Security in a Mobile World — Is Bluetooth the Answer?


Computers & Security, 19 (2000) 321-325

Richard Barber, Articon-Integralis, Theale House, Brunel Road, Theale, Berkshire, RG7 4AQ, UK.

Richard Barber, group technical advisor of Articon-Integralis, looks at the evolution of tele- and data-communications systems and assesses the potential advantages for mobile security offered by technologies like Bluetooth.

0167-4048/00$20.00 © 2000 Elsevier Science Ltd. All rights reserved.

Huge strides have been made in terms of increasing telecommunications bandwidth in recent years. But building security specification into communications standards was almost an afterthought until the last couple of years.

In the circuit switched world GSM brought us 9600 bits per second (bps) mobile telecommunications. Symbol encoding increased this to 14 400 bps and more recently in Northern Europe, a form of ISDN for GSM has doubled this to 28 800 bps. The ETSI standard for High Speed Circuit Switched Data (HSCSD) has provided for data rates up to 57.6 kbps based on channel bonding techniques. Typically it will allow up to 4 channels in various configurations with the data intensive downloads from the Internet used in a ‘three down one up’ arrangement. Enhanced Data Rates for Global Evolution (EDGE) is a further advance bringing higher bandwidth based on higher symbol rates from 14.4 kbps to 57.6 kbps. EDGE together with HSCSD would allow up to 230 kbps.

Despite clear benefits, this brings fresh concerns for security professionals as these bandwidth increases only serve to grow the number and potential ferocity of Denial of Service attacks on corporate systems via mobile devices. Increased capacity also serves to increase the power of the weapon that the hacker has at his disposal. It means that these attacks can be launched with incredible speed and great complexity from a mobile device that is itself more difficult to trace. It is one thing to deploy DDoS attacks from wired machines but quite another to launch the same attack from a larger number of mobile devices. Of course, this pre-supposes that the new generation of mobile devices (a combination of GSM and computing devices) will have the necessary capability to achieve this. Given the pace and acceleration of computing power this does not seem far-fetched at all, especially in the light of demonstrations by various vendors at CeBIT this year.

All of the above refers to the traditional circuit switched world (the so-called wired world). This is the traditional approach of the telecommunications network. However, in the packet switched world, the traditional environment for data communications, the issues are a little different. The General Packet Radio Services (GPRS) standard has been demonstrated for a while now and should be with us within six to twelve months depending on which sources you listen to. GPRS brings IP-based connectivity and services to the mobile world. This technology provides for an ‘always on’ (i.e. non-dialled) connection at data rates of around 170 kbps in any given cell. The initial tests indicate it will provide a shared bandwidth service with the available bandwidth being distributed between users in a given cell, so performance may be impacted by population density and the volumes of data being transferred.

The next move is to combine EDGE with GPRS. The so-called eGPRS would probably eliminate any bandwidth concerns as it should push capacity to 680 kbps per cell. The key mobile players in this area — Ericsson, Nokia and Motorola — have already publicly demonstrated speeds of 384 kbps at CeBIT this year using this technology. With the next step, third generation mobile devices or 3G and UMTS, we can expect 384 kbps and 2 Mbps per device respectively. It may seem unlikely that mobile devices will be capable of 2 Mbps but judging by the way technology is moving and with a timescale that doesn’t see 3G until 2002, it is entirely possible.

But what security concerns does this raise? The scenario we have is one of future mobile devices with large bandwidth and laptop level computing capability. Put this together with advances in operating systems, Java and Jini and we have a world with mobile devices and very mobile code. Concerns about security then increase in the mobile world because the dangers of mobile code are suspected to be enormous. One piece of malicious code can be implemented in one place and it will execute somewhere else, rendering it difficult to identify and secure. More about this later.

Baltimore Technologies’ Telepathy product does provide an extra layer of security by using WTLS-based certificates, thus allowing the encryption of WAP connections using its UniCERT PKI certificate authority. This brings SSL-type encryption between the client application and server. It’s worth noting that GSM has always offered encryption between the handset and the base station. But once the call moves beyond the air interface, this encryption no longer operates. This would normally leave WAP transactions exposed, but WTLS is intended to help secure wireless communications right up to the server.


But some infamous hackers have already claimed to have broken the encryption codes offered by GSM. Few believe these claims as the resources required to crack these codes are massive. In any case they would have to track the mobile on the move in order to capture the entire communication — not the sort of resources that the majority of hackers enjoy. These two layers of encryption will deter many but tend to lead hackers to the point of least resistance — the server itself. Some companies are beginning to recognize this and are employing security experts to provide them with advice on how best to secure their corporate data in the emerging world of electronic and mobile commerce.

This is not really new. It has always been easier to use social engineering or hacking tools to attack poorly secured Web servers to extract the unencrypted data. Despite the numerous warnings from a wide range of sources, Web administrators are still leaving servers unsecured. Even as this article is being written it has been reported that the Police in the UK have arrested two young hackers in Wales for stealing in excess of 20 000 credit card details from vulnerable Web sites, almost certainly by going direct to Web servers.

A second challenge is that the new networking standard GPRS means that users are always connected to their network. They do not need to log on in the ‘always on’ world offered by GPRS and this places increased importance on encryption and authentication layers being built into systems. It is entirely feasible (though probably not preferable) to be permanently logged on to the corporate network via the GPRS connection. This could provide a challenge and an opportunity. The challenge is to network managers to control this type of access; the opportunity is for application developers to come up with continuous authentication systems for the mobile world.

Another security aspect often overlooked in securing mobile device communications is that the network operator can pinpoint where the call is being made from, based on the cell that you transmit from. Cells can be split into smaller areas to pinpoint location fairly accurately. Global positioning technology will strengthen this still further and can be applied to cars as well as mobile computing devices and household appliances that we value, perhaps linking them in with Bluetooth technologies (more on this later).

In the corporate environment, the Wireless LAN (WLAN) standard is likely to come to the fore. The two standards being developed to date are 802.11 a & b. The standard called ‘b’ provides for an 11 Mbps Ethernet-like service situated in the 2.4 GHz frequency on the ISM band (Industrial Scientific and Medical). ISM has been chosen because it is an unlicensed portion of the radio spectrum that is adopted in most nations and so can be freely used with few, if any, regulatory issues. What constraints do exist are currently being requested and cleared. The second, ‘a’, on the 5.2 GHz frequency for a 25 Mbps service, should be complete by 2002. Competition is rife in this arena with manufacturers working on applications for this new radio frequency including use in airports, hotels and other places where people are likely to want to check E-mails or download information or connect to their corporate LAN without having to find a phone point.

The obvious security concern arises because of the air interface. In the earlier days of 2 Mbps WLAN some developers said that encrypting the air interface was not their responsibility. This opens up the unpleasant possibility that a corporate network employing the old 2 Mbps WLAN could be hacked into from the company car park simply because the car is parked within range of the base station. The 11 Mbps version is apparently set to address this security flaw. But it does also mean that a determined hacker could conceivably spend weeks unnoticeably trying to crack the encryption on the WLAN air interface without going anywhere near corporate offices. Alternatively why not simply steal someone’s laptop and use it to hack the network? Remember, this is a case of the weakest link in the chain, not necessarily the strongest encryption available.

In a world in which we are transferring more and more data electronically to and from mobile devices, the security-conscious must consider the issues raised by the entire journey of the voice or data from the device via the base station, via several exchanges between mobile and fixed lines as well as a series of interconnects, to the final destination. One could assume all air interfaces between the mobile device and the base station to be reasonably well encrypted; and while exchanges and interconnects are potentially vulnerable they are unlikely points for attacks. Companies offering services need to think long and hard about how well secured these points are. As the telecoms environment moves towards offering an IP-type packet switched service, manufacturers are already producing telecoms switches with firewalls built in. Physical ‘wire tapping’ is also possible and security services as well as criminal organizations will no doubt continue to use these methods. It is worth remembering that intercepting a call at the hotel distribution MDF is much more realistic than trying to hack the corporate network or the telecoms environment, if the information warrants the effort.

A great deal depends on the sensitivity of the information being secured. Valuable information could be protected by the use of VPNs (Virtual Private Networks). A useful security policy could be to enforce the use of a VPN over air interfaces. This doesn’t prevent someone stealing the laptop but it does protect data in transit. This then begs the question of securing the laptop or the data on it. So we need biometric-based access control for the laptop and/or file or hard disk encryption. Somewhere along the line there is usually the need for a PIN or password and most security professionals understand that users will, like hackers, take the line of least resistance when it comes to passwords.

The growing use of Wireless Application Protocol (WAP) services for mobile phones and other mobile devices has placed an ever more pressing demand for an end-to-end security solution that goes right from the mobile device to the server where information is stored.
However, there are very few security manufacturers that have yet fully addressed this requirement, although some are close to it. As was mentioned above, many security professionals are concerned about achieving this end-to-end protection but the reality is that most hacks, which tend to happen by the thousand each day across Web sites, happen because Web servers are not secured properly. Too many IT managers think the security job is complete once they have plugged in the firewalls to their Internet access point(s). It requires far more than that. Development of protocols and policies for securing various different types of data, carrying out updates and patches when they are provided by manufacturers, and intrusion detection testing are a few of the areas that those responsible for security should be looking at.

One of the most significant areas of vulnerability is not mentioned very much at all — social engineering. Simply put, social engineering is the art of persuading someone to part with the user IDs, passwords and access points necessary to log into a network. Hacking made easy!

Take this a step further. Many companies suffer theft from the organization, and some of it originates from the inside. It is not appropriate to blame the general population or point the finger at anyone but we all know it happens. And there is always someone who is specifically responsible. It cannot be beyond reason for some people to deliberately seek employment with a company, permanent or otherwise, with the sole intention of gaining access to the network and stealing confidential information. Or even simply gaining the information or setting up the accounts to allow others to gain access to the network and its resources. It has also been known for staff leaving under a cloud to attach modems to servers without anyone’s knowledge and thus gain unrestricted access to the network after they have left.

Companies failing to prepare for these eventualities are beginning to pay the price both financially and in terms of reputation as their sites are either defaced or rendered inoperable for periods of time.
Information security advisers are only now beginning to see a significant increase in demand for the sorts of services which provide early advice on prevention, detection and response to security breaches, despite evangelizing on the subject for several years.

Any discussion about mobile technology and security cannot be complete without covering the development of Bluetooth. IDC predicts Bluetooth will be embedded into 102 million devices in the US and 449 million worldwide by 2004 and its market will be worth $700 million by 2006. By the end of this year, about 6 per cent of digital mobile phones will be Bluetooth-enabled.

Bluetooth is a short range radio technology with a low power requirement and very small footprint, intended to be embedded in other devices. Enabled devices will be able to communicate in a small network called a piconet, which is usually registered to a particular person. The standard allows for a number of piconets to be connected to form a ScatterNet — creating personal networking for the first time. Bluetooth could be added to a large range of devices e.g. mobile phones, PDAs, laptops, desktops, door access controls, access passes and fixed telephones. When merged with WLAN, GSM, GPRS and similar it opens the way to total connectivity.

Ericsson was able to persuade leading names such as Nokia, Intel, Toshiba and IBM to join the Bluetooth initiative even before it was publicly launched in 1998. 3Com, Lucent, Microsoft and Motorola have joined since and the Bluetooth group now has over 1400 corporate members. It is clear that Bluetooth will have a major impact on the ability of mobile devices to communicate with each other and provide a ‘safety zone’ for mobile users in the ‘always on’ world.

Ericsson has done a lot of the groundwork and has already gained regulatory ‘type approval’ for the Bluetooth radio module across 13 European countries. This lowers one significant barrier to developing products for this new standard. The module itself is currently available on three chips and within one year this will be compressed into a single chip costing manufacturers around $8 per chip initially. This cost is likely to fall further as manufacturers seek to put Bluetooth into most domestic and business applications.
It is quite possible that within a few years Bluetooth will be inside new TVs, hi-fis, VCRs, fridges, microwaves, laptops, desktop PCs and even cars.


Bluetooth was developed from the beginning with high levels of security at its heart. Bluetooth can be used as a security monitor that simply sits and watches other Bluetooth-connected devices attached to an individual. The Bluetooth module allows for the creation of one master device and seven slaves. One of these slaves can itself be the master for a further seven slaves, producing a possible 80 devices in each ScatterNet.

Offering a ‘frequency hopping’ capability for Bluetooth devices at 2.5 GHz, communications between devices will hop between 1600 different frequencies per second across a total of 79 frequencies — moving in a quasi-random fashion. This in itself is a major security advantage. Air interface traffic will also be encrypted using between 8 and 128 bits and applications using Bluetooth can also provide their own encryption layer. This multi-layered approach considerably reduces the potential for undetected and undesirable intrusion.

An example helps illustrate some of these security benefits more fully. These devices will always remain on standby and if during the middle of the night someone should break into the home and start moving these devices around, one device would send an alert, perhaps to the landline or alarm device and police station, to warn them that someone has gained unauthorized entry to the property and is trying to make off with specific equipment. The user might also employ specific security layers himself. For example, if a request is made for a ‘logout’ when your PC only needs a ‘logon’ then the piconet can alert the user to this unusual request. It would also mean that the device would tend to recognize an intruder’s location and would know that you could not possibly be logging in from Los Angeles if all other devices in your piconet are sending messages or ‘heartbeats’ to each other that you are within 100 metres of them in a company site in London. Various levels of checking and alerting can be built in according to the severity of the attempted breach and the danger this puts you in.

Bluetooth could also be used to help achieve seamless connectivity so that an executive en route to a meeting with a customer but stuck in traffic could start the meeting and simply verbally instruct the car to send the presentation to another person. Voice recognition translates the command to instructions from the car to the laptop to access the named file. The laptop then looks into the Bluetooth environment for a GSM or similar service. Using that connection it calls the other party and, without their involvement but based on other applications, transfers the file and sends an audio message to the other user’s earpiece. Applications could be built around this to ensure that the necessary levels of security and positive identification are employed to avoid mishaps.

Bluetooth undoubtedly brings us close to the point where companies and individuals can feel more comfortable about communications carried out via mobile devices. Many people who are still concerned about giving out credit card details or transferring important corporate documents between mobile devices will have their fears allayed by Bluetooth. It only remains to be seen what Bluetooth-enabled applications reach us first. But whatever the mobile totally-connected future holds, it is comforting to know that there are people out there thinking of our concerns and determined to allay our security concerns at home, on the move and in the office. Lessons learnt in the past will not be wasted.
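The piconet checks described above (a ‘logout’ request when only a ‘logon’ is expected, and a logon from Los Angeles while heartbeats place the user within 100 metres of devices in London) can be sketched as a small plausibility monitor. This is an added example, not code from the article or from any Bluetooth specification; the record layout, alert names, 60-second freshness window and sample coordinates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

PROXIMITY_M = 100          # the article's "within 100 metres"
HEARTBEAT_MAX_AGE_S = 60   # assumed freshness window, not from the article

@dataclass
class Heartbeat:
    device: str
    ts: float          # seconds since an arbitrary epoch
    lat: float         # device position, assumed known to the monitor
    lon: float
    owner_near: bool   # device reports the owner within PROXIMITY_M

@dataclass
class Request:
    ts: float
    action: str        # "logon" or "logout"
    lat: float         # claimed origin of the request
    lon: float

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * asin(sqrt(a))

def assess(req, heartbeats, session_open):
    """Return alert names for one request; an empty list means plausible."""
    alerts = []
    # Check 1: a 'logout' arrives although nothing is logged on.
    if req.action == "logout" and not session_open:
        alerts.append("unexpected-logout")
    # Check 2: the origin must agree with every device that currently
    # reports the owner nearby; stale heartbeats corroborate nothing.
    fresh = [h for h in heartbeats
             if h.owner_near and 0 <= req.ts - h.ts <= HEARTBEAT_MAX_AGE_S]
    if not fresh:
        alerts.append("no-fresh-heartbeat")
    elif any(distance_m(req.lat, req.lon, h.lat, h.lon) > PROXIMITY_M
             for h in fresh):
        alerts.append("location-mismatch")
    return alerts

# Constructed sample data: two devices on a London site.
LONDON_HEARTBEATS = [
    Heartbeat("laptop", 1000, 51.5074, -0.1278, True),
    Heartbeat("phone", 1010, 51.5075, -0.1279, True),
]
ON_SITE_LOGON = Request(1020, "logon", 51.50767, -0.1278)   # ~30 m from the laptop
LOS_ANGELES_LOGON = Request(1020, "logon", 34.0522, -118.2437)
STRAY_LOGOUT = Request(1020, "logout", 51.50767, -0.1278)

if __name__ == "__main__":
    for name, req in [("on-site logon", ON_SITE_LOGON),
                      ("Los Angeles logon", LOS_ANGELES_LOGON),
                      ("stray logout", STRAY_LOGOUT)]:
        print(name, assess(req, LONDON_HEARTBEATS, session_open=False))
```

A request with no fresh heartbeat is reported separately from a location mismatch, so the alerting level can differ by severity as the article suggests.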

Richard Barber is the group technical advisor working in an advisory capacity on technical matters right across the whole Articon-Integralis group. The group has a total of 19 offices across 7 countries with approximately 500 employees. The group’s clients include government organizations and a range of major European companies including two thirds of DAX 30 and half of the FTSE 100 companies.
