With technology advancing at a groundbreaking pace, new features and capabilities have brought numerous unintended security consequences and risks.
Implementing organizations and users must take on the responsibility to protect data and identities.
With rising awareness of security and privacy in IT systems and applications, embedding security in all layers of system design, development, and operations is gaining attention from users, system owners, and designers.
This trend is especially critical in the business and government sectors working with proprietary or sensitive information.
Heavier reliance on wireless and Internet of Things (IoT) technology further complicates the security landscape.
Users often trade privacy for convenience and voluntarily share sensitive information when using mobile devices.
Using Bluetooth to exchange sensitive information poses an alarmingly high security risk.
However, a thoughtful approach to system design, vigilant users, and attention to security will mitigate many of the potential vulnerabilities.
Security Challenges Using Bluetooth Technology
The Bluetooth standard is so complex that few people truly understand it. The Bluetooth Special Interest Group (SIG), the governing body for Bluetooth technology, published approximately 3,000 pages of specifications.
That is about 10 times the volume published for Wi-Fi. The extensive standard offers a wide range of options for developers; however, developers may not have a proper understanding of the entire protocol, resulting in vulnerabilities in their systems.
Bluetooth SIG is developing a new security audit tool that may prevent some of the more common implementation errors.
A more diligent adversary may take the time to discover a weakness.
There has been a recent increase in Bluetooth exploits.
A simple search in the Common Vulnerabilities and Exposures (CVE) database shows over 300 known vulnerabilities related to Bluetooth.
Security officers are at a disadvantage because they need to anticipate every possible method by which an attacker could gain access, while the attacker only needs to find one unmitigated vulnerability.
A common vulnerability is the length of the encryption key. A short key is vulnerable to a brute force attack and should not be used. Although the Bluetooth Core Specification now recommends 7 octets as the minimum encryption key length, some legacy devices may not have been updated, and some developers may ignore this new guideline.
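A defender-side check for the key-length weakness described above, as an added example that is not part of the original article: it parses HCI Command Complete events for HCI_Read_Encryption_Key_Size (a Classic Bluetooth host-controller command) and flags links whose negotiated key is under 7 octets. The event bytes are constructed samples, and the `audit` function and its treatment of failed reads as findings are assumptions of this example.

```python
import struct

# Minimum the article cites from the Bluetooth Core Specification.
MIN_KEY_OCTETS = 7

EVT_COMMAND_COMPLETE = 0x0E
# HCI_Read_Encryption_Key_Size: OGF 0x05 (Status Parameters), OCF 0x0008
OP_READ_ENC_KEY_SIZE = (0x05 << 10) | 0x0008  # 0x1408


def parse_key_size_event(evt: bytes):
    """Return (connection_handle, key_size) for a Command Complete event
    answering HCI_Read_Encryption_Key_Size, or None for any other event.
    key_size is None when the controller reported a failure status."""
    if len(evt) < 2 or evt[0] != EVT_COMMAND_COMPLETE:
        return None
    params = evt[2:2 + evt[1]]
    # Num_HCI_Command_Packets(1) Opcode(2) Status(1) Handle(2) Key_Size(1)
    if len(params) < 7:
        return None
    _ncmd, opcode, status, handle, size = struct.unpack_from("<BHBHB", params)
    if opcode != OP_READ_ENC_KEY_SIZE:
        return None
    # A failed read leaves the key size unknown, which is not the same as safe.
    return handle & 0x0FFF, (size if status == 0x00 else None)


def audit(events, minimum=MIN_KEY_OCTETS):
    """List (handle, key_size) for links that are short-keyed or unverified."""
    findings = []
    for evt in events:
        parsed = parse_key_size_event(evt)
        if parsed and (parsed[1] is None or parsed[1] < minimum):
            findings.append(parsed)
    return findings


# Constructed sample events (not captured from a real device).
SAMPLE = [
    bytes.fromhex("0e07010814004000" "10"),  # handle 0x040, 16-octet key
    bytes.fromhex("0e07010814004100" "01"),  # handle 0x041, 1-octet key
    bytes.fromhex("0e07010814004200" "07"),  # handle 0x042, exactly 7 octets
    bytes.fromhex("0e07010814024300" "00"),  # handle 0x043, read failed
    bytes.fromhex("0e0401030c00"),           # Command Complete for HCI_Reset
]

if __name__ == "__main__":
    for handle, size in audit(SAMPLE):
        print(f"handle 0x{handle:03x}: key size {size}")
```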
Given all the Bluetooth vulnerabilities that have already been discovered, there will be more to come. Organizations need to take careful measures in implementing the right technology and processes while mitigating the associated risks.
What Can You Do?
Only the right mix of technologies, partners, and culture will keep organizations secure.
Organizations must be armed with the knowledge and tactics to uphold their security posture by providing multifaceted protection that addresses hardware, software, and user behavior.
Furthermore, organizations can encourage users to invest in additional cybersecurity tools under employee reimbursement plans.
It’s time for organizations and users to step up their game to protect sensitive data.
Here at IT Veterans, we specialize in secure mobility and cybersecurity.
We have a number of effective, economical, and easy-to-use solutions to decrease risk in wireless technology implementation and improve cybersecurity posture.
If you’d like to talk about security or learn how we can help, contact us here.
Author: Julie A. Hanway; IT Veterans Team Member
Biblio:
Doffman, Z. (August 15, 2019). New Critical Bluetooth Security Issue Exposes Millions Of Devices To Attack. Retrieved March 16, 2020, from https://www.forbes.com/sites/zakdoffman/2019/08/15/critical-new-bluetooth-security-issue-leaves-your-devices-and-data-open-to-attack/#723257764ec8
Kacherovska, D. (August 15, 2019). How Secure Is the BLE Communication Standard? Retrieved March 16, 2020, from https://dzone.com/articles/how-secure-is-the-ble-communication-standard
Martin, J., Alpuche, D., Bodeman, K., Brown, L., Fenske, E., Foppe, L., … Teplov, S. (June 16, 2019). Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol. Retrieved March 16, 2020, from https://petsymposium.org/2019/files/papers/issue4/popets-2019-0057.pdf
Newman, L. (May 19, 2019). Bluetooth’s Complexity Has Become a Security Risk. Retrieved March 16, 2020, from https://www.wired.com/story/bluetooth-complex-security-risk/
Zepeda, D. (August 1, 2019). AirDrop vulnerability can show your phone number and passwords to malicious third parties. Retrieved March 23, 2020, from https://www.imore.com/airdrop-vulnerability-can-shows-your-phone-number-and-passwords-malicious-third-parties
Common Vulnerabilities and Exposures (CVE®), The MITRE Corporation. Accessed 5/12/2020, from https://cve.mitre.org/index.html