Bluetooth: Plugging the Latest Enterprise Security Loophole
According to the Bluetooth Special Interest Group (SIG), Bluetooth weekly shipments passed the five million unit mark in Q2 05, up from three million in Q3 04.
Most of this growth has been in the mobile phone and PDA markets; in fact, 20% of mobile phones now ship with Bluetooth. In high-end business phones, the penetration rate is even greater, and by 2006, the majority of business-class phones will include Bluetooth.
But Bluetooth isnt just for mobile phones, PDAs and laptops. According to Bluetooth SIG, commercial vehicles are installing Bluetooth systems for driver communications, hands free calling and data capture. Hospitals are employing the use of wireless pulse oximeters, which reduces the likelihood of a patient accidentally removing the pulse receiver, and the list of adopters keeps growing.
The emergence of mobile threats has heightened mobile users and enterprises concerns regarding the maturity of the technology, especially its overall lack of comprehensive security.
While some risks may be due to current implementations or the protocol design, there are steps that can be taken to reduce risk. All organizations should take a proactive approach to mitigate potential security breaches before its too late.
Minimizing the Risks
Hackers are using Bluetooth to attack mobile devices. One example is Bluejacking, which exploits a Bluetooth device's ability to "discover" other nearby devices in order to send unsolicited messages. Another is Bluesnarfing, which uses the same ability to access information stored on the device, such as a contact list, without the user's knowledge.
Other attacks include denial-of-service, eavesdropping, and use of a victims phone to send data or make calls. There have also been numerous instances of mobile viruses, worms and Trojans in the past year. While none has done considerable damage, their rapid evolution presents obvious cause for concern.
Enterprises and mobile device users should recognize that Bluetooth comes in all shapes and sizes and, therefore, security risks extend far beyond PDAs and smart phones. For example, some laptops ship with Bluetooth, potentially creating a back door into the enterprise when the laptop is connected to the LAN via Ethernet or WiFi.
CIOs and IT managers shouldn't overlook how easy and inexpensive it is for employees to purchase accessories such as dongles (USB device to connect a PC or laptop to a Bluetooth mobile phone) in order to add Bluetooth functionality to a wide range of company-approved devices, including handsets, laptops and PDAs.
These add-ons are similar to rogue access points in WiFi in the sense that they quietly create vulnerabilities in a network that appears to be secure.
The Least You Can Do
CIOs and IT managers should take the following minimum precautions against Bluetooth-enabled attacks:
Immediately identify any company-issued Bluetooth devices and alert users of known vulnerabilities. Enterprises should keep a list of their inventory of company-provided devices, as well as issue an alert to employees who were reimbursed for purchasing their own devices.
Finally, check with your device suppliers about emerging Bluetooth vulnerabilities that haven't yet been publicized. By the time you read about it in an IT trade magazine or on the Internet, it may be too late.
Educate employees. Bluesnarfing and Bluejacking exploit naiveté as much as they exploit Bluetooth's security flaws. Enterprises are well advised to create comprehensive guidelinesin plain Englishthat identify the risks and penalties for using Bluetooth devices, even those that are company-approved. For example, employees must understand that devices can be vulnerable even when not in "discoverable" or "visible" mode.
Use caution when pairing devices. The dependence on PINs to create the encrypted connection between devices is the only known significant vulnerability in the Bluetooth specification. Short PINs can be relatively easily discovered if an attacker is able to monitor and record the pairing process (this attack only works if the attacker is sniffing the link when devices are paired).
To prevent PIN compromise, users should do the following: use longer PINs when pairing; do not pair devices in public places; and be suspicious if previously paired devices unexpectedly request a new pairing (there is a new attack that attempts to force repairing for the purpose of observing the exchange).
Strengthen company IT policies to address Bluetooth. Bluetooth PDAs sell for as little as $100, increasing the chances that employees will buy them on their own and bring them to work.
Enterprises should treat unauthorized Bluetooth PDAs, handsets and accessories like rogue access points: if employees understand the risks and vulnerabilities associated with Bluetooth usage, then they must accept accountability for opening back doors into the enterprise with unauthorized devices.
Employees should be required to register their personal devices with IT departments to raise the level of accountability and to ensure adequate tracking of devices connecting to the enterprise.
Look for products with control over Bluetooth. Many PDAs feature a switch that lets users turn wireless, including Bluetooth and WiFi, on and off rather than wading through menus or the system tray.
If wireless can be shut off with just the flick of a switch, employees are more likely to comply with company security policies. Company policy should require that Bluetooth be shut off when not in use. Like WEP and WiFi, even when basic security measures aren't iron-clad, they're still better than no security at all.
Consider tools for identifying and mitigating security risks. IT managers can scan their networks for attached devices, including PDAs. They can also remotely disable Bluetooth in company devices. The latter may be necessary because although security risks can be reduced by shutting off the discoverable mode in Bluetooth, some attacks can bypass those protections.
Brian Hernacki is an architect at Symantec Research Labs where he works to develop future technologies. Prior to Symantec, Hernacki was chief scientist at Recourse Technologies and a senior engineer at Netscape Communications.