In the face of two recent Bluetooth vulnerabilities -- bluesnarfing and a backdoor attack -- security managers must reexamine their company's Bluetooth deployments. Its short-range wireless technology -- available in newer computers, PDAs and mobile phones -- is intended to replace physical cables. The attacks exploit, wirelessly, security weaknesses in some Bluetooth-enabled mobile phones.
A snarf attack, able to quietly steal calendar and phone book information, could be especially dangerous since most Bluetooth devices ship with the wireless technology active.
Security consultancy A.L. Digital's chief security officer, Adam Laurie, discovered the snarf attack while testing phones for his own company's deployment. Since then, he's created software to log the vulnerable Bluetooth devices walking past his office in Chiswick, a London suburb; it sees 40 a day.
"I suspect if you went into a much more densely populated area, like London, you'd have a much higher number of machines," he says, adding that practical attack range, using a laptop with a Class 1 Bluetooth dongle, would be 100 feet.
An automated attack tool, snarfing everything in range, could be especially dangerous, says security researcher Mark Rowe at U.K.-based Pentest. "For example, outside a politician's house."
Unless users are watching their mobile device while it's bluesnarfed they won't know data's been purloined. Experts recommend immediately deactivating Bluetooth on unpatched phones
Don't, however, discard all things Bluetooth. "This is not a problem with the Bluetooth specification; it is a problem with certain manufacturers' handsets," says Anders Edlund, marketing director of the Bluetooth Special Interest Group (SIG). SIG released the Bluetooth standard; it's up to manufacturers to implement it.
Some, however, fault SIG for not requiring more security. "The Bluetooth specification details the implementation of a secure link but doesn't require it," according to a report by Gartner analysts Martin Reynolds and Michael Gomez.
At risk, of course, is sensitive corporate information. For example, in August a former Morgan Stanley vice president sold his old Blackberry on eBay. Only, as the buyer reported, he neglected to password-protect or erase 200 sensitive corporate e-mails, plus corporate directories, all of which competitors would have loved.
Of course, outright theft is still much more likely than a snarf attack. Research firm International Data Corp. says hundreds of thousands of mobile phones are reported missing every year.
Experts recommend three ways any company using Bluetooth can better secure itself. First, Gartner says, "disable Bluetooth unless there is a compelling reason to activate it." That means enlisting IT to build PCs and configure devices with Bluetooth deactivated, educating users to -- at least -- deactivate Bluetooth when not in use and keep it off in questionable areas.
For all mobile devices, remember "strong crypto is your friend," says Laurie. Give users password vaults -- software to encrypt information -- for the PINs and passwords users inevitably store on devices. Also mandate password access for every device, SIM or memory card. Then check to ensure users comply.