Bluetooth can pack a mean bite

analysis
Jul 23, 2004, 3 mins

Manufacturers' lax attitude to security leaves wireless devices vulnerable

With an estimated 250 million Bluetooth-enabled devices currently in use, the fact that Bluetooth is about as secure as the proverbial wide-open barn door should be of concern to everyone responsible for the safekeeping of corporate data.

Yes, there is a Bluetooth security spec, but it’s an option most manufacturers choose not to enable. Unless the manufacturer states somewhere on the box that security is enabled in its product, you have no way of knowing.

It would require much more work on both the manufacturer’s and user’s part to ensure that the Bluetooth device can share data only with your PC. Indeed, manufacturers often open everything up so it is discoverable by any device, a condition known as “promiscuous mode.”

A device that authenticates to a Bluetooth cell phone can read any data that’s on the handset, according to Richard Rushing, chief security officer at AirDefense, a company that provides Bluetooth-monitoring solution BlueWatch.

Even with security enabled, there are a number of problem areas. The security protocol, when invoked, sets up a key exchange in which the keys are transmitted through the air, making them vulnerable to interception.

Each device also has a Bluetooth pass code (also called a pairing number). But in many embedded devices, such as GPS receivers, that number is only four digits long and is hard-coded into the device. A headset or keyboard manufacturer’s security code will be the same for all of that company’s products, according to Trevor Fiatal, chief security officer of mobile solutions vendor Seven.

And perhaps this is why Martin Reynolds, a Gartner fellow, felt it necessary to send out an alert earlier this year warning enterprises to “disable Bluetooth unless there is compelling reason to activate it.”

Because Bluetooth seems like such an innocuous technology — common wisdom says it can only travel about 10 feet — most IT managers have been ignoring it. But a Class 1 Bluetooth device, such as the USB Bluetooth dongle you might install on the back of your PC or notebook, has a range of 300 feet — about the same as Wi-Fi.

The threat scenarios are as varied as you can imagine. An attacker sitting within range of your Bluetooth keyboard might transmit a low-level jamming signal to break the connection, forcing you to reassociate the keyboard with your PC. If the hacker intercepts the exchange when the security keys are transferred across the air, it would be trivial to record every keystroke sent from the keyboard to the PC.

In a wired environment you have two significant defenses. There’s the physical barrier: The intruder must get inside the building. And then there’s the logical barrier: your firewall. But a Bluetooth device can be accessed outside the building walls, and the potential for signal-bleeding means your firewall can’t reliably protect your data.

The medium is also unobstructed. Therefore, a Bluetooth headset linked to a Bluetooth phone gives a hacker the ability to see everything being sent between the two devices.

AirDefense’s Rushing says it would be hard to establish a “no Bluetooth” policy; it’s too late for that. The bottom line: If handset manufacturers want to play in high tech, they’d better get their act together. Hard-coding authentication and pairing codes into a device just won’t cut it. The very nature of high tech is built on modification and upgradeability — not a recall of, say, 100 million defective handsets.