Enterprise Mobile Device Bluetooth Security Issues
One particular area of vulnerability for the enterprise mobile device is the Bluetooth interface. Traditionally, Bluetooth has been an adjunct communication interface used for connecting to wireless headsets and keyboards, to the smartphone integration system in cars, and to other such accessories.
More recently, Bluetooth has become a conduit for Internet connectivity using a technique called tethering that allows the mobile device to function like a “modem” through which your desktop or laptop can connect to the Internet.
All in all, the hitherto-unsung Bluetooth interface is becoming more prominent for your users. Keep in mind, however, that most device-based firewalls typically cover all IP interfaces – WLAN, GPRS/EDGE, 3G, LTE, and the like – and they may not provide specific coverage for the Bluetooth interface.
If your users fire up Bluetooth, assuming coverage while blissfully unaware of the vulnerability, they may be lulled into a false sense of security. (“Hey, the firewall on my smartphone has me covered, right?” Well, no.)
The first recommendation you may want to make to your users is, “Turn off Bluetooth.” Reality check: That’s not practical, and even less likely to be followed. But even the National Institute of Standards and Technology (NIST) took up the refrain when it issued its “Guidelines on Cell Phone and PDA Security,” recommending that the user actually “curb wireless interfaces.”
The idea was for users to turn off any interface they weren’t using until those interfaces were actually needed. Here’s another reality check: The majority of your users most likely favor the convenience of “always-on” interfaces. They’d rather not go through the trouble of turning those things on and off “as needed,” and that’s unlikely to change. Clearly you need a more pragmatic solution.
Optimistically, it’s only a matter of time until Bluetooth interface security shows up among the features that on-device firewalls offer. Until that happens, you can include a Bluetooth-specific firewall, in addition to the on-device firewall, as part of your recommendation. For instance, Fruit Mobile offers a firewall for Android devices that protects specifically against Bluetooth attacks, as shown here in the figure.