take considerable time to scroll (seeSectionVI). through their device name list and select it. Even 2. The Bluetooth Device Name is abstracted from today, in crowded places such as train stations, it is theuser. common for device discovery to find as many as 10- 15 neighboring Bluetooth devices. As Bluetooth be- In many ways the use of visual tags in our system is comesmorewidelydeployed,thisproblemwillbeex- analogous to the use of hyperlinks in hypertext doc- acerbated. uments. Just as hyperlinks hide URLs from readers, MobileComputingandCommunicationsReview,Volume1,Number2 3 outside-inandinaclockwisedirection. Themostsig- nificant bit of data is located in the outer-most data ringofthesectorbelowthefirstbitofthesync-marker. Of the 63 bits of data encoded in each tag, 48 bits specifyaBluetoothDeviceAddress(BD ADDR)and theremaining15bitsareusedforapplication-specific purposes. Ourcirculartagsaredesignedtoworkwellwiththe low-resolutionfixed-focal-depthcamerasfoundonto- day’scameraphones. Crucially,theindividualbitsare Figure 1: [Left] A Visual Tag encoding a 48-bit largeenoughtobereliablydecodedfromdistancesat BD ADDR and 15 bits of application-specific data; which the camera’s lens gives a sharp image. In con- [Right]UsingthetagreaderonaNokia3650camera- trastwefoundthatfamiliarlinear(e.g.UPC)barcodes phone. are unsuitable for decoding on cameraphones: when the phone is positioned near to a linear barcode, the we use tags to hide device naming information from image is out of focus and cannot be decoded; at dis- users. Usingourtechnology, ausercanfocusonper- tances large enough to capture sharp images, the res- forming the task in hand—connecting two physical olutionisinsufficienttomakeoutindividualbars. devices to access a mobile service—rather than hav- ing to establish a connection via (arbitrarily chosen) IV.B. Tag Reader devicenames. WehaveimplementedtagreadingsoftwareforNokia Series 60 cameraphones. When running, the reader IV. System Architecture turns the cameraphone’s display into a viewfinder: a In this section we focus on technical details, describ- livevideofeedcontinuallycapturingframesfromthe ing our implementation of a tag-based service selec- phone’sembeddedcamera. Thephoneperformsreal- tion and connection establishment protocol. We start time image processing, locating and decoding tags bydescribingtheformatofthevisualtagsthemselves in every frame. Whenever a tag is visible in the (Section IV.A) and outlining the implementation of viewfinder and has been decoded successfully, it is ourphone-basedtagreadingsoftware(SectionIV.B). highlighted with a red cross-hair on the phone’s dis- InSectionIV.D,wedescribehowvisualtagsareused play (see Figure 1[right]). If multiple tags are de- tofacilitateBluetoothdeviceandserviceselection. tected in a single frame, the tag nearest the center of theviewfinderishighlightedwitharedcross-hair. We adoptstandardGUIterminology,sayingthatthehigh- IV.A. Tag Format lightedtaghasthefocus. Pressingtheselectbuttonon Initially based on TRIP [4] and SpotCodes [13], our the phone’s keypad indicates that the user wishes to visualtagsarecircularbarcodeswith4data-ringsand establisha connectionto the mobileservicespecified 21 sectors. A visual tag, large enough to be detected bythehighlightedtag. by our cameraphone tag reading software, is shown Thecameraphone-basedtagreadingsoftwareisim- in Figure 1[left]. Bits in the data rings are encoded plemented as a native Symbian-OS application, writ- by using a white block to indicate a value of 1 and a ten in C++. When running on Nokia Series 60 cam- blackblockto indicatea value 0. The outermostring eraphonesthetagreadingsoftwarerunsat15frames- contains a sync-marker (the bit pattern 11), used to per-secondwithverylowlatency. Wehavefoundthat specify the orientation of the tag, and a 5-bit check- ahighframerateandlowlatencyisessentialtousabil- sum which is used to detect decoding errors. The ity. Withoutthesepropertiesauserfindsitdifficultto checksum is encoded using the bit pattern 00 to rep- aimthecameraphoneataparticulartag. resenta0andthebitpattern10torepresenta1. This ensures that the sync marker is uniquely identifiable IV.C. Connection Establishment by preventing the bit pattern 11 from occurring any- where else in the outer ring. The checksum is en- Onceatagcontainingadevice’sBD ADDRhasbeen coded in a clockwise direction with the most signif- decoded by our tag recognition software, Bluetooth icantbitlocateddirectlyafterthesync-marker. Inthe connection establishment can be performed in the 3innerdata-rings,bitsareassignedtosectorsradially, usual way. For example, in the image-transfer sce- 4 MobileComputingandCommunicationsReview,Volume1,Number2 narioofSectionIII,thesendingphonewouldproceed Tag (BD_ADDR, FileID) as usual by: (i) connecting to the device specified by the BD ADDR (decoded from the tag); (ii) perform- Service Search Request ing service discovery to find the receiving phone’s OBEX server [1]; and (iii) connecting to the OBEX Web Service Attribute Camera- Server Transaction Phone server and sending the picture via an OBEX PUT. Thusweseethattag-baseddevicediscoveryisacom- HTTP-Get ponent that can be seamlessly slotted into existing HTTP-Response applications, replacing the standard Bluetooth device discoverymodelwhilstleavingtherestoftheapplica- Figure 2: A diagrammatic view of the data-transfers tion’sBluetoothinteractionsunchanged. involved in our tag-based content browsing applica- tion. IV.D. Tag-Based Content Selection server; secondly a Service Attribute Transaction is In Section I we hinted at a publicly accessible mo- used to retrieve the Protocol Descriptor List, provid- bileservicethatenablesuserstodownloadmusicclips ing the phone with the protocol and channel number onto their PDA or phone. In this section we consider over which the web-server is running. Our current howapplicationssuchasthismayberealizedinprac- implementation assumes that the web-server will be tice. runningoverBluetooth’sRFCOMMlayer(atransport The basic principle is that a single mobile service protocolwhichemulatesanRS232serialport)[1]. can expose multiple choices to a user by means of When the phone has established a Bluetooth con- multiple tags. In the case of the music downloadser- nectiontotheweb-serveritsendsanHTTP-GETmes- vice,forexample,theuserwouldbepresentedwitha sage, specifying the application-specificbits decoded numberoftags—oneforeachtrack. Theusersimply fromtheselectedtagaspartoftherequestedURL.In clicksonthetagcorrespondingtotheirpreferredtrack return, the web-server sends an HTTP-response con- anditisdownloadedontotheirphone. taining the requested file. The phone stores the re- Recall that, as well as encoding a 48-bit ceived file in the usual way and possiblyperformsan BD ADDR,ourvisualtagsalsohaveroomfor15-bits actiononit(e.g.executesit)dependingonthephone’s of application-specific data. To facilitate tag-based securitysettingsandthefile’sMIMEtype. content selection, we use these application-specific The complete transaction, from clicking on a tag bits to encode a unique identifier. In the case of the toreceivingtherequestedfileonthephone, isshown music download service, each tag encodes the same diagrammatically in Figure 2. Data transmitted vi- BD ADDR(sinceallthetracksareaccessedbymeans sually by means of a tag is indicated with a dashed of a connection to the same physical device). How- line; solid thin lines show Bluetooth Service Discov- ever, each track’s tag has a different bit pattern in ery (SDP over L2CAP); solid thick lines show the its application-specific data-block. Once a connec- content transfer itself (HTTP over RFCOMM). Note tion has been established to the device specified by that using HTTP to transfer files to the phone is by the decoded BD ADDR, the application-specific bits no means the only the option. We could, for exam- areusedtospecifywhichtracktodownload. ple,haveusedBluetooth’sObjectEXchange(OBEX) We have implemented a mobile phone applica- protocol[1]toequallygoodeffect. tion that facilitates tag-based content/service selec- tion. The application incorporates the tag reading V. Usage Scenarios softwareandbeginsbypromptinguserstoselectatag (as described in Section IV.B). Once a tag has been Inthissectionwedescribetworealisticusagescenar- selected the application extracts the BD ADDR and ios that highlight the advantages of using visual tags attempts to establish a Bluetooth connection with the toaccessBluetoothmobileservices. Theapplications mobileservice. describedhavebothbeenimplemented. The mobileserviceitself runs a simple HTTP dae- mon. Once the phone has connected to the remote V.A. Stock Querying device,itusesthestandardBluetoothServiceDiscov- eryProtocol(SDP)tolocateandconnecttotheHTTP Thesimplestockqueryingmobileserviceisdesigned server: first a Service Search Request is performed, for deployment in a large shop (e.g. a DIY store or yieldingtheservice-handlecorrespondingtotheweb- supermarket). Figure 3 shows the architecture of the MobileComputingandCommunicationsReview,Volume1,Number2 5 visualtag,theuserisabletocommunicatethiscontex- Stock DB Bluetooth-enabled tual information directly to their phone, saving them PC/server time (by eliminating slow Bluetooth Device Inquiry) hidden from user andmakingthesystemasawholemoreusable(since visible to user theuserissparedfromhavingtonavigateapotentially Java longlistofBluetoothDeviceNamesontheirphone’s Poster Phone applet Phone smalldisplay). Phone Tag V.B. Mobile-Game Vending Machine Figure3: Architectureof the stock-querymobileser- vice. The mobile-game vending machine allows users to browse a selection of Java games and download se- lected games onto their cameraphone. The vending system. On entry to the shop, the user sees a large machine consists of a Bluetooth-equipped PC con- poster advertising the mobile service. They run our nected to a flat panel LCD display. In a realistic tag-based content browser on their cameraphone and deployment, the PC would be hidden from the user click on the tag displayed on the poster. Using the withthedisplaymountedinaprominentpositionand connection establishment and content delivery mech- shieldedfromdamagebehindasheetofglass. anism described in Section IV.D, a Java applet2 is The LCD display shows a selection of animated downloaded to the phone (from a nearby Bluetooth- clips of mobile phone games with a tag next to each enabled web-server) and executed. The Java applet one. To select a game and download it onto their displays a combo-box on the phone’s display with phonetheuserrunsourtag-basedcontentbrowserand which a user can enter/select an item in the stock usestheircameraphonetoclickontheappropriatetag. database. On selecting an item, the applet displays The Bluetooth-equipped PC that runs the vending how many are currently in stock and the number of machineapplicationmaybeconnectedtotheInternet. theaisleinwhichtheproductislocated. This allows the company responsible for maintaining In our current implementation the Java applet is themachinetoconnectremotelyanddynamicallyup- self-contained, incorporating a snapshot of the stock datetheselectionofgamesoffered. database; with careful compression, thousands of Whilst the vending machine example raises the is- products can be stored in the applet. Every five sueofpayment,thisisnotsomethingwewanttodis- minutes or so, the PC recompiles a new applet con- cuss at length in this paper. There have been a great tainingup-to-dateinformationderivedfromthestock many proposals for secure mobile payment schemes, database. The main advantage of adopting this anyofwhichcouldbeintegratedintoourvendingma- mobile-agent approach is that once the Java applet chine application. The purpose of this case study is is downloaded onto the phone there is no need for twofold: firstly, it demonstratestheadvantagesofus- further network connectivity; queries are performed ing tags for content selection (as distinct from device entirely on the phone. This allows the user to walk selection); secondly, by using tags on an active dis- freelyaroundtheshop,performingproductquerieson play we make it very easy for the vending machine their phone without having to worry about remaining companytoupdatethemachinewiththelatestgames. withinBluetoothrangeofthemobileservice. To expand further on the first of these points, con- The benefit of our visual-tag technology in this siderdesigningamobile-gamevendingmachinewith- application is the speed and simplicity with which out using tags. In this case the user would have to (i) a Bluetooth connection may be established. If the connect to the service using the standard Bluetooth mobile service was accessed via the standard Blue- Device Discovery model (exposing the user to the is- toothdevicediscoverymodel(presumablybyprinting suesdescribedinSectionIII);and(ii)selectaspecific a Bluetooth Device Name on the poster and provid- gametodownload3. Thusweseethat,inthisscenario, ing instructions describing how to connect to it) the the tags offer a dual benefit. Not only do they elimi- userwouldbeexposedtotheissuesdescribedinSec- tionIII. Thekeyisthat,inthisscenario,auserknows 3There are a number of ways in which a user could select a exactly which service they want to connect to—that game. If a touchscreen is available, for example, a user could is, the one advertised on the poster. By clicking on a selectagamebypressingthescreenwiththeirfinger. Ifnoinput devicesareavailable,however,ausercouldselectfromalistof 2Javapedantsmaypointoutthat,technically,weshouldreally gametitlesdisplayedontheircameraphone’sscreen.Thissecond usetheterm“Midlet”here. scenarioisexploredfurtherinSectionVI. 6 MobileComputingandCommunicationsReview,Volume1,Number2 Task Completion Time Distribution: Bluetooth Only Task Completion Time Distribution: Visual Tags and Bluetooth 5 40 35 4 30 25 3 Frequency Frequency 20 2 15 10 1 5 0 0 0 5 10 15 20 25 30 35 40 45 50 0 5 10 15 20 25 30 35 40 45 50 Time (s) Time (s) Figure 4: [Left]: Distribution of times taken to complete experimental task using Bluetooth alone (50 trials); [Right]: Distributionoftimestakentocompleteexperimentaltaskusingvisualtags(50trials). Bothfiguresare histogramswithabin-sizeof1s. nate the time-consuming Bluetooth device discovery 01”) is displayed clearly on the poster so the user andselectionprocess,theyalsoprovidetheuserwith knowswhichofthediscovereddevicestoconnectto. an easy way to tell the vending machine which game To ensure that our experiment is a fair compari- theyrequire. son it is essential that we use “best known methods” forBluetoothDeviceDiscoveryinourtaglessservice browser. Forthisreasonweimplementedtheapplica- VI. Performance Evaluation tion directly on top of the cameraphone’s native OS, Symbian,andleveragedSymbian’sexistingBluetooth We compared the performance of our tag-based de- Device Discovery dialog. The Symbian dialog in- vice/service/content selection technique against the corporatesa numberof featuresdesignedspecifically standardBluetoothDeviceDiscoverymodel. Asatest to reduce the device discovery latency experienced applicationwedesignedtwoversionsofaBluetooth- by the user: (i) Name Discovery is performed to- basedactiveposterdesignedtodistributemobilecon- getherwithInquiry,withnamesbeingresolvedwhilst tent to a user’s cameraphone/PDA. The first version other BD ADDRs are still being discovered; (ii) de- ofthepostercontainssixtags,eachadvertisingadif- ferent piece of content4. Clicking on a tag initiates vice names are displayed on the phone’s screen as soonastheyarediscovered—ifthedevicetheuseris a Bluetooth connection and downloads the requested lookingforhappenstobefoundearlyoninthediscov- contentontotheuser’sdevice. eryproceduretheyhavetheoptiontoabortdevicedis- The second version of the poster does not make coveryimmediatelyandselecttheirrequireddevice. useofvisualtags;instead,itcontainsinstructionsex- plaininghowtoselectanddownloadcontentusingthe TheexperimentswereconductedusingNokia3650 standard Bluetooth Device Discovery model. To fa- and 3660 cameraphones and a Bluetooth-enabled cilitate interactionwith this poster we implementeda desktop PC (Linux 2.4.20-28.9 running the Bluez taglessversionofourmobileservice/contentbrowser. Bluetooth stack) to simulate the mobile service. Us- This application (i) performs standard Bluetooth De- ing both tag-based and tagless versions of the poster viceDiscovery,promptingtheusertoselectwhichde- eachpieceofcontentwasdownloaded50times. vicetheywanttoconnectto;(ii)connectstothespec- Inthecaseofthetag-basedposterwemeasured(i) ified device and queries it for a list of available ser- the time between running the tag-reading application vices/content;(iii)displaysthelistofservices/content and the user selecting the tag; (ii) the time to initi- on the phone’s display, prompting the user to select ateanL2CAPconnectionandperformservicediscov- one;and(iv)downloadstheselectedcontentfromthe ery(usingstandardBluetoothSDP);and(iii)thetime mobileserviceontotheuser’sdevice. Thenameofthe taken to establish an RFCOMM connection with the Bluetoothdeviceprovidingtheservice(“test-service- mobileservice(onceSDPhasrevealedthechannelon whichtoconnect). 4Forthepurposesoftheexperimentitdoesn’tmatterwhatthe Inthecaseofthetaglessposterwemeasured(i)the contentis.Inareal-lifedeploymentcontentmaybeJavaapplets, musicclips,HTMLpagesetc. timebetweenstartingBluetoothdevicediscoveryand MobileComputingandCommunicationsReview,Volume1,Number2 7 theuserselectingthecorrectdevicefromtheresulting list;(ii)thetimetakentoestablishanL2CAPconnec- tionandperformSDP;(iii)thetimetakentoestablish an RFCOMM connection; and (iv) the time taken to displaythelistofavailabledownloadsonthephone’s screenandfortheusertoselectone. Agroupoffourusersperformedthecontentdown- loads. Wemadesurethattheuserswerefamiliarwith bothBluetoothandtheUIoftheNokiacameraphones before starting the experiment. Between each run of theexperimentweperformedahardresetofthecam- eraphone. This ensured that no hBD ADDR, device namei pairs had been cached by the phone, simulat- ing the scenario where the devices had not seen each VisualTags BluetoothOnly otherbefore(asisoftenthecasewhenaccessingpub- x(cid:22)(s) (cid:27) (s) x(cid:22)(s) (cid:27) (s) lic mobile services). The experiments were all con- GetBD ADDR 0.56 0.19 13.57 8.21 ductedinanofficeenvironmentcontaining6discover- L2CAP/SDP 0.92 0.39 1.05 0.60 able Bluetooth devices (mobile phones and PCs) and RFCOMM 0.28 0.10 0.27 0.13 several 802.11-enabled PCs. We believe that this en- ListSelection 0.00 0.00 2.03 0.45 vironmentaccuratelymodelsplacesweremobileser- vices are likely to be deployed (e.g. airports, coffee Figure 5: Comparing the time breakdown of the sub- shops). tasks performed across the two systems. (The table In the remainder of this section we present the re- and graph present two different views of the same sults of our experiments, using them to evaluate our data.) framework against three separate criteria: speed, us- abilityandscalability. experience an average latency greater than this. The reasonsforthisdisparityaretwofold. Firstly,thespec- VI.A. Speed ification’s worst case latency is a theoretical result Figure4comparesthedistributionsofthetimestaken quotedassuminganerror-freeenvironment;secondly, to establish a Bluetooth connection using both our it does not include the time to perform name discov- visual-tag framework Fig. 4[Right] and the standard ery (required to display Bluetooth device names on BluetoothversionoftheservicebrowserFig.4[Left]. thephone’sscreen). It is clear to see that using visual tags to perform In contrast, the average time to click on a tag us- out-of-band device and service selection offers a sig- ing the cameraphone is very small: 0.56s (standard nificant benefit to users. With the tag-based content deviation0.19s). Thereasonthistimeissosmallcan browser users completed the task in an average of be explained by noting that the phone takes about 3s 1.77s (standard deviation 0.47s). Using the standard toloadandinitializeourservicebrowserapplications. Bluetooth version of the app the task was completed (Thissetuptime,deliberatelyexcludedfromourmea- in an average of 17.12s (with a standard deviation of surements,isthesameforboththetag-basedandtag- 8.6s). less versions of the software; indeed, all applications This result can be explained with reference to Fig- running on the phone incur similar start-up latency.) ure 5, which shows a breakdown of the individual Duringthis 3s setup delaythe user has ampletime to subtasks involved in performing the content down- aimthecameraattheirchosentag. Assoonasthetag- loadtask. Asexpected, themajordifferencebetween readerstartsup,thetagisimmediatelydetected(high- the two systems is in the time taken to retrieve the lightedwitharedcross-hair)andtheuserclicks5. BD ADDR of the mobile service: here the visual- To gauge the magnitude of this effect we ran an- tag based system, which retrieves its BD ADDR by other experiment in which users were instructed not decoding a tag, outperformed the standard Bluetooth to start aiming the cameraphone at a tag until the DeviceDiscoverymodelonaveragebyafactorof24. Recall that the Bluetooth specification quotes the 5We refer the interested reader to our downloadable imple- worstcaselatencyofinquirytimeas10.24s(seeSec- mentation [14] in case they would like to verify this result for tion II). In reality our experiments show that users themselves. 8 MobileComputingandCommunicationsReview,Volume1,Number2 application had initialised. Under these conditions VI.C. Scalability the average time taken to click on a tag (and for the The standard Bluetooth version of the application BD ADDR to be decoded) increasedto 1.5s. On this scales badly both as a function of the number of dis- basis we conclude that, even on devices with negli- coverable Bluetoothdevices in the neighborhoodand gable application initialisation delay, our results still also as a function of the number of options provided hold. byamobileservice. Increasingboththeseparameters Thetimestakenforthetwosystemstoestablishan leadstolongerlistsforuserstoselectfrom,increasing L2CAP connection are very similar. Given that, as the number of button presses required to make selec- partofInquiry,adevicelearnsclock-synchronization tionsandthusdecreasingtheusabilityofthesystem. informationfromdiscovereddevices[1],thisresultis Furthermore, increasing the number of Bluetooth surprising. OnewouldexpecttheBluetooth-onlyver- DevicesintheneighborhoodcausesDeviceDiscovery sion of the service browser to perform better in this timetoincreaseasO(n). Thisisnotduetotheinquiry respect(duetothefactthatitperformsInquiryimme- phaseitselfbuttothefactthatnamediscoverymustbe diately before connection establishment). It could be performedfor each of the BD ADDRs discovered by that the SymbianBluetoothstack does not use clock- inquiry. synchronizationinformationlearnedduringInquiryas efficiently as it could. However, since the time to es- VII. Security Issues tablish an L2CAP connection(in both cases) is small compared to the time to perform Device Discovery, Althoughsecurityisnotthemainthrustofthispaper, our main result (order of magnitude improvement in in this section we briefly consider the two main se- task completion time) continues to hold even if we curity issues arising from accessing mobile services drop the L2CAP connection time in the “Bluetooth usingvisualtagsandBluetooth. Only”caseto0. The other major difference between the two sys- VII.A. Authentication tems is that the tag-based version of the application doesnotrequiretheusertoselectthecontenttodown- Acommonconcernregardingtheusevisualtagstoes- load from a list. Recall that service selection is per- tablishconnectionstomobileservicesisthe“Man-in- formedbyclickingon1ofthe6differenttagsonthe the-Middleattack”. Inthisscenario,anattackersome- poster. The single tag click serves both to initiate the howreplacesavisualtagon(say)anactiveposterwith Bluetoothconnectionandspecifywhichcontentisre- anewtagthatpointstotheirmaliciousdevice. Users quested. that click on the tag will then unwittingly connect to themaliciousserviceratherthanthegenuineone. The Man-in-the-Middle attack is a well studied problem that must always be considered when de- VI.B. Usability veloping connection-establishment protocols. There has been a great deal of work on using digital sig- For the purposes of this section, we take the average natures for secure authentication, preventing Man-in- numberofbuttonpressesrequiredtocompletethetask the-Middle attacks [16]. We propose using similar as a crude measure of usability [17]. The tag-based schemes when establishing Bluetooth connections to system requires only one button press (to notify the mobile services. For example, on connection, a mo- systemthattherequiredtaghasbeenacquired). Once bile service could send a message containing a dec- a tag has been selected there is no further input re- laration of their identity and their public key. This quired from the user. In contrast, the standard Blue- message would be signed by a trusted party (e.g. tooth version of the application requires an average VeriSign). When the phone receives this message of10buttonpressestonavigatetwoseparatelistcon- from a mobile service, the signature would be veri- trols: one containing discovered Bluetooth Devices, fied on the phone (using the public key of the sign- the other containing a list of items that can be down- ing authority) and a message displayed on the phone loaded. screen displaying the name of the service provider— We have conducted an in-depth study of usabil- e.g. “This mobile service is provided by ServerCorp, ity issues surrounding visual tag-based applications. doyouwishtocontinue?”. Theusercouldthendecide This work has been written up in a separate publica- whether to continue to access the service, depend- tion[18]. ingonwhethertheytrustServerCorp. Thisisexactly MobileComputingandCommunicationsReview,Volume1,Number2 9 thesamemodelusedtoprovidesecureauthentication duplicated by RFID—a PC can generate tags on-the- foralle-commercetransactionsthattakeplaceonthe fly,dynamicallyupdatingthelistofservicesofferedto web. users (see Section V.B). Thirdly, our work considers bothBluetoothdevicediscoveryandserviceselection whereasHalletalconsideronlytheformer. VII.B. Privacy and Encryption At this point it is worth drawing one further com- There are a number of reasons why one may want a parisonbetweenRFIDtechnologyandvisualtagsthat user’sinteractionswithamobileservicetoremainpri- we believe to be important. Whereas RFID tags are vate. Consider,forexample,theissueofdownloading typicallysmallembeddeddeviceshiddenfromhuman paid content (e.g. the mobile-game vending machine view, optical tags are, by their very nature, visible exampleofSectionV.B). Inthisinstancethesuppliers to users. This raises an important question regard- of the vendingmachinewant to ensurethat an eaves- ing RFID-based device and service discovery: how dropperthathasnotpaidforthecontentcannotobtain does a user know to hold their mobile-device against agameforfreebysnoopinganothercustomer’sBlue- an (invisible) RFID tag? Clearly the RFID solution toothtransaction. also requires some kind of visual symbol or printed The obvious solution is to apply Bluetooth’s text in order to alert the user to the existence of the connection-level encryption [1]. If the system de- mobile service. In contrast, visual tags are a single signer does not feel that this is satisfactory we note technology serving the dual purposes of (i) encoding that there is a huge body of literature on session-key machine-readable data; and (ii) advertising the exis- establishment and encryption [16]. These standard tenceofmobileservicestoahumanusers. techniques can be applied to our HTTP/RFCOMM Woodings et al have proposed using IrDA to by- Bluetooth sessions. In a realistic environment, tried pass Bluetooth Device Discovery [19]. In their sys- and tested protocols such as HTTPS could be em- tem, an IrDA connection is established and used to ployed to provide both authentication and privacy transmit the BD ADDR of a remote device. Once guarantees. Mostoftoday’smobilephonesandPDAs the BD ADDR has been transferred, the IrDA con- alreadyhavebuilt-insupportforHTTPS. nection is closed and a Bluetooth connection is initi- ated. Woodingsshowsthattheresultingtimetakento establish a Bluetooth connection when using IrDA in VIII. Discussion and Related Work thisfashion,isseveraltimesfasterthanrelyingonthe standardBluetoothDeviceDiscoverymodel. Inmany We are not the first to realize that there are a num- ways, the comparison between our work and this re- ber of scenarios in which the Bluetooth Device Dis- searchissimilartothecomparisonbetweenourwork covery model is less than ideal. Motivated by a de- and RFID-based Bluetooth connection establishment siretoeliminatethetime-andpower-costsassociated procedureoutlinedabove. Firstly,wehaveshownthat with Bluetooth Device Discovery, Hall et al propose visual tags provide a convenient mechanism for both using RFID tags to “wake-up” a sleeping Bluetooth device discovery and service selection. Whilst IrDA radioandtransmitadevice’sBD ADDR[7]. Ourim- allows Bluetooth device discovery to be bypassed, plementation achieves the same time and power ben- it is unclear how the technology could also be used efits as Hall but also also offers a number of dis- for service selection. Secondly, as with RFID tags, tinct advantages. Firstly, since we rely entirely on somekindofvisualsymbolortextwouldberequired commodity hardware, our work is immediately ap- anyway to alert the user to the presence of a Blue- plicable: there is no need to augment existing de- vices with RFID readers6, instead our implementa- tooth/IrDAmobileservice. Thisissomethingthatvi- sualtagsprovideforfree. tion can be downloaded and immediately deployed on the hundreds of millions of cameraphones and The performance evaluation sections of both camera-enabledPDAsthathavealreadyshippedglob- Hall’s [7] and Woodings’ [19] papers are weak, re- ally. Secondly, the combination of visual tags on an lying on numbers taken directly from the Bluetooth active display provides a functionality that cannot be specification, combined with results derived by ex- perimentally testing subcomponents of the proposed 6Whilst some manufacturers are incorporatingRFID readers systems in isolation. To our knowledge, our paper is into mobile devices, there are currently no such products in the thefirstattempttoquantifythebenefitsofout-of-band consumer market space. Current offerings are targetted at spe- Bluetooth connection-establishment as measured by cific industrialapplications(e.g.ruggedizedphonesforfield en- gineers). realusersworkingwitharealend-to-endsystemsim- 10 MobileComputingandCommunicationsReview,Volume1,Number2