Improving Bluetooth Security: What IT Managers and Mobile Device Users Can Do

By Brian Hernacki, Symantec Corporation

Bluetooth wireless technology is becoming ubiquitous. According to the Bluetooth Special Interest Group (SIG), Bluetooth weekly shipments passed the 5 million unit mark in Q2 ’05, up from 3 million in Q3 ’04. Most of this growth has been in the mobile phone and PDA markets; in fact, 20 percent of mobile phones now ship with Bluetooth. In high-end business phones, the penetration rate is even higher, and by 2006 the majority of business-class phones will include Bluetooth.

But Bluetooth isn’t just for mobile phones, PDAs and laptops. According to the Bluetooth SIG, commercial vehicles are installing Bluetooth systems for driver communications, hands-free calling and data capture. Hospitals are using wireless pulse oximeters, which reduces the likelihood of a patient accidentally removing the pulse receiver. Bluetooth is rapidly replacing traditional and unwieldy interconnects between devices.

Several companies are integrating Bluetooth technology into their IT environments, enabling enterprise-class applications that increase productivity and improve the bottom line. A bottling company in Australia has equipped field sales and marketing staff with Bluetooth-enabled laptops and mobile phones, allowing its employees to be connected to the Internet, the company network, e-mail and client information anywhere, anytime. The laptops connect via Bluetooth to the mobile phone's GPRS data network, combining the full function of a laptop computer with the mobility of GPRS connectivity. Compared to other wireless solutions, such as 802.11, these laptops are not as constrained by local infrastructure—they are able to roam over a much larger area.
Now that it has gained significant deployment and is being used to power real-world business solutions, Bluetooth faces a problem common to all fast-emerging communications technologies: security. The emergence of a variety of mobile threats has heightened mobile users’ and enterprises’ concerns regarding the maturity of the technology, especially its overall lack of comprehensive security. While some risks may be due to current implementations or to the protocol design, there are steps that can be taken to reduce risk.

Organizations must take a more active approach to securing Bluetooth in their environment. First, information security staff must educate themselves about the risks. Second, they must determine how they will manage these risks and define a policy. Third, they must educate users. Fourth, they must take active steps to ensure all Bluetooth devices in their environment are managed. Finally, they must conduct ongoing audits to ensure their environment remains in compliance with their policy.

Bluetooth Attacks and Vulnerabilities: What's happening?

Hackers are using Bluetooth to attack mobile devices such as mobile phones, PDAs, laptops and handsets. There are a number of different types of attacks. The most common are those that attempt to steal data. Others focus on service disruption, malware distribution and other traditional approaches.

One example is Bluejacking, which exploits a Bluetooth device's ability to "discover" other nearby devices in order to send unsolicited messages. The unsolicited message is then displayed on the victim’s device, potentially causing confusion or at least annoyance. While often used for amusement, this technique can also be used to send the equivalent of spam.

Another example is Bluesnarfing, in which the attacker connects to a device, without the device owner being notified, and accesses local data. Such local data can include potentially valuable information like address books and calendars.
It has even been shown to be possible to connect to such devices despite the use of the so-called “hidden” mode.

A third example is the Bluebug attack. In this case, attackers are able to create a serial connection to the victim’s device and use it to control data services on the device. This allows them to connect to data services, send and receive messages, and initiate phone calls. There are many other methods that implement a variety of denial-of-service attacks, and even some that could allow an attacker to eavesdrop on private conversations.

There have also been numerous instances of mobile viruses, worms and Trojan horses in the past year. While none has done damage like some of the major PC malware, their rapid evolution presents obvious cause for concern. The malware is getting smarter and more numerous. Examining mobile malware trends over the past year or so shows this clearly. Prior to Cabir, released in June 2004 as a “proof of concept,” we saw little to no mobile malware affecting smartphones. Between November 2004 and February 2005, we began to see small numbers of new malware. Then in the spring of 2005 we began to see numerous variants of Cabir. Some of the “variants” were different enough to be classified as new types. Most important was how they differed. Worms such as Commwarrior and Mabir made significant improvements in their propagation algorithms. They were more efficient at spreading and took greater pains to deceive their targets and to evade detection. It is no great leap to see that as mobile devices grow more ubiquitous, and as they are used to access more valuable information, they provide an attractive target for attackers.

Minimizing the Security Risks: Take Action!

Enterprises and mobile device users should recognize that Bluetooth comes in all shapes and sizes – security risks extend far beyond PDAs and smartphones.
For example, some laptops ship with Bluetooth, potentially creating a back door into the enterprise when the laptop is connected to the LAN via Ethernet or WiFi. CIOs and IT managers shouldn't overlook how easy and inexpensive it is for employees to purchase dongles that add Bluetooth functionality to a wide range of company-approved devices, including handsets, laptops and PDAs. These add-ons are similar to rogue access points in WiFi in the sense that they quietly create additional entry points – wireless entry points – into an otherwise secured network. Some administrators believe that the standard Bluetooth range of 30 feet provides a limitation that eases their security concerns; however, it has already been demonstrated that for less than five hundred dollars an attacker can easily construct a long-range transmitter that can reach up to one mile. Together, these facts make Bluetooth devices a potentially much larger risk: they do not receive as much security attention as WiFi, yet they can be very numerous.

CIOs and IT managers should take the following minimum precautions against Bluetooth-enabled attacks:

Immediately identify any company-issued Bluetooth devices and alert users of known vulnerabilities.

Enterprises should keep an inventory of company-provided devices; ideally, this list would also include any personal devices, such as PDAs or smartphones, that are used as part of the workplace. The list can then be used to disseminate information to employees, alerting them to new vulnerabilities and distributing recommendations or policies on the use and configuration of such devices. Finally, check with your device suppliers about emerging Bluetooth vulnerabilities that haven't yet been publicized. By the time you read about it in an IT trade magazine or on the Internet, it may be too late. There are many detailed articles on Bluetooth security issues available (http://www.securityfocus.com/infocus/1830).
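The inventory-and-alerting step described above can be supported by a small script that cross-references the device register against the advisories the security team tracks, and that flags addresses a site scan reports which no registered device accounts for. The following is an added example, not code from the article or from Symantec. It assumes an inventory recorded at device registration, an advisory list maintained by the security team, and the address list a scanning tool produces; every device model, firmware version, advisory identifier and Bluetooth address in it is a constructed placeholder.

```python
"""Bluetooth device inventory audit (added example, not from the original article).

All data below is constructed for illustration: device models, firmware
versions, advisory identifiers and Bluetooth addresses are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    bd_addr: str          # Bluetooth device address as recorded at registration
    owner: str            # employee accountable for the device
    model: str            # vendor/model string
    firmware: str         # firmware or OS build string
    company_issued: bool  # False for registered personal devices


@dataclass(frozen=True)
class Advisory:
    advisory_id: str              # placeholder id, not a real CVE
    model: str                    # affected model
    affected_firmware: frozenset  # affected builds; empty means all builds
    summary: str


def normalize_addr(addr: str) -> str:
    """Canonical form so addresses from different tools compare equal."""
    return addr.strip().upper().replace("-", ":")


def affected_devices(inventory, advisories):
    """Pair each inventory device with every advisory that applies to it.

    A device is affected when its model matches and its firmware is in the
    advisory's affected set (an empty set means every firmware version).
    """
    hits = []
    for adv in advisories:
        for dev in inventory:
            if dev.model != adv.model:
                continue
            if adv.affected_firmware and dev.firmware not in adv.affected_firmware:
                continue
            hits.append((dev, adv))
    return hits


def unregistered_addresses(scan_addrs, inventory):
    """Addresses seen by a site scan that no registered device accounts for.

    These cover the unregistered-dongle and personal-PDA cases the article
    warns about; they are candidates for follow-up, not proof of misuse.
    """
    known = {normalize_addr(d.bd_addr) for d in inventory}
    return sorted({normalize_addr(a) for a in scan_addrs} - known)


def owner_notices(hits):
    """Group advisory hits by owner so each employee receives one notice."""
    notices = {}
    for dev, adv in hits:
        lines = notices.setdefault(dev.owner, [])
        lines.append(f"{dev.model} ({dev.bd_addr}, fw {dev.firmware}): "
                     f"{adv.advisory_id} - {adv.summary}")
    return notices


# --- constructed sample data ---------------------------------------------
INVENTORY = [
    Device("00:11:22:AA:BB:01", "alice", "ExampleCo Phone X", "1.2", True),
    Device("00:11:22:AA:BB:02", "bob",   "ExampleCo Phone X", "1.3", True),
    Device("00:11:22:AA:BB:03", "carol", "ExampleCo PDA Z",   "4.0", False),
]

ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleCo Phone X", frozenset({"1.2"}),
             "data readable over Bluetooth without pairing; update firmware"),
    Advisory("ADV-EXAMPLE-002", "ExampleCo PDA Z", frozenset(),
             "forced re-pairing; do not accept unexpected pairing requests"),
]

# Addresses a scanning tool reported on the office floor (constructed),
# deliberately in the mixed formats such tools produce.
SCAN_RESULTS = ["00:11:22:aa:bb:01", "00-11-22-AA-BB-03", "DE:AD:BE:EF:00:01"]


if __name__ == "__main__":
    for owner, lines in owner_notices(affected_devices(INVENTORY, ADVISORIES)).items():
        print(f"Notice for {owner}:")
        for line in lines:
            print("  " + line)
    print("Unregistered Bluetooth devices seen in scan:",
          unregistered_addresses(SCAN_RESULTS, INVENTORY))
```

With the constructed data, alice's phone is flagged by the firmware-specific advisory while bob's newer build is not, carol's personal PDA is flagged by the advisory that covers every build, and one scanned address (DE:AD:BE:EF:00:01) matches nothing in the register. Treating an empty affected-firmware set as "all builds" is a deliberate design choice so that an advisory can be issued before the affected versions are fully known, which fits the article's point that vendor information often arrives before public detail does.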
The Bluetooth Special Interest Group (http://www.bluetooth.com and http://www.bluetooth.org) also maintains sites that contain a variety of Bluetooth information, including security topics (http://www.bluetooth.com/help/security.asp).

Educate employees.

Bluesnarfing and Bluejacking exploit naiveté as much as they exploit Bluetooth's security flaws. Enterprises are well advised to create comprehensive guidelines – in plain English – that identify the risks and penalties of using Bluetooth devices. For example, employees must understand that devices can be vulnerable even when they’re not in "discoverable" or "visible" mode. While education is tightly coupled with defining local policy and identifying those who need to be educated, it often requires a distinct, concerted effort.

Use caution when “pairing” devices.

The dependence on PINs to create the encrypted connection between devices is the only known significant vulnerability in the Bluetooth specification. Short PINs can be relatively easy to discover if an attacker is able to monitor and record the pairing process (this attack only works if the attacker is “sniffing” the link while the devices are paired). There are several steps which can be taken to prevent PIN compromise. First, users should take care to use longer PINs when pairing – a four-digit PIN is too short. Users should employ PINs at least eight digits long. Second, they should not pair devices in public places, as pairings there are more prone to interception. Third, they should be very suspicious if previously paired devices unexpectedly request a new pairing – there is a new attack that attempts to force re-pairing for the purpose of observing the exchange. In this attack, the attacker sends a forged message to the target device, pretending to be a known device and claiming to have forgotten the PIN. This causes the target device to attempt to re-pair, now in view of the attacker.
If the attacker is able to view the pairing, he can crack the PIN exchange and determine the PIN that will be used. If this occurs, users should refrain from re-pairing until they have relocated to a more secure environment.

Strengthen company IT policies to address Bluetooth.

Bluetooth PDAs sell for as little as $100, increasing the chances that employees will buy them on their own and bring them to work. Enterprises should treat unauthorized Bluetooth PDAs, handsets and accessories like rogue access points; if employees understand the risks and vulnerabilities associated with Bluetooth usage, then they must accept accountability for opening back doors into the enterprise with unauthorized devices. Employees should be required to register any personal devices used for work purposes – including smartphones that might synchronize with company-owned desktop computers – with the IT department, to raise the level of accountability and to ensure adequate tracking of devices connecting to the enterprise. While this may seem extreme and difficult to implement, it is an important step in securing the environment.

Look for products with control over Bluetooth.

Many PDAs feature a switch that lets users turn wireless – including Bluetooth and WiFi – on and off without wading through menus or the system tray. If wireless can be shut off with the flick of a switch, employees are more likely to comply with company security policies. Company policy should require that Bluetooth be shut off when not in use.

Consider tools for identifying and mitigating security risks.

IT managers can deploy tools both to scan their environments for use of Bluetooth technologies and to monitor managed endpoints for such device connections. In some environments they may also be able to remotely disable Bluetooth in company devices.
This may be necessary because, although security risks can be reduced by shutting off discoverable mode in Bluetooth, some attacks can bypass those protections. As with most IT policies, auditing and reinforcement are key steps.

In some environments an outright ban, or even severe limitation, of Bluetooth use may seem too extreme. There are certainly environments that need or significantly benefit from Bluetooth and will use it despite the security risks. In these cases, the organization must make every attempt to minimize the risk and be very clearly informed about what risk remains. Again, in some ways this is similar to the use of other wireless technologies such as WiFi. Additional security technologies such as firewalls, VPNs, anti-virus, and access control can often be used to supplement the environment and further reduce the risk.

Author Bio

Brian Hernacki is an architect at Symantec Research Labs, where he works to develop future technologies. Brian has more than ten years of experience with computer security and enterprise software development. He has conducted research and commercial product development in a number of security areas, including intrusion detection and analysis techniques, honeypots, and wireless and mobile technologies. Prior to Symantec, Hernacki was Chief Scientist at Recourse Technologies and a senior engineer at Netscape Communications. Brian graduated from the University of Michigan with a degree in Computer Engineering.