Security threats raise concerns about Bluetooth

Potential security risks posed by the Bluetooth wireless technology are prompting some IT managers to rein in use of...

Potential security risks posed by the Bluetooth wireless technology are prompting some IT managers to rein in use of Bluetooth-equipped mobile phones and PCs on their networks.

Michael Ciarochi, a network security manager at mortgage lender HomeBanc, discovered that Bluetooth radios were included in laptop PCs which were being configured by an IT engineer for delivery to HomeBanc's mobile workers. The radios, which operate in the same 2.4GHz band as 802.11b WLans, were turned on as a factory default setting.

The possibility of opening a wireless back door into data stored on the PCs had the Bluetooth radios turned off before the systems went into use was a concern, he said. He added that he expected to have to secure Bluetooth by "locking it down" on devices, the same approach he took with HomeBanc's WLans.

Emmett Hawkins, chief technology officer at managed network services supplier Leapfrog Services, is also concerned about Bluetooth security risks.  He planned to use a tool called Bluewatch from AirDefense to scan every device on his network and employees' mobile phones for the presence of the wireless technology, then decide which devices should be allowed to run Bluetooth and access the network at Leapfrog.

Cracks in Bluetooth's security capabilities first came to light in February, when UK researchers said they had developed a tool which could exploit a flaw in some phones to connect to other devices without going through the normal pairing process. Once the connection was established, the tool could download data such as address books and personal calendars.

The Bluetooth Special Interest Group (SIG) said that Bluetooth users need to "understand the realities of the situation [and] know how to protect themselves".

Patches are available for the phones that are at risk of being attacked, said a spokesman for the Bluetooth SIG. He added that the group will detail initiatives it has under way to make Bluetooth more secure.

Only a relatively small number of phones from Nokia and Sony Ericsson are susceptible to bluesnarfing. Despite the existing concerns, Bluetooth "is more secure than any other wireless technology" because of the short transmission range of most devices and its 128-bit encryption capabilities.

Bluetooth security concerns will continue to grow as devices that use the technology proliferate, said Chris Kozup, an analyst at Meta Group. Bluetooth-equipped mobile phones can be a particularly vexing problem for IT managers because many are bought by individual employees, making them harder to manage than corporate assets such as laptop PCs, he said.

Bluejacking involves sending unsolicited text messages to other Bluetooth users.

Karl Feilder, president and chief executive officer of Red-M, a supplier of wireless security tools, described bluejacking as "an annoyance" that can be defeated by turning off the phone function on devices, which needs to be on to allow the exchange of such messages.

Few IT managers are even aware of Bluetooth's widespread use, Feilder said. Worldwide shipments of mobile phones and other devices that use the technology exceeded one million units a week last year, according to the Bluetooth SIG.

He estimated that as many as two billion Bluetooth-equipped devices could be in use by next year.

Many Bluetooth products are short-range devices that can transmit across distances of only about 30ft. But Jay Chaudhary, chairman of AirDefense, said a large number of laptop PCs include longer-range Bluetooth radios that can work at distances of up to 300ft. That could make them more vulnerable to attacks, he said.

AirDefense's Bluewatch detection tool costs $295 for use on a laptop PC. Red-M also offers a Bluetooth detection system that is based on radio frequency sensors deployed throughout a company's offices, with costs for an installation running between $50,000 and $250,000.

Bob Brewin writes for Computerworld

Read more on IT risk management