Michael Ciarochi used to see Bluetooth as just a convenient way to hook up a keyboard to a laptop or PDA at HomeBanc Mortgage, where he's senior WAN/security engineer. That was until he got a shipment of new laptops as part of a planned technology upgrade. Much to his surprise, each system came with a built-in Bluetooth radio, creating what he says amounted to a hidden window into any sensitive or confidential data that might be stored on the laptops' hard drives.

"I disabled each Bluetooth radio," he says. But Ciarochi is still not completely at ease. "That doesn't mean the users can't re-enable it," he says.

Ciarochi's experience is becoming more typical in corporate America. As GSM cellular networks expand in the U.S., more and more cell phones are appearing with Bluetooth radios to link them with headsets and handhelds. More laptops are shipping with Bluetooth built in so that end users can quickly send a file to a Bluetooth printer or PDA. And even as this is happening, many end users have little real understanding of Bluetooth, such as the fact that its maximum range can vary between 30 and 300 feet.

Trivial but troubling

A number of basically trivial but still troubling Bluetooth exploits prompted the Bluetooth Special Interest Group, a vendor group, last week to hold a teleconference on security. The speakers stressed that the wireless specification has a well-thought-out security architecture. They said that the most-reported incidents, known by names such as Bluejacking and Bluesnarfing, are mainly annoyances and that users can take simple steps to protect their devices and data.

In Bluejacking, a user swaps a short message for the contents of a business card and then sends it to any nearby open Bluetooth device. Bluesnarfing is more serious: an attacker can copy a file of phone contacts or calendar data from another device. But snarfing exploits a flaw not in the Bluetooth specification but in some earlier vendor implementations of it, according to Nick Hunn, a managing director with PDK Systems Europe and a participant in the teleconference. There is a chance of pulling information from a handset, but it requires a laptop, scripts and familiarity with the Bluetooth specification. "The likelihood of anyone doing this is probably remote," he says.

Designed for security

Bluetooth's creators designed it with security in mind, says Michael McCamon, the special interest group's marketing director. It supports authentication, 128-bit encryption and additional higher-level security protocols that can run over the connection. Devices can be discoverable or invisible: in discovery mode, sometimes called promiscuous mode, the device is visible to any other Bluetooth device within range.

Promiscuous mode can be seductive, users say. Karl Feilder, CEO of Red-M, which offers wireless LAN and Bluetooth-monitoring systems, has a BMW equipped with Bluetooth. "When I move in range of my car, as long as my cell phone is on and Bluetooth is in promiscuous mode, my car will answer my phone," he says. "But when I get out of my car, and don't switch off my phone, then anyone can connect to me." Conversely, McCamon says, when promiscuous mode is shut off, another device can't connect to his.

Similarly, pairing can be active or inactive on a device. When active, pairing lets two devices, such as a Bluetooth PC and printer, permanently remember each other. If pairing is shut off, that association, which McCamon says takes about 30 seconds, can't take place.

These characteristics are the basis for the special interest group's recommendations: keep discovery switched off and do pairings only in private locations; if you want to be discovered, use a Bluetooth identifying name that doesn't advertise the kind of device you have; and don't act on Bluetooth messages if you don't know the source.

More ominous

But some with growing experience in Bluetooth point to more ominous potential problems. Bluesniff is a proof-of-concept Bluetooth war-driving tool, designed to scan for and identify devices. "Like Netstumbler for 802.11 wireless networks, Bluesniff helps hackers identify all Bluetooth networks," says Joseph Dell, CTO for Vigilar, an Atlanta information security firm. "Since most are deployed with security disabled, it is easy for a hacker to compromise the integrity and security of a Bluetooth device."

Dell has been using AirDefense's just-announced BlueWatch to monitor cell phones, some printers and sometimes ad hoc Bluetooth networks in Vigilar's offices and elsewhere in the building. Recently, a visiting vendor was giving Vigilar staff a presentation with Bluetooth enabled on his laptop. A Vigilar engineer, using BlueWatch, noticed some anomalies indicating an attempt to connect to the laptop. The group found a client, waiting downstairs, who was trying to make the connection.

AirDefense co-founder Jay Chaudhry tells the story of how his own chief security officer demonstrated that it was possible, with a Bluetooth cell phone, to use someone else's Bluetooth cell phone to actually make a call.

There's no easy solution. As with so much in wireless security, educating users is a key step. "We need to make users more aware of yet another potential vulnerability," HomeBanc's Ciarochi says. "They have to make sure they take care of their wireless connection."
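To turn the special interest group's recommendations (discovery off, pairing only when needed, a non-identifying name) into a repeatable check, here is an added example that is not from the article or from any vendor named in it. It audits a Linux BlueZ adapter by parsing the output of "bluetoothctl show" and applies the recommended settings when the audit fails; it assumes bluetoothctl from BlueZ 5 is installed and prints "Discoverable:", "Pairable:" and "Alias:" property lines, and the finding messages and the alias patterns are the author's own choices.

```shell
# Audit a BlueZ adapter against the three settings the Bluetooth SIG recommends:
# discovery off, pairing off, and an alias that does not reveal the device type.
# bt_audit reads "bluetoothctl show" output on stdin (live or constructed), prints
# each finding, and returns 0 when the adapter is compliant and 1 otherwise.
bt_audit() {
    rc=0
    while IFS= read -r line; do
        # bluetoothctl indents every property line with a tab; strip it
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            "Discoverable: yes")
                echo "FINDING: adapter is discoverable (visible to any Bluetooth radio in range)"
                rc=1 ;;
            "Pairable: yes")
                echo "FINDING: adapter accepts new pairings; pair in private, then switch this off"
                rc=1 ;;
            Alias:*)
                name=${line#Alias: }
                # a name containing the product type tells a scanner what it has found
                case "$name" in
                    *[Ll]aptop*|*[Pp]hone*|*[Tt]hink[Pp]ad*|*[Mm]ac[Bb]ook*)
                        echo "FINDING: alias '$name' advertises the kind of device"
                        rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# bt_harden applies the recommended settings to the live adapter.
# Assumes bluetoothctl from BlueZ 5 and the rights to change adapter properties.
bt_harden() {
    bluetoothctl discoverable off
    bluetoothctl pairable off
    # replace the default alias (usually the hostname) with a neutral label
    bluetoothctl system-alias "${1:-bt-node}"
}

# Usage on a real system (commented out so the script is safe to source):
#   bluetoothctl show | bt_audit || bt_harden "node-17"
```

The audit only reads adapter state, so it can run from a scheduled job and report drift such as a user re-enabling discovery; the hardening step is separate so an operator decides when to apply it.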