Managing Bluetooth at work: Part 1

Click here to read part 2 of this feature.

Bluetooth wireless technology was invented in 1994, and launched on the world as a commercial and consumer application in 1999.

Treated by many at the time as just another clever idea that probably wouldn't last, it has become hugely successful and pervasive. Over one billion Bluetooth-enabled appliances have been shipped to date globally.

Its popularity is based on the way it allows a range of devices to communicate with each other over short distances, and connect to the Internet, without the need for wires, cables or connectors. It made its name with mobile phones, but now reaches, often unseen, into many corners of business, home and public life.

Bluetooth radios are built into the products of over 3,000 companies, from the phone and PC vendors you'd expect to niches like car manufacturing and sewage plant construction.

"Bluetooth growth rates have been phenomenal," says Scott Bibaud, vice president of communications with chipset vendor Broadcom. "I consider it to be the most successful and popular wireless technology ever launched."

In the first of a two part guide to getting the most out of Bluetooth in the enterprise, we look at an important consideration for many organisations - security. In the second part we'll consider the operational side to maximising the technology's potential.

Security

Although popular and successful, Bluetooth technology has always posed a security challenge, both perceived and real, to users of devices and managers of the networks they attach to.

"People have been asking us questions about Bluetooth security from its launch in 1999," says Stephen Evans, managing director of Brainboxes, a developer of Bluetooth-based solutions for a variety of industrial and public sector applications.

But what dangers does it really pose? How easy is it for someone with malicious intent to gain access to data on a Bluetooth-enabled device? Is it more or less vulnerable than other wireless technologies?

We'll consider Bluetooth security in two parts. First, we'll assess the risk. Then we'll suggest ways of dealing with it.

The risk

Bluetooth security is often in the news. Security consultants Thierry Zoller and Kevin Finistere made headlines in October when they demonstrated a Windows-based hacking tool called BTCrack. They claimed it can get past Bluetooth wireless security measures pretty much in real-time.

They say that BTCrack is the kind of tool that allows potential hackers to seek out a user's Bluetooth PIN, the code that creates a link between two devices, as well as the 128-bit 'link key', which between them give anyone the way in to potentially valuable and sensitive user data.

There's a lot that users can do to help prevent this sort of problem, say Zoller and Finistere. But alarmingly they revealed just how much users are part of the problem - unaware often that they are broadcasting Bluetooth signals, in fact occasionally unaware that their device even has a Bluetooth radio onboard.

It's a trap that security professionals can fall into themselves, never mind ordinary civilians. In June of this year, anti-virus company Kaspersky Lab did research in London over three days, finding in the process 2,000 Bluetooth-enabled devices in 'visible to all' mode, the setting a hacker needs to attack the device. Around half of these unsecured devices were discovered at InfoSecurity 2006, an event you'd expect to be attended by some of the most security conscious people in the country.

The Bluetooth security issue naturally doesn't stop at hacking. A virus likewise could use such openness as displayed at InfoSec to spread between any or all unsecured devices within range.

Mobile viruses have been a real risk since 2004 when the Cabir smart phone worm was released on the world. Cabir spreads between Symbian-based mobile phones using Bluetooth. Considered 'very low risk' at the time, Cabir at the very least shows that poorly secured devices can, in certain circumstances, be used to propagate malware.

The worry is that it's only a matter of time before attackers find better and better ways of adapting standard Internet-based viruses, currently far more prevalent than their mobile counterparts, so that they attack mobile phones through wireless connections like Bluetooth.

So-called Bluesnarfing - where such a connection is used to pilfer mobile data like calendars, phone books and messages - is already a reality, albeit more talked about than happening. It depends on a device being 'discoverable' to other Bluetooth devices within range.

The more benign practice of Bluejacking involves pranksters sending unwanted material to a device. It may be annoying, but in most cases isn't illegal.

How to protect

Using the 2.4GHz radio band, Bluetooth connects two or more devices up to 100m apart using the 'pairing' process whereby devices familiarize themselves with each other. Now in Version 2.0, the technology offers data rates of 3Mb/sec.

Among its built-in security features that users can enable, Bluetooth offers authentication, encryption and quality of service (QoS) control.

Bluetooth's most basic security mechanism is the user-controlled ability to switch between 'discoverable' mode, in other words visible to other devices, or 'non-discoverable' mode. A non-discoverable device will not appear on the list of nearby devices when another device conducts a search process - unless, that is, it's already been paired with the searching device before, in which case its familiar Bluetooth MAC address will give it away.

Although devices can freely communicate with any other Bluetooth devices, potentially sensitive operations like swapping of data files or accessing voice gateways, usually involve authentication during the pairing process where identical PIN codes and passkeys are needed for both devices.

"I see Bluetooth as one of the more secure wireless technologies," says Bibaud. "The shorter range the connection is over, the better the security."

In the last few years, he says, attacks on Bluetooth, like Bluejacking, have been multiplying. "It's still something the user needs to respond to when sent a business card," he says. "If they respond and accept, then they get a file on their device."

With hackers using social engineering techniques to get users to lower their guard, it's very much the human angle where the issue most resides, not the relatively well protected technology itself, says Bibaud. The mobile industry itself is not above creating problems too with poor design and implementation, he accuses.

"If Bluetooth is implemented incorrectly by the developer of the application, or the maker of the device, then you get security problems," he says.

"There are companies dedicated to trying to break into Bluetooth devices, which is helpful when trying to figure out what hackers might do. But if I was an IT manager, it wouldn't be so worried about Bluetooth - I'd spend more time worrying about things like firewalls and web security, as that's where people are really likely to get through to your network."

How much you need to do in any case as a user organisation to protect against Bluetooth threats depends on what your business is, says Evans.

"It depends what application you're talking about how concerned you'll be about security. Our products form a key part of traffic management applications, for example. Traffic lights are of course important, but not often hacked. You can in any case configure devices in such situations to only expect one other device to connect to them. The same applies to the medical arena, with patient monitoring."

When planning how to protect your Bluetooth devices, don't just look out. Some of the threat may be closer to home. Research from network management company Prefix IT shows that Bluetooth is a favourite way for employees to steal corporate data. It revealed that many staff are happily lifting data and sales leads by this means without even considering it stealing.

"In 10 seconds staff can download 10 Mbs of data to a device - that's the equivalent of 20,000 customer records," said Graeme Pitts-Drake, UK chief executive of network management vendor Prefix. "UK managers are living in dreamland if they think that theft doesn't happen in their organisation, it's a fact of business life today."

To conclude, a warning to Bluetooth users from security consultants Thierry Zoller and Kevin Finistere mentioned at the beginning of this article. Their 'things to remember' are as follows:

Don't accept every file you are being send, just click 'no'

Disable Bluetooth if not required

Pair in 'secure' places

Hold your Bluetooth vendor accountable for vulnerabilities

Click here to read part 2 of this feature.