Study: Bluetooth security should raise red flags

Because much of the Bluetooth wireless security model is optional, network executives should start setting policies for handling the short-range radio technology, according to new Gartner Inc. research.

A key element of that model is link-layer security. But Bluetooth-equipped devices available today are not required to have this activated. The result: Corporate data can pass over a Bluetooth connection between a mobile phone and a laptop unprotected by encryption and vulnerable to interception.

Bluetooth is a wireless specification, managed by the Bluetooth Special Interest Group (SIG), that describes a 1Mbps, 2.4-GHz radio connection that reaches about 30 feet. It’s being used to replace cable connections between mobile phones, headset, laptops, PDAs, keyboards and fax machines. Each Bluetooth equipped product supports one or more Bluetooth applications, called profiles, such as file sharing, voice and dial-up networking. Bluetooth products can carry a Bluetooth SIG “classmark” or designation indicating which profiles are available.

The number of products carrying Bluetooth radios is surging, says William Clark, director for Gartner’s mobile and wireless research. Already, nearly 700 products are on the market, from more than 50 vendors including Nokia Corp., Palm Inc. and Hewlett-Packard Co.

Gartner estimates that 161 million Bluetooth-equipped products will ship in 2003, rising to US$362 million in 2004. Close to 80 per cent of these products will be mobile phones, laptops and PDAs. Employees could use Bluetooth to connect their laptop to a mobile phone or fax machine, create a mini-network of PDAs and laptops, or automatically synchronize information on different computers or handhelds.

The Bluetooth specification works well at the lowest levels, Clark says, but many features affecting security and management are not required by the standards group. Besides the link layer, security settings for each profile are also optional. If these are not available or not activated data is vulnerable wherever Bluetooth is used as a connection medium, Clark says.

Clark has calculated that the two facts add up to unexpectedly high costs for companies. “We project that [Bluetooth] will add (US)$70 per user, per year, to the total cost of ownership for mobile computing devices,” Clark says. Given that the Bluetooth SIG has announced a goal of driving Bluetooth chip costs to less than US$5, that’s a huge premium for a big company with lots of Bluetooth devices.

The Bluetooth classmark that appears on products has nothing to do with security or interoperability, Clark says. Executives need to create policies to address the potential security problems that Bluetooth could create for companies.

Among Clark’s recommendations:

– Require link-level security to be active in all Bluetooth devices.

– Always use application-level security: Point-to-Point Tunneling Protocol, Secure Sockets Layer or virtual private networking (VPN).

– Take steps to make employees aware of the risks, encourage good user security practices and configure devices properly.

– Evaluate a product’s user interface to decide how easily it lets users set up and manage security.

Gartner is urging Bluetooth SIG members to create an “enterprise-class security model,” to be designated with a new classmark. Among other things, this designation could guarantee “always-on” link-layer security and rigorous, application-level interoperability testing for devices.

“This would save enterprises billions of dollars, on a global basis,” Clark says. “Instead of doing their own testing, they could simply specify these enterprise-class requirements, and buy the products that have been certified to meet them.”