Darcy Keith
Sun
Bluetooth headsets are appealing because of their ease of use – but they pose security risks.
When gadgets want to speak to each other these days, they can do it in secret.
Bluetooth, a wireless technology that connects all manner of electronic devices, has become ubiquitous in our daily lives and has made life more convenient and less cluttered.
But this no-wires-attached world has cybercriminals plotting to listen in. They are ready to turn it into a pathway to your bank account or other sensitive information.
Bluetooth has taken a big bite out of the global wireless market in recent years, with an increasing number of consumer products using the short-range radio frequency technology.
Providing a life free of annoying wires and cords, Bluetooth is available on everything now from desktops, printers and automobiles to cellphones, personal digital assistants (PDAs) and mobile computers.
Just look around, and you will probably find someone talking on one of those headsets with the blinking bright blue LED light — the telltale sign of a mobile phone that doesn’t require any hand-holding thanks to Bluetooth.
But as the popularity of Bluetooth increases, so does its interest to identity thieves hungry to get personal information either being transmitted online or stored on your mobile device.
Many security issues involving Bluetooth centre around mobile devices, such as cellphones and PDAs, in part because they can now hold a great deal of this sensitive information.
“Mobile device security in general, in my opinion, isn’t really getting an appropriate amount of attention,” Ollie Whitehouse, security response researcher for Symantec Corp., the world’s biggest security software maker, said in an interview from London. “There are people downloading more sensitive information to mobile devices that may have things like their credit card numbers. However, people rarely treat them with the same respect, or as seriously, as say their house keys. Yet potentially the data on the device is just as important, and the impact of losing it and misuse is potentially just as high.”
Security threats to Bluetooth emerged a few years ago, and it didn’t take long for the attack jargon to arrive. There is Bluesnarfing, which involves secretly obtaining sensitive information such as address books and e-mail from user devices; Bluejacking (also known as Bluespamming), where an unauthorized individual sends a text message or file anonymously from one Bluetooth device to another, and Bluebugging, or the theft of mobile-phone commands using Bluetooth technology without notifying the device owner.
Bluebugging is a key concern because it allows the hacker to do such things as initiate phone calls, send and receive text messages, eavesdrop on phone conversations and connect to the Internet. Imagine if a hacker sends a text message warning of a bomb threat, and it looks as though the sender was you. There is even the potential for an intruder to place a virus on your handheld device, wreaking the same kind of havoc it would have on your computer.
But Mike Haro, senior security analyst with IT security company Sophos, notes that the security threat arising from Bluetooth use in cellphones and PDAs is still at the “proof of concept stage.” Actual cases of identity theft have been hard to find.
“Everything we’ve seen to date has been examples of ways in which Bluetooth can be exploited or how any infection could be spread via handset. . . . We haven’t seen anything that’s actually been largely propagated in the real world.”
To reduce your risk of identity theft, experts recommend turning off the “discoverable” mode of your Bluetooth cellphone or PDA, which sends a signal indicating it’s looking to pair with another Bluetooth gadget to transmit data. When left on, an attacker could detect the signal and attempt to pair with your device for the purpose of stealing your personal identification number. That’s when the real troubles begin, because with that PIN in hand, that attacker could retrieve all sorts of stored information.
To further minimize your risk, it’s recommended that you use a good PIN code, at least five digits long, that’s harder to crack. And perhaps more simple yet, avoid storing sensitive data such as your social security and credit card numbers.
