By Dimitri Vlachos, VP of Marketing, Pwnie Express
Bluetooth technology was originally designed for continuous, streaming data applications –
essentially, it was intended to replace wires to create the possibility of a Wireless Personal Area Network.
The (then new) technology added a digital layer in many consumer and industrial applications and has since become incredibly widespread.
Bluetooth is now a standard feature in most phones, cars and computers, and becoming
increasingly included in a variety of other devices. With the introduction of Bluetooth Low
Energy, devices that are considered a part of the Internet of Things – like smart door locks or soccer balls – are now using Bluetooth technology.
Though Bluetooth Classic and Bluetooth Low Energy share a name and a wavelength, they are fundamentally different technologies. While most consumers don’t realize that their Bluetooth headphones and their Bluetooth light bulbs function differently, they do understand that products with the stylized B symbol can be controlled with their phones.
This has contributed, in part, to the widespread adoption of BLE as an IoT protocol. Instead of learning an entirely new system, consumers just need to use the Bluetooth functionality on their phone or computer to control the cornucopia of devices using Bluetooth technology.
These devices are being used across all industries – healthcare, athletics, energy, home, and more. The Bluetooth Special Interest Group has even defined several BLE/Bluetooth Smart “profiles” for compatibility within different applications.
These include everything from blood pressure and glucose monitoring to calculating a runner’s speed and cadence profile. New devices have included BLE in everything from health monitoring services to the ability to assess environmental conditions.
This widespread adoption of Bluetooth technology has not only led to cheap hardware and
consumer adoption, but also criminal adoption. Not only is Bluetooth being added to consumer devices such as shoes and water bottles, but it is also being added to criminal devices such as credit card skimmers.
The same ease of use offered by consumer Bluetooth devices is now very common in criminal devices.
Unfortunately, the widespread adoption of Bluetooth functionality also comes with the
prevalence of Bluetooth security risks. Far too little has been done over the years to ensure the security of a Bluetooth connection.
Some examples of Bluetooth security risks are Man in the Middle attacks (intercepting and then changing commands), identity tracking, intercepting information, disruption of a device’s operations, and passive eavesdropping.
While most people think your heart rate or music preferences aren’t that important, best
practices for Bluetooth security should always be engaged, as eavesdropping (or unauthorized filming) could happen during an important, or secure, phone call made through an older Bluetooth speaker.
In fact, though the Internet of Things is striving towards making our everyday life easier, there is an ever-growing presence of the Internet of Evil Things.
The Internet of Evil Things is a very real threat. In fact, the UK Government has banned Apple Watches from Cabinet meetings out of fear that they will record the room audio, track GPS coordinates, or even monitor heart rates and be used as a crude lie detector.
As more and more capable devices are woven into people’s daily lives, there is more and more risk associated with the vulnerabilities of those devices.
Some of Bluetooth’s vulnerabilities have already been demonstrated, and while not all may
seem dangerous, each provides another example of extra connectivity that resulted in
As many know, cars have been hacked into, proving that insecure Bluetooth functionality will provide hackers with another beachhead in the future. Bluetooth Smart locks, which are meant to keep homes and businesses secure, have also been revealed to be easily penetrable.
Securing Bluetooth connections should be like securing any kind of device or network – first and foremost, the protocol should be secure. However, you can still open yourself up to vast risks if you aren’t carefully implementing your Bluetooth technology.
The best security against Bluetooth vulnerabilities is simple: keep your devices up-to-date.
Bluetooth 4.2 is more protected than previous versions, however, only further updates will be able to protect against vulnerabilities as they crop up.
Another piece of advice is to take connected devices out of discoverable mode and to be wary of any unknown devices you pair with.
In addition, configuration and standard protections are extremely important when it comes to Bluetooth. Never leave your device in its default configuration – that is probably the easiest way to allow a hacker to break into your device.
Also, take advantage of the security features that exist on your device. Is encryption optional?
If so, be sure to turn it on. Enable PINs when connecting to your device, and make sure you choose a strong one that you have never used before.
Lastly – and perhaps the most obvious piece of advice – don’t download any suspicious files.
Though Bluetooth and BLE are increasingly adopted across all verticals, the security industry has lagged behind.
Current network security tools focus almost exclusively on standard wired ethernet networks, often ignoring wireless networks and Bluetooth devices.
Following Bluetooth best practices certainly help, but businesses need to be aware and have the visibility and control over the devices – all of the devices – that are in their environment.
About The Author
Dimitri Vlachos brings over 15 years of marketing leadership in both
startups and established corporations to Pwnie Express.
Most recently he served as VP of Marketing at ObserveIT where he was
responsible for scaling demand generation and establishing the company
as a leader in Insider Threat management.
Before ObserveIT, he served as VP of Marketing and Products at Riverbed Technologies, where he was responsible for all marketing and products across the $250M performance management business unit. He has also held roles at Mazu Networks (acquired by Riverbed), Cisco, and BBN (acquired by GTE). Dimitri is a graduate of Bucknell University and can be reached online at firstname.lastname@example.org, @DimitriVlachos, or http://www.pwnieexpress.com