Security threats raise concerns about Bluetooth

Computerworld - Potential security risks posed by the Bluetooth wireless technology are prompting some IT managers to rein in use of Bluetooth-equipped mobile phones and PCs on their networks.
Bluetooth vendors are scheduled to hold a press briefing today at which they will discuss the security issues and provide guidance on how users can guard their devices against hackers. But several IT managers last week said they now see a need to protect their networks from Bluetooth attacks by taking the same steps they took to secure their corporate wireless LANs.
For example, Michael Ciarochi, a network security manager at HomeBanc Corp. in Atlanta, said he discovered last week that Bluetooth radios were included in laptop PCs that were being configured by an IT engineer for delivery to the mortgage lender's mobile workers. The radios, which operate in the same 2.4-GHz band as 802.11b WLANs, were turned on as a factory default setting.
Ciarochi said he was concerned about the possibility of opening a wireless back door into data stored on the PCs and had the Bluetooth radios turned off before the systems went into use. He added that he expects to have to secure Bluetooth by "locking it down" on devices, the same approach he took with HomeBanc's WLANs.
Emmett Hawkins, chief technology officer at Leapfrog Services Inc., said he's so concerned about Bluetooth security risks that he plans to use a tool called Bluewatch from AirDefense Inc. to scan every device on his network and employees' mobile phones for the presence of the wireless technology. Hawkins will then decide which devices should be allowed to run Bluetooth and access the network at Leapfrog, an Atlanta-based vendor of managed network services.
Cracks in Bluetooth's security capabilities first came to light in February, when researchers in the U.K. said they had developed a tool that could exploit a flaw in some phones to connect to other devices without going through the normal pairing process. Once the connection was established, the tool could download data such as address books and personal calendars .
Attack Techniques
The Bluetooth Special Interest Group (SIG), a trade association based in Overland Park, Kan., today plans to address the technology's vulnerability to the "bluesnarfing" attacks and another hacking technique called "bluejacking."
The group said in a statement that Bluetooth users need to "understand the realities of the situation [and] know how to protect themselves." Patches are available for the phones that are at risk of being attacked, said a spokesman for the Bluetooth SIG. He added that the group