SecTor 2007 - Blue Christmas?

I know a little about computer security, not a lot, but enough to be aware of where individuals and businesses are vulnerable. I've dealt with attacks and breaches, formed a response team, and been responsible for policies and procedures to mitigate risk. But when I go to a security education conference like this (http://www.sector.ca/), I realize that there is so much more to know and understand.

One session I attended this morning was all about Bluetooth vulnerabilities. The presenter was Dino Covotsos from TelSpace who traveled all the way from South Africa to be in attendance (if you want to see the PowerPoint presentation, you can view it here). One of the slides Dino used included video of hackers using Bluetooth technology to inject audio into the phone of an unsuspecting mark buying a coffee in a Starbucks Coffee shop so that when he asked for a coffee, there was an additional audio message asking the waitress for her phone number. Even more interesting was the use of Bluetooth technology to actually transfer funds from an account for the Chief Technology Officer of a bank. Yikes!

Most of us think that Bluetooth is simply a cool way to go wireless with our cell phones, or possibly to use a headset with our MP3 player, or to use a game controller for the Sony PlayStation. And to some degree that's right.

But hackers are able to do so much more including hijacking Bluetooth-enabled cell phones to make calls to 1-900 numbers, garnering hundreds of dollars an hour in a London public space. They are able to track the physical movements of individuals over a period of days in the Netherlands, thereby enabling profiling that is quite dangerous. They are able to capture bank account numbers, social insurance numbers, and entire phone books, SMS text messages, and an incredible amount of other personal information that most of us would be ashamed to find stolen so readily. And they are able to follow cars up to two miles away and listen in on all the conversations going on in that car.

Part of the problem is simply lack of education. But part is also owing to manufacturers using default PIN numbers like 0000 or 1234. Another part of the problem is that Bluetooth scanning devices can be built for about $750, something within the reach of almost everybody. Part of the problem is also the almost overwhelming desire for convenience. CBC.ca, for example, has a five-part series on cell phone technology this week, part of which deals with using cell phones instead of debit or credit cards.

All the parts of this jig-saw puzzle of Bluetooth technology mean that it will be an uphill battle working towards more security in the use of Bluetooth-enabled devices. In the meantime, I may simply turn off Bluetooth unless I have an immediate short-term need. And it may mean that I forego buying Bluetooth-enabled devices for family members this Christmas.