While Wi-Fi security has been grabbing headlines, Bluetooth has been creeping quietly into corporate networks. Today, Bluetooth interfaces are common on many office devices, including laptops, PDAs, cellphones, and headsets. Bluetooth can also be found in printers, keyboards, cameras, broadband routers, and access points. According to AirDefense, Bluetooth-capable devices will top one billion by 2006. In fact, unsecured Bluetooth interfaces may already be putting your business assets at risk today.
Why you should care

Bluetooth is a cable replacement technology, designed to connect paired devices within 10 meters of each other. Given limited range and application, many incorrectly discount Bluetooth as a serious business threat. But new Bluetooth devices can reach up to 100 meters, using internal antennas. Most are promiscuous by default, responding to pages, service discovery probes, and connect requests from anyone. And many harbor security programming flaws associated with the Bluetooth Object Exchange (OBEX) protocol. This has fostered development of new attacks that exploit Bluetooth, such as:

|Name|Description|
|---|---|
|BlueBug|Issuing AT commands to place calls using another Bluetooth device|
|BlueDump|Watching Bluetooth pairing, using that info to crack a Bluetooth PIN|
|BlueJacking|Adding a new contact to a Bluetooth device's phonebook|
|BlueRogue|Using unauthorized Bluetooth devices, especially Access Points|
|BlueSmack|Sending an L2CAP ping-of-death to crash a Bluetooth device|
|BlueSnarfing|Grabbing contact and calendar lists from Bluetooth PDAs and phones|
|BlueSniffing|Scanning an address range to find nearby Bluetooth devices|
|BlueSpooof|Masquerading as another Bluetooth device by using its BT address|
|BlueStab|Using bad names to crash devices engaged in Bluetooth discovery|
|Bluetooone|Using external 2.4 GHz antenna to extend Bluetooth attack range|
|Cabir|Used Bluetooth to propagate a Symbian OS proof-of-concept worm|

Companies may not really care if an employee's wireless headset or keyboard gets BlueSmacked or BlueStabbed. But they should care if an executive's PDA gets BlueSnarfed or BlueSpooofed. They should care if Bluetooth is used to infect employee laptops or rack up company telephone charges. And they should care whenever any unauthorized link is used to circumvent corporate security policies – for example, using Bluetooth to exchange unsecured data between peers in an office where Wi-Fi Ad Hoc is forbidden and 802.11i security is required on the corporate WLAN.
What you can do about it

Bluetooth standards define optional security measures that can authenticate paired devices and encrypt the data exchanged between them. Companies should require that all Bluetooth-capable devices carried by employees employ such measures, in accordance with corporate security policies. For example, you might require encryption for all file transfers conducted over Bluetooth. Or you may require PIN-based authentication for all Bluetooth connections, no matter what service is used. You may also want to educate employees about safe Bluetooth practices, including how to avoid unsolicited service discovery and improper pairing.
Security capabilities do vary across Bluetooth products. Employees may own devices that are missing security patches or cannot comply with company-defined policies. In that case, you must decide how to deal with out-of-spec Bluetooth devices. Do you confiscate them? Instruct the device owner to disable Bluetooth at your office? Forbid employees from carrying corporate data on vulnerable devices? You'll need to answer such questions to enforce your company's Bluetooth security policy.
Enforcing those decisions

Periodically scan your offices to find legitimate-but-misconfigured Bluetooth devices and unknown Bluetooth rogues. In a small office, this might be done by walking around with an off-the-shelf Bluetooth adapter, operating in discovery mode. But spotting more than a few devices this way would be tedious and error-prone. A more rigorous and systematic approach is to use a portable Bluetooth scanner like Network Chemistry BlueScanner, AirMagnet BlueSweep, or AirDefense BlueWatch.
For example, BlueScanner and BlueSweep are free tools that run on Windows XP SP2. To use either, you'll need a Bluetooth adapter, running Microsoft's Bluetooth driver. These tools actively poll for other Bluetooth devices and query the services that each supports. Reported details may include the discovered device's name and address, manufacturer, type, class, advertised services (e.g., serial port, dialup networking, file transfer, fax, headset), and active connections with other Bluetooth devices.
Distance varies by adapter, and you'll only discover active Bluetooth devices, within range, that respond to polling (i.e., you won't find disabled devices, or devices with discovery turned off). Sampling a large office this way is labor intensive, so decide what you're really trying to accomplish and devote effort accordingly. To find "hidden" Bluetooth devices (i.e., those that won't respond to polls), you'll need to invest in a spectrum analyzer (e.g., BVS Mantis Bluetooth) or a Bluetooth traffic analyzer (e.g., Frontline Bluetooth Protocol Analyzer). For full-time distributed Bluetooth monitoring, consider a Wireless IDS with Bluetooth-capable sensors (e.g., Red-Alert Pro).
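Once a scan has produced a device list, the triage described above (known-but-misconfigured devices versus unknown rogues) can be automated. The following is an added example, not code from this article or from any of the tools it names; the record layout, addresses, names and policy entries are constructed assumptions, and only the Class of Device decoding follows the Bluetooth specification.

```python
# Added example: triage of Bluetooth scan results against an approved inventory.
# All records, addresses, names and policy values are constructed for illustration.

# Major Device Class values carried in bits 8-12 of the 24-bit Class of Device (CoD).
MAJOR_CLASS = {0: "Miscellaneous", 1: "Computer", 2: "Phone",
               3: "LAN/Network Access Point", 4: "Audio/Video",
               5: "Peripheral", 6: "Imaging", 0x1F: "Uncategorized"}

# Hypothetical policy: approved device addresses and the services each may advertise.
APPROVED = {
    "00:11:22:AA:BB:01": {"headset"},
    "00:11:22:AA:BB:02": {"serial port"},
}

# Constructed scan export: (address, name, CoD, advertised services)
SCAN = [
    ("00:11:22:AA:BB:01", "Desk headset", 0x200404, ["headset"]),
    ("00:11:22:aa:bb:02", "Exec PDA", 0x100114, ["serial port", "file transfer"]),
    ("00:11:22:CC:DD:03", "BT-AP", 0x020300, ["dialup networking"]),
    ("00:11:22:CC:DD:04", "", 0x5A020C, ["file transfer", "dialup networking"]),
]

def major_class(cod):
    """Decode the major device class (bits 8-12) of a 24-bit CoD value."""
    return MAJOR_CLASS.get((cod >> 8) & 0x1F, "Other")

def triage(scan, approved):
    """Return one finding per device: ok, misconfigured, rogue or rogue-ap."""
    findings = []
    for addr, name, cod, services in scan:
        addr = addr.upper()                      # normalise address case
        kind = major_class(cod)
        advertised = {s.lower() for s in services}
        if addr not in approved:
            # Unknown device; access points get their own status for priority.
            status = "rogue-ap" if kind == "LAN/Network Access Point" else "rogue"
            detail = sorted(advertised)
        else:
            # Known device: report only services the policy does not allow.
            extra = advertised - approved[addr]
            status = "misconfigured" if extra else "ok"
            detail = sorted(extra)
        findings.append({"address": addr, "name": name or "(no name)",
                         "class": kind, "status": status, "detail": detail})
    return findings

if __name__ == "__main__":
    for f in triage(SCAN, APPROVED):
        print(f"{f['status']:<14}{f['address']}  {f['class']:<26}{f['name']}  {f['detail']}")
```

As the paragraph above notes, a list like this only covers devices that answered polling, so an "ok" result says nothing about hidden devices.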
Conclusion

Bluetooth has been flying under IT security radar for quite some time. Given increasing deployment and broader usage, Bluetooth really deserves more attention. Scanning your office for Bluetooth devices and exposed services may yield surprising results. But assessing those vulnerabilities can help you take steps to reduce Bluetooth risk.
This was first published in December 2005