Bluetooth group downplays security risks

The Bluetooth Special Interest Group (SIG) has dismissed the security fears surrounding the technology, and said that any flaws in it are limited to a small number of mobile phones.

Bluetooth is primarily a short-range wireless technology which operates in the same 2.4GHz frequency band as wireless LANs.

It is used as a cordless replacement to connect a wide range of devices, such as mobile phones, to each other in a process known as "pairing" and can also serve as the link between a phone or handheld computer and Bluetooth wireless printers.

Mike McCamon, marketing director of the Bluetooth SIG, said that Bluetooth device shipments have now hit one million a week and that any security problems with the wireless technology are limited to a handful of phones manufactured by Nokia and Sony Ericsson.

Those phones, which include Sony Ericsson R520m and T68i phones and Nokia's 6310, 6310i, 8910 and 8910i phones, are susceptible to a hacking technique known as "bluesnarfing", according to Nick Hunn, a Bluetooth security expert and sales managing director at TDK Systems Europe.

Flaws in these phones can allow hackers to access data such as information stored in address books or calendars, he said. 

Both Nokia and Sony Ericsson are developing patches for the older phones, while newer models will not be vulnerable to a bluesnarfing attack.

Any security threat from bluesnarfing is minimal and the technique can be easily prevented by setting Bluetooth on the phones to a "hidden" mode, Nokia said. That makes intrusion more difficult, "since the hacker will have to know or guess the Bluetooth address before establishing a connection". 

Hunn and McCamon agreed with Nokia's recommendations and said users should turn off a feature which allows one Bluetooth-equipped device to easily detect or "discover" another.

"Always make sure your devices are not discoverable," McCamon said. Every Bluetooth device has a name, which users can change, and he suggested that each user choose one that does not readily identify his device.

Concerned Bluetooth users should keep in mind that the easiest way to obtain data from a mobile phone is not through illicit Bluetooth access, but from phones that have been lost.

Hunn said police in the UK received reports of 430,000 lost mobile phones in 2002, a potentially larger security problem than bluesnarfing.

While McCamon emphasised that any security concerns with Bluetooth are largely restricted to phones, wireless security suppliers said the proliferation of the technology means that other devices - and even enterprise systems - could be susceptible to detection, sniffing and even hacking.

Joseph Dell, chief technology officer at Vigilar, an information security services firm, said users should view all Bluetooth devices as inherently insecure, since the majority are shipped with security turned off. He also believed that any Bluetooth device could serve as a back door into enterprise information systems. 

Dell recommended that companies secure all their Bluetooth devices and scan for unauthorised devices. 

Bob Brewin writes for Computerworld
