S 3.80 Raising awareness for the use of Bluetooth
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator, IT Security Officer
When devices with Bluetooth interfaces are operated, the IT Security Officers and the security management should familiarise themselves with the basics of Bluetooth. An overview of the basic terms of Bluetooth is included in safeguard S 3.79 Introduction to basic terms and functional principle of Bluetooth.
Training administrators
The administrators of devices with Bluetooth interfaces should possess both practical and theoretical knowledge. They should be trained on the following topics, amongst others:
- overview of security aspects for Bluetooth,
- typical threats with Bluetooth devices,
- operating modes, establishment of connection, authentication and protection of Bluetooth communication,
- selection of suitable security mechanisms for Bluetooth operation,
- configuration and testing of Bluetooth components, and
- security-relevant Bluetooth configuration parameters.
Raising the awareness of users
The users of devices with Bluetooth interfaces should also become acquainted with the functional principles and secure operation of Bluetooth components. The meaning of the security settings and why they are important must be explained to the users in detail. In addition, they need to be informed of the threats that result from bypassing or disabling these security settings for the sake of convenience or to reduce the number of annoying warning messages. By raising the users' awareness of specific threats, it is possible to achieve proper operation of the Bluetooth components and security settings.
The use of PINs as the basis for authentication and encryption is a problem in the practical use of Bluetooth. Typical behaviour of the users when assigning PINs has often resulted in attacks in the past. Here, Secure Simple Pairing provides a remedy. In particular, the numeric comparison method makes secure use of Bluetooth possible, as it does not require strong passwords selected by the users.
Protection of communication via Bluetooth cannot be enforced technically; it remains a duty of the user, even with the current procedures. For this, secure configuration and reasonable use of the technology are most important.
The contents of the training programme must always be adapted to the corresponding operational scenarios. Web-based, interactive training programmes on the intranet could also be used for this purpose. In addition to receiving training on Bluetooth security mechanisms, the employees should also be given a copy of the corresponding security policy of their institution.
Review questions:
- Are the administrators prepared to handle the Bluetooth components, and in particular, have they received training in aspects related to security?
- Are the users familiar with the Bluetooth security mechanisms?