The long view of security strategies for your network.
Technical jargon can sometimes cause confusion or amusement among non-technical friends; for example, it still amuses my wife to hear that I am going to the Vermont InfraGard meeting – she persists in claiming that it sounds like a brand of deodorant.
Bluetooth technology “is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost. The Bluetooth specification defines a uniform structure for a wide range of devices to connect and communicate with each other.”
Computer scientist Karen Scarfone of the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) has collaborated with John Padgette, an associate at Booz Allen Hamilton, to write a new (September 2008) Special Publication entitled “Guide to Bluetooth Security” (NIST SP800-121), which summarizes the security issues and provides recommendations for protecting sensitive information carried via these wireless systems.
The brief (43-page) document provides an overview of the technology. The diagrams in section 2 are excellent and, indeed, the entire publication can serve instructors well for courses on data communications and network security.
The recommendations, which are discussed in detail, are as follows (I am quoting directly from the Executive Summary):
• Organizations should use the strongest Bluetooth security mode available for their Bluetooth devices.
The Bluetooth specifications define four security modes, and each version of Bluetooth supports some, but not all, of these modes. The modes vary primarily by how well they protect Bluetooth communications from potential attack. Security Mode 3 is considered the strongest mode because it requires authentication and encryption to be established before the Bluetooth physical link is completely established. Security Modes 2 and 4 also use authentication and encryption, but only after the Bluetooth physical link has already been fully established and logical channels partially established. Security Mode 1 provides no security functionality. The available modes vary based on the Bluetooth specification versions of both devices, so organizations should choose the most secure mode available for each case.
• Organizations using Bluetooth technology should address Bluetooth technology in their security policies and change default settings of Bluetooth devices to reflect the policies.
A security policy that defines requirements for Bluetooth security is the foundation for all other Bluetooth-related countermeasures. The policy should include a list of approved uses for Bluetooth, a list of the types of information that may be transferred over Bluetooth networks, and requirements for selecting and using Bluetooth personal identification numbers (PIN). After establishing Bluetooth security policy, organizations should ensure that Bluetooth devices’ default settings are reviewed and changed as needed so that they comply with the security policy requirements. For example, a typical requirement is that unneeded Bluetooth profiles and services be disabled to reduce the number of vulnerabilities that attackers could attempt to exploit. When available, a centralized security policy management approach should be used to ensure device configurations are compliant.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.