Bluetooth Blues
In the sixth of his weekly series for Cambridge Network members, IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at Paris Hilton, Harald Bluetooth and bluesnarfing.
The Problem
Your cellular communication is only as secure as its weakest link.
Once upon a time, your GSM cellular phone communicated directly and pretty securely with a GSM relay station and, from there, with the telephone network. In the last few years, cellular phones have become Bluetooth-enabled, and this has introduced a major weakness.
Bluetooth isn’t secure. Bluetooth-equipped cellular phones and SmartPhones don’t usually have access control systems, firewalls, or anti-virus software. And that’s a pity, because Bluetooth-enabled devices are now a preferred method of attack on corporate and personal data.
As Paris Hilton is said to have found out: the story goes that the society heiress had all the photos, contact details and other data stolen from her mobile phone and posted on a website.
The Risks
Bluesnarfing is basically a hack attack on a Bluetooth-enabled device that allows download of all the information on the device – without leaving any trace of the attack. And the maximum range isn’t the advertised 10 metres – equipment that can mount a hack from up to a mile away is now available.
Mobile phone viruses are becoming more effective. Leaving your phone in ‘discoverable’ mode makes bluejacking (direct sharing of messages, pictures, and so on) easier; it also makes virus penetration and hacking easier. And phreakers could make calls on your number, deny you the use of your own phone, and steal your data.
The Bluetooth standard is apparently only due for a security update toward the end of 2005. That leaves the bad guys with a lot of time.
The Impacts
Harald Bluetooth introduced Christianity to Denmark in the 8th century. His namesake is allowing hackers and phreakers to introduce themselves into our once-secure mobile telephones. And the data that’s stored on mobile phones is just as subject to data protection, human rights and privacy legislation as that which is on your desktop.
And what happens to your network when you synchronize an infected mobile phone with your otherwise carefully guarded and protected desktop workstation?
What do we do about it?
The three critical steps are:
1. Keeping ‘discoverable’ mode on your Bluetooth device ‘off’ unless you really need it on.
2. Keeping it off, even if you want it on, when you’re in a ‘dodgy’ area.
3. Installing mobile anti-virus software on your mobile, with automatic over-the-air updating.
What else?
The situation is just starting to deteriorate. There are more mobile phones out there than computers, and that means that more and more phones will be attacked and compromised. Now is a good time to get into the habit of keeping them secure. The real question is: how do you teach all your staff to be careful – particularly when they’re driving?
Next week: Voice insecurity