What’s Happening: Hackers are using Bluetooth to attack mobile devices such as PDAs and handsets. One example is Bluejacking, which exploits a Bluetooth device’s ability to “discover” other nearby devices in order to send unsolicited messages. Another is Bluesnarfing, which uses the same ability to access information stored on the device – such as a contact list – without the user’s knowledge.
Our Conclusions: Enterprises should view Bluejacking and Bluesnarfing as shots across their bow. It’s foolish to dismiss them as minor security flaws, which ignores what they really are: back doors to the enterprise. We believe that the next wave of attacks will focus on corporate LANs by targeting Bluetooth PDAs and smartphones that are synced with PCs behind the firewall. The damage could include spreading a virus that infects other PCs on the LAN, or gaining access to proprietary information stored on network servers.
Action: Enterprises should recognize that because Bluetooth comes in all shapes and sizes, the security risks extend far beyond PDAs and smartphones. For example, some laptops ship with Bluetooth, potentially creating a back door into the enterprise when the laptop is connected to the LAN via Ethernet or Wi-Fi.
CIOs and IT managers shouldn’t overlook how easy and inexpensive it is for employees to purchase accessories such as dongles in order to add Bluetooth functionality to a wide range of company-approved devices, including handsets, laptops and PDAs. These add-ons are similar to rogue access points in Wi-Fi in the sense that they quietly create vulnerabilities in a network that appears to be secure.
CIOs and IT managers are strongly urged to take the following minimum precautions against Bluetooth-enabled attacks:
1. Immediately identify any company Bluetooth devices with known vulnerability. At least 16 handset models are known to be vulnerable to Bluetooth attacks. Enterprises should compare this list to their inventory of company-provided devices, as well as issue an alert to employees who were reimbursed for purchasing their own devices. Finally, check with your device suppliers about emerging Bluetooth vulnerabilities that haven’t yet been publicized. By the time you read about it in an IT trade magazine or on the Internet, it may be too late.
2. Strengthen company IT policies to address Bluetooth. Bluetooth PDAs sell for as little as $100, increasing the chances that employees will buy them on their own and bring them to work. Enterprises should treat unauthorized Bluetooth PDAs, handsets and accessories like rogue access points: An employee who opens a back door should be kicked out the front door.
3. Educate employees. Bluesnarfing and Bluejacking exploit naïveté as much as they exploit Bluetooth’s security flaws. Enterprises are well advised to create comprehensive guidelines – in plain English – that identify the risks and penalties for using Bluetooth devices, even those that are company-approved. For example, employees must understand that devices can be vulnerable even when not in “discoverable” or “visible” mode because some attacks can override that setting.
4. Consider tools for identifying and mitigating security risks. One example is Trust Digital’s Trust Enterprise Secure, which scans the network for attached devices, including PDAs. Another is Bluefire Security Technologies’ Mobile Firewall Plus, which lets IT managers remotely disable Bluetooth in company devices. The latter may be necessary because although security risks can be reduced by shutting off the discoverable mode in Bluetooth, some attacks can bypass those features.
5. Look for products with one-touch control over Bluetooth. Many PDAs feature a switch that lets users turn wireless – including Bluetooth and Wi-Fi – on and off rather than wading through menus or the system tray. If wireless can be shut off with just the flick of a switch, employees are more likely to comply with company security policies. Company policy should require that Bluetooth be shut off when not in use, and if the device’s design makes compliance difficult or impossible, it should be barred from the enterprise. Like WEP in Wi-Fi, even when basic security measures aren’t iron-clad, they’re still better than no security at all.
Discussion: Bluetooth attacks pre-date mobile viruses, which began appearing in mid-June, but they haven’t attracted the attention they deserve. We believe that Bluetooth attacks eventually will rival mobile viruses in frequency and damage. One reason is that as Bluetooth chipset prices fall, the technology will become standard in mid-range and low-end devices – the types that employees won’t hesitate to buy on their own and bring to work. But there’s no grace period: Bluetooth already is common in the high-end PDAs and smartphones aimed at business users, effectively seeding the market for Bluetooth attacks on the enterprise.
Enterprises are well advised to recognize that Bluetooth attacks are not limited in range. In at least one test using high-gain antennas, a file was transferred between two Bluetooth devices more than 1 km apart. Enterprises should recognize that the financial impact of Bluetooth attacks isn’t limited to lost productivity and resources spent fixing the problem. For example, Bluesnarfing can be used to hijack a smartphone into accessing SMS services that are then billed to the user’s account.