By Alex Viall, MD, Mustard IT
Bluetooth technology has been around since 2000. It’s become a seamless way for professionals to connect devices and it can be deployed for a variety of uses – from diverting voice calls through car speakers, to providing the freedom of wireless mice, headphones and more. The question now however, is how safe is Bluetooth technology?
Has the ubiquity of the technology created complacency regarding Bluetooth network security? Everyone is aware of the risks involved with using the internet for business, but have you thought about the impacts of a breach of a Bluetooth connection?
This article will explore how Bluetooth actually works, where the Bluetooth security vulnerabilities are, and how to reduce your Bluetooth security risks, both on the go and from an organisational perspective.
What are the security issues?
Bluetooth is extremely convenient, but it can leave users vulnerable to Bluetooth security risks if it’s not used safely. If you have email, social media, banking apps or confidential files on your device, you are at risk.
It’s vital that devices used for business in particular are protected from attack. Once we understand some of the many ways hackers can wreak havoc on your systems using Bluetooth vulnerabilities, we can learn to protect ourselves.
Viruses and worms
Smartphones and tablets are vulnerable to viruses often downloaded from reputable looking apps. Smartphone keyboards are prone to typing errors, which can lead to mistyped web addresses. Misspelling a common website name by one letter can lead to malware and other damaging files can be installed on your devices. As smartphone screens are smaller, counterfeit websites can be more difficult to spot. Once a virus has been installed, it can open up the device to Bluetooth security vulnerabilities and other issues.
If a hacker gains access to your device (by connecting without your permission) they can steal personal data from calendars, email, images, contacts, messages etc. This could compromise any amount of sensitive information. Does Bluetooth use data once it’s been hacked? No, it remains limited to radio waves.
Denial of Service Attacks (DDOS)
This is a malicious tactic sometimes used to inconvenience or intimidate a person. If a DDOS attack is launched on your device, it will become overwhelmed with nuisance instructions and freeze up. Calls can’t be answered, data is (sometimes permanently) inaccessible and chews up battery power.
This is also known as Bluetooth eavesdropping. Just as virus websites use a misspelled address to trick users, hackers set up common looking device names (‘printer’ for example) and trick you into pairing with them instead of the actual device you were seeking. These are an unfortunate factor of Bluetooth security vulnerabilities.
As you pair with them, they gain access to your entire device – they can hear and record calls, track your location on GPS and use your contact list.
If you have connected to a headset with a microphone, hackers can even listen in to conversations that are happening around you. As with bluesnarfing, you wonder does Bluetooth use data when it’s been hacked and the answer is no, so that’s one less thing to worry about.
How to reduce risk – update your Bluetooth versions
The level of Bluetooth security involved depends on which Bluetooth versions the devices use. We’ll explain each of the versions below. It can sometimes be difficult to tell which Bluetooth versions your devices have. If you’re unsure, contact the manufacturer directly. No matter which version you use, Bluetooth multi connect won’t be available, but it may update with newer releases of the hardware.
If you have level one devices, it means they will ‘pair’ (connect) without requiring any Bluetooth passkey or verification. This can be very risky – it is essentially an open door, where anyone can pair to your device and access what’s stored there.
This is the most common Bluetooth security setting. The devices pair together, and then ask for security codes to be exchanged to verify the connection. The short period of time between pairing and verification can create a security vulnerability but the risk is minimal.
Devices with level three security offers strong Bluetooth protection against unwanted intrusions. These devices must authenticate (swap security codes) before pairing, which means the gap found in level two devices is completely closed.
These devices have the most stringent authentication protocols. They act like level three devices and authenticate before pairing. The authentication process is more complex, making it extremely difficult to penetrate, reducing the Bluetooth security risks significantly.
A final point on hardware – it may be worth researching common Bluetooth enabled accessories, such as headsets or headphones. Some brands have additional layers of encryption available. It is worth paying more for extra risk reduction, and helps to answer the question: is Bluetooth safe?
How to reduce risk – behavioural change
Once you are confident that you are using the most appropriate version of Bluetooth on your devices, you can begin to focus on behavioural change.
Because proximity is critical to connecting, a lot of harm can be avoided by doing the majority device set up in a secure location (like the office).
Implementing these changes will see a huge boost for your Bluetooth network security.
Connect devices in secure locations
The biggest opportunity for hackers to access a device through Bluetooth vulnerabilities is the moment between two devices pairing and trading authentication codes.
This gap can be only a second long but it’s long enough to be a risk. To avoid exposing yourself to this risk and increase Bluetooth protection, pair devices at the office or at home.
You only need to do this once for each coupling. Once the connection is authorised the gap is closed. Connecting privately reduces the risk of Bluetooth eavesdropping.
If your devices do become unpaired (it happens), resist the urge to reconnect them in public, even if you are on the go.
When you can’t return to the office, remember the 50m proximity rule and find somewhere isolated to reconnect.
Hide your connection
If Bluetooth is enabled on a device, it will automatically broadcast its presence to every other device within range. This is called being set to ‘discoverable’. It’s necessary to be discoverable when you’re trying to pair with another device of course. If you are not actively seeking to connect to a device, change your settings to ‘undiscoverable’ to avoid Bluetooth eavesdropping. You can still use your Bluetooth but no-one else can find your device on a list. If you’re not using Bluetooth, turn the function off completely until you do need it to provide additional Bluetooth protection.
Reset the PIN
The authorisation code used to couple devices is commonly a preset 4 digit PIN. If you have the option to change this, do so. Extend the code from 4 to 8 characters, and make the code an alphanumeric scramble. Treat it with the same respect as any other password.
Lock down your smart device
In today’s mobile business environment, a smartphone is the most likely device to broadcast information through a Bluetooth connection. Add passwords, codes and authorisations on any account that’s linked to business data. That way if hackers do access the device, there may be little for them to see, reducing Bluetooth vulnerabilities.
How to reduce risk – policy change
It’s possible that your staff are completely unaware of the risks they can bring to the business by using Bluetooth in public places. Depending on the size of your workforce, you will need to educate them on the risks and make some changes to company devices are managed.
There are changes that can be made with Bluetooth network security on the individual behavioural level and also in cooperation with your IT and cyber security teams.
The following suggestions centre around smartphones and tablets, because they are common data hubs and most likely to be paired in public areas.
When a new device is deployed:
- Install encryption software
- Install mobile anti-virus software
- Enable password protection (using voice recognition and fingerprint scans if possible)
- For all accounts connected to the device, use randomly generated passwords
- Turn off on-screen notifications. This stops confidential business related messages and emails displaying on screen for anyone to see
Use digital hygiene:
- Connect to company networks using SSL VPNs only. This scrambles access for opportunist hackers.
- Do not save passwords on the device (either as autocomplete options or as a note). Autofilled passwords are a gift to anyone with bad intentions.
- Close applications that aren’t in use. It will save battery life and restrict hackers from accessing them without passwords
- Unpair devices from one-time connections like printing booths or rental cars. Delete your connection from the car if you can.
- Clearing this data should be routine for company cars due for return from long term leases.
- Turn off WiFi, Bluetooth and GPS when the connections aren’t being actively used. It’s far more difficult to connect to a device when these pathways are closed. It will save battery, too.
- Install updates as soon as they are available. Updates are released in response to newly identified weaknesses in data security.
- Failing to update leaves devices vulnerable to known risks.
- Back up data as often as practical. This may occur automatically through cloud accounts or need to be done manually on a schedule. Ensure the data storage is secure too.
- If a device goes missing (i.e. lost or stolen) it must be reported directly. Remove the device from all lists of paired devices to deny access.
- Do not pair with an unknown device, or accept a digital business card without an identifiable source. Spontaneous pairing requests should always be denied, especially if it requests your Bluetooth passkey. Avoid this by keeping devices set to undiscoverable.
IT department involvement:
- Issue company devices for staff. There will be an initial cost, however having high level access and control on these devices can provide a huge ROI in terms of cyber security threat reduction.
- Make use of a company rights management system on smart devices. This allows an additional layer of security before allowing access to sensitive company data. For more information on this or other network security issues read our page on securing your network.
- Decide if personal devices should be permitted to connect to company wifi networks. This has huge potential for exploitation. Consider establishing a separate, limited network that provides connection but no access to company systems.
- Install anti virus software onto company devices. Business management apps can also monitor usage, which can feed into security, efficiency and other metrics.
- Develop a new user checklist to include with company issued devices. The checklist could include information about is Bluetooth safe, instructions on how to pair Bluetooth devices safely, what is the range of Bluetooth, how to connect to the CRM and password requirements, for example.