Security threats raise concerns about Bluetooth

Potential security risks posed by the Bluetooth wireless technology are prompting some IT managers to rein in use of Bluetooth-equipped mobile phones and PCs on their networks.

Bluetooth vendors are scheduled to hold a press briefing today at which they will discuss the security issues and provide guidance on how users can guard their devices against hackers. But several IT managers last week said they now see a need to protect their networks from Bluetooth attacks by taking the same steps they took to secure their corporate wireless LANs.

For example, Michael Ciarochi, a network security manager at HomeBanc Corp. in Atlanta, said he discovered last week that Bluetooth radios were included in laptop PCs that were being configured by an IT engineer for delivery to the mortgage lender's mobile workers. The radios, which operate in the same 2.4-GHz band as 802.11b WLANs, were turned on as a factory default setting.

Ciarochi said he was concerned about the possibility of opening a wireless back door into data stored on the PCs and had the Bluetooth radios turned off before the systems went into use. He added that he expects to have to secure Bluetooth by "locking it down" on devices, the same approach he took with HomeBanc's WLANs.

Emmett Hawkins, chief technology officer at Leapfrog Services Inc., said he's so concerned about Bluetooth security risks that he plans to use a tool called Bluewatch from AirDefense Inc. to scan every device on his network and employees' mobile phones for the presence of the wireless technology. Hawkins will then decide which devices should be allowed to run Bluetooth and access the network at Leapfrog, an Atlanta-based vendor of managed network services.

Cracks in Bluetooth's security capabilities first came to light in February, when researchers in the U.K. said they had developed a tool that could exploit a flaw in some phones to connect to other devices without going through the normal pairing process. Once the connection was established, the tool could download data such as address books and personal calendars.

The Bluetooth Special Interest Group (SIG), a trade association based in Overland Park, Kan., today plans to address the technology's vulnerability to the "bluesnarfing" attacks and another hacking technique called "bluejacking."

The group said in a statement that Bluetooth users need to "understand the realities of the situation [and] know how to protect themselves." Patches are available for the phones that are at risk of being attacked, said a spokesman for the Bluetooth SIG. He added that the group also plans to detail initiatives it has under way to make Bluetooth more secure.

The spokesman said that only a relatively small number of phones from Nokia Corp. and Sony Ericsson Mobile Communications AB are susceptible to bluesnarfing. Despite the current concerns, he claimed that Bluetooth "is more secure than any other wireless technology" because of the short transmission range of most devices and its 128-bit encryption capabilities. Neither Nokia nor Sony Ericsson returned calls.

Bluetooth security concerns will likely continue to grow as devices that use the technology proliferate, said Chris Kozup, an analyst at Meta Group Inc. Kozup said Bluetooth-equipped mobile phones can be a particularly vexing problem for IT managers because many are bought by individual employees, making them harder to manage than corporate assets such as laptop PCs.