Is Bluetooth still secure?

Hackers are starting to look at mobile devices as a launch pad to spring attacks on personal computers and workstations, and eventually, corporate networks. This has put the spotlight on wireless technology such as Bluetooth, which can potentially provide hackers with easy access to mobile devices.

But industry players say these risks can be easily mitigated, as long as manufacturers implement the technology appropriately and users are aware of how they can keep their devices secure.

Mobile devices have been a target of hackers for some time, with attacks dating back to 2004 where viruses, such as Cabir and Skulls, had surfaced, said Tim Hartman, senior technical director of security solutions, Symantec Asia-Pacific and Japan.

"We're likely to see more security issues affect mobile users as the mobile community grows and devices gain functionality," he said. "With hackers researching vulnerabilities in Bluetooth-enabled devices, the possibility of a worm or some other type of malicious code propagating by exploiting these vulnerabilities, increase."

Symantec recently identified a new worm OSX.Leap.A, that targeted Apple's Macintosh OS X 10.4 operating system, spreading via the iChat instant messaging application, Hartman said. Categorized as a Level 1 threat--the least severe-- he added that the worm could affect Bluetooth users as well.

The Mac OS X platform last month was also found to be susceptible to a proof-of-concept worm that used Bluetooth to propagate.

The Apple OS was not the only one to be hit.

A loophole was also found in several Sony Ericsson Bluetooth mobile phones, making them vulnerable to denial-of-service attacks.

Getting the basics right
Some of the security issues that have emerged can be traced back to the implementation stage, Eric Schneider, marketing director for Asia-Pacific and Japan, Bluetooth Special Interest Group (SIG), said in an interview. A non-profit trade association with over 4,000 members worldwide, the SIG aims to drive the development of Bluetooth and has working groups that focus on areas such as technology specifications, and product testing and qualification.

Bluetooth facts and figures Established by the Bluetooth Special Interest Group (SIG), Bluetooth is an industry standard for transmitting data files--up to 3 Mbps--within distances ranging from 10 meters to 100 meters. Today, it is commonly found in mobile phones and PDAs. The SIG estimates that almost 10 million Bluetooth-enabled devices are shipped worldwide in a week today, with the Asia-Pacific region being the fastest-growing market. Half of the SIG's associate members are from the Asia-Pacific region which includes Japan, Australia and New Zealand. Many of the group's product manufacturing and testing exercises are carried out in this region. Research company Gartner projects that Bluetooth penetration in the Asia-Pacific region, excluding Japan, will reach 19.8 percent in 2006 and hit 46.5 percent in 2009. ABI Research also estimates that 500 million Bluetooth-enabled devices will be shipped worldwide in 2006, up from 300 million last year.

The SIG outlines technical specifications that are used to build Bluetooth devices. Some of these make up the "basic" foundation of such devices, and manufacturers are required to implement the specifications in their Bluetooth products, Schneider explained.

Other specifications are optional, and manufacturers can choose not to embed these in their products, he said. Some of these, however, could have been used to make their systems more secure, Schneider noted.

"So they didn't take advantage of an optional feature [that could have produced more secure products]," he said.

So why not make these specifications compulsory too?

Schneider stressed that this cannot come under the SIG's purview.

"Telling a manufacturer how secure they want to make their products isn't our role," he said. "They need to balance usability and security…We give them the tools to make that balance."

Schneider explained that Bluetooth specifications are defined by the SIG committee, where members decide which components should be tagged mandatory, and which should be made optional requirements. The group's board of directors include executives from Intel, Ericsson, Microsoft, Motorola and Nokia.

Symantec's Hartman agreed that the "trade-off" between usability and security can sometimes lead to security problems. "At the time a product is introduced, an exploit is either not known,

[deemed] unlikely or an implementation of the technology has not been thought to warrant real concern," he said.
"I agree that in this day and age, if you are developing new technology on existing platforms, you should strive to use the highest level of security [that's] at your disposal," Hartman said. "If consumers suffer and are unable to use the product because of security concerns, the [manufacturer] should add other layers of security. If that fails, companies should alert existing or potential users of possible threats."

Peter Ang, Sony Ericsson Mobile's Asia-Pacific director of product marketing, applications and content, said his company will implement all necessary product specifications recommended by the SIG, "even if it's just an optional component".

He noted that the company's customers in the Asia-Pacific region have not been affected by the recent security issue, and added that the risk to the user's device is low.

"Our phones allow users to turn on the Bluetooth function and choose whether to make their phone visible to others in the area," Ang explained. "They can also reject a request to connect, and [choose not to] receive a data file from another device. So it's up to users to decide how they want to handle access to their device."

"If they don't accept [request to receive data from unknown devices], then there wouldn't have been a problem," he said, noting that the security risk could have been easily avoided. Nonetheless, Sony Ericsson is still "monitoring the situation", he added.

Bluetooth security tips Here's a checklist on how you can ensure your Bluetooth devices are well-protected: •  Always use a password or key when pairing up two devices. •  Don't pair with devices you're unfamiliar with as this will give them full access to your device. •  Turn off your Bluetooth function whenever it's not required. •  If you need to turn your Bluetooth on, make sure your device is set to "hidden" or "invisible" mode. •  Activate additional layers of security to your device if they are available. •  If the Bluetooth-enabled device is stolen or lost, unpair or remove it from the list of "trusted" devices that's on all devices it was previously paired. •  If your device comes with an antivirus software, remember to keep it updated.

According to Schneider, the SIG's security team is also currently investigating the Mac OS X issue. "We have a comprehensive process to deal with [security problems] so this is no different," he said. "We're now trying to find out where and what the issue is. There's no timeframe [to announce how it can be resolved] because we don't yet know where the issue lies."

"If it's an implementation issue, then the timeline will have to come from the manufacturers. If it's a specification issue, then the timeline will come from us," he added.

Schneider noted that security is a primary focus for the SIG. "Everytime we work on a new [Bluetooth] specification, security is looked at," he said.

Hartman said: "People who use Bluetooth should be aware of the risks associated with it and take appropriate precautions." He noted that a default setting on most Bluetooth devices makes them detectable, or "discoverable", by other Bluetooth devices in the vicinity. Mobile phone users can then be invited to connect with other users' devices and chat, or what is called "toothing".

"While an attractive feature to social users, this activity opens up their devices to potential hacking and access to personal information stored on the phone," he warned.

Carolina Milanesi, Gartner's principal analyst of mobile devices and consumer services, added that security breaches can be avoided most of the time if a certain degree of care is taken when Bluetooth-enabled devices are used.

She noted that there is "little consistency" in how users pair up their Bluetooth devices, as this process can differ from one manufacturer to another. The SIG does not require that there be a common way to pair up two devices, giving manufacturers a free rein to decide on their preferred way to do so, she said. This leaves users "struggling" each time they switch between devices.

"As most users are still leaving their home PCs and wireless LANs unprotected, it is hardly a surprise that they do not seem concerned about securing their phones and PDAs," Milanesi said.

"Users are more concerned about how easy a product is to set up and use, than how secure it is. So, phone manufacturers have--understandably, in Gartner's view--felt no urgency to enhance the security of their devices."