Chasing away your wireless blues


Lisa Phifer
11.17.2005


While Wi-Fi security has been grabbing headlines, Bluetooth has been creeping quietly into corporate networks. Today, Bluetooth interfaces are common on many office devices, including laptops, PDAs, cellphones, and headsets. Bluetooth can also be found in printers, keyboards, cameras, broadband routers, and access points. According to AirDefense, Bluetooth-capable devices will top one billion by 2006. In fact, unsecured Bluetooth interfaces may already be putting your business assets at risk today.

Why you should care

Bluetooth is a cable replacement technology, designed to connect paired devices within 10 meters of each other. Given limited range and application, many incorrectly discount Bluetooth as a serious business threat. But new Bluetooth devices can reach up to 100 meters, using internal antennas. Most are promiscuous by default, responding to pages, service discovery probes, and connect requests from anyone. And many harbor security programming flaws associated with the Bluetooth Object Exchange (OBEX) protocol. This has fostered development of new attacks that exploit Bluetooth, such as:

[TABLE]

Companies may not really care if an employee's wireless headset or keyboard gets BlueSmacked or BlueStabbed. But they should care if an executive's PDA gets BlueSnarfed or BlueSpoofed. They should care if Bluetooth is used to infect employee laptops or rack up company telephone charges. And they should care whenever any unauthorized link is used to circumvent corporate security policies – for example, using Bluetooth to exchange unsecured data between peers in an office where Wi-Fi Ad Hoc is forbidden and 802.11i security is required on the corporate WLAN.

What you can do about it

Bluetooth standards define optional security measures that can authenticate paired devices and encrypt the data exchanged between them. Companies should require that all Bluetooth-capable devices carried by employees employ such measures, in accordance with corporate security policies. For example, you might require encryption for all file transfers conducted over Bluetooth. Or you may require PIN-based authentication for all Bluetooth connections, no matter what service is used. You may also want to educate employees about safe Bluetooth practices, including how to avoid unsolicited service discovery and improper pairing.

Security capabilities do vary across Bluetooth products. Employees may own devices that are missing security patches or cannot comply with company-defined policies. In that case, you must decide how to deal with out-of-spec Bluetooth devices. Do you confiscate them? Instruct the device owner to disable Bluetooth at your office? Forbid employees from carrying corporate data on vulnerable devices? You'll need to answer such questions to enforce your company's Bluetooth security policy.

Enforcing those decisions

Periodically scan your offices to find legitimate-but-misconfigured Bluetooth devices and unknown Bluetooth rogues. In a small office, this might be done by walking around with an off-the-shelf Bluetooth adapter, operating in discovery mode. But spotting more than a few devices this way would be tedious and error-prone. A more rigorous and systematic approach is to use a portable Bluetooth scanner like Network Chemistry BlueScanner, AirMagnet BlueSweep, or AirDefense BlueWatch.

For example, BlueScanner and BlueSweep are free tools that run on Windows XP SP2. To use either, you'll need a Bluetooth adapter, running Microsoft's Bluetooth driver. These tools actively poll for other Bluetooth devices and query the services that each supports. Reported details may include the discovered device's name and address, manufacturer, type, class, advertised services (e.g., serial port, dialup networking, file transfer, fax, headset), and active connections with other Bluetooth devices.

Distance varies by adapter, and you'll only discover active Bluetooth devices, within range, that respond to polling (i.e., you won't find disabled devices, or devices with discovery turned off). Sampling a large office this way is labor intensive, so decide what you're really trying to accomplish and devote effort accordingly. To find "hidden" Bluetooth devices (i.e., those that won't respond to polls), you'll need to invest in a spectrum analyzer (e.g., BVS Mantis Bluetooth) or a Bluetooth traffic analyzer (e.g., Frontline Bluetooth Protocol Analyzer). For full-time distributed Bluetooth monitoring, consider a Wireless IDS with Bluetooth-capable sensors (e.g., Red-Alert Pro).
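
An added example (not from the original article or from any of the tools it names): once a scan has been exported, the results can be checked against the asset inventory to separate unknown rogues from approved devices that advertise services policy does not allow. The CSV layout, the addresses, and the APPROVED inventory are constructed assumptions.

```python
import csv
import io

# Constructed scan export. The column layout is hypothetical, not the
# real output format of BlueScanner, BlueSweep or any other tool.
SAMPLE_SCAN = """address,name,device_class,services
00:11:22:33:44:55,exec-pda,PDA,file transfer;serial port
00-11-22-33-44-66,desk-headset,Headset,headset
aa:bb:cc:dd:ee:01,unknown-phone,Phone,dialup networking;file transfer
00:11:22:33:44:77,lab-laptop,Laptop,
"""

# Assumed asset inventory: approved address -> services policy allows it
# to advertise. All values are constructed for this example.
APPROVED = {
    "00:11:22:33:44:55": {"serial port"},
    "00:11:22:33:44:66": {"headset"},
    "00:11:22:33:44:77": set(),
}


def normalize(address):
    """Canonical form so 00-11-.. and aa:bb:.. match inventory keys."""
    digits = "".join(c for c in address if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a Bluetooth device address: {address!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(scan_csv, approved):
    """Return (address, name, verdict, offending services) per scanned device."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        addr = normalize(row["address"])
        services = {s.strip().lower() for s in row["services"].split(";") if s.strip()}
        if addr not in approved:
            # Unknown device: everything it advertises is of interest.
            findings.append((addr, row["name"], "rogue", sorted(services)))
            continue
        extra = services - approved[addr]
        verdict = "misconfigured" if extra else "ok"
        findings.append((addr, row["name"], verdict, sorted(extra)))
    return findings


if __name__ == "__main__":
    for addr, name, verdict, services in audit(SAMPLE_SCAN, APPROVED):
        print(f"{verdict:14} {addr}  {name:15} {', '.join(services)}")
```

As the article notes, a poll-based scan only sees devices that respond, so an "ok" result here says nothing about hidden devices.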

Conclusion

Bluetooth has been flying under IT security radar for quite some time. Given increasing deployment and broader usage, Bluetooth really deserves more attention. Scanning your office for Bluetooth devices and exposed services may yield surprising results. But assessing those vulnerabilities can help you take steps to reduce Bluetooth risk.

To learn more about Bluetooth security standards, attacks, and vulnerability testing, visit http://www.bluetooth.org or http://trifinite.org.


About the author

Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
