Most users take Bluetooth security for granted. When you’re enjoying the convenience of hands-free phone conversations, streaming podcasts in your car or jogging with your awesome new wireless headphones, do you need to worry about whether the communication channel is secure or not?

What’s acceptable for consumers may not meet corporate standards. With a new version of the technology set to be released next year, it is a good time for enterprise security leaders to take another look at Bluetooth security and policies. While Bluetooth is about to become an even better way to share information, without the proper controls it can also be used to steal valuable information.

Bluetooth technology was first introduced 27 years ago, before security was a high priority. Using techniques like Bluesnarfing, cybercriminals were able to eavesdrop on communications and crash devices remotely. While some of these threats have been addressed in recent versions of the protocol, others, like denial-of-service (DoS), remain viable.

Bluetooth 5 to Offer Enhanced Security

Bluetooth 5, the newest version of the technology, is scheduled for release late this year or early in 2017. This version of the protocol offers several major improvements, especially for Internet of Things (IoT) devices.

  • A fourfold increase in the range of transmission — up to 400 meters in some cases. This means Bluetooth could replace Wi-Fi for many IoT implementations.
  • A twofold increase in the speed of data transmission — up to 2 Mbps.
  • An 800 percent increase in data broadcast bandwidth, replacing the app-to-device pairing model with more connectionless traffic.

The downside of the new protocol is that without controls in place, malicious actors can now access devices and communications from much greater distances than before. If an attack is successful, they can transfer stolen data twice as fast as before. At 2 Mbps, an attacker tapping into a Bluetooth phone used in a random parking lot or coffee shop could download a huge amount of confidential data in very little time.

And there is still no user authentication in the new standard, only device authentication. An application developer can — and for most sensitive applications should — add user authentication.

Bolster Bluetooth Security

There are several actions enterprise security teams can take to bolster Bluetooth security, not the least of which is the continuous education of corporate users on simple steps they can take to do their part.

  • First, security leaders should conduct a simple risk analysis to understand the value of what is being shared/communicated via Bluetooth. If discussing possible mergers or other highly confidential, strategic information, a mobile strategy involving highly secure communications channels is in order.
  • Investigate devices that allow users to block or limit Bluetooth access. Some models can be set to allow access to simple devices like a remote mouse or keyboard while blocking all other Bluetooth file and device traffic.
  • Set user policies that clearly and unambiguously list approved uses for corporate Bluetooth devices, specifying the types of information allowed to be transferred via Bluetooth networks.
  • To protect against DoS attacks, require users to shut off Bluetooth whenever they aren’t using it.
  • Create a passkey/PIN policy and change default pairing PINs whenever possible.

Plugging the Holes

Just as the 802.11 wireless local area network (WLAN) specification evolved from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access 2 (WPA2) for a more secure wireless experience, even better security will be baked into future Bluetooth iterations. For now, however, Bluetooth security contains holes, even as the standard is poised to play a major role in the oncoming IoT tsunami.

There is no substitute for threat modeling and data classification when determining whether a conversation or file can be transferred via Bluetooth. For most enterprise use cases, a properly secured phone using the latest version of Bluetooth and a user authentication-enabled app will suffice. But for an organization’s most confidential, sensitive data communications, a more secure channel may be required.
