Study: Bluetooth security should raise red flags

Network World - Much of the Bluetooth wireless security model is optional but network executives should start setting policies for handling the short-range radio technology, according to new Gartner Inc. research.
A key element of that model is link-layer security. But Bluetooth-equipped devices available today are not required to have this activated. The result: Corporate data can pass over a Bluetooth connection between a mobile phone and a laptop unprotected by encryption and vulnerable to interception.
Bluetooth is a wireless specification, managed by the Bluetooth Special Interest Group (SIG), that describes a 1M bit/sec, 2.4-GHz radio connection that reaches about 30 feet. It's being used to replace cable connections between mobile phones, headsets, laptops, PDAs, keyboards and fax machines. Each Bluetooth-equipped product supports one or more Bluetooth applications, called profiles, such as file sharing, voice and dial-up networking. Bluetooth products can carry a Bluetooth SIG "classmark" or designation indicating which profiles are available.
The number of products carrying Bluetooth radios is surging, said William Clark, director for Gartner's mobile and wireless research. Already, nearly 700 products are on the market from more than 50 vendors including Nokia Corp., Palm Inc. and Hewlett-Packard Co.
Gartner estimates that 161 million Bluetooth-equipped products will ship in 2003, rising to 362 million in 2004. Close to 80% of these products will be mobile phones, laptops and PDAs. An employee could use Bluetooth to connect a laptop to a mobile phone or fax machine, create a mini-network of PDAs and laptops, or automatically synchronize information on different computers or handhelds.
The Bluetooth specification works well at the lowest levels, Clark said, but many features affecting security and management are not required by the standards group. Besides the link layer, security settings for each profile are also optional. If these are not available or not activated, data is vulnerable wherever Bluetooth is used as a connection medium, Clark said.
Clark has calculated that those two factors add up to unexpectedly high costs for companies. "We project that [Bluetooth] will add $70 per user, per year, to the total cost of ownership for mobile computing devices," he said. Given that the Bluetooth SIG has announced a goal of driving Bluetooth chip costs to less than $5, that's a huge premium for a big company with lots of Bluetooth devices.
The Bluetooth classmark that appears on products has nothing to do with security or interoperability, Clark said. Executives need to create policies to address the potential security problems that Bluetooth could create for companies.

Among Clark's recommendations:

• Require link-level security to be active in all Bluetooth devices.



• Always use application-level security: Point-to-Point Tunneling Protocol, Secure Sockets Layer or VPN.



• Take steps to make employees aware of the risks, encourage good user security practices and configure devices properly.



• Evaluate a product's user interface to decide how easily it lets users set up and manage security.

Reprinted with permission from

For more information about enterprise networking, go to NetworkWorld.com
Story copyright 2009 Network World, Inc. All rights reserved.