Trends & Tech

As providers of insurance and other financial services we have an even greater responsibility to preserve data security than most other businesses. Not only do we need to protect our sensitive corporate data but we have vast quantities of private financial data. We must provide our customers with the trust and knowledge the information they willingly share with us will be protected securely and safely. I recently took a look at one of the major software packages the industry uses to store and analyze an individuals or familys financial needs, and I was struck by the breadth of the data capturedscreen upon screen of personal data that would take hours to compile and enter. In fact, I suddenly realized if I were to create a similar database of information for my family, it would take me days to gather all the information and hours to key it in. The point is we do need to protect data not only from intrusion but loss. While data loss may not be a serious threat at the corporate level, where we have multiple backup strategies and off-site data storage, it is a major concern at the agency level.

The Medium Is the Message

Security threats can be classified and analyzed from a few different angles. We can address the person behind the threate.g., disgruntled employee, hacker with criminal intent, or geek just-for-the-heck-of-it hacker. We can address the physical areas attackedinternal workstation, outward-facing Web sites, or the database itself (there is a reason we keep those servers in a secure area). Finally, we can address the mediumTCPIP over Ethernet, telecom lines, 802.11 services, or the medium we are going to look at here: Bluetooth.

Bluetooth is a wireless communication standard used for the transmission of voice and data.

The ability of Bluetooth devices to discover one another automatically and create connections without user intervention is perceived as a security threat. If a Bluetooth device is in the correct mode (discoverable or visible), compatible devices can communicate with no user intervention. This is very cool if you are at a trade show and want to grab business cards from other attendees and vendors with your PDA. This is very bad if you are in a hostile environment and fear a Bluetooth hack.

Modes

There are different security modes available in Bluetoothfrom no authentication or link encryption to both. There currently are three modes of security for access between devices: Security Mode 1 is nonsecure; Mode 2 enforces service-level security; and Mode 3 has link-level security. The issue is whether we restrict the usefulness of Bluetooth by implementing more secure modes. If you have a Bluetooth printer in a conference room, do you really want to enforce strict authentication and encryption just to enable a guest to print something? There always is a trade-off with wireless technologies and security. Consider 802.11X in the home. Most of my friends are geeks, so they use WEP with nice geeky passwords for their home WiFi systems. Some take it a step further and authenticate by MAC address. On the other hand, I have my home network open and unsecured. Friends and family can come and go and instantly be online. I do have the network pretty tightly locked downno open shares, etc., so I feel reasonably secure with an open network. Of course, I live in the country, and any roving WiFi hackers would be visible if they were close enough to steal some of my bandwidth. (Beware: If you have plans to steal my bandwidth, you might be in for a nasty surprise.) I probably would change my policy were I living in a city or apartment.

Back to Bluetooth. What exploits now are possible for these devices? A warningyou will become sick of the word blue very quickly.

Bluetracking

This is pretty innocuous unless you are a potential assassination target. Bluetooth devices have unique identifiers just like MAC addresses on network cards. Special sensing devices can track the movements of a Bluetooth device. It might be fun for hackers, but come on. I think this already is possible with any cell phone. If your phone is turned on, it is communicating with the closest cell tower; it is uniquely identified and therefore can be tracked.

Bluesnarfing

For those of you over 30, snarf means to pilferto make off with the belongings of others as in, I snarfed a jelly-filled Krispy Kreme from Pauls desk. The Bluesnarf attack is made viable because on some (older) devices, it is possible to gain access to the device without alerting the owner and then gain access to data. Bluesnarfing is an attack on a Bluetooth-enabled mobile phone, which may copy its entire contact book, calendar, or anything else stored in the phones memory. An article on ZDNet UK (February 16, 2004) claims software tools needed to perpetrate a Bluesnarf attack are widely available on the Internet.
In theory, an exploitable phone with Bluetooth turned on and set in discoverable mode can be paired with and accessed by the snarfing tool. The hacker then can access any data available on the device. This would include contact lists, address books, calendar information, and pictures. (Good reason not to keep any compromising pictures on your phone.) Given the generally accepted range of Bluetooth is about 10 meters, it is fair to say there is some security risk involved in crowded areas. Solution: Turn off Bluetooth at the airport.

Bluejacking

Bluejacking may or may not be anything more than harmless messaging, depending on your point of view and your gullibility. Bluejacking takes advantage of the Bluetooth pairing protocol. When Blue-tooth devices conduct the initial handshake as they are attempting to set up ad hoc networks, the device name is passed and displayed on another device. As the name field allows up to 248 characters, it is feasible to use the pairing protocol to pass anonymous messages. You can type a message into the name field and then search for other Bluetooth devices. Imagine you are in a subway car and suddenly receive an anonymous message, Love your outfit or You have been bluejacked, on your phone or PDA. If that is all, bluejacking is in fact nothing more than creepy sophomoric fun. But remember we live in an age of instant messaging and barrages of e-mail. An unsavvy Bluetooth device user unwittingly could pair with the unknown device sending the message. Once that pairing is established, they then are vulnerable to a snarf attack. Solution: Learn not to create a trusted pair with any anonymous users.

Bluebugging

Bluebugging is the process of sending executable commands to a Bluetooth device. Specifically, BlueBug is the name of a security loophole on some Bluetooth-enabled cell phones. A German researcher named Martin Herfurt created a program he calls BlueBug (surprise, surprise) that can use an exploited phone to transmit conversations to another phone. Exploiting this loophole allows the unauthorized downloading of phone books and call lists and the sending and reading of SMS messages from the attacked phone. SMS is an acronym for Short Message Service (text messaging popular on many cell phones). Theoretically, a program exploiting the BlueBug could initiate phone calls from the compromised phone, send SMS, read and write phonebook entries, forward calls, connect to the Internet, etc. In short, any number of semi-nasty attacks are possible. The solution: Dont use a vulnerable device (only certain devices are affected).

Other Hacks

That isnt the end of the Bluetooth hacks currently in the wild (although it is the end of the exploits with blue prefixes). Most of these hacks arent even readily available or in widespread use. There are a number of security firms that create programs that exploit Bluetooth vulnerabilities in the lab or a controlled environment. Obviously, it is easier to sell a security product or service if you can demonstrate vulnerability. There is the backdoor attack (establishing a trusted relationship by pairing but without the paired device displaying in the list of paired devices). Bluetooth DoS (Denial of Service attacks) are doable. War nibbling is the technique of collecting many small bits of data from Bluetooth devices in the zone. Are you starting to wonder why there are so many people with nothing meaningful to fill their time? I am.

The Real Problem

The real security issue as I see it is as follows: A Bluetooth PDA or laptop could be compromised in a crowded area such as an airport or coffee shop. Data on the compromised device then is liable to theft or corruption. Additionally, the hacked device may be connected to another network, say, VPN over WiFi. That makes the hacked device an open gateway to the attached network. This is a security problem. The solution is easy. Make it company policy to disable Bluetooth on company PDAs and laptops when users leave the office. In the office, enforce the highest level of encryption and authentication available. Its probably overkill, but overkill can bring some peace of mind. Common sense will prevent all but the most determined Bluetooth hacks.

Is this a lot of sound and fury over nothing? Probably. Technology writers like to pursue worst-case scenarios. In reality, the range of Bluetooth transmission is so limited there likely isnt any real cause for concern. If you are within 30 feet, I can see youand I can get you. As far as my own gadgets, my cell phone is not Bluetooth-enabled nor does it have a built-in camera. If you want to tell me I look cute today on the subway, you are going to have to do it the old-fashioned waytalk to me.