Bluetooth 'poses serious threat to business'

Thursday 29 March 2007 03:50

Businesses are at serious risk of criminal activity using theBluetoothwireless connectivity system. Financial adviserGrant Thorntonsays the widely used short-range system is a major threat to busineses.

Grant Thornton said key areas for concern include Bluetooth pairing attacks, where an attacker gains full access to memory content and becomes a trusted device.

There is also the threat of BlueSnarfing, where a hacker gains access to phonebook and calendar information and can divert calls to their own phone.

In addition, BlueBug attacks can allow an attacker full access to a device to initiate calls, including premium rate phone calls to a premium line they have set up themselves.

John Dunne, IT security manager with Grant Thornton's risk management services practice said, "Businesses are leaving themselves open to the possibilities of fraudulent activity, particularly as there are a number of very simple precautions that can be undertaken to ensure that the likelihood of an attack is minimised, such as disabling the Bluetooth signal on your device when it's not in use."

This is good operational practice anyway, as a left-on Bluetooth signal helps drain the device’s battery.

Dunne added, "Most devices have encryption settings but they can be easily cracked with tools and techniques that are readily available on the internet. Businesses need to think very carefully about the information they store on a phone or PDA.

"Take the example of Paris Hilton - her mobile phone contents ended up on the internet after a Bluesnarf attack on her phone.”

To help reduce the possibility of attacks, Grant Thornton says the Bluetooth signal must always be turned off once data synchronisation has been completed, the amount of sensitive data stored on mobile devices should be limited, and the device should be made anonymous by being given a nickname rather than the real name of the owner.

Firms can also install additional mobile encryption software designed for mobile devices, now available from a variety of internet security software firms.