
Lapse security bites Bluetooth users

10th May 2007

Businesses are still leaving themselves wide open to criminal activity by failing to adequately protect Bluetooth devices from hackers.

Warnings of activities such as ‘bluesnarfing’ and ‘bluebugging’ have been prevalent among security experts for years after reports that up to two-thirds of companies risk wireless data being stolen or compromised from mobile devices.

But a recent report from financial adviser Grant Thornton reveals that as the use of employee mobile phones, laptops and hand-held devices such as Blackberries or PDAs increases, so does the need for better protection against fraudulent activity, especially as most companies do not even realise security has been compromised until it’s too late.

“There are a number of very simple precautions that can be undertaken to ensure that the likelihood of an attack is minimised, such as disabling the Bluetooth signal on your device when it’s not in use,” said John Dunne, IT security manager with Grant Thornton’s risk management services practice.

“Most devices have encryption settings but they can be easily cracked with tools and techniques that are readily available on the internet. Businesses need to think very carefully about the information they store on a phone or PDA.”

The main risk areas are Bluetooth pairing attacks, where an attacker gains full access to the memory content of the device at the first point of communication and uses the PIN code to become a trusted device; bluesnarfing, where a hacker gains access to phonebook and calendar information and can divert calls to their own phone; and bluebug attacks, where the hacker has full access to the device and can initiate calls or texts from the victim’s phone.

“Take the example of [celebrity heiress and socialite] Paris Hilton. Her mobile phone contents ended up on the internet after a bluesnarf attack on her phone. If you were a business involved in M&A activity, the last thing you would want is someone finding out who you had been in contact with over the past few weeks,” explained Dunne. “If this information is made publicly available it could do incredible damage to your firm’s reputation, let alone cause the deal to collapse.”

IT expert and AccountingWeb contributor Stewart Twynham also points out that one of the biggest threats from Bluetooth is the fact that most people leave mobile phones and laptops in ‘discoverable mode’ so that other Bluetooth devices can see them for the purpose of pairing. Not only is it a magnet for Bluetooth attacks, it also helps thieves identify and locate the devices being used nearby worth stealing.

“The greatest number of security breaches still come from the targeting of vulnerabilities rather than individuals or companies. Except for some very high profile cases, most attacks are opportune and simply involve waiting for the next vulnerable target.”

Twynham advocates training staff in the security dangers of using mobile devices and having the right technical framework in place to protect sensitive data. He also warns that businesses need to know exactly where sensitive data is stored and processed.

Steve Cornmell, a partner specialising in fraud investigations within Grant Thornton’s forensic and investigation services, added: “Awareness is the key issue. You have to keep passwords secret, keep changing them and don’t use common words that people can use password cracking software to break.

“There is software you can use to help identify when attacks are happening. But when people transfer data on infrared links or through wireless connections, they need to password protect individual files as well as the network so that even if someone recognises the network they can’t get in to have a look around.”
