Assessing Bluetooth Security Issues

Previous page
Table of content
Next page

Note

Files are sent back and forth with your Treo using the Bluetooth General Object Exchange Profile, which is based on the Object Exchange (OBEX) communications protocol. OBEX is designed to allow the exchange of binary objects between devices and is supported in Palm devices as far back as the Palm III for sharing PIM data. OBEX is typically associated with infrared communication but is also used regularly now for transferring files and data via Bluetooth.


There have been some concerns in the mobile community about Bluetooth security as more devices ship with support for Bluetooth. The concerns primarily have to do with Bluetooth being capable of opening a notebook PC, handheld, or mobile phone to wireless attacks. Part of the problem is that some users don't realize that, by enabling Bluetooth on their devices, they might be opening a gateway for unwanted communications, much like accessing the Internet without a firewall. Another part of the problem concerns a few faulty Bluetooth implementations that exposed several models of mobile phones to attack.

In reality, Bluetooth is a sophisticated technology that addresses security seriously. Bluetooth connections require acceptance by the user and are capable of using 128-bit encryption with other security protocols. The real concern with Bluetooth security isn't so much the technology itself as it is the manner in which people use it. As an example, your front door doesn't pose a security risk unless you leave it unlocked. The door offers security by virtue of the lock, but you must take some responsibility in shutting and securing the lock after you pass through the door. Similarly, Bluetooth requires some responsibility on the user's part if it is to offer maximum security.

Note

The actual location of the Bluetooth Exchange folder on your desktop computer is My Documents\Bluetooth Exchange Folder.


To better understand your responsibility in keeping your Treo secure from Bluetooth attackers, it's important to understand the types of attacks that can be launched against a Bluetooth device. The simplest and least dangerous form of Bluetooth attack is known as Bluejacking, which is more of an annoyance than a true security attack. In Bluejacking, another Bluetooth user sends an unsolicited message (usually as an electronic business card) through a Bluetooth connection to your device. You certainly have the option of rejecting the message, but just the fact that you're prompted by it, unsolicited, is a hassle. To send you a Bluejack message, of course, the other person has to be within 10 meters (32 feet) of your device, but this can be accomplished easily with anonymity in a crowded area.

Note

The unlocked GSM Treo 650 available directly from Palm was the first device to offer Bluetooth dial-up networking support. Wireless carriers have promised updates to enable the feature on their phonessome have delivered, some not.


It's important to understand that Bluejacking doesn't put your device at risk in any way. Both parties in a Bluejack communication are in complete control of their devices, and the Bluejacker has no way of extracting any information from your device. That's why I refer to Bluejacking as more of an annoyance than a true security attack. Even so, some people are shocked to receive an unsolicited message or, with some phones, an image or a sound. They wrongly assume that someone has attacked their phone or given them a virus. Quite the contrary; some people have turned Bluejacking into a more positive experience by using it as a way to meet new people. To learn more about Bluejacking and view the official Bluejack Code of Ethics, visit http://www.bluejackq.com/.

Note

You can enter the Bluetooth dial-up networking settings on a Windows computer entirely through the Phone and Modem applet in Control Panel. Even so, your wireless carrier should provide you with information about how to enter these settings.


A much more serious Bluetooth security attack is known as Bluesnarfing, which involves another Bluetooth user gaining access to your device data and literally stealing information from your device. The at-risk data can include your contact list, text messages, memos, and anything else stored on your Treo. Although Bluesnarfing has certainly taken place in the past, it relied on a hole in Bluetooth implementations on specific mobile phones, not on a weakness with Bluetooth itself. In other words, the Bluetooth technology is secure enough to prevent Bluesnarfing, assuming that device manufacturers implement Bluetooth properly on their devices. Fortunately, there are no reported security problems with the Bluetooth implementation on Treo devices.

Another topic closely related to Bluetooth security is Bluetooth sniping, which involves using specially modified equipment to send and receive Bluetooth signals over a long range, currently up to 1 mile. When combined with Bluesnarfing, Bluetooth sniping presents an extremely dangerous opportunity for hackers to breach Bluetooth devices from a long distance. So far, Bluetooth sniping has been used primarily as a way of simply exploring the limits of the Bluetooth technology. It does open up the prospect of attackers operating from afar, assuming that they've figured out a way to access your device.

Note

The term "Bluejacking" doesn't refer to hijacking; instead, it originated with a person named Jack who anonymously sent the Bluetooth message "Buy Ericsson" to a Nokia phone user while waiting in line at a bank.


Now that you understand what's at risk with Bluetooth from a technological level, it's important to explain your side of the security equation. As with many technologies, it turns out that the Bluetooth technology is surprisingly secure; the real weak link is us humans. Bluetooth is obviously a communication technology that allows you to connect devices wirelessly. The key to keeping your Treo secure is ensuring that only devices you want connected to it are indeed connected to it. This involves some vigilance on your part to ensure that you don't inadvertently allow someone else to connect to your device. How can this happen?

First, start with the biggest Bluetooth issue of allmaking your device discoverable. Your Treo can be set as discoverable or invisible, with the former option allowing any other Bluetooth device to see your device. Although seeing is different from connecting, by making your device discoverable, you significantly increase the chances of someone attempting a security attack against you. It's just too easy for hackers to fish for devices in a crowded area and take a stab at breaching one of them. As I've already said, Bluetooth is pretty solid in terms of its security, but remaining invisible is much safer than being discoverableat least if you're a Bluetooth device. So keeping your device invisible (undiscoverable) is the best defense against Bluejacking.

Tip

I recommend initially pairing your Treo with your headset or hands-free car kit in a private area (a safe distance away from other potential Bluetooth users) and then being cautious about allowing others to tinker with your device.


On the other hand, the discoverable feature is built into Bluetooth devices for a reason. For example, your desktop PC probably requires your Treo to be discoverable to connect and synchronize wirelessly. In this example, it might be advantageous to keep your device discoverable when you're at home or in your office. You might find a reasonable tradeoff in keeping your device discoverable some of the time and then setting it to invisible when you're in crowded areas where an anonymous attacker might be more apt to strike.

Another area in which many Treo devices are potentially at risk is pairing. When you pair your device with another device, each device is added to the other's device list and given the capability of connecting to each other. In most cases, this arrangement is fine because you want to initiate a connection with a device. If someone is able to secretly pair her device with yours, however, she could feasibly connect to your device without your knowledge. For this reason, most Bluetooth device users have to be careful about allowing other people to borrow their devices.

To summarize, here are a few tips to help maximize Bluetooth security with your Treo:

  • Make your device discoverable only when absolutely necessary.

  • Pair up with new devices only in private, out of range of other potential Bluetooth users.

  • Don't allow anyone else to tinker with your Treo.

  • Don't respond to unsolicited messages you receive.

If you follow these guidelines, you should be able to safely enjoy Bluetooth's benefits with minimal worries about your device's security.


    Previous page
    Table of content
    Next page
    TREO essentials
    Treo Essentials
    ISBN: 0789733285
    EAN: 2147483647
    Year: 2005
    Pages: 189
    Authors: Michael Morrison
    BUY ON AMAZON
    Interprocess Communications in Linux: The Nooks and Crannies
    Absolute Beginner[ap]s Guide to Project Management
    Inside Network Security Assessment: Guarding Your IT Infrastructure
    Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
    Quantitative Methods in Project Management
    Python Standard Library (Nutshell Handbooks) with
    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net
    Privacy policy