Most users take Bluetooth security for granted. When you’re enjoying the convenience of hands-free phone conversations, streaming podcasts in your car or jogging with your awesome new wireless headphones, do you need to worry about whether the communication channel is secure or not?
What’s acceptable for consumers may not meet corporate standards. With a new version of the technology set to be released next year, it is a good time for enterprise security leaders to take another look at Bluetooth security and policies. While Bluetooth is about to become an even better way to share information, it can also be used to steal valuable information without the proper controls.
Bluetooth technology was first introduced 27 years ago, before security was a high priority. Using techniques like Bluesnarfing, cybercriminals were able to eavesdrop on communications and crash devices remotely. While some of these threats have been addressed in recent versions of the protocol, others, like denial-of-service (DOS), remain viable.
Bluetooth 5 to Offer Enhanced Security
Bluetooth 5, the newest version of the technology, is scheduled for release late this year or early in 2017. This version of the protocol offers several major improvements, especially for Internet of Things (IoT) devices.
- A fourfold increase in the range of transmission — up to 400 meters in some cases. This means Bluetooth could replace Wi-Fi for many IoT implementations.
- A twofold increase in the speed of data transmission — up to 2 Mbps.
- An 800 percent increase in data broadcast bandwidth, replacing the app-to-device pairing model with more connectionless traffic.
The downside of the new protocol is that without controls in place, malicious actors can now access devices and communications from much greater distances than before. If an attack is successful, they can transfer stolen data twice as fast as before. At 2 Mbps, an attacker tapping into a Bluetooth phone used in a random parking lot or coffee shop could download a huge amount of confidential data in very little time.
And there is still no user authentication in the new standard, only device authentication. An application developer can — and for most sensitive applications should — add user authentication.
Bolster Bluetooth Security
There are several actions enterprise security teams can take to bolster Bluetooth security, not the least of which is the continuous education of corporate users on simple steps they can take to do their part.
- First, security leaders should conduct a simple risk analysis to understand the value of what is being shared/communicated via Bluetooth. If discussing possible mergers or other highly confidential, strategic information, a mobile strategy involving highly secure communications channels is in order.
- Investigate devices that allow users to block or limit Bluetooth access. Some models can be set to allow access to simple devices like a remote mouse or keyboard while blocking all other Bluetooth file and device traffic.
- Set user policies that clearly and unambiguously list approved uses for corporate Bluetooth devices, specifying the types of information allowed to be transferred via Bluetooth networks.
- Require users to shut off Bluetooth whenever they aren’t using it to protect against DOS attacks.
- Create a passkey/PIN policy and change default pairing PINs whenever possible.
Plugging the Holes
Just as the 802.11 wireless local area network (WLAN) specification evolved from Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access 2 (WPA2) for a more secure wireless experience, even better security will be baked into future Bluetooth iterations. For now, however, Bluetooth security contains holes, even as the standard is poised to play a major role in the oncoming IoT tsunami.
There is no substitute for threat modeling and data classification when determining whether a conversation or file can be transferred via Bluetooth. For most enterprise use cases, a properly secured phone using the latest version of Bluetooth and a user authentication-enabled app will suffice. But for an organization’s most confidential, sensitive data communications, a more secure channel may be required.