If you had a time machine and could go back through the ages, all the way back to the early 90s, and tell the average office worker that they could get crystal-clear audio, transfer files, and even print out documents without a single wire or cord involved, you’d probably get their attention pretty quickly. Thanks to the rapid rise of Bluetooth and other radio frequency (RF) technologies, this is now not only possible but extremely commonplace, with more people than ever taking advantage of the technology thanks to the rise of the Internet of Things (IoT).
Bluetooth was invented back in the late 80s but didn’t see widespread adoption until the mid to late 90s. Named after the famed Danish Viking Harald Bluetooth, who united many ancient tribes of Denmark into a single kingdom, Bluetooth was similarly seen as a way to unite RF communication protocols. (Fun Fact: The Bluetooth logo is actually a combination of ancient runes for Harald’s initials.)
In today’s modern office, Bluetooth and other RF technologies are used on a daily basis to make employees more productive and their offices more convenient. But what kind of security risks are inherent to Bluetooth? Are they serious enough to rethink its use in offices where cybersecurity is of the utmost importance, such as when dealing with healthcare data and possible HIPAA violations?
How Bluetooth Works
One of the reasons Bluetooth has become so widely adopted is that it is low-power, wireless, automatic, and inexpensive. It doesn’t require line-of-sight to connect (like how your remote using infrared needs to be pointed at your television to send signals to it, for example) and can connect several devices together simultaneously (as opposed to other RF technologies limited to a 1:1 connection) from a distance of over 10 yards. Bluetooth devices connect using the ISM (industrial, scientific, and medical) band of the RF spectrum, which lies between 2.4 and 2.485 GHz, and can sync up utilizing a full-duplex connection, meaning both devices can send and receive from the other.
Security Measures of Bluetooth
There are several security modes offered by Bluetooth, and what you use will depend on the types of devices connected and your overall security situation. Speaking generally, Mode 1 is essentially entirely unsecured, Mode 2 allows the end-user to decide which devices to connect to, and Mode 3 secures the link and requires authentication for all Bluetooth traffic and connections.
Most of us are familiar with Mode 2 in our daily lives, as establishing “trusted devices” is something every Bluetooth user has likely done. Upon connecting to your wireless mouse or keyboard for the first time, you can designate said device as one that is trusted, which ensures a speedy, automatic connection every time henceforth. While operating your home speakers and keyboards in Mode 2 is likely fine, Mode 3 should be considered whenever sensitive business data is transmitted. This allows for complex encryption and authentication methods that make unauthorized access extremely difficult.
Where It Can Be Weak
Just like Wi-Fi and other wireless modes of communication, Bluetooth can be prone to security flaws. After all, anytime you’re sending signals through the air, they are susceptible to being received by parties other than those you intend to send them to.
Turning off Bluetooth on your device while not in use is always a good idea, as hackers have been known to conduct what is known as “bluebugging,” targeting devices that are always in “discoverable” mode and have out-of-date firmware. Successful bluebugging allows a hacker to access sensitive information on the device.
Bluejacking, another type of Bluetooth attack, is typically not quite as dangerous as bluebugging. Arguably the most common type of Bluetooth attack, bluejacking is the act of sending out unsolicited messages to people and devices within a certain range. These are commonly spam messages or guerilla marketing efforts but can be avoided by turning Bluetooth off when not in use.
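Both attacks above depend on a device that leaves Bluetooth on and discoverable, so that state is worth auditing. The following is an added example, not part of the original article: it parses the output of `bluetoothctl show` (the BlueZ command-line tool on Linux) and flags powered adapters that are discoverable. The sample output, host names and addresses are constructed for illustration.

```python
import shutil
import subprocess

# Constructed sample of `bluetoothctl show` output (names and addresses are made up).
SAMPLE_SHOW = """\
Controller 00:11:22:33:44:55 (public)
    Name: frontdesk-pc
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
Controller 66:77:88:99:AA:BB (public)
    Name: lab-laptop
    Powered: yes
    Discoverable: no
    DiscoverableTimeout: 0x000000b4
"""

def parse_controllers(text):
    """Split `bluetoothctl show` output into one dict of properties per adapter."""
    controllers = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Controller "):
            controllers.append({"Address": stripped.split()[1]})
        elif controllers and ": " in stripped:
            key, value = stripped.split(": ", 1)
            controllers[-1].setdefault(key, value)  # keys such as UUID repeat
    return controllers

def audit(controllers):
    """Return (address, finding) for each powered adapter that is discoverable."""
    findings = []
    for c in controllers:
        if c.get("Powered") != "yes" or c.get("Discoverable") != "yes":
            continue
        raw = c.get("DiscoverableTimeout")
        # BlueZ prints the timeout in seconds as hex; 0 means it never expires.
        seconds = int(raw.split()[0], 0) if raw else None
        if seconds == 0:
            findings.append((c["Address"], "discoverable with no timeout"))
        else:
            findings.append((c["Address"], "discoverable (temporary or unknown timeout)"))
    return findings

if __name__ == "__main__":
    if shutil.which("bluetoothctl"):  # live check on a Linux host with BlueZ
        text = subprocess.run(["bluetoothctl", "show"], capture_output=True,
                              text=True, timeout=10).stdout
    else:
        text = SAMPLE_SHOW
    for address, finding in audit(parse_controllers(text)):
        print(f"{address}: {finding}")
```

An adapter reported as discoverable with no timeout matches the “always discoverable” condition described above and is the first one to switch off or reconfigure.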
What Should Be Done?
The bottom line is that while nothing is 100% secure, the use of Bluetooth in your office should be viewed in the same category as Wi-Fi. Sure, it can be a security risk, but the convenience and increased productivity it affords far outweigh the risk. There are basic security measures you can (and should) conduct in your office for all Bluetooth devices that will tighten things up (as mentioned above), as well as continual best practices you should instruct all employees to follow at all times while using Bluetooth in the office. As Bluetooth and other RF technologies continue to grow with the advent of the IoT, it’s only going to become more critical that we all do our part to keep our organization and its data safe and secure, especially if you’re in the healthcare industry, which requires HIPAA compliance.
About the Author
Marty Puranik co-founded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and President of Atlantic.Net, he has led the acquisition of 16 Internet companies, establishing customer relationships in more than 100 countries. Atlantic.Net has expanded to seven data centers in three different countries.
Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.