Home > Learning guide: The five steps of baseline Bluetooth security
Step-by-Step Guide:
EMAIL THIS LICENSING & REPRINTS

Learning guide: The five steps of baseline Bluetooth security

04 May 2005 | SearchSecurity.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

Today over 3 million devices with Bluetooth ship every week, including computers, wireless car kits, PDAs and mobiles phones. And thanks to a range of vulnerabilities and exploits, extracting information from devices running Bluetooth can be relatively simple.

As with all networking technologies, the mere presence of Bluetooth on a device introduces security risks, especially when the end user is unaware of Bluetooth's presence, or of how to secure the technology. So, how can you protect your network from a Bluetooth hack? Here are five steps for securing Bluetooth devices in the enterprise.


FIVE BLUETOOTH SECURITY BASICS

 Step 1: Bluetooth vulnerability lingo
 Step 2: How to disable Bluetooth
 Step 3: Authentication and encryption options
 Step 4: Acceptable use
 Step 5: User education

Step 1: Know Bluetooth vulnerability lingo
Bluetooth has spawned a number of terms that highlight Bluetooth vulnerabilities. Being aware of these threats is the first step in keeping handhelds secure and avoiding a Bluetooth hack. The following are the terms you should know:

Bluejacking means anonymously sending an electronic business card or photo to another Bluetooth user. This enables an attack called "bluesnarfing," which allows an attacker to access the address book, contact information, e-mail and text messages on another user's mobile phone. Phone manufacturers released a patch when this threat was announced, but it has not been determined if Bluetooth-enabled PCs are vulnerable.
For more information:
In this tip, Lisa Phifer reviews today's options for achieving secure remote access from Windows mobile smartphones.
 
Learn if your enterprise be concerned with the Apple iPhone's automatic connection to Wi-Fi networks.

Security threats expert Ed Skoudis examines iPhone-specific attacks and reveals how organizations can limit their exposure.

War nibbling is a take-off on war driving. Instead of cruising for open 802.11 networks, nibbling refers to finding unsecured or unpatched Bluetooth connections.

Bluesniping was recently coined by security researchers who used a highly directional antenna and a laptop running inexpensive software to establish connections with Bluetooth-enabled devices from over a half-mile away. Although the research wasn't malicious, attackers could use this technique to steal information from a distance, without leaving any signs of the attack.

Step 2: How to disable Bluetooth
Most Bluetooth-enabled devices ship with the technology fully active. As soon as these devices are powered on, they broadcast their Bluetooth device name, making their presence known (or discoverable) for others who might want to connect. Whether it's a smartphone or a laptop, this capability makes Bluetooth an attractive target for hackers.

To address this problem, disable a device's "discoverable" setting. An attacker can still force a discovery, but deactivating discoverability makes this somewhat more difficult. (The Bluetooth Special Internet Group says it will address the vulnerability in a new specification -- to be released in 2006.) Also, if your company creates its own client builds -- disk images -- for its PCs, set Bluetooth to be deactivated by default.

Of course, when two Bluetooth devices create a trusted relationship -- known as pairing -- at least one of them must be discoverable. However, device pairing is an infrequent activity, so it's best to keep the functionality deactivated whenever possible.

Step 3: Preventing Bluetooth viruses with authentication and encryption
PCs can be configured to share files and to give Bluetooth users access to a shared directory. Use this feature cautiously, and set the PC software to prompt the user when it receives files or address book information. Without proper settings, another Bluetooth user could send files that automatically execute on the receiving computer, opening the door to virus and worm infections, or Trojan executables. Before creating a trusted relationship, one Bluetooth device can require another to authenticate -- via a PIN -- and also use encryption while transferring all information. Make this a requirement for all handheld devices that connect to your network, or store sensitive corporate information.

Step 4: Acceptable use of Bluetooth phones, PDAs and software
As with so many types of security, user education is a must, and even more so with Bluetooth devices because most organizations don't issue smartphones or PDAs to employees; individuals buy their own. While this may lower costs for the company, it means securing them is a purely voluntary act on the part of the end user.

However, as John Pironti, a security consultant at Blue Bell, Penn.-based Unisys, notes, "Organizations can still create security policies covering the acceptable use of any device used to store or access corporate information." So create a concise policy that covers any Bluetooth-enabled device.

Step 5: Educating end users on Bluetooth security
Beyond corporate secrets, users' personal information -- so often stored in plain text on a PDA or phone -- is also at risk. Use this as the hook to get them interested in keeping it protected. Consider posting and promoting "now that you've bought your device" campaigns on the company intranet. For example, organizations can give users intranet-based tools or checklists for configuring their smartphones or PDAs setting up access to corporate information, or pairing their Bluetooth-enabled device to a headset or other peripheral. Along the way, walk users through the process of implementing whatever you've articulated in the security policy. For example, show them how to create a 10-digit password, since shorter passwords aren't very effective. (A four-digit password can be intercepted and cracked in less than a second.)

Also, it's important to caution users to never leave a device in discoverable mode, to deactivate Bluetooth when possible, and to never blindly hit the "accept" button when their device receives a file or electronic business card, since what they're accepting might be a virus or Trojan code.


ABOUT THE AUTHOR:
Mathew Schwartz is a freelance writer, editor, and photographer based in Paris, France. He regularly contributes information security and corporate compliance stories to Enterprise Systems, Information Security magazine, and IT Compliance Now. His work also appears in numerous other publications, including the Times of London and Wired News. Other recent work includes a 235-page usability report on the world's top 10 intranets, coauthored for the Nielsen Norman Group. Corporate writing clients have included life-insurance firm SBLI, and Intel.


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Handheld and Mobile Device Security
Should enterprises implement a mandatory iPhone VPN?
Should iPhone email be sent without SSL encryption?
Employee-owned handhelds: Security and network policy considerations
How secure is a mobile phone platform that has an open source framework?
Defining mobile device security concerns
Is the mobile malware threat overblown?
Secure remote access: Closing the Windows Mobile Smartphone loophole
iPhone security in the enterprise: Mitigating the risks
Should the enterprise be concerned with the Apple iPhone's automatic connection to Wi-Fi networks?
Apple iPhone SDK could increase security threats
Handheld and Mobile Device Security Research

Wireless Protocols and Standards
What are the dangers of using radio frequency identification (RFID) tags?
Lessons learned from TJX: Best practices for enterprise wireless encryption
Should the enterprise be concerned with the Apple iPhone's automatic connection to Wi-Fi networks?
TJX should have had stronger Wi-Fi encryption, say Canadian officials
Wi-Fi simplicity edging out Wi-Fi security
Do WEP weaknesses call for an upgrade to WPA2 encryption?
VeriSign, AirMagnet team up for wireless IPS
TJX breach tied to Wi-Fi exploits
WEP crack demonstrates need for WPA2
What is the harm in removing a credit card's RFID chip?

Wireless Access Control
Lessons learned from TJX: Best practices for enterprise wireless encryption
Should the enterprise be concerned with the Apple iPhone's automatic connection to Wi-Fi networks?
Is it possible to identify a fake wireless access point?
How 'evil twins' and multipots seek to bypass enterprise Wi-Fi defenses
Wi-Fi simplicity edging out Wi-Fi security
Should an enterprise network be regularly checked for rogue access points?
Aruba bolsters mobile suite with security acquisition
Cafe Wi-Fi
VeriSign, AirMagnet team up for wireless IPS
Check Point promises more VoIP security, fewer slowdowns
Wireless Access Control Research

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
evil twin  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts