Bluetooth Security - a consumer primer

This article will introduce to you the various security issues that may arise with using Bluetooth. Well cover some new terminology as related to criminal or unwanted behavior as related to Bluetooth. Well also tell you what Bluetooth SIG is doing to address these security issues.

Bluetooth wireless technology is all about transmitting data. Its meant mostly for convenience, as its only good for transmitting information within a 10 meter distance. Naturally were concerned about the security of the data that we store and transmit using any wireless technology, Bluetooth included. The following scenarios demonstrate security issues that can occur using a wireless technology such as Bluetooth:
  • Worms. The Cabir worm came out in June 2004. This worm is the first example of a virus that was written for the mobile phone platform. In theory, it could be transmitted using Bluetooth technology and damage the information stored in your cell phone.
  • Mobile Fraud. This is where criminals, using Bluetooth technology to hide their identities and location, commit fraud by mobile phone; taking money for goods or services that they then do not provide.
  • Identity and Information Theft. Bluesnarfing is a method of hacking a cell phone using a Bluetooth wireless connection with the intent of copying any data stored on that phone. Most newer cell phones are resistant to bluesnarfing. Another method, called Bluebugging, allows hackers to basically hijack a users phone without their knowledge, again using the Bluetooth wireless connection. With bluebugging, hackers can do just about anything you can do with your cell phone. They can make phone calls, send and receive text messages, use the Internet, go through your phone numbers, and even listen in on your cell phone conversations.
  • Unwanted crashers! Bluejacking is a term that describes the unwanted distribution of personal messages to people with cell phones using a Bluetooth wireless connection. To bluejack, the person needs to be within 10 meters of your cell phone.
Before you throw your Bluetooth enabled telephone, car-kit or headset away and reach for a land line, you need to understand that the problem isnt with Bluetooth technology itself but how its been implemented by the various manufacturers.

Basically, the thing to remember is that Bluetooth technology itself is secure because it uses an algorithm to convey the data between two devices communicating with Bluetooth wireless protocols (for example, your cell phone and your wireless cell phone headset). So the problem has more to do with the implementation of the Bluetooth technology within cell phones and cell phone accessories and less to do with Bluetooth itself.

In terms of making Bluetooth implementation secure, product developers can set security levels for the following:
  • Bluetooth mode security level
  • Device security level
  • Services security level
Product developers can use one of three modes of security when implementing Bluetooth access connecting two devices: Mode 1 (non-secure), Mode 2 (service level security), and Mode 3 (link level security).

Devices themselves have two levels of security: trusted and untrusted. When you pair a trusted device with another, the trusted device can access any service provided by the second device. Some devices, like cell phones, should have higher levels of security put upon them than other types of devices, like printers.

Services also have three levels of security: those that are open to all devices, those that require authentication, and those that require both authentication and authorization. Authentication is when the user that wants to communicate with you is verified first. Authorization occurs only after authentication. Basically depending on the device security level, it will be authorized either full access or limited access to services. This is why Bluetooth headsets will require you to enter PIN codes, to authenticate the headset to your cell phone.

Phone manufacturers are under pressure to improve their software to reduce the vulnerability that current cell phones have to various security issues. Before you buy a Bluetooth headset, telephone, or car-kit, confirm that it is a newer model and find out what that manufacturers position is on security. Its quite possible that while you might get a good deal on an older cell phone or cell phone headset, it may not have as rigorous security measures as newer models.

You can also do the following to reduce your risk:
  • Turn your cell phone to non-discoverable mode when you dont need to use the Bluetooth technology for yourself.
  • Regularly check your cell phone manufacturer for software patch updates that remedy new security risks.
Unless the hacker is using special equipment, they usually need to be within 10 meters of your cell phone to hack you. If youre driving down the highway using your cell phone with a wireless headset, chances are slim that youre phone is getting hacked (unless you have a hostile sitting in your back seat!)