Opinion: A new type of Bluetooth security

Bluetooth has been a big success in the mobile world, but primarily for just one application: wireless headsets. These are extremely popular and with good reason: You can't beat the convenience, and they are have become quite inexpensive.

But Bluetooth can do much more than just connect a headset with a phone. The technology also is capable of file transfer, dial-up networking, printing, and much more. These services are called profiles, and you can find the complete list of profiles here. Note, though, that not all Bluetooth implementations and devices support all profiles, so check with your vendor(s) to make sure you're getting what you need before you buy a Bluetooth-equipped handset or add-on adapter like a USB dongle.

Bluetooth does specify a reasonable, if not very robust, security protocol between the two endpoints in a Bluetooth link, and I encourage users to enable this feature. Any bit of network security, to paraphrase Martha Stewart, is a good thing.

But what if your application requires really strong security, such as government-class security designed for sensitive (but unclassified) data. Bluetooth isn't up to that task, nor are most commercial solutions today. The relevant standard is FIPS 140-2, and in many federal applications, the use of 140-2-approved products is not optional. I encourage application of this standard in many commercial environments as well.

That being said, I'm not going to advocate that Bluetooth advocates add FIPS certification to its specification. Rather, I want to introduce you to a novel, government-grade security solution that uses Bluetooth and that may well have applications in the commercial world as well.

I recently learned about this solution during a briefing with Trust Digital, a firm that specializes in mobile device security across a broad range of applications. The company also plays in the mobile device management arena, an area of increasing interest to network managers with increasing mobile user bases.

The problem is simple: How can we implement a highly-secure connection between mobile devices and network-based IT resources, across wired and wireless links alike? VPNs are a great idea, if not a requirement here, but, too often in the design of such security solutions, the other piece of the puzzle, strong authentication, is forgotten.

The answer is simple in concept - two-factor authentication. This is sometimes called the "something you have plus something you know" approach. The "something you know" is usually a password, and properly chosen, these are a good first step.

The "something you have" is more problematic because it involves additional hardware. Biometrics is a very interesting approach; I've been investigating the use of fingerprint scanning as the second factor and I'll have more for you on that down the road.

The government, however, has another idea that they've put into practice, which is essentially smart cards (a hardware token, if you will) connected via Bluetooth. The smart card in this case is the Department of Defense Common Access Card (CAC), which is the new staff ID card recently put into place. Bluetooth readers for the CAC are available from a number of sources and work with a variety of mobile devices, effectively driving mobile security in a huge range of sensitive applications. Note all of this sits on top of the Bluetooth link and, as a result, this system has both strong convenience and strong security.

I'd love to see a low-cost, commercial implementation of this concept soon. Two factor authentication could then become as common as, well, the one-factor alternative, but with a dramatic increase in security, which we all can appreciate.

Craig J. Mathias is a principal with Farpoint Group, an advisory firm specializing in wireless networking and mobile computing. He can be reached at craig@farpointgroup.com.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon