Unfortunately, like many other wireless technologies, Bluetooth has been plagued by security threats, from inherent limitations and implementation vulnerabilities to weak configurations and risky end-user practices. Assessing the product security and adopting appropriate configuration and usage policies can help protect business assets and data from these Bluetooth dangers.
Making the best of Bluetooth security
Bluetooth specifications include basic link security measures. By default, most Bluetooth devices operate in unprotected "non-secure" mode. Two additional modes are defined: mode 3 secures the entire wireless link, while mode 2 leaves security up to each authorized application. For best results, use mode 3 to enforce link authentication and encryption for all Bluetooth traffic, and discourage or ban business use of devices that support only mode 1.
When link security is enabled, Bluetooth devices must complete an initial "bonding" exchange to derive pairwise link authentication and encryption keys. The user must give both devices the same PIN code, which is then mixed with a factory-defined unit key. But this pairing process can be compromised by use of weak or predictable PIN codes. To reduce risk, devices should be paired in a private location, using a long, random PIN code. Avoid default PIN codes, easily guessed PIN codes ("0000") and devices that do not support configurable PIN codes.
After bonding, paired Bluetooth devices associate to each other whenever they want to exchange data. As each connection is established, devices exchange challenge-response messages to demonstrate possession of the link key created during bonding. However, this authentication exchange is vulnerable to key-guessing, where a device repeatedly tries to authenticate by trial and error. Active attacks are discouraged by increasing the interval between attempts, but the Bluetooth specification does not enforce a maximum number of attempts. One-way authentication is also vulnerable to a man-in-the-middle attack. To reduce risk, always require authentication on both devices. Where possible, configure Bluetooth products so that users must accept incoming connection requests.
Depending on the negotiated encryption mode, an 8- to 128-bit encryption key can be used to scramble data sent over the link. For best results, avoid encryption mode 1 (no encryption), choosing either mode 2 (encrypt unicast but not broadcast traffic) or better yet mode 3 (encrypt all traffic). Because data that has been encrypted with a too-short key can be analyzed to decrypt captured traffic, both devices should be configured to require 128-bit encryption keys.
Further steps to make best use of these built-in Bluetooth measures include:
- Turn off Bluetooth interfaces when not in use, and disable Bluetooth's discovery feature, whereby each device announces itself to all nearby devices. These common-sense practices reduce the window of opportunity for Bluetooth attacks.
- Configure Bluetooth devices to use the lowest power that meets business needs. Class 3 devices transmit at 1 mW and cannot communicate beyond 10 meters, while class 1 devices transmit at 100 mW to reach up to 100 meters. Adjusting power does not eliminate outsider attack, but it can reduce that possibility.
- Because link keys are stored on paired Bluetooth devices, password protect both devices to prevent use of lost/stolen units. If possible, do not permanently store the pairing PIN code on Bluetooth devices.
Keeping an eye on Bluetooth
Numerous hacks have been created to use Bluetooth as a vector for attack -- particularly against phones and PDAs that use Bluetooth to pair with hands-free headsets. Many take advantage of programming flaws and poor implementation choices associated with the Bluetooth Object Exchange (OBEX) protocol. For example:
- BlueBug lets an attacker make calls on another Bluetooth phone.
- BlueDump cracks PIN codes by watching Bluetooth devices bond (pair).
- BlueJack lets an attacker add contacts to a Bluetooth device's phonebook.
- BlueSmack crashes a Bluetooth device by sending a "ping-of-death" message.
- BlueSnarf lets an attacker retrieve contact and calendar data from Bluetooth devices.
- BlueStab uses badly formatted names to crash a device during Bluetooth discovery.
To defend against such attacks, combine the good configuration choices and practices described above with Bluetooth product assessment, patching and security auditing.
Audit the airwaves inside your facility to locate all Bluetooth capable devices. For example, walk the halls with a portable Bluetooth scanner like AirDefense Inc.'s BlueWatch, AirMagnet Inc.'s BlueSweep, Berkeley Varitronics Systems Inc.'s Mantis Bluetooth, or Network Chemistry Inc.'s RFprotect BlueScanner. Bear in mind that you'll need to be within 10 meters to detect class 3 devices, and those that have discovery disabled will be harder to spot. Alternatively, enterprises with full-time Wi-Fi intrusion detection (IDS) or intrusion prevention systems (IPS) may detect Bluetooth as a non-descript source of Wi-Fi interference or by fingerprinting individual Bluetooth devices (e.g., Red-M Group Ltd.'s Red-Mobile, AirMagnet Spectrum Analyzer).
Inventory all discovered devices with Bluetooth interfaces, including hardware model, OS, and version. Then search Bluetooth vulnerability and exposure databases (e.g., Trifinite, WVE) to determine whether those devices harbor known issues. For example, Nokia Corp. and Sony Ericsson Mobile Communications AB have issued updates for Bluetooth-capable phones that are vulnerable to Bluesnarfing and BlueBugging. Apply available patches to correct those bugs and retire older devices for which critical patches are unavailable.
Finally, define security policies for all Bluetooth-capable devices that impact your business. This frequently includes handheld devices owned by employees. Here, user education can go a long way toward promoting safer use. Once they learn the potential impact on personal and corporate data, employees are more likely to voluntarily comply with defined policies. They may even welcome configuration assistance, so long as Bluetooth security does not inhibit authorized use. However, where security is truly important, compliance for Bluetooth and other security measures should be enforced through a centrally-administered device management system (e.g., Credant Technologies Inc.'s Mobile Guardian). After all, link security is part of a much bigger picture -- multi-layered defenses must work together to safeguard Bluetooth devices and their data.
About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Before joining Core Competence, Lisa was a member of technical staff at Bell Communications Research where she won a president's award for her work on ATM network management.
SECURITY SCHOOL MENU
Messaging Security School: Home
Essential Practices for Securing Mobile Devices Lesson: Home
Essential Practices for Securing Mobile Devices: Webcast
Essential Practices for Securing Mobile Devices: Podcast
This was first published in November 2006