CIO Update: Bluetooth: Plugging the Latest Enterprise Security Loophole

Bluetooth: Plugging the Latest Enterprise Security Loophole

By Brian Hernacki

October 14, 2005: Bluetooth is everywhere today and needs to be secured just like the mini WiFi hub it is, writes CIO Update guest columnist Brian Hernacki of Symantec.

Now that Bluetooth has gained significant deployment and is being used to power real-world business solutions, it faces a problem common to all fast-emerging communications technologies: security.

According to the Bluetooth Special Interest Group (SIG), Bluetooth weekly shipments passed the five million unit mark in Q2 ’05, up from three million in Q3 ’04.

Most of this growth has been in the mobile phone and PDA markets; in fact, 20% of mobile phones now ship with Bluetooth. In high-end business phones, the penetration rate is even greater, and by 2006, the majority of business-class phones will include Bluetooth.

But Bluetooth isn’t just for mobile phones, PDAs and laptops. According to the Bluetooth SIG, commercial vehicles are installing Bluetooth systems for driver communications, hands-free calling and data capture. Hospitals are using wireless pulse oximeters, which reduce the likelihood of a patient accidentally removing the pulse receiver, and the list of adopters keeps growing.

The emergence of mobile threats has heightened mobile users’ and enterprises’ concerns regarding the maturity of the technology, especially its overall lack of comprehensive security.

While some risks may be due to current implementations or the protocol design, there are steps that can be taken to reduce risk. All organizations should take a proactive approach to mitigate potential security breaches before it’s too late.

Minimizing the Risks

Hackers are using Bluetooth to attack mobile devices. One example is Bluejacking, which exploits a Bluetooth device's ability to "discover" other nearby devices in order to send unsolicited messages. Another is Bluesnarfing, which uses the same ability to access information stored on the device, such as a contact list, without the user's knowledge.

Other attacks include denial-of-service, eavesdropping, and use of a victim’s phone to send data or make calls. There have also been numerous instances of mobile viruses, worms and Trojans in the past year. While none has done considerable damage, their rapid evolution presents obvious cause for concern.

Enterprises and mobile device users should recognize that Bluetooth comes in all shapes and sizes and, therefore, security risks extend far beyond PDAs and smart phones. For example, some laptops ship with Bluetooth, potentially creating a back door into the enterprise when the laptop is connected to the LAN via Ethernet or WiFi.

CIOs and IT managers shouldn't overlook how easy and inexpensive it is for employees to purchase accessories such as dongles (USB devices that connect a PC or laptop to a Bluetooth mobile phone) in order to add Bluetooth functionality to a wide range of company-approved devices, including handsets, laptops and PDAs.

These add-ons are similar to rogue access points in WiFi in the sense that they quietly create vulnerabilities in a network that appears to be secure.

The Least You Can Do

CIOs and IT managers should take the following minimum precautions against Bluetooth-enabled attacks:

Immediately identify any company-issued Bluetooth devices and alert users to known vulnerabilities. Enterprises should keep an inventory of company-provided devices and also issue an alert to employees who were reimbursed for purchasing their own devices.

Also, check with your device suppliers about emerging Bluetooth vulnerabilities that haven't yet been publicized. By the time you read about it in an IT trade magazine or on the Internet, it may be too late.

Educate employees. Bluesnarfing and Bluejacking exploit naiveté as much as they exploit Bluetooth's security flaws. Enterprises are well advised to create comprehensive guidelines—in plain English—that identify the risks and penalties for using Bluetooth devices, even those that are company-approved. For example, employees must understand that devices can be vulnerable even when not in "discoverable" or "visible" mode.

Use caution when “pairing” devices. The dependence on PINs to create the encrypted connection between devices is the only known significant vulnerability in the Bluetooth specification. Short PINs can be discovered relatively easily if an attacker is able to monitor and record the pairing process (this attack only works if the attacker is “sniffing” the link while the devices are being paired).

To prevent PIN compromise, users should do the following: use longer PINs when pairing; do not pair devices in public places; and be suspicious if previously paired devices unexpectedly request a new pairing (there is a new attack that attempts to force re-pairing for the purpose of observing the exchange).
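The two recommendations above (longer PINs, no pairing where the link can be sniffed) follow from one fact: once the pairing exchange has been recorded, PIN guesses can be checked offline against it, and only the PIN's length bounds the search. The following toy model, added here and not part of the original column, shows that. It replaces the real Bluetooth key-derivation and authentication functions with HMAC-SHA256 so it runs stand-alone, and the captured transcript, address and nonces are constructed; only the structure (PIN + nonce + address give a link key, challenge/response is visible on the link) mirrors the protocol.

```python
import hashlib
import hmac
import itertools
import string


def derive_link_key(pin: bytes, in_rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in (assumption) for the spec's E22: link key from PIN, nonce and address."""
    return hmac.new(pin, in_rand + bd_addr, hashlib.sha256).digest()


def auth_response(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in (assumption) for E1: 32-bit response to a challenge, sent in the clear."""
    return hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:4]


def capture_pairing(pin: str) -> dict:
    """Constructed transcript: everything a sniffer on the link sees during pairing."""
    bd_addr = bytes.fromhex("001122334455")  # constructed device address
    in_rand = bytes.fromhex("0f" * 16)       # constructed pairing nonce
    au_rand = bytes.fromhex("a5" * 16)       # constructed authentication challenge
    key = derive_link_key(pin.encode(), in_rand, bd_addr)
    return {"bd_addr": bd_addr, "in_rand": in_rand, "au_rand": au_rand,
            "sres": auth_response(key, au_rand, bd_addr)}


def offline_pin_search(transcript: dict, alphabet: str, max_len: int):
    """Test every PIN up to max_len against the recorded exchange; no radio contact needed."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            pin = "".join(combo).encode()
            key = derive_link_key(pin, transcript["in_rand"], transcript["bd_addr"])
            sres = auth_response(key, transcript["au_rand"], transcript["bd_addr"])
            if sres == transcript["sres"]:
                return pin.decode(), guesses
    return None, guesses


def search_space(alphabet_size: int, pin_len: int) -> int:
    """Worst-case number of candidates for PINs of 1..pin_len characters."""
    return sum(alphabet_size ** n for n in range(1, pin_len + 1))


if __name__ == "__main__":
    pin, guesses = offline_pin_search(capture_pairing("4271"), string.digits, 4)
    print(f"4-digit PIN recovered offline: {pin} after {guesses} guesses")
    print("candidates for a 16-character alphanumeric PIN:", search_space(62, 16))
```

The 4-digit case finishes in well under a second on a laptop, while the 16-character alphanumeric space is beyond exhaustive search; that gap is the whole argument for longer PINs, and not pairing in public removes the transcript the search needs.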

Strengthen company IT policies to address Bluetooth. Bluetooth PDAs sell for as little as $100, increasing the chances that employees will buy them on their own and bring them to work.

Enterprises should treat unauthorized Bluetooth PDAs, handsets and accessories like rogue access points: if employees understand the risks and vulnerabilities associated with Bluetooth usage, then they must accept accountability for opening back doors into the enterprise with unauthorized devices.

Employees should be required to register their personal devices with IT departments to raise the level of accountability and to ensure adequate tracking of devices connecting to the enterprise.

Look for products with control over Bluetooth. Many PDAs feature a switch that lets users turn wireless, including Bluetooth and WiFi, on and off rather than wading through menus or the system tray.

If wireless can be shut off with just the flick of a switch, employees are more likely to comply with company security policies. Company policy should require that Bluetooth be shut off when not in use. As with WEP in WiFi, even when basic security measures aren't iron-clad, they're still better than no security at all.

Consider tools for identifying and mitigating security risks. IT managers can scan their networks for attached devices, including PDAs. They can also remotely disable Bluetooth in company devices. The latter may be necessary because although security risks can be reduced by shutting off the discoverable mode in Bluetooth, some attacks can bypass those protections.

Brian Hernacki is an architect at Symantec Research Labs where he works to develop future technologies. Prior to Symantec, Hernacki was chief scientist at Recourse Technologies and a senior engineer at Netscape Communications.
