The Bluetooth Special Interest Group (SIG) has dismissed
the security fears surrounding the technology, and said that any
flaws in it are limited to a small number of mobile
phones.
Bluetooth is primarily a short-range wireless technology which
operates in the same 2.4GHz frequency band as wireless Lans.
It is used as cordless replacement to connect a wide range of
devices, such as mobile phones, to each other in a process known as
"pairing" and can also serve as the link between a phone or
handheld computer and Bluetooth wireless printers.
Mike McCamon, marketing director of the Bluetooth SIG, said that
Bluetooth device shipments have now hit one million a week and that
any security problems with the wireless technology security
problems are limited to a handful of phones manufactured by Nokia
and Sony Ericsson.
Those phones, which include Sony Ericsson R520m and T68i phones
and Nokia's 6310, 6310i, 8910 and 8910i phones, are susceptible to
a hacking technique known as "bluesnarfing", according to Nick
Hunn, a Bluetooth security expert and sales managing director at
TDK Systems Europe.
Flaws in these phones can allow hackers to access data such as
information stored in address books or calendars, he said.
Both Nokia and Sony Ericsson are developing patches for the
older phones, while newer models will not be vulnerable to a
bluesnarfing attack.
Any security threat from bluesnarfing is minimal and the
technique can be easily prevented by setting Bluetooth on the
phones to a "hidden" mode, Nokia said. That makes intrusion more
difficult, "since the hacker will have to know or guess the
Bluetooth address before establishing a connection".
Hunn and McCamon agreed with Nokia's recommendations and said
users should turn off a feature which allows one Bluetooth-equipped
device to easily detect or "discover" another.
"Always make sure your devices are not discoverable," McCamon
said. Every Bluetooth device has a name, which users can change,
and he suggested that each user choose one that does not readily
identify his device.
Concerned Bluetooth users should keep in mind that the easiest
way to obtain data from a mobile phone is not through illicit
Bluetooth access, but from phones that have been lost.
Hunn said police in the UK have received reports of 430,000 lost
mobile phones in 2002, a potentially larger security problem than
bluesnarfing.
While McCamon emphasised that any security concerns with
Bluetooth are largely restricted to phones, wireless security
suppliers said the proliferation of the technology means that other
devices - and even enterprise systems - could be susceptible to
detection, sniffing and even hacking.
Joseph Dell, chief technology officer at Vigilar, an information
security services firm, said users should view all Bluetooth
devices as inherently insecure, since the majority are shipped with
security turned off. He also believed that any Bluetooth device
could serve as a back door into enterprise information
systems.
Dell recommended that companies secure all their Bluetooth
devices and scan for unauthorised devices.
Bob Brewin writes for Computerworld
Security threats raise concerns about Bluetooth >>