Potential security risks posed by the Bluetooth wireless technology are prompting some IT managers to rein in use of Bluetooth-equipped mobile phones and computers on their networks.
Bluetooth vendors are scheduled to hold a press briefing today where they will discuss the security issues and provide guidance on how users can guard their devices against hackers. But several IT managers last week said they now see a need to protect their networks from Bluetooth attacks by taking the same steps they took to secure their corporate wireless LANs.
Emmett Hawkins, chief technology officer at Leapfrog Services Inc., said he’s so concerned about Bluetooth security risks that he plans to use a tool called Bluewatch from AirDefense Inc. to scan every device on his network and employees’ mobile phones for the presence of the wireless technology. Hawkins will then decide which devices should be allowed to run Bluetooth and access the network at Leapfrog, an Atlanta-based vendor of managed network services.
Cracks in Bluetooth’s security capabilities first came to light in February, when researchers in the U.K. said they had developed a tool that could exploit a flaw in some phones to connect to other devices without going through the normal pairing process. Once the connection was established, the tool could download data such as address books and personal calendars.
Attack techniques
The Bluetooth Special Interest Group (SIG), a trade association based in Overland Park, Kan., today plans to address the technology’s vulnerability to the “bluesnarfing” attacks and another hacking technique called “bluejacking.”
The group said in a statement that Bluetooth users need to “understand the realities of the situation (and) know how to protect themselves.” Patches are available for the phones that are at risk of being attacked, said a spokesman for the Bluetooth SIG. He added that the group also plans to detail initiatives it has under way to make Bluetooth more secure.
The spokesman said that only a relatively small number of phones from Nokia Corp. and Sony Ericsson Mobile Communications AB are susceptible to bluesnarfing. Despite the current concerns, he claimed that Bluetooth “is more secure than any other wireless technology” because of the short transmission range of most devices and its 128-bit encryption capabilities. Neither Nokia nor Sony Ericsson returned calls.
Bluetooth security concerns will likely continue to grow as devices that use the technology proliferate, said Chris Kozup, an analyst at Meta Group Inc. Kozup said Bluetooth-equipped mobile phones can be a particularly vexing problem for IT managers because many are bought by individual employees, making them harder to manage than corporate assets such as laptops.
Bluejacking involves sending unsolicited text messages to other Bluetooth users. Karl Feilder, president and CEO of Red-M Ltd., a vendor of wireless security tools in Bucks, England, described bluejacking as “an annoyance” that can be defeated by turning off the phone function on devices, which needs to be on to allow the exchange of such messages.
Few IT managers are even aware of Bluetooth’s widespread use, Feilder said. Worldwide shipments of mobile phones and other devices that use the technology exceeded 1 million units per week last year, according to the Bluetooth SIG. He estimated that as many as 2 billion Bluetooth-equipped devices could be in use by next year.
Many Bluetooth products are short-range devices that can transmit across distances of only about 30 feet. But Jay Chaudhary, chairman of AirDefense in Alpharetta, Ga., said a large number of laptops include longer-range Bluetooth radios that can work at distances of up to 300 feet. That could make them more vulnerable to attacks, he said.
For more enterprise computing news, visit Computerworld.com. Story copyright (c) 2004 Computerworld, Inc. All rights reserved.