Potential security risks posed by the Bluetooth wireless
technology are prompting some IT managers to rein in use of
Bluetooth-equipped mobile phones and PCs on their
networks.
Michael Ciarochi, a network security manager at mortgage lender
HomeBanc, discovered that Bluetooth radios were included in laptop
PCs which were being configured by an IT engineer for delivery to
HomeBanc's mobile workers. The radios, which operate in the same
2.4GHz band as 802.11b WLans, were turned on as a factory default
setting.
The possibility of opening a wireless back door into data stored
on the PCs had the Bluetooth radios turned off before the systems
went into use was a concern, he said. He added that he expected to
have to secure Bluetooth by "locking it down" on devices, the same
approach he took with HomeBanc's WLans.
Emmett Hawkins, chief technology officer at managed network
services supplier Leapfrog Services, is also concerned about
Bluetooth security risks. He planned to use a tool called
Bluewatch from AirDefense to scan every device on his network and
employees' mobile phones for the presence of the wireless
technology, then decide which devices should be allowed to run
Bluetooth and access the network at Leapfrog.
Cracks in Bluetooth's security capabilities first came to light
in February, when UK researchers said they had developed a
tool which could exploit a flaw in some phones to connect to other
devices without going through the normal pairing process. Once the
connection was established, the tool could download data such as
address books and personal calendars.
The Bluetooth Special Interest Group (SIG) said that Bluetooth
users need to "understand the realities of the situation [and] know
how to protect themselves".
Patches are available for the phones that are at risk of being
attacked, said a spokesman for the Bluetooth SIG. He added that the
group will detail initiatives it has under way to make Bluetooth
more secure.
Only a relatively small number of phones from Nokia and Sony
Ericsson are susceptible to bluesnarfing. Despite the existing
concerns, Bluetooth "is more secure than any other wireless
technology" because of the short transmission range of most devices
and its 128-bit encryption capabilities.
Bluetooth security concerns will continue to grow as devices
that use the technology proliferate, said Chris Kozup, an analyst
at Meta Group. Bluetooth-equipped mobile phones can be a
particularly vexing problem for IT managers because many are bought
by individual employees, making them harder to manage than
corporate assets such as laptop PCs, he said.
Bluejacking involves sending unsolicited text messages to other
Bluetooth users.
Karl Feilder, president and chief executive officer of Red-M, a
supplier of wireless security tools, described bluejacking as "an
annoyance" that can be defeated by turning off the phone function
on devices, which needs to be on to allow the exchange of such
messages.
Few IT managers are even aware of Bluetooth's widespread use,
Feilder said. Worldwide shipments of mobile phones and other
devices that use the technology exceeded one million units a week
last year, according to the Bluetooth SIG.
He estimated that as many as two billion Bluetooth-equipped
devices could be in use by next year.
Many Bluetooth products are short-range devices that can
transmit across distances of only about 30ft. But Jay Chaudhary,
chairman of AirDefense, said a large number of laptop PCs include
longer-range Bluetooth radios that can work at distances of up to
300ft. That could make them more vulnerable to attacks, he
said.
AirDefense's Bluewatch detection tool costs $295 for use on a
laptop PC. Red-M also offers a Bluetooth detection system that is
based on radio frequency sensors deployed throughout a company's
offices, with costs for an installation running between $50,000 and
$250,000.
Bob Brewin writes for Computerworld