Worried about security
issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter
, delivered each Friday,
and get hands-on advice for locking down your systems.

In a recent article, I discussed additional
security measures that organizations can implement
to secure mobile devices,
such as PDAs. However, it’s important that companies realize that mobile
computing isn’t restricted to PDAs and wireless laptops. In fact, another form
of wireless device could be inside your network right now, and you’re probably
unaware of it. I’m talking about Bluetooth-enabled devices.

Bluetooth devices operate on the unlicensed 2.4-GHz ISM band
of frequencies. By design, Bluetooth can operate in this noisy environment by
frequency-hopping to avoid interference from other signals after transmitting
or receiving a packet of information.

While Bluetooth has
been around for a few years, the technology is beginning to come into its own.
More and more vendors are embedding Bluetooth technology into a
multitude of different mobile devices. Wireless phones and headsets are the
most popular devices, but you can also find Bluetooth technology in printers,
PDAs, and laptops.

Understand the security threats

Most security administrators couldn’t tell you if any
Bluetooth-enabled devices exist on their networks or if any users access their
networks using Bluetooth-enabled devices. And as cell phone viruses
become more prevalent
, this could pose problems to organizations’ overall

In fact, Bluetooth technology is vulnerable to a number of
different attack methods:

  • Bluesnarfing—stealing data stored
    on a Bluetooth-enabled device
  • Bluejacking—sending anonymous
    messages to a Bluetooth-enabled device
  • Bluebugging—forcing a Bluetooth-enabled
    cell phone to place a call

As Bluetooth technology becomes increasingly prevalent, the
possibility of it interacting with your organization’s network also grows. And that
means there’s no better time to devise a method to control how this technology
affects your network.

Create a policy

Bluetooth technology has almost no practical business
application, and it’s not a technology officially supported by most IT
departments. However, organizations can’t ignore the fact that it exists.

Companies must accept that Bluetooth technology is out there
and has the potential to interact with their networks. It’s important to be
proactive; don’t wait for a Bluetooth-related security event to occur.

Instead, develop a company policy that discusses the use of
Bluetooth-enabled devices and defines how these devices can interact with the network.
Until the company decides to support Bluetooth-enabled devices, this policy
should define your corporate strategy regarding the technology.

To begin, the policy should address three main areas:

  • Support: Bluetooth-enabled devices
    are not a supported technology, and no one should connect them to the
    corporate network.
  • Data: No one is allowed to store
    any company data on any Bluetooth-enabled device—specifically, passwords
    and usernames.
  • Repercussions: Discuss in detail the
    penalties for violating this policy.

Scan for devices

After you’ve created and distributed the policy, I recommend
performing a wireless sweep to determine whether Bluetooth is active around
your physical security boundaries. Red-M
sells an excellent
product called Red-Alert PRO
, an intelligent wireless probe that scans for
the presence of all 41 channels of 802.11a, 802.11b, and 802.11g, as well as Bluetooth

By scanning for Bluetooth-enabled devices, you can
continually update the risk profile for your network. In addition, you can
better determine when to expend additional resources to address the security
vulnerabilities of this fast-growing technology.

Final thoughts

Bluetooth devices are becoming more prevalent in the
corporate culture. While they may not be large repositories of important
corporate data, they still pose some security risks. Either incorporate these
devices into your organization’s security architecture, or ban their presence
altogether. If you can’t secure it, it doesn’t need to touch or interact with
your network.

For more information about Bluetooth security and
vulnerabilities, I recommend The Bunker Web site,
which maintains an excellent repository of Bluetooth security issues and
vulnerable devices.

Mike Mullins has
served as a database administrator and assistant network administrator for the
U.S. Secret Service. He is a network security administrator for the Defense
Information Systems Agency.