Chasing away your wireless blues

While Wi-Fi security has been grabbing headlines, Bluetooth has been creeping quietly into corporate networks -- often under IT's security radar. Given increasing deployment and broader usage, Bluetooth really deserves more attention. In this tip, Lisa Phifer opens your eyes to the potential threats Bluetooth poses.

Today, Bluetooth interfaces are common on many office devices, including laptops, PDAs, cellphones, and headsets. Bluetooth can also be found in printers, keyboards, cameras, broadband routers, and access points. According to AirDefense, Bluetooth-capable devices will top one billion by 2006. In fact, unsecured Bluetooth interfaces may already be putting your business assets at risk today.

Why you should care

Bluetooth is a cable replacement technology, designed to connect paired devices within 10 meters of each other. Given limited range and application, many incorrectly discount Bluetooth as a serious business threat. But new Bluetooth devices can reach up to 100 meters, using internal antennas. Most are promiscuous by default, responding to pages, service discovery probes, and connect requests from anyone. And many harbor security programming flaws associated with the Bluetooth Object Exchange (OBEX) protocol. This has fostered development of new attacks that exploit Bluetooth, such as:

BlueBug: Issuing AT commands to place calls using another Bluetooth device
BlueDump: Watching Bluetooth pairing, using that info to crack a Bluetooth PIN
BlueJacking: Adding a new contact to a Bluetooth device's phonebook
BlueRogue: Using unauthorized Bluetooth devices, especially Access Points
BlueSmack: Sending an L2CAP ping-of-death to crash a Bluetooth device
BlueSnarfing: Grabbing contact and calendar lists from Bluetooth PDAs and phones
BlueSniffing: Scanning an address range to find nearby Bluetooth devices
BlueSpooof: Masquerading as another Bluetooth device by using its BT address
BlueStab: Using bad names to crash devices engaged in Bluetooth discovery
Bluetooone: Using external 2.4 GHz antenna to extend Bluetooth attack range
Cabir: Used Bluetooth to propagate a Symbian OS proof-of-concept worm

Companies may not really care if an employee's wireless headset or keyboard gets BlueSmacked or BlueStabbed. But they should care if an executive's PDA gets BlueSnarfed or BlueSpooofed. They should care if Bluetooth is used to infect employee laptops or rack up company telephone charges. And they should care whenever any unauthorized link is used to circumvent corporate security policies – for example, using Bluetooth to exchange unsecured data between peers in an office where Wi-Fi Ad Hoc is forbidden and 802.11i security is required on the corporate WLAN.

What you can do about it

Bluetooth standards define optional security measures that can authenticate paired devices and encrypt the data exchanged between them. Companies should require that all Bluetooth-capable devices carried by employees employ such measures, in accordance with corporate security policies. For example, you might require encryption for all file transfers conducted over Bluetooth. Or you may require PIN-based authentication for all Bluetooth connections, no matter what service is used. You may also want to educate employees about safe Bluetooth practices, including how to avoid unsolicited service discovery and improper pairing.

Security capabilities do vary across Bluetooth products. Employees may own devices that are missing security patches or cannot comply with company-defined policies. In that case, you must decide how to deal with out-of-spec Bluetooth devices. Do you confiscate them? Instruct the device owner to disable Bluetooth at your office? Forbid employees from carrying corporate data on vulnerable devices? You'll need to answer such questions to enforce your company's Bluetooth security policy.

Enforcing those decisions

Periodically scan your offices to find legitimate-but-misconfigured Bluetooth devices and unknown Bluetooth rogues. In a small office, this might be done by walking around with an off-the-shelf Bluetooth adapter, operating in discovery mode. But spotting more than a few devices this way would be tedious and error-prone. A more rigorous and systematic approach is to use a portable Bluetooth scanner like Network Chemistry BlueScanner, AirMagnet BlueSweep, or AirDefense BlueWatch.

For example, BlueScanner and BlueSweep are free tools that run on Windows XP SP2. To use either, you'll need a Bluetooth adapter, running Microsoft's Bluetooth driver. These tools actively poll for other Bluetooth devices and query the services that each supports. Reported details may include the discovered device's name and address, manufacturer, type, class, advertised services (e.g., serial port, dialup networking, file transfer, fax, headset), and active connections with other Bluetooth devices.

Distance varies by adapter, and you'll only discover active Bluetooth devices, within range, that respond to polling (i.e., you won't find disabled devices, or devices with discovery turned off). Sampling a large office this way is labor intensive, so decide what you're really trying to accomplish and devote effort accordingly. To find "hidden" Bluetooth devices (i.e., those that won't respond to polls), you'll need to invest in a spectrum analyzer (e.g., BVS Mantis Bluetooth) or a Bluetooth traffic analyzer (e.g., Frontline Bluetooth Protocol Analyzer). For full-time distributed Bluetooth monitoring, consider a Wireless IDS with Bluetooth-capable sensors (e.g., Red-Alert Pro).
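One way to turn a discovery sweep into enforcement work, shown as an added example that is not part of the original tip or of any tool named above: it decodes each device's Bluetooth class, compares addresses against an approved inventory, and flags unknown devices, unknown access points, and approved devices advertising services the policy forbids. The CSV column layout, the addresses, the approved list, and the forbidden-service policy are all constructed assumptions.

```python
import csv
import io

# Bluetooth Class of Device (CoD): bits 8-12 hold the major device class,
# bits 13-23 hold the major service class flags.
MAJOR_CLASS = {0: "Miscellaneous", 1: "Computer", 2: "Phone",
               3: "LAN/Network Access Point", 4: "Audio/Video",
               5: "Peripheral", 6: "Imaging"}
SERVICE_FLAGS = {17: "Networking", 18: "Rendering", 19: "Capturing",
                 20: "Object Transfer", 21: "Audio", 22: "Telephony"}

# Constructed sample sweep; the columns are an assumption, not a tool's export format.
SAMPLE_SWEEP = """address,name,cod,services
00:11:22:33:44:01,exec-pda,0x5A020C,file transfer;dialup networking
00:11:22:33:44:02,frontdesk-headset,0x240404,headset
00:11:22:33:44:03,unnamed,0x020300,lan access
00:11:22:33:44:04,visitor-laptop,0x12010C,serial port
"""
APPROVED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}   # hypothetical inventory
FORBIDDEN = {"file transfer", "dialup networking"}      # hypothetical policy


def decode_cod(cod):
    """Return (major device class name, service flag names in bit order)."""
    major = MAJOR_CLASS.get((cod >> 8) & 0x1F, "Other")
    flags = [name for bit, name in sorted(SERVICE_FLAGS.items()) if cod & (1 << bit)]
    return major, flags


def triage(sweep_csv, approved, forbidden):
    """Return (address, finding, detail) for every device that needs follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(sweep_csv)):
        addr = row["address"].strip().upper()
        major, flags = decode_cod(int(row["cod"], 16))
        services = {s.strip().lower() for s in row["services"].split(";") if s.strip()}
        if addr not in approved:
            # Unknown access points are reported separately from other unknowns.
            kind = "rogue-ap" if major == "LAN/Network Access Point" else "unknown"
            findings.append((addr, kind, f"{major}; CoD flags: {', '.join(flags)}"))
        elif services & forbidden:
            findings.append((addr, "policy", ", ".join(sorted(services & forbidden))))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SWEEP, APPROVED, FORBIDDEN):
        print(*finding, sep=" | ")
```

Like the polling tools it post-processes, this only covers devices that answered discovery; hidden devices never appear in the sweep.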

Conclusion

Bluetooth has been flying under IT security radar for quite some time. Given increasing deployment and broader usage, Bluetooth really deserves more attention. Scanning your office for Bluetooth devices and exposed services may yield surprising results. But assessing those vulnerabilities can help you take steps to reduce Bluetooth risk.

To learn more about Bluetooth security standards, attacks, and vulnerability testing, visit http://www.bluetooth.org or http://trifinite.org.


About the author

Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.

This was first published in December 2005
