Most users take Bluetooth security for granted. When you’re enjoying the convenience of hands-free phone conversations, streaming podcasts in your car or jogging with your awesome new wireless headphones, do you need to worry about whether the communication channel is secure or not?

What’s acceptable for consumers may not meet corporate standards. With a new version of the technology set to be released next year, it is a good time for enterprise security leaders to take another look at Bluetooth security and policies. While Bluetooth is about to become an even better way to share information, it can also be used to steal valuable information without the proper controls.

Bluetooth technology was first introduced 27 years ago, before security was a high priority. Using techniques like Bluesnarfing, cybercriminals were able to eavesdrop on communications and crash devices remotely. While some of these threats have been addressed in recent versions of the protocol, others, like denial-of-service (DOS), remain viable.

Bluetooth 5 to Offer Enhanced Security

Bluetooth 5, the newest version of the technology, is scheduled for release late this year or early in 2017. This version of the protocol offers several major improvements, especially for Internet of Things (IoT) devices.

  • A fourfold increase in the range of transmission — up to 400 meters in some cases. This means Bluetooth could replace Wi-Fi for many IoT implementations.
  • A twofold increase in the speed of data transmission — up to 2 Mbps.
  • An 800 percent increase in data broadcast bandwidth, replacing the app-to-device pairing model with more connectionless traffic.

The downside of the new protocol is that without controls in place, malicious actors can now access devices and communications from much greater distances than before. If an attack is successful, they can transfer stolen data twice as fast as before. At 2 Mbps, an attacker tapping into a Bluetooth phone used in a random parking lot or coffee shop could download a huge amount of confidential data in very little time.

And there is still no user authentication in the new standard, only device authentication. An application developer can — and for most sensitive applications should — add user authentication.

Bolster Bluetooth Security

There are several actions enterprise security teams can take to bolster Bluetooth security, not the least of which is the continuous education of corporate users on simple steps they can take to do their part.

  • First, security leaders should conduct a simple risk analysis to understand the value of what is being shared/communicated via Bluetooth. If discussing possible mergers or other highly confidential, strategic information, a mobile strategy involving highly secure communications channels is in order.
  • Investigate devices that allow users to block or limit Bluetooth access. Some models can be set to allow access to simple devices like a remote mouse or keyboard while blocking all other Bluetooth file and device traffic.
  • Set user policies that clearly and unambiguously list approved uses for corporate Bluetooth devices, specifying the types of information allowed to be transferred via Bluetooth networks.
  • Require users to shut off Bluetooth whenever they aren’t using it to protect against DOS attacks.
  • Create a passkey/PIN policy and change default pairing PINs whenever possible.

Plugging the Holes

Just as the 802.11 wireless local area network (WLAN) specification evolved from Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access 2 (WPA2) for a more secure wireless experience, even better security will be baked into future Bluetooth iterations. For now, however, Bluetooth security contains holes, even as the standard is poised to play a major role in the oncoming IoT tsunami.

There is no substitute for threat modeling and data classification when determining whether a conversation or file can be transferred via Bluetooth. For most enterprise use cases, a properly secured phone using the latest version of Bluetooth and a user authentication-enabled app will suffice. But for an organization’s most confidential, sensitive data communications, a more secure channel may be required.

Watch the on-demand webinar: Why More Autonomous “Things” Require You to Re-Examine Security Practices

More from Application Security

Does Follina Mean It’s Time to Abandon Microsoft Office?

As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m not introducing risk to my clients. Still, using Microsoft Office was something I did many times a day without a second thought. I brought up…

3 Reasons Why Technology Integration Matters

As John Donne once wrote, “No man is an island entire of itself.” With digitalization bridging any distance, the same logic could be applied to tech. Threat actors have vast underground forums for sharing their intelligence, while security professionals remain tight-lipped in a lot of data breach cases. Much like the way a vaccine can help stop the spread of infectious diseases, sharing threat intelligence and defense strategies can help to establish a more secure future for everyone.  So what…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory. SCM systems are used in the majority of organizations to manage source code and integrate with other systems within the…