Bluetooth Device Security
A Bluetooth device operates on radio signals and supports both data and voice transmission. Examples of Bluetooth devices are cell phones, wireless keyboards, wireless mice, remote controls for TVs and similar equipment, PDAs, mobile car phones, laptops and most other wireless devices that are available. The device must be Bluetooth enabled in the Control Panel or System Preferences to be able to communicate with other Bluetooth devices. The main limitation of Bluetooth devices is the short signal range within which the devices must be located to allow a connection. The range depends on the Class of device. Bluetooth comes in three classes:
1) Class 1 devices are used primarily in industrial applications and have a range up to 300 feet,
2) Class 2 has a range up to 30 feet, and
3) Class 3 has a range up to 3 feet.
The Bluetooth devices you commonly use are most likely to be Class 2. Anyone connecting to a Bluetooth device must be within the range that the class of device specifies.
Security Risks for Bluetooth Devices
To illustrate the risks I will be using a Bluetooth enabled phone as an example. The same hackers that try to get into your computer network also make attempts to hijack your mobile car phone or cell phone. Once they have accessed your phone commands they can make phone calls, send and receive messages, listen to your phone conversations, learn all your contacts and addresses, and connect to the Internet, all without your knowledge. However, they must be located within 30 feet of your phone to do any of the above, unless they have special equipment. This applies to any Bluetooth device that can be accessed, but cell phones and mobile car phones are probably the most common.
How To Secure a Bluetooth Device
There are a few very simple things you can do to minimize your risk of anyone hijacking your phone or other wireless device:
- To allow connection of your Bluetooth device with another, you must turn on Discoverability or Pairing mode, so that your device can find the other device. The easiest method of providing security is to only turn Discoverability mode (pairing mode) on when you are attempting to connect to (pair with) another device. As soon as the devices have paired (made a connection), turn Discoverability off. Only using this setting when you need it reduces the amount of time that someone could pair with your device.
- A PIN is an alphanumeric string that is associated with the devices each time they connect with each other. The longer the string, the more secure the connection. If possible and the device supports it, increase the length of the PIN to 8 or more alphanumeric characters. If the device does not support changing the PIN, the manufacturer of the device may have a software upgrade that will allow it to be changed. The PIN is only needed while the devices are pairing, to make the connection secure, but it must be shared with the devices you want to connect to, because without the PIN, pairing will not occur. During pairing, a hacker has the easiest access to your devices. Occasionally, the PIN is static because it was assigned by the manufacturer. In this case you would need to remember the PIN because it is not automatically changed with each pairing.
- Protect your PIN by pairing your devices in a private area. This reduces the chances of a hacker regenerating the PIN as it is exchanged between devices. A 4 digit PIN can be discovered within hours by a hacker with special equipment. An 8 character alphanumeric string could take years to discover. Pairing your devices in private, to prevent the theft of your PIN over the air waves, is one of the ‘best practices’ of wireless security.
- Turn the Discoverability (Pairing) mode off when in unfamiliar areas. Anyone could be trying to find another wireless device to pair with; don’t let yours be one of them.
- Only pair (connect) with known devices. If you are asked to connect to (pair with) an unknown device and to enter your PIN code, it is best not to accept the invitation, enter the PIN code or connect to the unfamiliar device.
- For mobile car phones there is a widely available software tool called Car Whisperer. It can remotely connect to the car phone and send audio to the speakers using any Bluetooth enabled laptop with the software tool installed. This tool can also pick up sound from the microphone attached to the car phone. However, this tool can only work under the following circumstances:
  - the car phone is in Pairing Mode
  - it uses a static 4 digit PIN that doesn’t change
  - the car phone is not paired with any other device
  - the car phone is within 30 feet of the laptop (using special tools the distance between the devices can be increased significantly).
- Some Bluetooth enabled phones have vulnerabilities that allow an unknown individual to attack your phone. There are 3 different types of vulnerabilities that your phone may be susceptible to:
  - "Bluejacking" allows a person to send you ‘Business Cards’ with dubious content, and is usually done for fun. The originating phone must be within 30 feet of you, therefore the sender can see the look on your face when you receive the message. Usually Bluejacking is not malicious and does not steal information. It usually occurs in public places but can occur only if your phone is in Pairing Mode.
  - "Bluebugging" occurs when a hacker takes control of your phone’s commands. They can then send and receive email, add to your phonebook, access the Internet and do other unpleasant things, all without your knowledge. Your phone is only vulnerable when in pairing mode and within 30 feet of the hacker.
  - "Bluesnarfing" gains access to your phonebook, International Mobile Equipment Identity, your calendar and images associated with your phonebook. This is more sophisticated than the others as it requires special equipment if the hacker is not located within 30 feet and a device running special software. It becomes much more difficult for a hacker to use this method if your phone is in Non-Pairing Mode.
**The manufacturers of many phones have software patches available to close the holes that allow Bluebugging and Bluesnarfing. Check with your phone’s manufacturer to see if there is a software update available and keep your phone up-to-date.**
Bluetooth enabled devices are not limited to phones. Remember that any wireless device, including your wireless keyboard, wireless mouse and wireless printer, also must pair with other devices to work.