Bluetooth security 'crisis' looming

Security experts have warned of the need to take care as new Bluetooth devices with a transmission range of up to 100 metres arrive.

Security consultant @stake believes that devices conforming to the latest Bluetooth standard represent a potential crisis similar to the introduction of wireless local area networks based on the 802.11b Wi-Fi standard.

The firm expects that Class 1 Bluetooth will appear on everything from laptops to mobile phones, allowing hackers to gain access to sensitive information.

Ollie Whitehouse, director of security architecture at @stake, said in a statement: "With this class of device, wireless transmission of information leaves the office environment and travels anywhere an employee does.

"This means that third parties can access information without penetrating the physical security of an office or dealing with the problems of circumventing existing network security.

"The onus really is on vendors to ensure that all devices are optimised for security before they are put in the hands of customers."

In a recent white paper, @stake warned that even non-discoverable devices still respond to direct name and service enquiries and are therefore open to detection and attack.

Other common problems identified include Windows 2000 hosts configured to connect to all Bluetooth devices, and Windows registries that retain details of all devices to which they have been connected.

Another potentially serious problem centres on mobile phones that retain pairing information details when Sim cards are swapped.

This means that a third party that has access to a phone for even a few minutes can place a bond on it and use it as a platform for future attacks.

"The very real risks of Bluetooth will only multiply as adoption increases and the drivers vary from their default configurations," said Whitehouse.

"Many vendors release Bluetooth products with a best effort approach to security that can only compromise the integrity of the information held on those devices.

"Vendors should understand these issues and risks and develop mechanisms for delivering security out of the box. While it is not a time to panic, it is certainly a time to act."