It’s likely you’ve heard of Bluetooth, the technology that allows devices to communicate wirelessly over short distances. Smartphones, phone headsets, many Internet of Things (IoT) gadgets — they’re all using Bluetooth to move and share your data.
So this is just Wi-Fi, right? Wrong. Bluetooth is a distinct technology that faces its own set of security challenges.
Nothing to see here
A big part of Bluetooth security (and cybersecurity in general) is minimizing your exposure—the bad guys can’t attack what they don’t know exists. By default, Bluetooth devices are set to “discoverable mode,” announcing their presence to anyone nearby searching for a device. So the solution is actually very simple: disable Bluetooth until it is needed, and only activate it when you’re ready to use the device.
Best practices
· Turn off your device’s discovery function until and unless you need it. You’ll find the Bluetooth options for toggling discoverable mode on/off under your device’s Settings menu.
· Be aware of your surroundings and any potential eavesdroppers when pairing your device, such as when connecting your smartphone to a Bluetooth-enabled speaker. “Shoulder surfers” can learn your password by simply watching you enter it.
· Know with what or whom you are connecting – reject all others. Do not accept requests to connect to an unknown device or add contacts to your device’s contact list from unknown sources. Once added, these devices and contacts will be treated as ‘trusted’ by your device.
· Install software updates as soon as they’re available. These often include critical security patches needed to protect your device and, more importantly, the information stored on it, from harm.
· Be extremely wary of any device that doesn’t have the capability to receive software updates. This limitation is especially a concern for the rapidly growing Internet of Things (IoT) category of conveniences.
I have the Blues…
· Have you ever received text spam? If so, you may have been “Bluejacked,” a tricky hack in which the bad guys push unsolicited messages to Bluetooth-enabled devices. Getting an annoying text message isn’t in itself a threat to your information security. Taking action on that message, however, may cause harm.
· Play it safe and refrain from clicking on a link, opening a file, or taking any other action requested in an unsolicited text message. Getting you to take an action is the message’s goal – and just the thing needed to give these bad actors access to your device.
· I know the sender, so I’m okay, right? Wrong. Even if you do know the sender, show a healthy skepticism. If the text seems out of the ordinary or is completely unexpected, stay out of harm’s way by confirming its legitimacy with the sender. Note: When exercising due diligence, do so using a different method, such as a phone call or email, which is safer than replying via text to a potentially fraudulent text message.
If you have any additional questions about protecting yourself from Bluetooth threats, contact your Circuit IT Security Officer, local IT staff, or ITSO for more information.
________________
Critical Infrastructure Protection: Detecting Non-Discoverable Bluetooth Devices – Although it is technically possible for a hacker to discover a Bluetooth device’s address through brute-force means, this would take years, and require the hacker to remain in close proximity during the effort.
How-To Geek: How to Pair a Bluetooth Device to Your Computer, Tablet, or Phone
Buzzle: What is Bluesnarfing and How to Prevent It?
Security Tip: The Internet of Things … to Worry About
Security Tip: Malware Triggers: Click with Caution!