Managing Bluetooth Security - INFORMATION SECURITY AND RISK MANAGEMENT - Information Security Management Handbook, Sixth Edition (2012)

Information Security Management Handbook, Sixth Edition (2012)

DOMAIN 3: INFORMATION SECURITY AND RISK MANAGEMENT

Security Management Planning

Chapter 12. Managing Bluetooth Security

E. Eugene Schultz, Matthew W. A. Pemble, and Wendy Goucher

Mobile computing technology has been one of the true revolutions of the early twenty-first century. One of the most popular technologies within the mobile computing arena is Bluetooth technology, which allows different devices to connect to one another without complications such as having to manually synchronize them with each other. Like any other type of mobile technology, Bluetooth has a number of inherent security vulnerabilities that give rise to risks, some of which are potentially serious. This chapter explains the numerous vulnerabilities and risks in connection with Bluetooth technology and recommends control measures that can substantially reduce the level of associated risk. At the same time, however, some of Bluetooth’s built-in features, combined with a limited range of Bluetooth-specific technology controls, are significant barriers to achieving desired risk levels. Administrative controls are thus in many respects the most effective in controlling Bluetooth-related security risk.

Introduction

The mobile computing revolution has been underway for years. People everywhere are using smartphones, personal digital assistants (PDAs), laptop computers, removable storage media, and you name it. Mobile computing offers numerous, well-known benefits to the point that it is being used just as much in business as in personal contexts. Information security managers have, in recent years, experienced considerable progress in understanding the vulnerabilities and risks involved in mobile computing and also to some degree being able to mitigate these risks using a combination of technical, administrative, and physical controls. However, one wireless protocol, the Bluetooth protocol, has some characteristics and functions that are different from other wireless protocols. These differences require that vulnerabilities, risks, and security controls in Bluetooth environments be separately analyzed and understood. This chapter focuses on Bluetooth security from the perspective of an information security manager who is trying to achieve acceptable levels of risk in mobile computing environments, but now realizes that Bluetooth has its own idiosyncrasies from a risk management perspective.

About Bluetooth Technology

Before analyzing Bluetooth security issues, it is necessary to first understand what Bluetooth is, the functionality it delivers, and the advantages of this functionality. These issues are covered in this section.

What Is Bluetooth?

Bluetooth is a proprietary open wireless technology standard for exchanging data over short distances via short-wavelength radio. Initially, it was developed by telecommunication vendor Ericsson as a wireless alternative to RS-232 data cabling. A group called the Wireless Personal Area Network (WPAN) Working Group, which includes companies such as IBM, Nokia, Toshiba, and Ericsson, furthered its development. Part of the IEEE 802.15 specification, Bluetooth is currently managed by the Bluetooth Special Interest Group. It is used to connect multiple devices simply and without an extensive synchronization process. Bluetooth technology is very widely used, as evidenced by the estimate that by 2008, there were over 1 billion Bluetooth devices in use around the world.

Bluetooth Functionality

Bluetooth provides both wireless LAN connectivity and short-range wireless connectivity to applications that were at first designed to work only in connection with conventional (wired) networks. It creates personal area networks (PANs). Bluetooth is built into many smartphones, e.g., iPhones, but is by no means exclusively for mobile devices. It works just as well with fixed devices and also for communications between fixed and mobile devices.

Every Bluetooth wireless link (a “pairing”) is created within the boundary of a piconet in which up to eight devices use the identical physical channel. Every piconet has one “master”; every other device within the same piconet is called a “slave.” To join a piconet, a Bluetooth device must be “discoverable,” i.e., it must reveal some information about itself to others within the same physical vicinity. The most critical information that must be revealed is the device’s address, which is called the “BD_ADDR.” The device must also obtain information (including each BD_ADDR) about the other devices. Discoverability can be configured such that a Bluetooth device is in:

1. Nondiscoverable mode—A device will not respond to other devices’ attempts to discover the device in question.

2. Limited discoverable mode—A device is discoverable for only a narrow time period, during temporary circumstances, or only while a specific event occurs.

3. General discoverable mode—A device is continuously discoverable.

When Bluetooth devices discover each other, they create a shared initialization key, which is in turn used to generate a shared symmetric encryption key known as the “link key.” A PIN between 8 and 128 bits long, the PIN length, and a random number are used to create an initialization key for each device. The unit key (a built-in key for each device) is XORed with the initialization key to produce the link key for each device pair. This step is sometimes preceded by generation of a random number used to encrypt the initialization key. Both devices store the link key for use in further communications between them.

Advantages of Using Bluetooth Technology

The main reason that Bluetooth technology is currently so popular is that it can be used to connect just about any device to just about any other, e.g., a PDA to a mobile phone. For example, in those U.S. states in which holding a mobile phone while driving is illegal, a Bluetooth device with a wireless connection to the mobile phone enables the user to both speak and listen hands-free, because the Bluetooth device serves as an intermediary. Bluetooth is also extremely flexible and versatile; it can create ad-hoc networks supporting up to eight devices. Internet access is another purpose for which these devices are frequently used. And Bluetooth functionality is not limited to handheld devices, either. Bluetooth can also be used to synchronize desktop machines.

Disadvantages of Using Bluetooth Technology

Less than 10 years ago, Bluetooth was not very popular due to some inherent limitations, several of which were substantial. One is that earlier versions of this technology had a line-of-sight requirement, such that if a solid object such as a tree were directly in the transmission path between two devices, communication failures would occur. More recent Bluetooth implementations are not subject to this problem. One of the most significant disadvantages of Bluetooth today is its relatively short range—only about 300 feet in many implementations (and even less in some). Many implementations are thus not suitable as a long-range communication technology.

Despite the deliberately low nominal range of the majority of Bluetooth implementations, there are commercially available implementations that have a significantly longer range. These implementations exceed what is known as the Class 1 power settings and, additionally, provide high-gain and/or directional antennas. Devices from manufacturers such as Aircable or Balutek have the proven ability to interoperate at ranges as great as a mile.

The high tolerance for latency within the Bluetooth specification also allows connections to be established at much longer ranges than 300 feet, even with lower-powered devices.

Additionally, Bluetooth has always been slow. In theory, Bluetooth has a maximum bandwidth of only 1 Mbps, but the actual bandwidth is almost always lower because of Bluetooth’s forward error correction functionality. Furthermore, Bluetooth operates within the 2.45 GHz frequency range, a range also used by a number of other wireless devices (including baby monitors), something that can potentially cause interference. To lessen its susceptibility to interference problems, Bluetooth uses the Frequency Hopping Spread Spectrum (FHSS) transmission type. Finally, as discussed in greater detail shortly, a number of security vulnerabilities in Bluetooth have been identified over the years, and some types of attacks are almost impossible to prevent or stop.

Bluetooth Security Risks

In this section of this chapter, security risks inherent in Bluetooth technology will be described.

Generic Mobile Computing Vulnerabilities

The majority of Bluetooth devices have the same or extremely similar vulnerabilities that generic mobile computing devices typically have. One of the most widely exploited vulnerabilities in the mobile computing arena is unauthorized capture of wireless transmissions. If the transmissions are encrypted, the encryption is often not sufficiently strong to prevent even simple cryptanalytic attacks. Also, denial-of-service (DoS) attacks against mobile computing devices and wireless networks are easy to perpetrate and difficult to defend against. Low-power radio frequency (RF) communications are highly susceptible to interference, either deliberate or accidental, as well as to general RF noise from nontuned devices. All an attacker must do is send a stronger signal at the same frequency as the targeted wireless connection. Additionally, size restrictions and form factor in mobile computing devices almost invariably compromise the user interface. For example, a typical Bluetooth earpiece may have just one multipurpose control and one indicator. For some devices, additional control and monitoring may be provided by a driver downloaded to the connected computer, but where the connection is to a mobile phone or similarly restricted device, this is unlikely. Furthermore, as with many consumer devices, software and firmware updates for known vulnerabilities are often not available, or are available only long after exploits for these vulnerabilities have been “in the wild.” Even if updates are available, they are only rarely downloaded and installed on mobile computing devices. Vulnerabilities are thus likely to persist longer than in conventional computing systems. The small physical size, a common design feature (and also a constraint) in mobile devices, also substantially increases the chance that these devices will be lost or misplaced.

Bluetooth-Specific Vulnerabilities

There are more vulnerabilities specific to Bluetooth devices than one might expect. These vulnerabilities are discussed in the following section.

Interception of Transmissions

Simple RF interception, using directional antennas, can occur wherever “line of sight” between the sending and receiving points in Bluetooth transmissions can be established. Long-range attacks (“blue-sniping” attacks) against Bluetooth devices have been publicly demonstrated with low-cost equipment at ranges of over half a mile. When considering the use of Bluetooth for security or other sensitive applications, it is thus necessary to assume a much longer outer range for interception of transmissions than one might think.

Passwords and PINs

PINs used in Bluetooth authentication are generally between 4 and 16 characters long. Shorter PINs can easily be guessed or brute-forced if conventional bad-login lockout limits are not built into the devices, and the fact that PINs are a maximum of only four characters long in some Bluetooth implementations makes these devices unusually vulnerable. Furthermore, in some of these devices, PINs are fixed and thus unchangeable by their users. PIN guessing can thus enable perpetrators to impersonate the identity of Bluetooth devices, enabling them to make long-distance calls billed to the account of legitimate users as well as to gain unauthorized access to call lists, phone books, photos, and other information. PIN spoofing can also be used for similar purposes. And if a Bluetooth device falls into the hands of an attacker, the attacker can gain access to the same types of information, often by gleaning PINs from memory and/or the device’s hard drive.

Malicious Code

Malicious code such as viruses and worms can and does infect Bluetooth devices and then spread to others. The now-infamous Cabir/Caribe/SymbOS virus that infected so many mobile phones at the Helsinki Games several years ago is one of the best examples of a virus capable of infecting Bluetooth as well as other wireless devices. And the fact that relatively few Bluetooth users run antimalware tools on their devices significantly increases the probability of malware infections.

Denial-of-Service

Bluetooth devices are extremely susceptible to DoS attacks, as are wireless devices and networks in general. All an attacker needs to do is jam the frequency (2.4 GHz) that Bluetooth devices use. And the previously mentioned fact that Bluetooth devices share this frequency with IEEE 802.11b and 802.11g networks as well as microwave ovens and baby-monitoring devices is a further DoS-related issue.

Discovery-Related Vulnerabilities

The Bluetooth discovery process is potentially the point of greatest exposure to attacks. Bluetooth devices have a variety of keys such as link keys, master keys, and others. During the Bluetooth authentication process, a simple type of challenge–response process is used in which information used to create keys is exchanged between Bluetooth devices. Because Bluetooth authentication is not based on user identities and encryption is not in place during the initial stages of this process, an attacker in the immediate physical vicinity can initiate a “man-in-the-middle” attack by listening to and capturing credentials and information being exchanged. The perpetrator must first get a copy of the link key used between two paired Bluetooth devices. Once the perpetrator has this key, s/he can set up a link with one of these devices by impersonating the identity of the other. The device with which a link has been created will behave as if it is linked to the device for which the identity has been impersonated. This also makes possible decrypting encrypted information sent between devices.

Unauthorized Access to Bluetooth Devices Using Bluetooth Hacking Tools

A surprising number of Bluetooth hacking tools exist that allow computer criminals to do everything from sniff keys used in authentication to insert information into transmissions between devices. These tools will be covered in the next section of this chapter.

Exposure of Individuals’ Physical Location

A perpetrator can discover the physical location of someone who is using one of these devices. Built-in global positioning systems (GPSs) are handy for Bluetooth users who need to know where they are, but anyone who can intercept Bluetooth transmissions can also discover the physical location.

Cryptanalytic Attacks

One of the potentially most straightforward kinds of attacks is a cryptanalytic attack against the encrypted content that is transmitted between paired Bluetooth devices. Bluetooth uses the E0 encryption algorithm for safeguarding data in motion. Because E0 is a stream cipher, it is potentially vulnerable to a variety of cryptanalysis methods developed against stream cipher algorithms. For example, it is possible to recover the initial value used in generating stream cipher keys by solving sets of nonlinear equations over finite fields. If the sets of equations are then transformed into linear versions, the resulting number of linearly independent equations becomes sufficiently small to solve for the unknowns using brute-force methods. However, Bluetooth’s encryption algorithm differs just enough from other stream cipher algorithms that it is not very vulnerable to these types of attacks.

Another cryptanalytic attack targets the Bluetooth challenge–response protocol, which is based on an algorithm called E1. E1 is in turn based on a block cipher called SAFER+. A flaw in SAFER+ key scheduling allows the number of potential keys to be reduced, thereby making a brute-force attack against the remaining keyspace feasible.

Bluetooth Hacker Tools

An abundance of attack tools against Bluetooth devices greatly simplifies attacking these devices. Bluescanner is one of the most widely used tools of this nature. Bluescanner discovers these devices, their names, and their addresses, as well as what kind they are (keyboard, mouse, phone, computer, and so forth) and any advertised services. This tool can also be used to record the time of discovery and additional contextual information regarding the devices that are targeted for reconnaissance activity. One of the advantages perpetrators who use this tool have is that they can record these kinds of information without having to authenticate to targeted devices.

Bluesnarf is another attack tool that can be used for reconnaissance purposes. Although it has somewhat less functionality than does Bluescanner, it can download phonebooks and other information stored on Bluetooth devices. One advantage of Bluesnarf is that it works covertly—Bluetooth users do not notice that reconnaissance activity is occurring.

Btcrack enables a perpetrator to make phone calls on another phone with charges billed to whoever owns the other phone. Additionally, Btcrack cracks Bluetooth PINs and tries to reconstruct both the passkey and the link key, which are obtained during the pairing process in discovery mode.

BlueSniff finds discoverable and hidden Bluetooth devices. One of the primary advantages of using BlueSniff is that it has an extremely intuitive graphical user interface (GUI).

BlueBug attempts to gain unauthorized entry to phone books, call lists, and other personal information in remote Bluetooth devices during discovery mode.

Security Risks

How do the known Bluetooth vulnerabilities and exploit methods translate to security risks? This question is addressed in this section of this chapter.

Unauthorized Access to Sensitive/Proprietary Information

Bluetooth devices are used with a variety of mobile computing devices. The technology has largely replaced earlier infrared (IrDA) and radio technologies for wireless peripherals such as mice or keyboards for laptop and desktop computers. The extensive use of e-mail enabled devices and ever-increasing storage capabilities of mobile computers mean that paired access, where the computer’s Bluetooth application offers a file access service (as all major operating systems do), can allow an attacker to potentially gain access to any of the information stored on the device. It is possible to disable Bluetooth file sharing on some, but not all, mobile computing devices, but everyday users are not likely to do so.

The risk of the attacker decrypting a Bluetooth transmission is also always present. Successful decryption could also result in compromise of personally identifiable information (PII) in motion as well as of intellectual property (IP). But an attacker may not have to decrypt anything. Versions of the Bluetooth protocol before V2.1 do not require encryption, so devices communicating with a Bluetooth V2.0 or earlier (or forced to fall back to that protocol) may be transmitting in cleartext.

Still another data confidentiality risk scenario results from Bluetooth accessories generally failing to offer granular access controls. If an attacker manages to pair with a Bluetooth device, therefore, the attacker will have open access to the device’s functionality and, if the device has a data storage capability, access to all of the information stored on the device. For modern devices that support multiple pairings (known as “multi-point” pairings), there is also the potential for data in transit from the legitimate client to be exposed, although this is partially mitigated by a special “round-robin” time-division multiplex mechanism within a piconet.

Unauthorized File Integrity Modification

Bluetooth service models do not always differentiate between read and write capabilities for file sharing. Therefore, an attacker with paired access may be able to modify the files if the underlying file system security inadequately differentiates between the logged-in and remote users, or inadequately enforces granularity between read and write accesses. The former is particularly common in smartphones and PDAs, which generally only support a single-user access model and do not provide controllable file-system security.

Unauthorized Long-Distance Phone Calls

One of the earliest attacks against Bluetooth-enabled mobile phones was the ability to pair with the phone and then use it to make unauthorized calls. The use of fixed (and known) PINs for many Bluetooth handsets, as well as the ability of attackers to control the information delivered by their Bluetooth device as part of the pairing process, allows them to mimic, to the human user, a currently paired device. This then allows the attacker to make phone calls, including to premium-rate lines, a common “cashing out” mechanism for telephone attacks.

Location Discovery

Many devices now provide location information through GPS, cell-tower triangulation, Wi-Fi hotspot detection, or other means. These data are often exchangeable via Bluetooth: an attacker may be able to access this information, either by pairing or by interception.

Additionally, Bluetooth-enabled devices transmit radio information that contains their unique “BD_ADDR” code, similar to the MAC address for an IP network device. This portion of the information is transmitted in cleartext, even if the data portion of each packet is encrypted. A sophisticated attacker can thus passively determine the location of a specific active device by triangulation or relative amplitude measurement.

Loss of Availability

Availability-related risk is the final risk considered here. Because Bluetooth links are easily disrupted (see the discussion of denial of service earlier in this chapter), if Bluetooth is used to transmit critical information, the likelihood of temporary disruptions to access must be factored into safety and/or business cases. Also, a sophisticated attacker can launch “man-in-the-middle” attacks to interfere with the pairing process, potentially affecting even more modern pairing schemes. However, current Bluetooth attack methods require special RF equipment, thus greatly reducing the feasibility of launching such attacks.

Control Measures

Despite all the vulnerabilities and risks in connection with Bluetooth functionality, numerous proven control measures exist. This section of this chapter describes some of the most frequently used of these measures.

Policy

Policy is the anchor of an information security practice. Bluetooth usage restrictions and required configurations and procedures should, like any other area or issue, be addressed in policy (and ultimately in standards that are derived from policy provisions), regardless of whether Bluetooth devices are owned by an individual or an organization. Critical policy issues include the following:

Ownership of Bluetooth devices: who owns each device, especially when devices contain an organization’s data, as discussed previously in this chapter.

Acceptable use: An organization’s acceptable use policy (AUP) must state what kinds of user actions are and are not allowed. Are users allowed to use their own Bluetooth devices to conduct company business? Are they allowed to store sensitive and/or proprietary data on Bluetooth devices? Are they allowed to loan their devices to other employees and nonemployees? Users should also be informed that they may not download pornographic, pirated, and hateful information onto any Bluetooth device.

When and where Bluetooth connections are permitted: The open nature of the Bluetooth RF component means that risks of deliberate or inadvertent compromise, of data or availability, are much more likely in a crowded radio environment. The use of Bluetooth in such environments should in general thus be prohibited. By contrast, Bluetooth use within a controlled environment, such as a car, or within the workplace (where both some degree of approved access to the data and a general reluctance to interfere with colleagues’ work can be assumed) should in most cases be permitted.

Approval of devices: Another alternative is to approve Bluetooth devices on a per case basis. The approval criterion might be evidence of sufficient technical controls that adequately protect Bluetooth access and other functions.

Use in connection with sensitive data at rest and in motion: Bluetooth was not by any means designed as a channel for secure communication or storage. Permission to use Bluetooth in connection with access to sensitive data (government classified, credit card information, PII, and so on) and other business-related purposes must thus be denied by default and allowed only on a per-case basis.

Physical security: Policy must forbid leaving mobile devices in any place in which the probability of theft is higher than usual (e.g., on a desk in a public library). In the case of devices on which IP or PII is stored, additional controls (e.g., remote wipe software) may be appropriate if available. What users must do in case they lose or misplace their Bluetooth device should also be described.

Standards

Standards should cover required configurations for Bluetooth devices, the required frequency of patching and backups, and other critical technical prescriptions for these devices. Standards should also state the kind of encryption that must be used to protect the data stored on Bluetooth devices and any password and/or PIN requirements (e.g., the minimum length of PINs).
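The discoverability modes described earlier in this chapter and the required configurations that a standard prescribes can be checked on a host rather than taken on trust. The following is an added example, not code from the handbook or its authors: it assumes the Linux BlueZ stack, whose `bluetoothctl show` command prints controller settings as "Key: value" lines, and it checks a constructed sample of that output against a baseline that requires nondiscoverable (or only limited-discoverable) mode and no advertised file-sharing services. The controller address, host name, and baseline values are all made up.

```python
"""Check a BlueZ controller's configuration against a Bluetooth standard.

Added example, not from the handbook chapter. Assumes Linux BlueZ, whose
`bluetoothctl show` output is parsed here; the sample below is constructed.
"""
import re

# Constructed sample of `bluetoothctl show` output (controller address is a placeholder).
SAMPLE_SHOW_OUTPUT = """\
Controller AA:BB:CC:DD:EE:FF (public)
\tName: lab-laptop
\tAlias: lab-laptop
\tClass: 0x006c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
\tUUID: OBEX File Transfer          (00001106-0000-1000-8000-00805f9b34fb)
\tUUID: OBEX Object Push            (00001105-0000-1000-8000-00805f9b34fb)
\tModalias: usb:v1D6Bp0246d0542
"""

# Constructed baseline in the spirit of the chapter's standards section:
# nondiscoverable by default, limited discoverable mode only when needed,
# and no file-sharing services advertised unless explicitly approved.
BASELINE = {
    "discoverable": "no",
    "max_discoverable_timeout_s": 120,
    "forbidden_services": {"OBEX File Transfer", "OBEX Object Push"},
}


def parse_show_output(text):
    """Return a dict of controller settings plus the set of advertised service names."""
    settings = {"services": set()}
    for line in text.splitlines():
        m = re.match(r"\s*Controller\s+([0-9A-F:]{17})", line)
        if m:
            settings["bd_addr"] = m.group(1)
            continue
        m = re.match(r"\s*([A-Za-z]+):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "UUID":
            # value looks like "OBEX Object Push   (00001105-...)"; keep the name only
            settings["services"].add(value.split("(")[0].strip())
        else:
            settings[key] = value
    return settings


def check_against_baseline(settings, baseline=BASELINE):
    """Return a list of (setting, observed, required) findings; an empty list means compliant."""
    findings = []
    disc = settings.get("Discoverable", "unknown")
    if disc != baseline["discoverable"]:
        findings.append(("Discoverable", disc, baseline["discoverable"]))
    timeout = int(settings.get("DiscoverableTimeout", "0x0"), 16)
    # In BlueZ a timeout of 0 means "discoverable until switched off", i.e.
    # general discoverable mode rather than limited discoverable mode.
    if disc == "yes" and (timeout == 0 or timeout > baseline["max_discoverable_timeout_s"]):
        findings.append(("DiscoverableTimeout", timeout,
                         "1..%d s" % baseline["max_discoverable_timeout_s"]))
    for svc in sorted(settings["services"] & baseline["forbidden_services"]):
        findings.append(("Service", svc, "not advertised"))
    return findings


if __name__ == "__main__":
    for finding in check_against_baseline(parse_show_output(SAMPLE_SHOW_OUTPUT)):
        print("NONCOMPLIANT: %s = %r (required: %s)" % finding)
```

On a real host the sample text would be replaced by the captured output of `bluetoothctl show`; the parser deliberately ignores lines it does not recognize so that differences between BlueZ versions do not break the check.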

Technology Controls

There are several areas in which technological controls can be used to mitigate Bluetooth-related security risk. First, ensuring that all authorized devices are compatible with the latest Bluetooth standards is essential. Many of the particular security weaknesses discovered exist at the protocol level rather than being an artifact of specific flawed implementations. Information security managers and auditors may have to ensure that Bluetooth devices have software or firmware patched to the most recent update levels. The monetary cost and amount of time and labor involved in such an effort may or may not be justifiable, depending upon an organization’s risk appetite and availability of resources.

Second, an increasing variety of security tools such as endpoint firewalls and antivirus and antimalware software that protect Bluetooth devices are slowly but surely becoming available. Although many of these are rather generic to mobile devices, these tools can mitigate risks such as unauthorized access to devices and the information stored on them, and malicious code infections, rather effectively. More specialized security tools, similar to products designed to control risks associated with the use of USB and removable media devices, are available, but they are not universally available for all operating systems and for all low-end Bluetooth devices. Use of technology that provides at least some level of access control may be somewhat deceptive, however. The previously mentioned BD_ADDR code is the primary method of identifying devices in discovery mode, so even if sound security technology is implemented in Bluetooth devices, any attacker who is able to monitor the pairing process is likely to be able to impersonate a target device, thereby bypassing security technology.

Procedural Controls

Procedural controls are also necessary. Information security managers should, for example, consider extending their current vulnerability scanning efforts by also scanning for unauthorized Bluetooth devices. Many network/domain administration and vulnerability scanning tool plug-ins can find these devices, regardless of whether they are active at the time of scanning. Scanning in sensitive locations, such as areas within buildings where servers that store IP and/or PII are physically located, can prove exceptionally beneficial. Procedures should also specify how and how often updates must be tested and installed. And information security managers should strongly consider creating and maintaining an inventory of discovered devices and, if possible, comparing this inventory with a list of registered devices.
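The inventory comparison just described is straightforward to automate once scan results are recorded in a consistent form. The following is an added example, not code from the handbook or its authors: it assumes a scanning tool that writes one line per sighting (timestamp, BD_ADDR, scan location, device name), reconciles a constructed scan log against a constructed registered-device list, and ranks unregistered devices seen in sensitive locations for follow-up. All addresses, names, owners, and locations are made up.

```python
"""Reconcile Bluetooth scan results against a registered-device inventory.

Added example, not from the handbook chapter. The scan-line format, the
addresses, the owners and the locations are all constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed scan log: timestamp, BD_ADDR, scan location, name=<device name>.
SCAN_LOG = """\
2012-03-14T09:58:02 AA:BB:CC:DD:EE:01 Floor2-OpenPlan   name=Alice-Headset
2012-03-14T10:02:11 AA:BB:CC:DD:EE:02 Floor3-ServerRoom name=Nokia-6310i
2012-03-14T10:02:15 AA:BB:CC:DD:EE:03 Floor3-ServerRoom name=LAPTOP-4471
2012-03-14T10:40:53 AA:BB:CC:DD:EE:02 Floor2-OpenPlan   name=Nokia-6310i
2012-03-14T11:15:00 AA:BB:CC:DD:EE:04 Reception         name=Unknown
"""

# Constructed registered-device list: BD_ADDR -> (owner, asset tag).
REGISTERED = {
    "AA:BB:CC:DD:EE:01": ("alice", "HS-0042"),
    "AA:BB:CC:DD:EE:03": ("bob", "LT-0191"),
    "AA:BB:CC:DD:EE:05": ("carol", "PH-0007"),
}

# Locations where servers holding IP and/or PII sit (constructed).
SENSITIVE_LOCATIONS = {"Floor3-ServerRoom"}


@dataclass
class Sighting:
    first_seen: str
    last_seen: str
    names: set = field(default_factory=set)
    locations: set = field(default_factory=set)


def parse_scan_log(text):
    """Aggregate all sightings per BD_ADDR (ISO timestamps compare correctly as strings)."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, addr, location, name_field = parts[0], parts[1].upper(), parts[2], parts[3]
        name = name_field.split("=", 1)[1]
        s = seen.setdefault(addr, Sighting(first_seen=ts, last_seen=ts))
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.names.add(name)
        s.locations.add(location)
    return seen


def reconcile(seen, registered=REGISTERED, sensitive=SENSITIVE_LOCATIONS):
    """Return (unregistered addrs, addrs seen in sensitive areas, registered-but-unseen addrs)."""
    unregistered = sorted(a for a in seen if a not in registered)
    in_sensitive = sorted(a for a, s in seen.items() if s.locations & sensitive)
    missing = sorted(a for a in registered if a not in seen)
    return unregistered, in_sensitive, missing


def prioritise(seen, registered=REGISTERED, sensitive=SENSITIVE_LOCATIONS):
    """Rank unregistered devices: those seen in sensitive areas come first."""
    unregistered, in_sensitive, _ = reconcile(seen, registered, sensitive)
    findings = []
    for addr in unregistered:
        level = "HIGH" if addr in in_sensitive else "MEDIUM"
        findings.append((level, addr, sorted(seen[addr].names), sorted(seen[addr].locations)))
    return sorted(findings, key=lambda f: (f[0] != "HIGH", f[1]))


if __name__ == "__main__":
    sightings = parse_scan_log(SCAN_LOG)
    for level, addr, names, locations in prioritise(sightings):
        print(level, addr, names, locations)
    print("registered but not seen:", reconcile(sightings)[2])
```

Registered devices that were never seen are reported too, since an inventory that is only ever added to will not tell you which approved devices have disappeared.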

Evaluation of Controls

The widespread use of Bluetooth technology is a relatively new trend, and controls invariably lag behind technology advancements. Bluetooth controls are no exception. Bluntly put, technology controls currently available for Bluetooth devices are not all that adequate in that they leave residual risk levels that many organizations find unacceptable. And information security managers do not currently have the range of choices concerning Bluetooth technical controls that they have in other areas, such as in network security. Additionally, technical controls in the Bluetooth arena have so far not been able to help overcome problems such as fixed defaults, e.g., fixed PINs and passwords in some Bluetooth devices.

Information security managers should also realize that technical controls generally work on the master device. Accordingly, authorized accessories, which among other things may provide access to stored information, are likely to be readily connectable to and thus openly accessible by unauthorized master devices. Given the limited audit logging capabilities of most accessories, this type of access is unlikely to be detectable even if the accessory is subsequently connected back to the authorized device.

Controls can be technical, administrative, or physical, or a combination of all three, so information security managers can supplement technical controls with other types, of which administrative controls (discussed earlier in this chapter) are the most useful in the Bluetooth arena.

The widely used mantra, “Plan, Do, Check, Act,” dictates that organizations must incorporate evaluation and review into operational cycles. Controls are only effective when they are systematically evaluated and tested and, when appropriate, modified or replaced. This is especially true in the Bluetooth arena, where technical controls currently do not generally adequately deliver what organizations need for risk mitigation. Information security managers should thus continually examine the current generation of controls for Bluetooth devices to determine if changes in technology products have been made such that reconfiguring or upgrading them can more effectively reduce residual risk, and if so, to ensure that appropriate changes are made. In addition, new controls will emerge in time, and as they do, information security managers and others will have potentially new risk mitigation solutions to evaluate, test, and possibly implement.

Management Strategies and Issues

Bluetooth, as a generic “wireless technology” and one that is primarily used to support mobile computing and communications, needs to be an integral part of the organizational policy and controls within this area of business support. When formal certification of information security management or information assurance (ISO/IEC 27001, PCI-DSS, SAS-70, and so on) is required, the controls for Bluetooth-related risks must be incorporated into wider RF or wireless security policies, as well as being specifically highlighted in user guidance for mobile computing in general.

Integration of Bluetooth into any existing technical controls environment is a more difficult issue. As mentioned previously, in most organizations users typically own and use more advanced and capable devices than an organization is likely to issue to them. There will thus be significant pressure either for an organization to provide equivalent functionality or to allow the use of personal devices. The much more difficult scenario from a security management viewpoint is when there is a mixture of personally and organization-owned Bluetooth devices.

Integrating Bluetooth into an Overall Mobile Device Security Risk Management Strategy

Appropriate technology controls can and should be built into the management of devices that use Bluetooth technology, and for the most part these controls belong in system administration. Technology controls go only so far in mitigating risk in the Bluetooth environment, however. Security training and education (covered shortly), together with the security policy and standards provisions covered previously, are in many ways more effective (and especially more cost-effective) Bluetooth security controls than technology controls are.

Mobile technology is proliferating to the point that technical staff now typically suspect, but do not know for sure, that more devices (including personal devices) are in use than are registered with the organization. If employees cannot be persuaded to register their devices with a central system, they must assume greater responsibility for keeping the devices’ software up to date. One advantage that is uncommon in security is that ordinary users have their own incentive to install updates: updates, especially smartphone updates, usually bring improved performance along with security fixes. When users are prompted to update their Bluetooth devices, they thus tend to view the update process as beneficial independently of any security considerations.

But not all Bluetooth users update their devices, despite the advantages. Procedures for IT staff to systematically locate and update Bluetooth devices must thus be developed and followed. As previously discussed, organizations should keep a record of all types and instances of Bluetooth-enabled devices, using a status update and notification system if possible. Doing so allows the technical support team to test and monitor the availability of updates and to notify both users and their line managers when new updates are ready to be installed. It also means that when users have been absent from work for a significant period, having IT staff update their Bluetooth and other devices can be part of their return-to-work procedure.

The Role of Training and Awareness

Security training and awareness are among the single most important elements in securing the Bluetooth environment. Security awareness, if carefully developed from “first contact” with a staff member, leads to better understanding of and compliance with policies, standards, and procedures. Ensuring that all Bluetooth users are fully aware of organizational restrictions on the use of Bluetooth (e.g., that certain types of information may not be stored on Bluetooth devices) is essential. Users must become familiar with and sign off on the AUP provisions concerning Bluetooth usage. They must be educated about any approval processes for using the technology and about the types of controls that must be in place. They must also be taught the dangers of using Bluetooth devices in public places and instructed to avoid this context of use. Finally, they must be informed of the ramifications of noncompliance.

Staff who work while traveling often use Bluetooth earpieces while talking on their mobile phones. Although these employees may understand some of the risks associated with mobile phones, they are unlikely to realize that the Bluetooth earpiece adds risks of its own. Security training and awareness efforts must thus help users understand and counter Bluetooth-specific risks. More and more organizations are sending a “security tip of the week” by text message to mobile device users, which is likely to work better than herding users into an auditorium once a year for a dull lecture about mobile device security.

Enforcement of Policy, Standards, and Procedures

Enforcement of Bluetooth security-related policy, standards, and procedures is generally an extremely difficult task. Random “spot-checks” of Bluetooth devices’ configuration and update status can be conducted as employees enter and leave the building in which they work, and such checks are also useful for identifying whether unauthorized Bluetooth devices are being used at work. There is a significant downside, however: employees are likely to view spot-checks as an invasion of privacy, a sign that their employer distrusts them, and a waste of their time. Alternatively, IT staff can inspect Bluetooth devices while troubleshooting them. Auditors, who in particular need to come up to speed on Bluetooth security issues, should also focus in part on Bluetooth security whenever IT audits are performed.

Because there is no bulletproof method of enforcement in the Bluetooth environment, the best way to enforce policy, standards, and procedures is to create a voluntary compliance program, a “soft shoe” approach. One way to implement such a program is to create and distribute Bluetooth security compliance checklists to employees, who are then required to complete and return them within a specified period. True/false items such as “I use Bluetooth only when I am in non-public, non-crowded places,” “I update my Bluetooth device no less than once a month,” and “I make sure that no company proprietary information is stored on my Bluetooth device” might appear on the checklist. If an employee indicates that s/he is not conforming to policy, standards, and/or procedures, someone from information security or IT can assist that person in achieving compliance.

Conclusion

Just when information security managers thought they were getting the mobile computing arena under control, Bluetooth popularity started to soar, and this trend has continued to the present. Bluetooth device functionality and transmission range are growing rapidly, and there is no end in sight. Some degree of risk mitigation for Bluetooth technology is possible, but the level of residual risk is likely to be excessively high for organizations such as financial institutions that typically have low risk appetites. Technology controls can help reduce security risk in Bluetooth environments, but built-in features such as discovery and pairing, and the limited length of PINs and passwords on some devices, result in vulnerabilities that available technology cannot remediate well at this point in time. The fact that so many widely available and easy-to-use exploit tools for Bluetooth exist only exacerbates this dilemma. Fortunately, most Bluetooth devices in use today have a limited transmission distance, so attackers are generally unable to launch successful attacks against them from a distance.

Selection of appropriate Bluetooth controls will vary significantly with the culture and risk appetite of each organization, but all things considered, administrative controls such as a requirement for approval of use, restrictions on use based on location and/or data sensitivity, and training and awareness are likely to be the most effective. Training and awareness efforts combined with a voluntary compliance approach are particularly promising in the wild, unruly world of Bluetooth technology.

About the Authors

E. Eugene Schultz, PhD, CISM, CISSP, GSLC, is the chief technology officer at Emagined Security, an information security consultancy based in San Carlos, California. He is the author/coauthor of five books, one on UNIX security, another on Internet security, a third on Windows NT/2000 security, a fourth on incident response, and the latest on intrusion detection and prevention. He has also written over 120 published papers. He was the editor-in-chief of Computers and Security from 2002 to 2007 and is currently an associate editor of Computers and Security and Network Security. He is also a certified SANS instructor, senior SANS analyst, member of the SANS NewsBites editorial board, coauthor of the 2005 and 2006 Certified Information Security Manager preparation materials, and is on the technical advisory board of three companies. He has previously managed an information security practice as well as a national incident response team. He has also been a professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. Named a distinguished fellow of the Information Systems Security Association (ISSA), Gene has also received the ISSA Hall of Fame award as well as the ISSA’s Professional Achievement and Honor Roll awards. While at Lawrence Livermore National Laboratory, he founded and managed the U.S. Department of Energy’s Computer Incident Advisory Capability (CIAC). He is also a cofounder of FIRST, the Forum of Incident Response and Security Teams. Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues and has served as an expert witness in legal cases.

Matthew W. A. Pemble, Eur Ing, has been technical director of Idrach Ltd. since its founding in 1997, having previously worked for the U.K. government (as a regular and reservist military officer and as a civilian consultant), an international banking group, and several testing and security consultancies. Perhaps best known recently for his contributions to security testing, incident management, and counter-fraud strategies, Matthew also has considerable experience in policy-based security, security architectures, and ISO/IEC 27001. Historically, he was one of the first people to qualify as a penetration test team leader under the U.K. government “CHECK” scheme and was also one of the original BS7799 (now ISO/IEC 27001) c:cure Auditors. An experienced technical and journal author, he has been lead contributor to many customer publications, including user and technical manuals, and is one of the lead authors of the forthcoming ENISA publication “How to shop safely online.” His work has been published in numerous trade and academic journals, including Computer Fraud and Security, the International Journal of Digital Evidence, Information Security Bulletin, and Network Security. Additionally, he is a visiting lecturer in digital forensics at the Universities of Glasgow and Strathclyde and a regular speaker at national and international conferences. Matthew is a chartered and European registered engineer, a fellow of the British Computer Society, a founder member of the Institute for Information Security Professionals, and a member of the Institution of Engineering and Technology.

Wendy Goucher is a security consultant working mainly in the human controls and policy areas, helping to improve the interface between organizations’ security requirements and the actual behavior patterns of staff, customers, and passersby. In this role, she brings the communication skills and managerial insight gained from a background in psychology and sociology and from her first career as a lecturer at a university and at various colleges of higher education. She has also completed her PhD in information security at the University of Glasgow, where she investigated the operational risks of mobile working. Wendy is an active member of the Security Culture Project Team for ISACA and of an ENISA taskforce that seeks to bring security awareness into the home. Since moving into the information security arena, she has gained experience working with clients in the public sector, government contractors, and the finance sector, principally in compliance preparation and security awareness. She is a member of the Scottish Centre of Excellence in Cybercrime and Security Project, based at Napier University, and an active member of the Cybercrime and Forensics program at the Scottish Universities’ Insight Institute. Wendy also writes a monthly column for Computer Fraud and Security.

* XOR (exclusive or) is a logical operation on bit values. If the data bit is the same as the key bit (e.g., 0 and 0, or 1 and 1), the result is 0. If the two bits differ (e.g., 0 and 1), the result is 1.

* The range of the commonest devices, Class 2, is just 10 meters (33 feet).

* Many Bluetooth devices come with well-known default PINs such as 0000 or 1234, something that greatly simplifies the task of guessing PINs.
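The weakness described in this footnote can be screened for when a device is registered or its pairing PIN is set. The following Python check is an added example and is not part of the chapter; the default-PIN list, the pattern rules, and the eight-digit minimum are assumptions chosen for illustration rather than values taken from any vendor or standard. The keyspace figure shows why PIN length matters: a 4-digit PIN offers about 13 bits of guessing resistance at best, and a default PIN offers none.

```python
"""Weak legacy-pairing PIN screening (added example, not from the chapter).

Assumptions: a PIN is a string of decimal digits; the default-PIN list and
the eight-digit minimum below are constructed for illustration.
"""
import math

# Constructed list of well-known factory PINs (illustrative, not exhaustive).
DEFAULT_PINS = {"0000", "1234", "1111", "8888", "0123", "9999"}


def is_repeated(pin: str) -> bool:
    """All digits identical, e.g. 0000 or 7777."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """Ascending or descending run of consecutive digits, e.g. 1234 or 4321."""
    if len(pin) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def keyspace_bits(length: int) -> float:
    """Guessing resistance of a uniformly random decimal PIN, in bits (log2 of 10**length)."""
    return length * math.log2(10)


def assess_pin(pin: str, min_length: int = 8) -> dict:
    """Return the findings a registration check would record for a candidate PIN.

    A PIN is acceptable only if no finding is raised. Default and patterned
    PINs are flagged regardless of length, because an attacker tries those
    first and the nominal keyspace then says nothing about real resistance.
    """
    findings = []
    numeric = pin.isdigit()
    if not numeric:
        findings.append("non-numeric")
    else:
        if pin in DEFAULT_PINS:
            findings.append("default")
        if is_repeated(pin):
            findings.append("repeated-digit")
        if is_sequential(pin):
            findings.append("sequential")
        if len(pin) < min_length:
            findings.append(f"shorter than {min_length} digits")
    return {
        "pin_length": len(pin),
        "keyspace_bits": round(keyspace_bits(len(pin)), 1) if numeric else 0.0,
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    for candidate in ("0000", "1234", "4321", "29471836"):
        print(candidate, assess_pin(candidate))
```

The check is deliberately independent of any Bluetooth stack: it runs against an inventory record or a user-submitted checklist answer, which fits the administrative, voluntary-compliance approach the chapter recommends.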

* For example, telephone contact lists and date/time records for calls, stored on the Bluetooth hands-free equipment in an executive’s or salesperson’s car, may have significant commercial or legal value to a competitor.

* It is especially difficult to justify the cost, time, and labor involved if Bluetooth devices have low levels of functionality and are only rarely connected to public networks.