[With an estimated 250 million Bluetooth-enabled devices currently in use, Bluetooth has become the target for hacking attacks. The last few months have seen the arrival of a mobile phone virus spread by Bluetooth, and the use of Bluesnarfing to get data off Bluetooth mobile phones. There are plenty of things you can do to reduce the risks of Bluetooth (see our own guide to safe Bluetoothing, and AirDefense's White Paper on the subject), but some - including Infoworld's Ephraim Schwartz -think it is time to is it time to call Bluetooth into question. - Editor]
The fact that Bluetooth is about as secure as the proverbial wide-open barn door should be of concern to everyone responsible for the safekeeping of corporate data. There is a Bluetooth security spec, but it's an option most manufacturers choose not to enable. Unless the manufacturer states somewhere on the box that security is enabled in its product, you have no way of knowing.
It would require much more work on both the manufacturer's and user's part to ensure that the Bluetooth device can share data only with your PC. Indeed, manufacturers often open everything up so it is discoverable by any device, a condition known as "promiscuous mode."
A device that authenticates to a Bluetooth cellphone can read any data that's on the handset, according to Richard Rushing, chief security officer at AirDefense, a company that provides Bluetooth-monitoring solution BlueWatch.
Even with security enabled, there are a number of problem areas. The security protocol, when invoked, sets up a key exchange in which the keys are transmitted through the air, making them vulnerable to interception.
Each device also has a Bluetooth pass code (also called a pairing number). But in many embedded devices, such as GPS receivers, that number is only four digits long and is hard-coded into the device. A headset or keyboard manufacturer's security code will be the same for all of that company's products, according to Trevor Fiatal, chief security officer of mobile solutions vendor Seven.
And perhaps this is why Martin Reynolds, a Gartner fellow, felt it necessary in February, to send out an alert warning enterprises to "disable Bluetooth unless there is compelling reason to activate it." (visit Gartner and search for "disable Bluetooth").
Because Bluetooth seems like such an innocuous technology - common wisdom says it can only travel about 10 feet - most IT managers have been ignoring it. But a Class 1 Bluetooth device, such as the USB Bluetooth dongle you might install on the back of your PC or notebook (this one, for example) has a range of 300 feet - about the same as Wi-Fi.
The threat scenarios are as varied as you can imagine. An attacker sitting within range of your Bluetooth keyboard might transmit a low-level jamming signal to break the connection, forcing you to reassociate the keyboard with your PC. When the security keys are transferred across the air and the hacker has intercepted the exchange, it would be trivial to record every keystroke sent from the keyboard to the PC.
In a wired environment you have two significant defenses. There's the physical barrier: The intruder must get inside the building. And then there's the logical barrier: your firewall. But a Bluetooth device can be accessed outside the building walls, and the potential for signal-bleeding means your firewall can't reliably protect your data.
The medium is also unobstructed. Therefore, a Bluetooth headset linked to a Bluetooth phone gives a hacker the ability to see everything being sent between the two devices. AirDefense's Rushing says it would be hard to establish a "no Bluetooth" policy; it's too late for that.
The bottom line: If handset manufacturers want to play in high tech, they'd better get their act together. Hard-coding authentication and pairing codes into a device just won't cut it. The very nature of high tech is built on modification and upgradeability - not a recall of, say, 100 million defective handsets.
What do you think? Is Schwartz right? Should we be scared of Bluetooth? Join our Forum and tell us what you think.