Introduction to Bluetooth technology
Bluetooth technology is a very useful tool for business. It doesn’t rely on a wifi connection to work, which can help to reduce data connection costs, amongst other things. It’s also very simple to set up and use, which is attractive. There are security risks associated with using Bluetooth, and they should be managed as you would with any business data connection. This article will explain how Bluetooth works, where it’s useful for businesses, the known security issues it has and how to protect your data.
What is bluetooth technology and where is it commonly used in business?
Bluetooth uses radio waves to send data between devices that are Bluetooth enabled. There’s no need for modems or routers as when using wifi. The only requirement is proximity – Bluetooth connections only hold to a distance of about 50 metres (164ft). This makes Bluetooth ideal for supporting communication devices such as
- hands free headsets (the stereotypical Bluetooth earpiece)
- wireless mice for laptop computers
- health monitoring tools
- wireless headphones
- car speakers for hands free calling
- smart phones supporting all of the above.
Bluetooth is most commonly used on mobile devices, and due to the rise of smart phone use and the rise in remote and mobile workers there is naturally a focus on mobile security. In the US it’s estimated that 63 million people are working from a base outside of the traditional office (that’s 43% of the workforce!) and the figure is rising in the UK too.
With this number of mobile devices outside the traditional office, ensuring they are secure when they hold valuable and sensitive business data is key. However, the risks associated with Bluetooth technology are often overlooked.
Bluetooth Security Issues
There are security issues associated with Bluetooth. It is valuable technology and it can be made safer, but first it’s important to understand the risks. There are many different ways hackers can make use of your Bluetooth connection. They are:
A hacker can connect to your device without your knowledge and steal images, calendar information, messages, contacts etc. This could be sensitive company data.
Worms and viruses
Some viruses are designed specifically for mobile devices. If your Bluetooth is set to ‘discoverable’, they can spread to or from your device. These viruses are often loaded onto a device through an innocent-looking app. Malware can also be accidentally downloaded from unsafe websites. These websites can be more difficult to detect on smaller smart phone screens. Keyboards are smaller on mobile devices and are more vulnerable to typing errors, leading to unintentional access to malicious sites.
War nibbling is the act of scanning a location for unsecured Bluetooth connections. This is opportunistic rather than targeted but can still cause a lot of damage.
Denial of Service Attacks (DOS)
Your device can be crashed, that is, so overloaded with commands that it can’t function normally. This usually blocks calls and wipes out battery life, leaving you with a ‘bricked’ phone. This could be more than an inconvenience if original data was stored on the device.
This is more likely to occur through a wifi connection but it’s important to know. Hackers can create a fake wireless access point (WAP). When you connect to the ‘free wifi network’ you see in the coffee shop, any data you send online can be accessed by the hackers. This is particularly alarming if company network passwords are stored on the device. If this password is accessed, the entire company network may be compromised.
In this case, a hacker can take complete control of your device. This often happens by creating fake Bluetooth profiles with a similar name to a device you’re looking to connect to (for example your laptop mouse or headphones). When you connect, hackers can listen in to calls, read your messages, access your contacts and track your location via GPS. Headsets are particularly weak here – when hacked they can act as microphones, listening in to your calls but also any conversation around you while you’re wearing it.
How is my device vulnerable to attack?
Bluetooth has been around for a long time now. The fact is, the older the technology, the more vulnerable it will be to hacking. If your devices use version 1.x, 2.0 or 4.0 LE, you are extremely vulnerable as these software editions have all been proven to be very easily manipulated. If you can, ban devices with these operating protocols immediately. For more information about protective actions, see the next section.
It’s important to understand how your devices connect. There are 4 different levels of security when it comes to pairing, and it’s important to select the highest level if possible. It can be difficult to know how individual devices connect but it can usually be established by contacting the manufacturer.
- Level One devices pair without any passwords required. This means anyone can pair with the device and potentially listen in or gain access.
- Level Two is quite common. Devices pair before the PIN codes are exchanged, creating a window where the devices are vulnerable.
- Level Three devices authenticate before pairing, which reduces the risk that comes with Level Two devices.
- Level Four devices are similar to Level Three in that they authenticate before pairing, but require more stringent authentication processes.
It doesn’t take much imagination to understand how hackers can take your personal and professional information and use it for their own gain. It may be that hackers are seeking to access financial details or company information. Data could be used for blackmail or to undermine business operations. When phones are hacked they can be used to make expensive international or premium service calls (at your expense). No matter what, it’s worth avoiding.
Best practices you can employ for better Bluetooth security
All of this information might leave you feeling like Bluetooth technology is dangerous to use. It doesn’t have to be. The benefits of using Bluetooth technology for your business can outweigh the risks, if you know how to use it safely. So, how can you address these vulnerabilities?
Hide your connection
When a Bluetooth enabled device has the function turned on, anyone within range, with a Bluetooth device can see that you are ‘discoverable’ – your device name will appear in a list on their device (much like when you have wifi on and you can see a list of available networks, even those that are password protected). The first and most simple thing you can do: if you are not using your Bluetooth, set your device to be ‘undiscoverable’ or turn the function off. (This will also save your battery). Simply put, if a hacker can’t find you, they can’t choose you as a target.
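On a Linux laptop running BlueZ, the discoverable setting described above can be read from the output of `bluetoothctl show`. The following is an added example, not part of the original article: it parses a constructed sample of that output and flags powered adapters that are discoverable or accepting pairing. The sample addresses, the finding labels and the choice to flag pairable adapters are assumptions made for illustration.

```python
import re

# Constructed sample of `bluetoothctl show` output (BlueZ); addresses are made up.
SAMPLE_SHOW = """\
Controller 00:11:22:33:44:55 (public)
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
Controller 66:77:88:99:AA:BB (public)
\tPowered: yes
\tDiscoverable: no
\tDiscoverableTimeout: 0x000000b4
\tPairable: no
"""

def parse_show(text):
    """Return {address: {property: value}} for each controller block."""
    controllers, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Controller\s+([0-9A-Fa-f:]{17})", line)
        if head:
            current = controllers.setdefault(head.group(1).upper(), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return controllers

def audit(text):
    """Flag adapters that contradict the 'hide your connection' advice."""
    findings = []
    for addr, props in parse_show(text).items():
        if props.get("Powered") != "yes":
            continue  # radio is off, so the adapter cannot be found
        if props.get("Discoverable") == "yes":
            findings.append((addr, "discoverable"))
            # A timeout of 0 means the adapter stays visible until changed by hand.
            timeout = props.get("DiscoverableTimeout")
            if timeout is not None and int(timeout, 16) == 0:
                findings.append((addr, "discoverable-no-timeout"))
        if props.get("Pairable") == "yes":
            findings.append((addr, "accepts-pairing"))
    return findings

if __name__ == "__main__":
    for addr, issue in audit(SAMPLE_SHOW):
        print(f"{addr}: {issue}")
```

To check a real machine, pass the captured text of `bluetoothctl show` to `audit()` in place of the sample.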
Connect your device in private
When you connect your devices for the first time, often there is a moment where the devices pair up before trading authentication codes. This small window is long enough for a hacker to access your data as discussed above. To avoid this, pair at the office or at home for the first time. After that the devices will connect without this vulnerable window.
If your devices do become unpaired, wait until you are in a private place before you pair them again. Do not pair devices in public spaces such as cafes or convention halls.
Create a difficult PIN
As mentioned above, when devices are paired for the first time, they must trade PINs (personal identification numbers). If you can edit the PIN on your devices, make them random alphanumeric codes (don’t use a name or birthdate). If you have the option to extend the code from 4 to 8 characters, do it.
Select the right technology
Not all technology is created equal. If you are selecting a device (such as a set of wireless headphones), keep Bluetooth security in mind. There are sometimes versions of a device that can broadcast using encrypted signals, giving an extra layer of protection.
Smartphone extra precautions
Often Bluetooth devices such as headphones are connected to a smartphone. In a business environment, smart technology is indispensable. Taking a few extra steps to protect the phone itself will strengthen the security of the Bluetooth connection. Even if hackers do get access, you can limit the data they can see and manipulate.
Preset the smart phones or empower your staff to:
- enable password/fingerprint/voice protection.
- use the longest possible passwords and make sure they are randomly generated.
- encrypt the data stored on the smart phone.
- install mobile security software (similar to anti-virus on a computer).
- Turn off on-screen notifications, so sensitive emails or message content are not able to be displayed on a locked screen.
Behaviours matter too. Teach your staff to:
- Turn off applications that aren’t being used. This will help reduce what hackers can access and it will also increase battery life.
- Turn off GPS, wifi and Bluetooth when they aren’t being used. This will save battery, but it also makes it much harder for opportunistic hackers to gain access to the device.
- Only connect to the business networks through an SSL VPN. If you don’t provide this for your business network, consider establishing it for added data security.
- Unpair and delete the device and clear any data from one-time connections like rental cars. This should also be required for company cars, especially at the end of any lease agreements.
- Download and install any updates or patches the device requires. As weaknesses are identified they are fixed with updates. Failing to update leaves devices open to known risks.
- Manage their devices. If a paired device is lost or stolen it should be reported immediately and removed from the list of automatically paired devices.
- Vet any offered pairings or electronic business cards. If an employee is not expecting to be paired with a device they should deny access immediately (and change their setting to undiscoverable).
- Back up data to secure, encrypted storage as often as practical. This will protect against data loss through DOS attacks.
- Avoid saving important passwords on the device. It may be inconvenient to type in complicated passwords but having them saved grants intruders free entry – completely defeating the purpose of the password.
Talk to your IT department about:
- Providing company devices for staff. Asking staff to use personal devices can save money up front, but can leave sensitive data at risk as there can only be voluntary compliance with security behaviours.
- Installing smart phone security apps on business devices. These apps can provide monitoring and behaviour management support.
- Configuring your business smart phones to connect to your company rights management system. Essentially this means requiring additional password security to access company information. This will slow down any hacker from accessing sensitive material.
- Weighing up the risk of permitting personal devices to be connected to, or access business networks. A separate network could be established with limited access to company data, for example.
- Creating user checklists for new devices. When staff are issued with a smart phone or other device, a list of security measures to take before leaving the office could provide assurance.
Mobile devices and Bluetooth technology can be an absolute boon to your business. When so many people are working away from a traditional office environment it’s almost inescapable. The freedom to move brings new risks, as we’ve seen. Connecting a laptop to a smart phone and wireless headphones in a coffee shop may seem like a closed system, but in reality it’s a golden opportunity for those with malicious intent.
Taking the simple precautions of turning off Bluetooth when not in use and setting the device to ‘hidden’ instead of ‘discoverable’ significantly reduces the risk of being hacked. For a small business owner or freelancer this may be enough protection. For those working for a larger operation, there are plenty of other precautions that can and should be taken. If you’re unsure, talk to your IT department about what security protocols you should be following. If there are no protocols in place at your company, now may be the time to discuss implementing them.
About EC-MSP IT Services
EC-MSP are one of the most trusted IT support providers in London. If you would like more help, advice and support on your Bluetooth security policies or have other business IT support needs, contact us today to see how we can help.