Personal productivity devices continue to spread unabated, and with them the number of Bluetooth-enabled devices. Like any popular technology, Bluetooth has become a target of opportunity for attackers. A single business might have hundreds or thousands of Bluetooth-enabled cell phones, smartphones, PDAs, keyboards, and mice in the workplace, and this growing population of wireless devices increases the potential for compromise of information assets.
How Bluetooth works
Bluetooth is a short-range wireless networking technology whose physical and MAC layers were standardized by the IEEE as 802.15.1. It operates in the 2.4 GHz ISM band and uses frequency hopping (1600 hops per second across 79 channels) to reduce interference. Throughput depends on the Bluetooth version the device manufacturer implemented: Basic Rate links have a maximum signaling rate of 1 Mbps, and Enhanced Data Rate (Bluetooth 2.0 and later) raises it to 3 Mbps. Actual data rates fall well below these ceilings.
Initially developed in 1994 by Ericsson, Bluetooth has become the technology of choice for creating small personal networks without the need for cables. See Figure A.
Figure A: Small personal network
Bluetooth personal area networks, also known as piconets, consist of one master and up to seven active slave devices. A Bluetooth piconet is depicted in Figure B. Up to 255 additional slaves can remain associated with the master in park mode, in which they keep piconet synchronization but give up their active member address until the master reactivates them.
Figure B: A Bluetooth piconet
Within a piconet, all slaves share one physical channel defined by the master's clock and hopping sequence. The channel is divided into 625-microsecond time slots, and packets traveling between the master and a slave are placed into these slots. Slaves never communicate directly with each other; all traffic passes through the master, which polls each slave in turn to see whether it requires service and keeps every device synchronized to its own clock.
A device joins a piconet through one of two procedures. In the inquiry procedure, a device broadcasts inquiry packets to find other Bluetooth devices in range; any device that is in discoverable mode responds with its device address and Class of Device. The inquiring device can then use the Service Discovery Protocol (SDP) to ask each discovered device which services it offers. How a channel is then established with one or more of the responding devices depends on the security mode in use.
In the paging procedure, a master that already knows a device's address contacts that device directly. If it answers, it is added to the piconet, subject to whatever security measures are configured on one or both devices.
The distance over which two devices can establish a channel depends on their power classes. Table A shows the three classes and the nominal range of each: Class 1 (100 mW maximum output, roughly 100 m), Class 2 (2.5 mW, roughly 10 m), and Class 3 (1 mW, roughly 1 m). Classes 1 and 2 are the most common. Note that these figures describe ordinary radios; an attacker with a Class 1 radio and a directional antenna can reach a Class 2 device from well beyond its nominal 10 m.
Finally, two or more piconets can potentially connect to create a scatternet, as shown in Figure C.
Bluetooth devices easily connect to each other. This was the intent when the specification was developed. Consequently, many device vendors implement Bluetooth in a manner that provides for easy connectivity while exposing the information assets of individuals and organizations to greater risk.
The Bluetooth standard specifies three security modes, as shown in Table 2: Mode 1, non-secure; Mode 2, service-level enforced security; and Mode 3, link-level enforced security. (Bluetooth 2.1 later added Mode 4, Secure Simple Pairing, which is not covered here.)
Devices configured for Mode 1 employ no security mechanisms at all; a Mode 1 connection should never be used to share sensitive information. Mode 2 is the most flexible of the three. Security is enforced at the service level: the physical channel is established first, and business policy then dictates, for each application or service, whether authentication, encryption, and authorization are required.
Not all applications or services have to use the same level of security. For example, a healthcare organization might deploy an application that shares patient information between Bluetooth devices. In such cases authentication, encryption, and authorization measures should all be used. Authentication lets a device verify the identity of the remote device (by having it prove knowledge of the shared link key) and refuse the connection if it fails; encryption protects the data traveling over an established channel. However, these same devices might also exchange public information (e.g. business cards) that does not require secure data transfer.
Applying Bluetooth security measures only where necessary can improve the user experience by avoiding unneeded pairing prompts and encryption overhead. It also lets a device expose only a subset of its services to a given peer: authorization enables a service-providing device to grant a connected device access to some services but not others, according to the service access rules in place.
Mode 3 is the most secure but lacks the flexibility of Mode 2. Security is enforced at the link level: authentication and encryption are negotiated before link setup completes, so every application sees an already authenticated and encrypted link, and all information flowing between the devices is encrypted. Authorization is not applied, because it is assumed that two devices that have established a Mode 3 link should be able to access all data and services each makes available.
Mode 2 and Mode 3 security both rest on pairing, the process in which two devices establish a shared link key. The details of secure Bluetooth pairing are outside the scope of this article, but you can find more information on this topic in NIST SP 800-48.
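The difference between the three modes is easiest to see as an access decision. The following is an added example, not code from the original article or from any Bluetooth stack; the service names (`patient-records`, `business-card-push`), the link-state fields, and the policy table are assumptions made for illustration. The mode semantics follow the description above: Mode 1 checks nothing, Mode 2 checks per-service requirements after the link exists, and Mode 3 refuses at link setup unless the link is authenticated and encrypted, after which no per-service check is made.

```python
"""Model of Bluetooth security modes 1-3 as service access decisions.

Added example, not code from the original article or from any Bluetooth stack.
Service names, the link-state fields, and the policy table are assumptions made
for illustration; the mode semantics follow the article (and NIST SP 800-48).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NON_SECURE = 1      # Mode 1: no security enforced at any layer
    SERVICE_LEVEL = 2   # Mode 2: requirements enforced per service after link setup
    LINK_LEVEL = 3      # Mode 3: authentication + encryption before link setup completes


@dataclass(frozen=True)
class Requirements:
    authentication: bool = False   # remote device must prove knowledge of the link key
    encryption: bool = False       # traffic on the link must be encrypted
    authorization: bool = False    # remote device must be trusted or explicitly approved


@dataclass
class Link:
    remote: str
    authenticated: bool = False
    encrypted: bool = False
    trusted: bool = False          # previously paired and marked trusted by the user
    user_approved: set = field(default_factory=set)  # services approved for this session


# Hypothetical Mode 2 policy for the healthcare example: patient data needs the
# full set of controls, while a vCard push is public information.
POLICY = {
    "patient-records": Requirements(authentication=True, encryption=True, authorization=True),
    "business-card-push": Requirements(),
}


def access_allowed(mode: Mode, service: str, link: Link) -> tuple[bool, str]:
    """Return (allowed, reason) for a request for `service` over `link` under `mode`."""
    if mode is Mode.NON_SECURE:
        return True, "mode 1: no checks"

    if mode is Mode.LINK_LEVEL:
        # Mode 3 never looks at the service: the link had to be authenticated and
        # encrypted before setup finished, or it was never built at all.
        if not (link.authenticated and link.encrypted):
            return False, "mode 3: link not authenticated+encrypted, refused at link setup"
        return True, "mode 3: secured link grants all services"

    # Mode 2: the link already exists; apply the per-service requirements.
    req = POLICY.get(service)
    if req is None:
        return False, f"mode 2: no policy for {service!r}, deny by default"
    if req.authentication and not link.authenticated:
        return False, f"mode 2: {service} requires authentication"
    if req.encryption and not link.encrypted:
        return False, f"mode 2: {service} requires encryption"
    if req.authorization and not (link.trusted or service in link.user_approved):
        return False, f"mode 2: {service} requires authorization (untrusted device, not approved)"
    return True, f"mode 2: {service} requirements satisfied"


if __name__ == "__main__":
    stranger = Link(remote="00:11:22:33:44:55")                      # unpaired device
    clinician = Link(remote="AA:BB:CC:DD:EE:FF", authenticated=True,
                     encrypted=True, trusted=True)
    for mode in Mode:
        for svc in POLICY:
            for link in (stranger, clinician):
                ok, why = access_allowed(mode, svc, link)
                print(f"{mode.name:13} {svc:19} {link.remote}  {'ALLOW' if ok else 'DENY '}  {why}")
```

Running the block prints the full matrix. The case worth noticing is the authenticated but untrusted device under Mode 2: it can push a business card, but `patient-records` stays denied until the user approves it for the session, which is exactly the authorization step Mode 3 does not have.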
Although these security measures are available, many smartphone, cell phone, and other device vendors ship Mode 1 as the default. In addition, a large number of devices are set to discoverable (visible-to-all) mode, so they answer every inquiry they hear. This lets users quickly enjoy the benefits of a piconet without the hassle of security configuration, at the price of advertising the device to everyone in range.
In a June 2006 article entitled "Bluetooth: London 2006", Alexander Gostev described the results of research conducted by Kaspersky Lab on how exposed Bluetooth devices actually are in public places. The Kaspersky team visited InfoSecurity 2006 in London with the aim of detecting as many Bluetooth devices as possible.
According to Gostev, the team detected more than 1,000 Bluetooth devices in discoverable mode. In other words, each of those devices answered inquiries from any other device in range and was ready to field a connection attempt. Any of them that also lacked authentication or other access controls was exposed to data leakage or the rapid spread of Bluetooth malware. Devices detected included the following:
- Cell phones
- Laptop computers
- Cordless phones
- Desktop computers
- Other uncategorized devices
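The categories in that list come straight from the Class of Device (CoD) value a discoverable device returns in its inquiry response, so a survey like Kaspersky's needs nothing more than an inquiry scan and a CoD decoder. The following is an added example, not part of the original article or of the Kaspersky survey: it parses a constructed inquiry listing shaped like the output of BlueZ's `hcitool inq` (the six addresses and CoD values are made up), decodes each CoD into its major class, minor class and service-class bits, and tallies the devices into the categories above. The CoD bit layout follows the Bluetooth Assigned Numbers.

```python
"""Classify discoverable Bluetooth devices by Class of Device (CoD).

Added example, not part of the original article or of the Kaspersky survey.
The inquiry output below is constructed to look like `hcitool inq` from BlueZ;
the addresses and CoD values are made up for illustration. The CoD bit layout
(format type, minor class, major class, service classes) follows the Bluetooth
Assigned Numbers.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample, shaped like `hcitool inq` output on Linux/BlueZ.
SAMPLE_INQUIRY = """\
Inquiring ...
\t00:11:22:33:44:55\tclock offset: 0x1a2b\tclass: 0x5a020c
\t00:11:22:33:44:66\tclock offset: 0x0c0d\tclass: 0x7a0204
\t00:11:22:33:44:77\tclock offset: 0x3e3f\tclass: 0x3e010c
\t00:11:22:33:44:88\tclock offset: 0x1111\tclass: 0x1c0104
\t00:11:22:33:44:99\tclock offset: 0x2222\tclass: 0x400208
\t00:11:22:33:44:aa\tclock offset: 0x3333\tclass: 0x002540
"""

# Major device class lives in CoD bits 8-12.
MAJOR_CLASS = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network access point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
# Minor device class lives in bits 2-7; its meaning depends on the major class.
COMPUTER_MINOR = {0: "Uncategorized", 1: "Desktop", 2: "Server", 3: "Laptop",
                  4: "Handheld PC/PDA", 5: "Palm-sized PC/PDA", 6: "Wearable computer"}
PHONE_MINOR = {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
               4: "Wired modem/voice gateway", 5: "Common ISDN access"}
# Major service classes are single bits in the top part of the 24-bit CoD.
SERVICE_BITS = {13: "Limited discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}

LINE_RE = re.compile(r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}).*?class:\s*0x([0-9A-Fa-f]{6})")


def decode_cod(cod: int) -> dict:
    """Split a 24-bit CoD into major class name, minor class number and service names."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    return {"major": MAJOR_CLASS.get(major, f"Reserved (0x{major:02x})"),
            "minor": minor, "services": services}


def bucket(cod: int) -> str:
    """Map a CoD onto the survey's categories: cell phone, laptop, cordless phone, desktop, other."""
    info = decode_cod(cod)
    if info["major"] == "Phone":
        kind = PHONE_MINOR.get(info["minor"], "Uncategorized")
        if kind in ("Cellular", "Smartphone"):
            return "Cell phone"
        if kind == "Cordless":
            return "Cordless phone"
    elif info["major"] == "Computer":
        kind = COMPUTER_MINOR.get(info["minor"], "Uncategorized")
        if kind == "Laptop":
            return "Laptop computer"
        if kind == "Desktop":
            return "Desktop computer"
    return "Other"


def parse_inquiry(text: str) -> list[tuple[str, int]]:
    """Extract (bdaddr, cod) pairs from hcitool-style inquiry output; other lines are skipped."""
    return [(m.group(1).upper(), int(m.group(2), 16))
            for m in (LINE_RE.search(line) for line in text.splitlines()) if m]


def survey(text: str) -> Counter:
    """Count discoverable devices per category, as in the Kaspersky tally."""
    return Counter(bucket(cod) for _, cod in parse_inquiry(text))


if __name__ == "__main__":
    for addr, cod in parse_inquiry(SAMPLE_INQUIRY):
        info = decode_cod(cod)
        print(f"{addr}  0x{cod:06x}  {bucket(cod):16} {info['major']}/{info['minor']}  "
              f"{', '.join(info['services']) or '-'}")
    print(survey(SAMPLE_INQUIRY))
```

The service-class bits are worth printing alongside the category: a phone advertising Object Transfer and Telephony while sitting in discoverable mode is exactly the profile that the exposures listed below (address book download, call placement) rely on.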
Failing to turn off discoverable (visible-to-all) mode, or to implement at least Mode 2 security, can expose an organization's information in the following ways:
- Sensitive data is available for browsing
- An attacker can use a compromised telephone to make calls
- DoS attacks can be launched against the compromised device
- Address lists can be downloaded
- Malware can be installed for later infection of other devices, including network attached systems
- An attacker can install malware with the intent to gain ongoing control of the device
Protecting Bluetooth networks
There are a variety of ways for an organization to protect its Bluetooth devices from compromise. As with all security challenges, the first step is to educate the workforce: every employee should know the right and wrong ways to use Bluetooth. Policies should also govern the use of business-owned and privately-owned wireless devices. At a minimum, the policies should address the following:
- Configure devices so that the user has to approve any connection request
- Turn off Bluetooth when not in use
- Do not operate Bluetooth devices in Mode 1; enable discoverable mode only for as long as it takes to pair trusted devices, then turn it off again
- Pair trusted devices in a controlled environment, out of radio range of untrusted parties, since the pairing exchange is the moment an eavesdropper is best placed to attack the link key
- Set transmit power to the lowest class that meets the need, so that the usable range is as short as is reasonable
- Consider installing anti-virus and personal firewall software on each Bluetooth device
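On a Linux host with BlueZ, two of these policy items ("discoverable only when necessary" and "user must approve connections") are governed partly by timers in `/etc/bluetooth/main.conf`. The following is an added example, not part of the original article and not a BlueZ tool: it audits a constructed weak configuration against a constructed hardened one. It assumes the documented semantics of the `[General]` keys `DiscoverableTimeout` (default 180 s) and `PairableTimeout` (default 0), where a value of 0 disables the timer so the adapter stays discoverable or pairable until told otherwise; the 300-second policy ceiling is an assumed threshold. Note that these timers only govern what happens after discoverable or pairable mode is switched on; switching it off right away is a runtime action (`bluetoothctl discoverable off`, `bluetoothctl pairable off`).

```python
"""Audit a BlueZ main.conf for settings that leave a host permanently discoverable or pairable.

Added example, not part of the original article and not BlueZ's own tooling.
Both configs are constructed. Assumption: as documented for BlueZ main.conf,
DiscoverableTimeout (default 180) and PairableTimeout (default 0) are in
seconds and 0 disables the timer, i.e. the adapter stays in that state until
told otherwise. MAX_WINDOW is an assumed organizational threshold.
"""
from __future__ import annotations

import configparser

# Weak: both timers disabled, so once an admin runs `bluetoothctl discoverable on`
# the laptop answers every inquiry and accepts pairing attempts indefinitely.
WEAK_CONF = """\
[General]
Name = Reception-Laptop
DiscoverableTimeout = 0
PairableTimeout = 0
"""

# Hardened: both windows close on their own two minutes after being opened.
HARDENED_CONF = """\
[General]
Name = Reception-Laptop
DiscoverableTimeout = 120
PairableTimeout = 120
"""

MAX_WINDOW = 300  # policy: anything longer than five minutes is flagged (assumed threshold)

# (key, documented default when the key is absent)
TIMER_KEYS = (("DiscoverableTimeout", 180), ("PairableTimeout", 0))


def _timeout(general, key: str, default: int) -> int | None:
    """Read a timer value, falling back to the documented default; None if unparseable."""
    raw = general.get(key, str(default))
    try:
        return int(raw)
    except ValueError:
        return None


def audit_main_conf(text: str, max_window: int = MAX_WINDOW) -> list[str]:
    """Return a list of findings for the given main.conf text (empty means clean)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    general = cfg["General"] if cfg.has_section("General") else {}
    findings = []
    for key, default in TIMER_KEYS:
        value = _timeout(general, key, default)
        if value is None:
            findings.append(f"{key}: unparseable value {general.get(key)!r}")
        elif value == 0:
            # An absent PairableTimeout hits this branch too: the default is 0.
            findings.append(f"{key} = 0: adapter never leaves this state on its own")
        elif value > max_window:
            findings.append(f"{key} = {value}: window exceeds policy maximum of {max_window}s")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_main_conf(conf) or ['no findings']}")
```

The point the audit makes that a quick read of the file does not: a main.conf that simply omits `PairableTimeout` is as exposed as one that sets it to 0, because 0 is the default.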
Bluetooth is a great addition to the business productivity toolbox. However, it must be understood by the technical team and its deployment should be closely managed. Failure to purchase devices that support the right security measures, or to minimize exposure due to unmanaged device discovery, puts your enterprise data at risk.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.