In any wireless networking setup, security is
a concern. Devices can easily grab radio waves
out of the air, so people who send sensitive information
over a wireless connection need to take precautions
to make sure those signals aren't intercepted.
Bluetooth technology is no different -- it's wireless
and therefore susceptible to spying and remote
access, just like WiFi is susceptible if the network
isn't secure. With Bluetooth, though, the automatic
nature of the connection, which is a huge benefit
in terms of time and effort, is also a benefit
to people looking to send you data without your
permission.
Bluetooth offers several security modes, and device
manufacturers determine which mode to include
in a Bluetooth-enabled gadget. In almost all cases,
Bluetooth users can establish "trusted devices"
that can exchange data without asking permission.
When any other device tries to establish a connection
to the user's gadget, the user has to decide to
allow it. Service-level security and device-level
security work together to protect Bluetooth devices
from unauthorized data transmission. Security
methods include authorization and identification
procedures that limit the use of Bluetooth services
to the registered user and require that users
make a conscious decision to open a file or accept
a data transfer. As long as these measures are
enabled on the user's phone or other device, unauthorized
access is unlikely. A user can also simply switch
his Bluetooth mode to "non-discoverable"
and avoid connecting with other Bluetooth devices
entirely. If a user makes use of the Bluetooth
network primarily for synching devices at home,
this might be a good way to avoid any chance of
a security breach while in public.
Still, early cell-phone virus writers have taken
advantage of Bluetooth's automated connection
process to send out infected files. However, since
most cell phones use a secure Bluetooth connection
that requires authorization and authentication
before accepting data from an unknown device,
the infected file typically doesn't get very far.
When the virus arrives in the user's cell phone,
the user has to agree to open it and then agree
to install it. This has, so far, stopped most
cell-phone viruses from doing much damage.
Other problems like "bluejacking," "bluebugging"
and "Car Whisperer" have turned up as
Bluetooth-specific security issues. Bluejacking
involves Bluetooth users sending a business card
(just a text message, really) to other Bluetooth
users within a 10-meter (32-foot) radius. If the
user doesn't realize what the message is, he might
allow the contact to be added to his address book,
and the contact can send him messages that might
be automatically opened because they're coming
from a known contact.
Bluebugging is more of a problem,
because it allows hackers to remotely access a
user's phone and use its features, including placing
calls and sending text messages, and the user
doesn't realize it's happening. The Car
Whisperer is a piece of software that allows
hackers to send audio to and receive audio from
a Bluetooth-enabled car stereo. Like a computer
security hole, these vulnerabilities are an inevitable
result of technological innovation, and device
manufacturers are releasing firmware upgrades
that address new problems as they arise.
What is bluejacking?
Bluejacking allows phone users to send business
cards anonymously using Bluetooth wireless technology.
Bluejacking does NOT involve the removal or alteration
of any data from the device. These business cards
often have a clever or flirtatious message rather
than the typical name and phone number. Bluejackers
often look for the receiving phone to ping or
the user to react. They then send another, more
personal message to that device. Once again, in
order to carry out a bluejacking, the sending
and receiving devices must be within 10 meters
of one another. Phone owners who receive bluejack
messages should refuse to add the contacts to
their address book. Devices that are set in non-discoverable
mode are not susceptible to bluejacking.
What is bluebugging?
Bluebugging allows skilled individuals to access
the mobile phone commands using Bluetooth wireless
technology without notifying or alerting the phone’s
user. This vulnerability allows the hacker to
initiate phone calls, send and receive text messages,
read and write phonebook contacts, eavesdrop on
phone conversations, and connect to the Internet.
As with all the attacks, without specialized equipment,
the hacker must be within a 10-meter range of
the phone. This is a separate vulnerability from
bluesnarfing and does not affect all of the same
phones as bluesnarfing.
What is Car Whisperer?
The Car Whisperer is a software tool developed
by security researchers to connect to and send
or receive audio to and from Bluetooth car-kits
with a specific implementation. An individual
using the tool could potentially remotely connect
to and communicate with a car from an unauthorized
remote device, sending audio to the speakers and
receiving audio from the microphone in the remote
device. Without specialized equipment, someone
using the tool must be within a 10-meter range
of the targeted car while running a laptop with
the Car Whisperer tool. The security researchers’
goal was to highlight an implementation weakness
in a select number of Bluetooth enabled car-kits
and pressure manufacturers to better secure Bluetooth
enabled devices.
Protecting your Bluetooth Devices
While Bluetooth wireless technology is fundamentally
secure, keeping Bluetooth enabled devices secure
is a team effort. The Bluetooth SIG, manufacturers,
and you, the user, each have a role in ensuring
the security of your Bluetooth enabled devices. As a user of
Bluetooth enabled devices, you should understand
the basics of securely using a PDA, phone, etc.
that can connect wirelessly to other consumer
electronics.
Bluetooth wireless technology has, from its inception,
put great emphasis on wireless security so that users
of this global standard can feel secure while
making their connections. The Bluetooth Special
Interest Group (SIG), made up of over 4000 member
manufacturers, has a Bluetooth security experts
group made up of engineers from its member companies,
who provide critical security information and
feedback that is taken into account as the Bluetooth
wireless specification evolves.
Downloading
Do not accept files transmitted via Bluetooth
wireless technology or any other technology from
unknown or suspicious entities. Mobile devices
are quickly gaining processing power and connectivity
similar to those of personal computers, so you
should treat your mobile devices the way
you treat your computer. Do not download or install
unknown or suspicious software. If you cannot
trust where a file or program came from, do not
download or install it. If your device gives a
security warning during installation of recently
downloaded software, carefully consider if you
want to continue installation.
Visibility
Some Bluetooth enabled devices allow you to choose
whether or not your device is visible to other
devices. Do you have a phone vulnerable to bluesnarfing
or bluebugging? Does bluejacking annoy you? Are
you just generally concerned about whether your
device can be seen? If so, you can put your device
into a non-discoverable state (most devices have
this option) so that you are invisible to other
Bluetooth enabled devices. This will have no impact
on device functionality of paired devices and
you can continue to enjoy the benefits of Bluetooth
wireless technology. However, in order to receive
business contacts wirelessly via Bluetooth technology,
you will need to place your phone in discoverable
mode.
Keep the Bugs Out
Smart phone and PDA users are advised to install
appropriate anti-virus software, much in the same
way they would on their computers, and keep the
anti-virus software updated. Many believe that
mobile devices like smart phones and PDAs are
the next frontier for viruses, worms and trojan
horses. Security firms like F-Secure, McAfee and
Symantec offer anti-virus software for smart phones
and PDAs.
Stay Up to Date
Similar to the security updates for your computer's
operating system that you download, you should
look out for security patches from your phone's
manufacturer and take advantage of these fixes
to minimize your phone's vulnerability. Manufacturers
have released software updates for phones vulnerable
to the bluesnarf and bluebug attacks. For information
on how to obtain these fixes for your device, contact
the manufacturer of your phone.
Pairing
Typically, when you have two Bluetooth enabled
personal devices, you establish a secure connection
between the two devices. This is referred to as
'pairing.' Pairing allows you full access on one
device to the shared services on the other device.
Do not pair with unknown devices - that will give
the unknown device access to all your services.
You may be required to enter a PIN code in
the pairing process. If you have the option, you
should choose a PIN code of at least eight alphanumeric
characters and pair the devices in a private setting.
If you are asked in a message to enter a PIN
code, but are not sure what device sent the message,
do not enter the PIN code. It could be
a disguised pairing request sent from an unknown,
malicious device. If your devices become unpaired
while you are in public, wait until you are in
a private, secure location before re-pairing your
devices if possible.
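An added example, not part of the original article: on a Linux computer running BlueZ (an assumption; the article names no platform), the Visibility and Pairing advice above can be checked by parsing the text printed by "bluetoothctl show" and "bluetoothctl info". The sample output, the concatenation of several info results, and the KNOWN_DEVICES inventory are constructed for illustration.

```python
import re

# Constructed sample of `bluetoothctl show` output (not captured from a real host).
SAMPLE_SHOW = """\
Controller 00:11:22:33:44:55 (public)
\tName: laptop
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
"""

# Constructed sample: `bluetoothctl info <addr>` output for three devices, concatenated.
SAMPLE_INFO = """\
Device AA:BB:CC:00:00:01 (public)
\tName: My Headset
\tPaired: yes
Device AA:BB:CC:00:00:02 (public)
\tName: Unknown Phone
\tPaired: yes
Device AA:BB:CC:00:00:03 (public)
\tName: Old Speaker
\tPaired: no
"""

KNOWN_DEVICES = {"AA:BB:CC:00:00:01"}  # hypothetical inventory of devices you own

def parse_blocks(text, kind):
    """Split bluetoothctl output into {address: {field: value}} per Controller/Device."""
    blocks, current = {}, None
    for line in text.splitlines():
        head = re.match(rf"{kind} ([0-9A-F:]{{17}})", line)
        if head:
            current = blocks.setdefault(head.group(1), {})
        elif current is not None and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return blocks

def audit(show_text, info_text, known):
    """Flag a discoverable adapter and any paired device missing from the inventory."""
    findings = []
    for addr, f in parse_blocks(show_text, "Controller").items():
        if f.get("Discoverable") == "yes":
            # BlueZ reports the timeout in hex seconds; 0 means it never expires.
            timeout = int(f.get("DiscoverableTimeout", "0x0"), 16)
            detail = "no timeout" if timeout == 0 else f"{timeout}s timeout"
            findings.append(("discoverable", addr, detail))
    for addr, f in parse_blocks(info_text, "Device").items():
        if f.get("Paired") == "yes" and addr not in known:
            findings.append(("unknown-paired", addr, f.get("Name", "?")))
    return findings
```

Calling audit(SAMPLE_SHOW, SAMPLE_INFO, KNOWN_DEVICES) reports the permanently discoverable adapter and the one paired device that is not in the inventory; each such device is a candidate for removal from the paired list.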
Managing your Bluetooth Devices
If one of your Bluetooth enabled devices is lost
or stolen, you should unpair that device with
all the devices to which it was previously paired.
To do that, you will have to delete the lost device
from the list of paired devices on your remaining
Bluetooth enabled electronics, computers, and
handhelds. If you fail to accomplish this, the
lost or stolen device will still be able to access
all the services of paired devices within range