Today over 3 million devices with Bluetooth ship every week, including computers, wireless car kits, PDAs and mobile phones. And thanks to a range of vulnerabilities and exploits, extracting information from devices running Bluetooth can be relatively simple.
As with all networking technologies, the mere presence of Bluetooth on a device introduces security risks, especially when the end user is unaware of Bluetooth's presence, or of how to secure the technology. So, how can you protect your network from a Bluetooth hack? Here are five steps for securing Bluetooth devices in the enterprise.
FIVE BLUETOOTH SECURITY BASICS
Step 1: Bluetooth vulnerability lingo
Step 2: How to disable Bluetooth
Step 3: Authentication and encryption options
Step 4: Acceptable use
Step 5: User education
Step 1: Know Bluetooth vulnerability lingo
Bluetooth has spawned a number of terms that highlight Bluetooth vulnerabilities. Being aware of these threats is the first step in keeping handhelds secure and avoiding a Bluetooth hack. The following are the terms you should know:
Bluejacking means anonymously sending an electronic business card or photo to another Bluetooth user. This enables an attack called "bluesnarfing," which allows an attacker to access the address book, contact information, e-mail and text messages on another user's mobile phone. Phone manufacturers released a patch when this threat was announced, but it has not been determined if Bluetooth-enabled PCs are vulnerable.
War nibbling is a take-off on war driving. Instead of cruising for open 802.11 networks, nibbling refers to finding unsecured or unpatched Bluetooth connections.
Bluesniping was recently coined by security researchers who used a highly directional antenna and a laptop running inexpensive software to establish connections with Bluetooth-enabled devices from over a half-mile away. Although the research wasn't malicious, attackers could use this technique to steal information from a distance, without leaving any signs of the attack.
Step 2: How to disable Bluetooth
Most Bluetooth-enabled devices ship with the technology fully active. As soon as these devices are powered on, they broadcast their Bluetooth device name, making their presence known (or discoverable) for others who might want to connect. Whether it's a smartphone or a laptop, this capability makes Bluetooth an attractive target for hackers.
To address this problem, disable a device's "discoverable" setting. An attacker can still force a discovery, but deactivating discoverability makes this somewhat more difficult. (The Bluetooth Special Interest Group says it will address the vulnerability in a new specification -- to be released in 2006.) Also, if your company creates its own client builds -- disk images -- for its PCs, set Bluetooth to be deactivated by default.
Of course, when two Bluetooth devices create a trusted relationship -- known as pairing -- at least one of them must be discoverable. However, device pairing is an infrequent activity, so it's best to keep the functionality deactivated whenever possible.
Step 3: Preventing Bluetooth viruses with authentication and encryption
PCs can be configured to share files and to give Bluetooth users access to a shared directory. Use this feature cautiously, and set the PC software to prompt the user when it receives files or address book information. Without proper settings, another Bluetooth user could send files that automatically execute on the receiving computer, opening the door to virus and worm infections, or Trojan executables. Before creating a trusted relationship, one Bluetooth device can require another to authenticate -- via a PIN -- and also use encryption while transferring all information. Make this a requirement for all handheld devices that connect to your network or store sensitive corporate information.
Step 4: Acceptable use of Bluetooth phones, PDAs and software
As with so many types of security, user education is a must, and even more so with Bluetooth devices because most organizations don't issue smartphones or PDAs to employees; individuals buy their own. While this may lower costs for the company, it means securing them is a purely voluntary act on the part of the end user.
However, as John Pironti, a security consultant at Blue Bell, Penn.-based Unisys, notes, "Organizations can still create security policies covering the acceptable use of any device used to store or access corporate information." So create a concise policy that covers any Bluetooth-enabled device.
Step 5: Educating end users on Bluetooth security
Beyond corporate secrets, users' personal information -- so often stored in plain text on a PDA or phone -- is also at risk. Use this as the hook to get them interested in keeping it protected. Consider posting and promoting "now that you've bought your device" campaigns on the company intranet. For example, organizations can give users intranet-based tools or checklists for configuring their smartphones or PDAs, setting up access to corporate information, or pairing their Bluetooth-enabled device to a headset or other peripheral. Along the way, walk users through the process of implementing whatever you've articulated in the security policy. For example, show them how to create a 10-digit password, since shorter passwords aren't very effective. (A four-digit password can be intercepted and cracked in less than a second.)
Also, it's important to caution users to never leave a device in discoverable mode, to deactivate Bluetooth when possible, and to never blindly hit the "accept" button when their device receives a file or electronic business card, since what they're accepting might be a virus or
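The recommendations in Steps 2, 3 and 5 (discoverability off, Bluetooth deactivated in corporate disk images, PIN authentication and link encryption required, no automatic acceptance of incoming files, and a 10-digit PIN) can be turned into an automated compliance check. The script below is an added example and is not code from the original article; the device-inventory schema it reads (a list of dicts with a "bluetooth" section) and the sample devices are constructed for this example, and a real MDM or asset-management export would need to be mapped onto it first.

```python
"""Bluetooth device policy audit (added example; not from the original article).

Encodes the article's Step 2, Step 3 and Step 5 recommendations as checks
over a device inventory. The inventory schema used here is an assumption
made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_PIN_DIGITS = 10  # article recommends 10 digits; a 4-digit PIN has only 10**4 values


@dataclass(frozen=True)
class Finding:
    device: str
    check: str
    detail: str


def pin_is_acceptable(pin: str) -> Tuple[bool, str]:
    """Length and triviality checks for a legacy Bluetooth pairing PIN."""
    if len(pin) < MIN_PIN_DIGITS:
        return False, f"{len(pin)} digits gives only {10 ** len(pin):,} possible values"
    if len(set(pin)) == 1:
        return False, "all digits identical"
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return False, "simple ascending/descending sequence"
    return True, "ok"


def check_device(dev: Dict) -> List[Finding]:
    """Apply the Step 2/3/5 policy to one inventory record."""
    name = dev.get("name", "<unnamed>")
    bt = dev.get("bluetooth", {})
    findings: List[Finding] = []

    if bt.get("enabled_in_base_image", False):
        findings.append(Finding(name, "base_image_default_on",
                                "Step 2: corporate disk images should ship with Bluetooth deactivated"))
    if not bt.get("enabled", False):
        return findings  # radio is off: the remaining checks do not apply

    # An unknown discoverability setting is treated as discoverable, which is
    # the shipping default the article describes.
    if bt.get("discoverable", True):
        findings.append(Finding(name, "discoverable",
                                "Step 2: device broadcasts its name; keep discoverable off except while pairing"))
    if not bt.get("require_pin", False):
        findings.append(Finding(name, "no_pin_auth", "Step 3: pairing must require PIN authentication"))
    if not bt.get("encrypt_links", False):
        findings.append(Finding(name, "no_link_encryption", "Step 3: transfers must use link encryption"))
    if bt.get("auto_accept_files", False):
        findings.append(Finding(name, "auto_accept_files",
                                "Step 3: prompt the user before accepting files or business cards"))
    pin = bt.get("pin")
    if bt.get("require_pin", False) and pin is not None:
        ok, why = pin_is_acceptable(str(pin))
        if not ok:
            findings.append(Finding(name, "weak_pin", f"Step 5: {why}"))
    return findings


def audit(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Return {device name: [failed check names]} for every device in the inventory."""
    return {dev.get("name", "<unnamed>"): [f.check for f in check_device(dev)] for dev in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"name": "laptop-01", "bluetooth": {"enabled": True, "discoverable": True,
                                        "require_pin": True, "pin": "1234", "encrypt_links": False,
                                        "auto_accept_files": True, "enabled_in_base_image": True}},
    {"name": "pda-07", "bluetooth": {"enabled": True, "discoverable": False,
                                     "require_pin": True, "pin": "4837109265", "encrypt_links": True,
                                     "auto_accept_files": False, "enabled_in_base_image": False}},
    {"name": "desktop-12", "bluetooth": {"enabled": False, "enabled_in_base_image": False}},
]

if __name__ == "__main__":
    for record in SAMPLE_INVENTORY:
        for f in check_device(record):
            print(f"{f.device}: {f.check} - {f.detail}")
```

Running the script against the constructed inventory reports five findings for laptop-01 (Bluetooth on in the base image, discoverable, no link encryption, automatic file acceptance, and a four-digit PIN) and none for the other two devices. The ordering of the checks matters only for readability; the point is that each finding names the article step it traces back to, so the report doubles as the user-facing checklist Step 5 calls for.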
ABOUT THE AUTHOR:
Mathew Schwartz is a freelance writer, editor, and photographer based in Paris, France. He regularly contributes information security and corporate compliance stories to Enterprise Systems, Information Security magazine, and IT Compliance Now. His work also appears in numerous other publications, including the Times of London and Wired News. Other recent work includes a 235-page usability report on the world's top 10 intranets, coauthored for the Nielsen Norman Group. Corporate writing clients have included life-insurance firm SBLI, and Intel.
This was first published in May 2005