S 4.364 Procedures regarding the disposal of Bluetooth devices

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

When Bluetooth components must be taken out of operation, all sensitive information must be deleted. In particular, the authentication information used to access Bluetooth networks and other accessible resources stored in the security infrastructure and other systems must be deleted and/or declared invalid. This means that cryptographic keys must be securely deleted and certificates for digital signatures must be blocked, for example.

A variety of devices are used as Bluetooth devices. These devices include, amongst others:

• laptops
• PDAs, smart phones, and similar devices with Bluetooth support
• Bluetooth-enabled telephones, printers, and cameras
• Bluetooth-enabled peripheral devices such as headsets, mice, keyboards, etc.

The Bluetooth functionality is typically one of a number of various other functions on these terminal devices. When taking these terminal devices out of operation, such devices must therefore be examined to determine if they contain Bluetooth information critical to security that needs to be deleted, transferred, and/or archived, e.g.:

• information on the users of the terminal device
• certificates and the corresponding private keys (for users or devices)
• information on the connected terminal devices (pairing information)
• key material of authentication methods such as keys for pairing between Bluetooth terminal devices

Suitable methods must be used to destroy, delete, or reuse the security-relevant information depending on the device and the storage method. For certificates, for example, an entry must be made in the corresponding certificate revocation list (CRL) to revoke the certificate.

If a Bluetooth device is stolen, at least all information mentioned above must be taken into account and it must be ensured that these terminal devices are no longer granted access to remaining Bluetooth devices or network structures. The best way to achieve this is to delete the pairing information about the stolen terminal devices from the remaining terminal devices.

Review questions:

• Is it ensured that the security-critical Bluetooth information is deleted when taking Bluetooth-enabled terminal devices out of operation?
• Are suitable methods for destroying, deleting, or reusing security-relevant information on Bluetooth devices present?