Challenges Inherent in Bluetooth Security

With technology advancing at a groundbreaking pace, new features and capabilities have brought numerous unintended security consequences and risks.

Implementing organizations and users must take on the responsibility to protect data and identities.

With rising awareness of security and privacy in IT systems and applications, embedding security in all layers of system design, development and operations are gaining attention from users, system owners, and designers.

This trend is especially critical in the business and government sectors working with proprietary or sensitive information.

Heavier reliance on wireless and Internet of Things (IoT) technology further complicate the security landscape. 

Users often trade privacy for convenience and voluntarily share sensitive information when using mobile devices.

Using Bluetooth to exchange sensitive information poses an alarmingly high-security risk.

However, a thoughtful approach to system design, vigilant users, and attention to security will mitigate many of the potential vulnerabilities.

bluetooth vulnerabilities

Security Challenges Using Bluetooth Technology

The Bluetooth standard is so complex that few people truly understand it. Bluetooth Special Interest Group (SIG), the governing body for Bluetooth technology, published approximately 3,000 pages of specifications.

That is about 10 times the volume published for Wi-Fi. The extensive standard offers a wide range of options for developers; however, developers may not have a proper understanding of the entire protocol resulting in vulnerabilities in their systems.

Bluetooth SIG is developing a new security audit tool that may prevent some of the more common implementation errors.

A more diligent adversary may take the time to discover a weakness.

There has been a recent increase in Bluetooth exploits.

bluetooth security flaw

A simple search in the common vulnerabilities and exposure database (CVE) shows over 300 known vulnerabilities related to Bluetooth.

Security officers are at a disadvantage because they need to anticipate every possible method by which an attacker could gain access, while the attacker only needs to find one unmitigated vulnerability.

A common vulnerability is the length of the encryption key. A short key length is vulnerable to a brute force attack and should not be used. Although the Bluetooth Core Specification now recommends 7 octets as the minimum encryption key length, some legacy devices may not have been updated or some developers may ignore this new guideline.

Given all the Bluetooth vulnerabilities that have already been discovered, there will be more to come. Organizations need to take careful measures in implementing the right technology and processes while mitigating the associated risks.

What Can You Do?

Only the right mix of technologies, partners, and culture will keep organizations secure.

Organizations must be armed with the knowledge and tactics to uphold their security posture by providing multi-facet protection addressing hardware, software, and user behaviors aspects.

Furthermore, organizations can encourage users to invest in additional cybersecurity tools under an employee’s reimbursement plans.

It’s time for organizations and users to step up their game to protect sensitive data.

Here at IT Veterans, we specialize in secure mobility and cybersecurity.

We have a number of effective, economical, and easy to use solutions to decrease risk in wireless technology implementation and improve cybersecurity posture.

If you’d like to talk about security or learn how we can help. Contact us here.

Author: Julie A. Hanway; IT Veterans Team Member

Biblio:

Doffman, Z. (August 15, 2019). New Critical Bluetooth Security Issue Exposes Millions Of Devices To Attack. Retrieved March 16, 2020, from https://www.forbes.com/sites/zakdoffman/2019/08/15/critical-new-bluetooth-security-issue-leaves-your-devices-and-data-open-to-attack/#723257764ec8

Kacherovska, D. (August 15, 2019). How Secure Is the BLE Communication Standard? Retrieved March 16, 2020, from https://dzone.com/articles/how-secure-is-the-ble-communication-standard

Martin, J., Alpuche, D., Bodeman, K., Brown, L., Fenske, E., Foppe, L., … Teplov , S. (June 16, 2019). Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol. Retrieved March 16, 2020, from https://petsymposium.org/2019/files/papers/issue4/popets-2019-0057.pdf

Newman, L. (May 19, 2019). Bluetooth’s Complexity Has Become a Security Risk. Retrieved March 16, 2020, from https://www.wired.com/story/bluetooth-complex-security-risk/

Zepeda, D. (August 1, 2019). AirDrop vulnerability can show your phone number and passwords to malicious third parties. Retrieved March 23, 2020, from https://www.imore.com/airdrop-vulnerability-can-shows-your-phone-number-and-passwords-malicious-third-parties

Common Vulnerabilities and Exposures (CVE®), The MITRE Corporation, https://cve.mitre.org/index.html. Access on 5/12/2020

veteran

by Julie A. Hanway

Julie Hanway, a former US Army linguist, has done technical writing and editing at various agencies throughout the National Capital Region for the past decade. She has worked for IT Veterans as a Technical Writer since 2018. Julie has learned a great deal about wireless technologies during her time with ITV and she is looking forward to learning more and pursuing some technical certifications.

Leave a Reply

IT Veterans, LLCHeadquarters
Providing professional services and tailored solutions that are relevant, innovative, and reliable.
Corporate Details
Main Office LocationWhere to find us?
Get in TouchConnect with us
2018 to 2022Awards
ResourcesContract Vehicles
  • GSA MAS Contract: 47QTCA20D00DY
  • NAVSEA SeaPort-NxG Contract Number: N0017821D9143
  • VA CVE SDVOSB Certified
Herndon, VirginiaHeadquarters
Providing professional services and tailored solutions that are relevant, innovative, and reliable.
Corporate Details
  • NSA Commercial Solutions for Classified
    (CSfC) Trusted Integrator
  • NAICS Codes: 238210, 541330, 541511, 541512, 541513, 541519, 541611, 541618, 561611, 611430.
  • CAGE Code: 5DNY9
  • DUNS # 830034737
  • An ISO 9001:2015 certified company 
OUR LOCATIONWhere to find us?
2018 to 2022Awards
ResourcesContract Vehicles
  • GSA MAS Contract: 47QTCA20D00DY
  • NAVSEA SeaPort-NxG Contract Number: N0017821D9143
  • VA CVE SDVOSB Certified
We are HiringCareers
Get InformedTechnology Insights
GET IN TOUCHITV Social links
At IT Veterans, we recognize the importance of providing customers with access to the right solution.