Most users take Bluetooth security for granted. When you’re enjoying the convenience of hands-free phone conversations, streaming podcasts in your car or jogging with your awesome new wireless headphones, do you need to worry about whether the communication channel is secure or not?

What’s acceptable for consumers may not meet corporate standards. With a new version of the technology set to be released next year, it is a good time for enterprise security leaders to take another look at Bluetooth security and policies. While Bluetooth is about to become an even better way to share information, it can also be used to steal valuable information without the proper controls.

Bluetooth technology was first introduced 27 years ago, before security was a high priority. Using techniques like Bluesnarfing, cybercriminals were able to eavesdrop on communications and crash devices remotely. While some of these threats have been addressed in recent versions of the protocol, others, like denial-of-service (DoS), remain viable.

Bluetooth 5 to Offer Enhanced Security

Bluetooth 5, the newest version of the technology, is scheduled for release late this year or early in 2017. This version of the protocol offers several major improvements, especially for Internet of Things (IoT) devices.

  • A fourfold increase in the range of transmission — up to 400 meters in some cases. This means Bluetooth could replace Wi-Fi for many IoT implementations.
  • A twofold increase in the speed of data transmission — up to 2 Mbps.
  • An 800 percent increase in data broadcast bandwidth, replacing the app-to-device pairing model with more connectionless traffic.

The downside of the new protocol is that without controls in place, malicious actors can now access devices and communications from much greater distances than before. If an attack is successful, they can transfer stolen data twice as fast as before. At 2 Mbps, an attacker tapping into a Bluetooth phone used in a random parking lot or coffee shop could download a huge amount of confidential data in very little time.

And there is still no user authentication in the new standard, only device authentication. An application developer can — and for most sensitive applications should — add user authentication.

Bolster Bluetooth Security

There are several actions enterprise security teams can take to bolster Bluetooth security, not the least of which is the continuous education of corporate users on simple steps they can take to do their part.

  • First, security leaders should conduct a simple risk analysis to understand the value of what is being shared/communicated via Bluetooth. If discussing possible mergers or other highly confidential, strategic information, a mobile strategy involving highly secure communications channels is in order.
  • Investigate devices that allow users to block or limit Bluetooth access. Some models can be set to allow access to simple devices like a remote mouse or keyboard while blocking all other Bluetooth file and device traffic.
  • Set user policies that clearly and unambiguously list approved uses for corporate Bluetooth devices, specifying the types of information allowed to be transferred via Bluetooth networks.
  • Require users to shut off Bluetooth whenever they aren’t using it to protect against DoS attacks.
  • Create a passkey/PIN policy and change default pairing PINs whenever possible.

Plugging the Holes

Just as the 802.11 wireless local area network (WLAN) specification evolved from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access 2 (WPA2) for a more secure wireless experience, even better security will be baked into future Bluetooth iterations. For now, however, Bluetooth security contains holes, even as the standard is poised to play a major role in the oncoming IoT tsunami.

There is no substitute for threat modeling and data classification when determining whether a conversation or file can be transferred via Bluetooth. For most enterprise use cases, a properly secured phone using the latest version of Bluetooth and a user authentication-enabled app will suffice. But for an organization’s most confidential, sensitive data communications, a more secure channel may be required.
