[ISN] Crackdown begins on Bluetooth bandits
InfoSec News
isn at c4i.org
Mon Mar 28 04:59:55 EST 2005
http://ww1.mid-day.com/news/city/2005/march/106245.htm

By: Binoo Nair
March 25, 2005

If a camera phone can catch you with your pants down, one with
Bluetooth can do the same - albeit figuratively - to your company.

Following the ban on camera phones in hotel lobbies, a crackdown has
begun on people who misuse the wireless technology called Bluetooth to
steal sensitive information from their employers and pass it on to
competitors.

The Digital Due Diligence (DDD), a group of computer technologists
formed by the Federation of Indian Chambers of Commerce and Industry
(FICCI), has recommended that companies ban employees from using
Bluetooth-enabled cell phones, as they can be used to leak
confidential information to competitors.

The DDD will submit a white paper on the dangers of these smart phones
to companies across the country next week. FICCI formed the DDD after
auction portal baazee.com took the rap when the infamous Delhi Public
School MMS clip turned up for sale on its site.

Bluetooth, an essential component of today's high-end 'smart phones', is
used to transfer information between devices without the use of wires.
While this makes it extremely convenient, it also leaves scope for
misuse.

You could, for example, use it to access information (such as your
boss's email) on a computer remotely, and transfer sensitive files
from a PC to your phone. And since the technology is still new, little
can be done to prevent this.

"We have found that these smart phones are being used by employees to
carry out vital information from companies. And, so far, it is not
possible to track this sort of data theft," said Chirag Unadkat,
director of the DDD.

Explaining the risks of Bluetooth, Web security expert Vijay Mukhi
said, "An employee can access data on any computer, transfer it to a
smart phone and pass it on. He can steal information from his boss's
computer with almost no physical contact.

"Some phones can communicate with other Bluetooth devices from 100
metres away. This can leave companies wide open to industrial
espionage," added Mukhi, who is co-writing the white paper with
Unadkat.

The threat is augmented by the fact that most companies, according to
Mukhi, are not even aware of the dangers of smart phones.

Both experts say that while it is not possible to ban smart phones
altogether, companies can bar them from vital facilities like the
server rooms.

Another option, they say, is disabling the Bluetooth and infrared
compatibility of the company's computers.

White paper proposals

* Be aware of the problem
* Password-protect your computer so that others can't fiddle with it
  while you're away
* Ban smart phones in areas like server rooms and conference rooms
* Disable Bluetooth and infrared on your company's computers
* Install software that can keep a log of wireless transfers made from
  your computer.
  (There is, however, no commercially available product that can do this.)