Improving Bluetooth Security
- Published on January 31, 2008
- Written by Mike McClain, Senior Web Designer & Site Manager
But Bluetooth isn’t just for mobile phones, PDAs and laptops. According to Bluetooth SIG, Bluetooth systems are being installed in commercial vehicles for driver communications, hands-free calling and data capture. Hospitals are using wireless pulse oximeters, which reduce the likelihood of a patient accidentally removing the pulse receiver.
Several companies are integrating Bluetooth technology into their IT environments, enabling enterprise-class applications to increase productivity and improve the bottom line. A bottling company in Australia has equipped field sales and marketing staff with Bluetooth-enabled laptops and mobile phones, allowing its employees to be connected to the Internet, the company network, e-mail, and client information anywhere, anytime. The laptops connect via Bluetooth wireless technology to the mobile phone’s GPRS data network, combining the full function of a laptop computer with the mobility of GPRS connectivity. Compared to other wireless solutions, these laptops are not as constrained by local infrastructure; they are able to roam over a much larger area.
Now that it has gained significant deployment and is being used to power real-world business solutions, Bluetooth faces a problem common to all fast-emerging communications technologies: security.
The emergence of mobile threats has heightened mobile users’ and enterprises’ concerns regarding the maturity of the technology, especially its overall lack of comprehensive security. While some risks may be due to current implementations or the protocol design, there are steps that can be taken to reduce risk. All organizations should take a proactive approach to mitigate potential security breaches before it’s too late.
Bluetooth Attacks and Vulnerabilities: What’s Happening?
Hackers are using Bluetooth to attack mobile devices such as mobile phones, PDAs, laptops, and handsets. One example is Bluejacking, which exploits a Bluetooth device’s ability to “discover” other nearby devices in order to send unsolicited messages. Another is Bluesnarfing, which uses the same ability to access information stored on the device – such as a contact list – without the user’s knowledge. Other attacks include denial-of-service, eavesdropping, and use of a victim’s phone to send data or make calls. There have also been numerous instances of mobile viruses, worms, and Trojan horses in the past year. While none has done considerable damage, their rapid evolution presents obvious cause for concern.
Minimizing the Security Risks: Take Action!
Enterprises and mobile device users should recognize that Bluetooth comes in all shapes and sizes – security risks extend far beyond PDAs and smartphones. For example, some laptops ship with Bluetooth, potentially creating a back door into the enterprise when the laptop is connected to the LAN via Ethernet or WiFi.
CIOs and IT managers shouldn’t overlook how easy and inexpensive it is for employees to purchase accessories such as dongles in order to add Bluetooth functionality to a wide range of company-approved devices, including handsets, laptops and PDAs. These add-ons are similar to rogue access points in WiFi in the sense that they quietly create vulnerabilities in a network that appears to be secure.
CIOs and IT managers should take the following minimum precautions against Bluetooth-enabled attacks:
- Immediately identify any company-issued Bluetooth devices and alert users to known vulnerabilities. Enterprises should keep an inventory of company-provided devices, as well as issue an alert to employees who were reimbursed for purchasing their own devices. Finally, check with your device suppliers about emerging Bluetooth vulnerabilities that haven’t yet been publicized. By the time you read about it in an IT trade magazine or on the Internet, it may be too late.
- Educate employees. Bluesnarfing and Bluejacking exploit naiveté as much as they exploit Bluetooth’s security flaws. Enterprises are well advised to create comprehensive guidelines – in plain English – that identify the risks and penalties for using Bluetooth devices, even those that are company-approved. For example, employees must understand that devices can be vulnerable even when not in “discoverable” or “visible” mode.
- Use caution when “pairing” devices. The dependence on PINs to create the encrypted connection between devices is the only known significant vulnerability in the Bluetooth specification. Short PINs can be discovered relatively easily if an attacker is able to monitor and record the pairing process (this attack only works if the attacker is “sniffing” the link when devices are paired). To prevent PIN compromise, users should do the following: use longer PINs when pairing; do not pair devices in public places; and be suspicious if previously paired devices unexpectedly request a new pairing (there is a new attack that attempts to force re-pairing for the purpose of observing the exchange).
- Strengthen company IT policies to address Bluetooth. Bluetooth PDAs sell for as little as $100, increasing the chances that employees will buy them on their own and bring them to work. Enterprises should treat unauthorized Bluetooth PDAs, handsets and accessories like rogue access points: if employees understand the risks and vulnerabilities associated with Bluetooth usage, then they must accept accountability for opening back doors into the enterprise with unauthorized devices. Employees should be required to register their personal devices with IT departments to raise the level of accountability and to ensure adequate tracking of devices connecting to the enterprise.
- Look for products with control over Bluetooth. Many PDAs feature a switch that lets users turn wireless – including Bluetooth and WiFi – on and off rather than wading through menus or the system tray. If wireless can be shut off with just the flick of a switch, employees are more likely to comply with company security policies. Company policy should require that Bluetooth be shut off when not in use. Like WEP and WiFi, even when basic security measures aren’t iron-clad, they’re still better than no security at all.
- Consider tools for identifying and mitigating security risks. IT managers can scan their networks for attached devices, including PDAs. They can also remotely disable Bluetooth in company devices. The latter may be necessary because although security risks can be reduced by shutting off the discoverable mode in Bluetooth, some attacks can bypass those protections.
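The inventory, registration and scanning precautions above can be combined into one reconciliation check: compare what is observed against what IT has on record. The following Python is an added example, not part of the original article; the registry, the supplier advisory list, the device names and the observation format (as an endpoint agent or scanner might report it) are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    address: str        # Bluetooth device address as reported (format may vary)
    name: str           # friendly name reported by the device
    discoverable: bool  # True if the device was found in discoverable mode

# Constructed IT registry: address -> (owner, model). Includes registered personal devices.
REGISTRY = {
    "00:11:22:AA:BB:01": ("a.nguyen", "ExamplePDA 500"),
    "00:11:22:AA:BB:02": ("r.patel", "ExamplePhone X"),
    "00:11:22:AA:BB:03": ("j.ortiz", "ExampleLaptop 14"),
}

# Constructed list of models named in supplier vulnerability alerts.
ADVISORY_MODELS = {"ExamplePhone X"}

def normalize(addr):
    """Canonical form so 00-11-22-aa-bb-01 and 00:11:22:AA:BB:01 match."""
    return addr.strip().upper().replace("-", ":")

def audit(observations):
    """Return (address, finding, owner) tuples for every policy exception."""
    findings, seen = [], set()
    for obs in observations:
        addr = normalize(obs.address)
        if addr in seen:          # the same device is often reported more than once
            continue
        seen.add(addr)
        entry = REGISTRY.get(addr)
        if entry is None:         # treat like a rogue access point: no owner on record
            findings.append((addr, "UNREGISTERED", None))
            continue
        owner, model = entry
        if obs.discoverable:      # policy: discoverable mode off when not pairing
            findings.append((addr, "DISCOVERABLE", owner))
        if model in ADVISORY_MODELS:  # owner must be alerted to the known issue
            findings.append((addr, "ADVISORY", owner))
    return findings

# Constructed sample observations, including a duplicate and mixed address formats.
SAMPLE_SCAN = [
    Observation("00-11-22-aa-bb-01", "PDA", True),
    Observation("00:11:22:AA:BB:02", "Phone", False),
    Observation("00:11:22:AA:BB:99", "Dongle", True),
    Observation("00:11:22:aa:bb:99", "Dongle", True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(finding)
```

A registered device that is absent from the observations is not reported, since Bluetooth being switched off is the state the policy asks for.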
Brian Hernacki is an architect at Symantec Research Labs where he works to develop future technologies. Hernacki has more than 10 years of experience with computer security and enterprise software development. He has conducted research and commercial product development in a number of security areas including intrusion detection and analysis techniques, honeypots, and wireless and mobile technologies. Hernacki graduated from the University of Michigan with a degree in computer engineering.
"Appeared in DRJ's Winter 2006 Issue"