S 2.461 Planning the secure use of Bluetooth
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Bluetooth may be used in various scenarios due to the many available application profiles. Therefore, the secure use of Bluetooth requires careful prior planning within the organisation. The organisation's strategy regarding Bluetooth has to be defined, as well as the extent to which the individual functions and application profiles are to be used.
Basically, there are two types of Bluetooth devices:
- End devices with Bluetooth functions (Bluetooth end devices), such as mobile phones, smartphones, laptops, etc.
- Peripheral devices with Bluetooth functions (Bluetooth peripheral devices), such as mouse, keyboard, headset, etc.
Bluetooth end devices usually provide all functions of the Bluetooth specification, and the implemented security functions may be used freely. Bluetooth peripheral devices extend Bluetooth end devices with their particular functions. However, they can usually use the existing security functions only in a limited way. Bluetooth peripheral devices generally use individual application profiles of the Bluetooth end devices.
The purpose of Bluetooth peripheral devices is usually defined by their design. A Bluetooth headset for example may only be used for verbal communication and a Bluetooth keyboard only serves as an input device. The end devices, however, offer multiple possibilities of use. For example, a mobile phone may serve as a modem for a laptop using Bluetooth or data may be exchanged between two Bluetooth end devices.
Therefore, the purpose of Bluetooth devices inside and outside of the organisation needs to be considered. In the next step, the areas and conditions for the use of Bluetooth have to be defined. For example, in areas of the organisation where business-critical information is processed, no Bluetooth input devices should be used, because the keyboard input could be recorded using keylogging attacks. Therefore, there has to be a clear definition of which Bluetooth functions may be used in which areas of the organisation. Even if the use of Bluetooth is prohibited within certain spatial areas, there may still be devices with Bluetooth interfaces in these areas. To prevent them from being contacted from the outside, either the Bluetooth interfaces of these devices have to be disabled, or it has to be prohibited to take devices with Bluetooth interfaces, such as mobile phones or PDAs, into these areas.
Furthermore, a decision regarding the security functions to be used has to be made in order to secure the Bluetooth devices and the communication between two Bluetooth devices (see S 3.79 Introduction to basic terms and functional principle of Bluetooth). This decision forms the basis of the secure configuration and operation of Bluetooth devices (see S 4.362 Secure configuration of Bluetooth and S 4.363 Secure operation of Bluetooth devices). Additionally, there have to be rules describing what has to be observed when using Bluetooth devices and their security functions.
The conditions for the use of Bluetooth have to be included in the security policy of the organisation.
The following points are important for the secure operation of Bluetooth devices and the devices connected to them:
- The method of operation and technology of the wireless communication system used must be completely understood by those responsible for its operation.
- The security of the technology used should be evaluated regularly. Likewise, the security settings of the end devices used (e.g. mobile phones, laptops, PDAs) have to be examined regularly. Security-related patches and updates have to be installed as quickly as possible.
- It must be determined whether the use of Bluetooth is permitted or prohibited. For example, it may be reasonable for security reasons to prohibit the use of Bluetooth with professional IT devices in general or in certain areas.
- To protect the transmitted data, specifications must be devised that deal with, among other things, the selection and configuration of adequate encryption and authentication methods as well as with key management.
Security instructions for Bluetooth use
The users have to be provided with simple and clear security instructions for Bluetooth use. These have to explain the users' responsibilities in Bluetooth use, the security-relevant settings of Bluetooth devices, which settings may or must be specified by the users, and which settings have to be specified by administrators. In addition, they have to define what kind of data may be transmitted via Bluetooth.
Many devices used by end users such as mobile phones or PDAs are equipped with Bluetooth interfaces that are usually enabled by default. There have to be clear rules on whether these Bluetooth interfaces may be used and if so under what conditions.
To prevent overloading users with too many details, it may make sense to create a separate Bluetooth user policy. In this case, the user policy should contain short descriptions of the special aspects related to Bluetooth usage, for example:
- under what conditions Bluetooth components may be used,
- how to correctly install and use Bluetooth end devices,
- what steps must be taken if it is suspected that a Bluetooth component has been compromised, and in particular, who needs to be notified in this case.
The security of Bluetooth connections greatly depends on the quality of the Bluetooth passwords used. Therefore, the passwords have to be carefully selected and users and administrators have to be made aware of their importance (see S 3.80 Raising awareness for the use of Bluetooth).
It is also important to clearly describe how security solutions on the client side are to be handled. This includes, for example, the rule that security-related configurations may not be changed by users.
In addition, the user policy should contain a clearly stated ban on connecting unauthorised Bluetooth components. Furthermore, the policy should specify which information may be transmitted via Bluetooth and which may not, especially where classified information and materials are concerned. The users have to be made aware of the Bluetooth threats and of the contents and consequences of the Bluetooth policy.
Review questions:
- Is there an up-to-date security policy for the use of Bluetooth?
- Are there documented framework conditions for the secure use of Bluetooth?