S 2.463 Use of a central pool of Bluetooth peripheral devices

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: User, Administrator

Some terminal devices are not equipped with a Bluetooth module in their default configuration or their Bluetooth modules do not comply with the current Bluetooth specification. In order to equip such terminal devices with a state-of-the-art Bluetooth technology in the short term, it may be helpful to set up a central pool of Bluetooth peripheral devices. Different Bluetooth devices can be managed in this pool. Starting with Bluetooth mice and keyboards, via GPS receivers able to communicate to a Bluetooth terminal device using Bluetooth, right through to Bluetooth adapters (as USB stick or as plug-in card for laptops) providing a terminal device with the option of using Bluetooth.

The fact that a Bluetooth adapter is always required in order to be able to use this radio technology must above all be taken into consideration for Bluetooth keyboards and mice. Using this Bluetooth adapter, a terminal device can generally be identified as a Bluetooth device and its configuration must be correspondingly secure. Apart from that, the recommendations of safeguard S 4.254 Secure usage of wireless keyboards and mice must be taken into consideration when using Bluetooth keyboards and mice.

A large number of products communicating via Bluetooth are also available in the market. When the Bluetooth security features are implemented and configured correctly, Bluetooth generally offers a higher level of protection than radio systems using a proprietary technology. However, it must above all be ensured that a sufficiently long key is used for the Bluetooth connection for keyboards. Moreover, the input devices must comply with the Bluetooth specification 2.1 + EDR, since this specification allows for the so-called Simple Secure Pairing (see S 4.362 Secure configuration of Bluetooth) providing increased security for the Bluetooth connection and making key-logging attacks more difficult.

All Bluetooth devices contained in the pool should meet the criteria defined for the organisation by the recommendations in safeguard S 2.462 Selection criteria for the procurement of Bluetooth devices.

When issuing the Bluetooth devices, the respective users must be informed of the proper use of the Bluetooth device and the related security functions. For this, an overview sheet containing the security instructions for using Bluetooth must be drawn up that should also include installation instructions and instructions of use for the Bluetooth terminal device. Furthermore, it must be documented who borrowed which Bluetooth device at what date and time and which purpose the device is to be used for. The receipt of the Bluetooth device must be confirmed by the user with his/her signature. The signature of the user furthermore confirms that the user is familiar with and will adhere to the security instructions for using Bluetooth. The return of the Bluetooth device must also be documented on the form.

It may possibly be advantageous to merge the central pool for Bluetooth devices and any existing pool for mobile phones and to integrate the Bluetooth device into the latter (see S 2.190 Setting up a mobile phone pool). Today, many mobile phones are equipped with Bluetooth by default so that the same security settings must be performed on mobile phones as on other Bluetooth devices as a consequence.

Review questions:

• Are Bluetooth devices from central pools reset to the factory settings when returned?