Bluetooth's flaws were in the spotlight at last week's Black Hat and Defcon
security conferences in Las Vegas. Security professionals demonstrated
vulnerabilities in the wireless technology by downloading contact
information and reading text messages on the devices of unsuspecting
bystanders. This comes on the heels of software upgrades from device
makers Nokia Corp. and Sony Ericsson that address Bluetooth's security
problems. Even though Bluetooth is seemingly more insecure than ever,
it is infiltrating businesses at a tremendous rate.
"Bluetooth is a silent killer," said Stan Schatt, a vice
president and research director with Cambridge, Mass.-based Forrester
Research Inc. "You can look at someone and not know that they have a
Bluetooth device, yet they can still do damage."
The short-range 2.45 GHz wireless technology is being embedded
in more manufacturers' mobile devices. Wireless phones and headsets are
most popular, but it is also being embedded in printers, PDAs, laptops
and other devices. It is most often used to replace cords for headsets,
synch mobile devices with PCs or share contact information between
devices. According to the Scottsdale, Ariz.-based research firm
In-Stat/MDR, 69 million Bluetooth chips shipped in 2003. By 2008, the
firm expects 720 million units to ship each year.
While Bluetooth is prevalent, it has very little use in a
business context and therefore is rarely managed by IT departments,
Schatt said. Generally, the technology is embedded in the devices that
employees bring into the office. Now that these devices are becoming
more commonplace, hackers are finding ways to exploit the technology's
weakness. For instance, Bluetooth can be used to download information
stored on a mobile device, including contact lists and passwords. It
can also be used to make calls using another person's device. Bluetooth
can even be used to take over another device and send SMS messages, or
to listen in on conversations.
Mobile device data is typically not pivotal to an
enterprise's security, said Craig Mathias, a principal with Framingham,
Mass.-based research firm Farpoint Group. Nonetheless, he said
businesses should determine whether they are at risk by learning how
much sensitive business data is stored on workers' handheld devices.
"Bluetooth needs to be on the radar screen of IT departments," he said.
Bluetooth also complicates patch management, Schatt said,
because it is tougher to push out updates to cell phones and other
handheld devices than it is to PCs.
Despite its problems, Bluetooth is becoming so prevalent that
it is not practical to ban the technology. Businesses should therefore
incorporate it into their wireless strategies.
Employees also need to be educated on how to use Bluetooth and
on the kinds of security vulnerabilities it may present. Mathias
recommends handing out a card with Bluetooth information to every cell
phone user.