Bluetooth security… Some consider it an oxymoron, like ‘global intelligence community’ or ‘offshore support’, while others recognize Bluetooth’s flaws and understand their causes. Whichever side of the fence you are on, it is fair to observe that Bluetooth has its issues and that its security vulnerabilities are now being exploited by attackers seeking access to data.
The rise of the Internet of Everything (IoE) hasn’t helped matters and has ensured that Bluetooth-enabled devices now number in the billions: fitness bands, headsets, keyboards, sensors and other connected devices such as hair straighteners. The benefit of a Bluetooth hair straightener lies beyond the scope of this article, but TechCrunch reported that one such product is easily hacked, with a manufacturer fix pending at the time of writing and the last app update released more than a year earlier. Granted, such a device cannot give access to proprietary data, but it could be used to cause a fire, for example by overriding the maximum temperature setting or altering the timer to ensure burn damage. Clearly, any product that introduces risk (to data or otherwise) needs security built in.
When so many devices are Bluetooth-based, how can users ensure optimal security? How come device manufacturers fail to incorporate key security features available in the Bluetooth protocol? What steps are being taken to force a higher security awareness?
Bluetooth is essentially a short-range wireless protocol that connects two devices in close proximity; the official 5.0 standard claims ranges of up to 800 feet for Low Energy, some four times that of Bluetooth 4.2. However, attackers can extend these ranges considerably using high-gain directional antennas, so ‘out of range’ is not a security boundary. Bluetooth is universal across smartphones, tablets and laptops, and newer versions are backward-compatible with earlier ones, a convenience that also keeps older, weaker pairing modes in circulation.
Features include data transfer, voice communication, messaging, encryption and more. Bluetooth Low Energy (BLE) saves power, no surprise there. PCs can use Bluetooth too, usually through a USB dongle since few desktop motherboards have it built in; examples include keyboards, headsets and graphics tablets, all of which operate in the 2.4 GHz band, the same one Wi-Fi uses. Smart buildings, cities and even the auto industry (your vehicle’s infotainment system) all use Bluetooth to some extent. In essence, we cannot escape it, but we should demand more security by default.
It’s Happened Before And Will Again
Rather than dwell on my own opinions, let’s review some from the experts:
Firstly, Bruce Schneier, one of my favorite security advocates, pointed out in September 2017 (around the time of the BlueBorne attack) that, “Bluetooth offers a wider attacker surface than Wi-Fi, is almost entirely unexplored by the research community and hence contains far more vulnerabilities.” He went on to say that Bluetooth also introduces vulnerabilities to ‘air-gapped’ networks, which could jeopardize industrial systems, government agencies, and critical infrastructure. Makes sense, doesn’t it? Note that with BlueBorne, no user intervention was necessary: no pairing and no prompt to accept. It exploited vulnerabilities in the devices’ own Bluetooth stacks, so a target merely had to have Bluetooth switched on, not even discoverable.
Of course, proximity to the target device is also necessary, but once close enough, an attacker with the right tools can compromise it. Search for ‘Bluetooth hacking tools’ in your preferred search engine and a viable list is returned.
In 2019, Security Dive reported on some newer Bluetooth attack techniques, such as BtleJacking (jamming an established BLE connection and taking it over) and Bleedingbit (exploiting flaws in BLE chips embedded in enterprise Wi-Fi access points). Yevgeny Dibrov, Armis CEO, in the same article, called Bleedingbit a wake-up call for enterprise security.
The auto industry did not escape either: the CarsBlues attack, which retrieves personal data such as contacts and call logs left behind in infotainment systems, affected millions of vehicles worldwide.
Bluetooth attacks are traditionally broken down into three basic categories:
Bluejacking - unsolicited messages (typically a contact card pushed over OBEX) sent to nearby discoverable devices; think of it as spam for mobile
Bluesnarfing - unauthorized retrieval of data (contacts, calendar entries, messages) from a device using software that requests it over Bluetooth
Bluebugging - a takeover of a nearby device in discoverable mode, giving the attacker control such as placing calls or sending messages
It’s worth mentioning that these attacks can largely be prevented if users keep firmware and OS updates installed AND turn Bluetooth off when not in use, OR at least ensure that the device is not visible to others by setting it to non-discoverable. One caveat: non-discoverable mode does not stop BlueBorne-class flaws in the stack itself; only patching, or powering the radio off, addresses those.
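The settings above (radio on, discoverable, accepting pairing) are exactly what an administrator should audit on a Linux host. The following script is an added example, not part of the original article: it parses the output of BlueZ’s `bluetoothctl show`, flags the insecure states and prints the `bluetoothctl` commands that close them. The sample adapter output is constructed, not captured from a real machine, and the severities assigned are the author’s assumption.

```python
"""Audit a Linux (BlueZ 5.x) Bluetooth adapter for the settings the
article warns about: powered on while unused, discoverable and pairable.
Added example; parses `bluetoothctl show` output, which BlueZ prints as
tab-indented `Field: value` lines (timeouts are shown in hex)."""
import re
import shutil
import subprocess

# Constructed sample of `bluetoothctl show` output (NOT from a real host).
SAMPLE_OUTPUT = """\
Controller AA:BB:CC:DD:EE:FF (public)
\tName: workstation
\tAlias: workstation
\tClass: 0x006c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
\tDiscovering: no
"""

# Only the fields that matter for this audit.
FIELD_RE = re.compile(
    r"^\s*(DiscoverableTimeout|Discoverable|Pairable|Powered):\s*(\S+)", re.M
)


def parse_adapter_state(text):
    """Return {'Powered': bool, 'Discoverable': bool, 'Pairable': bool,
    'DiscoverableTimeout': int seconds (0 = never expires)}."""
    state = {}
    for key, value in FIELD_RE.findall(text):
        if key == "DiscoverableTimeout":
            state[key] = int(value, 16) if value.startswith("0x") else int(value)
        else:
            state[key] = value.lower() == "yes"
    return state


def audit(state, adapter_in_use=False):
    """Return findings as (severity, tag, message) tuples, worst first
    within each category. Severities are assumed, not from any standard."""
    findings = []
    if state.get("Powered") and not adapter_in_use:
        findings.append(("medium", "powered", "adapter powered on while not in use"))
    if state.get("Discoverable"):
        timeout = state.get("DiscoverableTimeout", 0)
        if timeout == 0:
            findings.append(("high", "discoverable",
                             "adapter is discoverable with no timeout (permanently visible)"))
        else:
            findings.append(("medium", "discoverable",
                             f"adapter is discoverable (expires in {timeout} s)"))
    if state.get("Pairable"):
        findings.append(("medium", "pairable", "adapter accepts new pairing requests"))
    return findings


def remediation(findings):
    """Map each finding to the bluetoothctl command that closes it."""
    fixes = {
        "powered": "bluetoothctl power off",
        "discoverable": "bluetoothctl discoverable off",
        "pairable": "bluetoothctl pairable off",
    }
    return [fixes[tag] for _, tag, _ in findings]


def audit_live_adapter(adapter_in_use=False):
    """Run the audit against the local adapter, or return None if
    bluetoothctl is not installed (e.g. non-Linux or no BlueZ)."""
    if shutil.which("bluetoothctl") is None:
        return None
    out = subprocess.run(["bluetoothctl", "show"], capture_output=True,
                         text=True, timeout=10).stdout
    return audit(parse_adapter_state(out), adapter_in_use)


if __name__ == "__main__":
    findings = audit(parse_adapter_state(SAMPLE_OUTPUT))
    for sev, _, msg in findings:
        print(f"[{sev}] {msg}")
    for cmd in remediation(findings):
        print("  fix:", cmd)
```

Run it as-is to see the constructed sample audited; call `audit_live_adapter()` on a BlueZ host to check the real adapter. A `DiscoverableTimeout` of zero is the worst case because the adapter never stops advertising itself; the script reports that as high severity and a finite timeout as medium.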
Security researchers are constantly finding new vulnerabilities, some of which may already be in use by dedicated attackers, and users themselves are often powerless against them. The latest expose users to third-party tracking and data access on Windows 10, iOS and macOS; Fitbit and Apple Watch users are also affected. At the time of writing, no related attacks have been reported in the field.
What Can Users Do To Improve Security?
In many cases, a device user cannot control the security level of the device: pairing may be automatic (the ‘Just Works’ mode, with no authentication at all) or require a four-digit PIN, for example, while other devices require a multi-stage process before pairing completes. Security, encryption and other settings are typically fixed by the manufacturer, and their choices are generally linked to the type of device involved and their perception of the applicable risk.
If you take two companies, one a specialist in kitchen appliances and the other a maker of wireless peripherals, which one will have more expertise in IT security? Which one will provide regular updates to users as vulnerabilities are identified?
The tendency to make everything smart has its drawbacks when the device manufacturers themselves lack the smarts to incorporate security by design. The hardware modules (supplied by Bluetooth chipset manufacturers) are fully configurable, and so is the software stack. Between the two, it is possible to secure any Bluetooth device properly. Yet smart locks, security systems and other devices are often less secure than their dumb counterparts. This can’t be right. The bad news is that for around $200 in hardware, any wannabe thief can start a criminal business hacking locks in the area.
What can users do about it? Not a damn thing, apart from avoiding insecure devices. Okay, so we know the problem is there. Who CAN help force compliance with the desired security levels?
Get The Finger Out And Get Pro-Active
IT pros often dread Microsoft updates, and the June update is a perfect example of forcing better security: it intentionally prevents some Bluetooth devices, those Microsoft identified as using insecure encryption, from connecting to Windows 10. Personally, I think it’s a good idea for the OS to check a device against a blacklist of insecure firmware versions and refuse to work with it if unsuitable. I’m perfectly okay with that. Other platforms take the same approach. Sure, it means upgrading hardware in some cases and applying a patch in others. A small price to pay in the interest of security.
However, rather than blaming all manufacturers for security lapses, given that some are likely startups merely seeking to add Bluetooth to devices in their core area of expertise, why not force compliance through the organization that monitors Bluetooth licensing and trademark usage? This is, of course, the Bluetooth Special Interest Group (SIG), a not-for-profit organization that changed its licensing model in February 2014. Before that time, OEMs using SIG-approved Bluetooth modules incurred no licensing cost for products built on those modules, with the entire process handled by the module manufacturers, who themselves did not agree with the change. Under the new structure, everyone seeking to promote products as Bluetooth-enabled must join the SIG. It’s free to join. Big deal! Products must be qualified, and the qualification fee is $8,000. This applies to each product line, whether a new, changed, reused or rebranded Bluetooth product. The $8,000 fee can be reduced to $4,000 by becoming an associate member (a minimum annual membership fee of $7,500 applies). If your company makes more than $100 million a year, then you can pay $35,000. A bargain at any price, isn’t it?
Considering that there are more than 35,000 members at the time of writing, and a variety of fees charged throughout the development process, is it unreasonable to expect the SIG or its test centers to verify, support or enforce the security appropriate to a device’s purpose and risk potential? After all, if the products are unapproved, we shouldn’t be using them anyway. Maybe it’s worth asking them, or devising a replacement standard that meets expectations without the corresponding fees for manufacturers.
To sum up, Bluetooth has its issues, but user awareness can close off many attack vectors. Device manufacturers are indeed at fault in some cases but could do with more proactive support, especially if wireless communication is not in their skillset. Given the fees charged to everyone involved for licensing, the SIG needs to get involved in maximizing the security options for all Bluetooth products. Perhaps Bluetooth’s ubiquity is making them complacent.
In the meantime, it’s best to select smart or Bluetooth products based on brand experience, and only if you really need them. Consider potential security issues by choosing recognized companies only, and avoid cheap alternatives. Makers of a smart dog bowl are unlikely to be well-versed in fine-tuning Bluetooth security settings. OR maybe the changing Bluetooth standards and OS updates are just another means of forcing users to upgrade based on perceived security threats. These and other conspiracy theories can be found online. I write some of them…