Does your security policy address Bluetooth technology?

Bluetooth-enabled devices are becoming more prevalent in the corporate culture. While they may not be large repositories of important corporate data, they still pose some security risks. Mike Mullins discusses how your organization can protect itself from these potential threats.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

In a recent article, I discussed additional security measures that organizations can implement to secure mobile devices, such as PDAs. However, it's important that companies realize that mobile computing isn't restricted to PDAs and wireless laptops. In fact, another form of wireless device could be inside your network right now, and you're probably unaware of it. I'm talking about Bluetooth-enabled devices.

Bluetooth devices operate on the unlicensed 2.4-GHz ISM band of frequencies. By design, Bluetooth can operate in this noisy environment by frequency-hopping to avoid interference from other signals after transmitting or receiving a packet of information.

While Bluetooth has been around for a few years, the technology is beginning to come into its own. More and more vendors are embedding Bluetooth technology into a multitude of different mobile devices. Wireless phones and headsets are the most popular devices, but you can also find Bluetooth technology in printers, PDAs, and laptops.

Understand the security threats

Most security administrators couldn't tell you if any Bluetooth-enabled devices exist on their networks or if any users access their networks using Bluetooth-enabled devices. And as cell phone viruses become more prevalent, this could pose problems to organizations' overall security.

In fact, Bluetooth technology is vulnerable to a number of different attack methods:

  • Bluesnarfing—stealing data stored on a Bluetooth-enabled device
  • Bluejacking—sending anonymous messages to a Bluetooth-enabled device
  • Bluebugging—forcing a Bluetooth-enabled cell phone to place a call

As Bluetooth technology becomes increasingly prevalent, the possibility of it interacting with your organization's network also grows. And that means there's no better time to devise a method to control how this technology affects your network.

Create a policy

Bluetooth technology has almost no practical business application, and it's not a technology officially supported by most IT departments. However, organizations can't ignore the fact that it exists.

Companies must accept that Bluetooth technology is out there and has the potential to interact with their networks. It's important to be proactive; don't wait for a Bluetooth-related security event to occur.

Instead, develop a company policy that discusses the use of Bluetooth-enabled devices and defines how these devices can interact with the network. Until the company decides to support Bluetooth-enabled devices, this policy should define your corporate strategy regarding the technology.

To begin, the policy should address three main areas:

  • Support: Bluetooth-enabled devices are not a supported technology, and no one should connect them to the corporate network.
  • Data: No one is allowed to store any company data on any Bluetooth-enabled device—specifically, passwords and usernames.
  • Repercussions: Discuss in detail the penalties for violating this policy.

Scan for devices

After you've created and distributed the policy, I recommend performing a wireless sweep to determine whether Bluetooth is active around your physical security boundaries. Red-M sells an excellent product called Red-Alert PRO, an intelligent wireless probe that scans for the presence of all 41 channels of 802.11a, 802.11b, and 802.11g, as well as Bluetooth activity.

By scanning for Bluetooth-enabled devices, you can continually update the risk profile for your network. In addition, you can better determine when to expend additional resources to address the security vulnerabilities of this fast-growing technology.

Final thoughts

Bluetooth devices are becoming more prevalent in the corporate culture. While they may not be large repositories of important corporate data, they still pose some security risks. Either incorporate these devices into your organization's security architecture, or ban their presence altogether. If you can't secure it, it doesn't need to touch or interact with your network.

For more information about Bluetooth security and vulnerabilities, I recommend The Bunker Web site, which maintains an excellent repository of Bluetooth security issues and vulnerable devices.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a network security administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox