Urban Legend Becomes Real
Several years ago, information security researchers picked up reports from underground forums and chat channels used by criminal hackers. The reports claimed that thieves were using Bluetooth scanners to find and steal high-value mobile devices left in parked cars.
Researchers contacted a number of urban police departments and were unable to find any evidence of this activity. With nothing to corroborate the reports, the story was written off as an online urban legend.
That thinking has now changed.
Above the “noise” of everyday car and home break-ins, a number of very specific robberies have come to light, thanks to recent findings by several law enforcement agencies and by information security investigative reporters. In a number of cases, cars or houses were broken into and the only items taken were Bluetooth-equipped devices of significant value, either for resale or for the data they potentially contained.
Any good Security Awareness program and its related mobile-device policy should include directives for employees on company-owned devices left in a car. If your organization allows employees to keep valuable company data on personal devices (BYOD), your mobile-device policy should extend to those devices as well. Until now, most existing policies have been considered a fair mitigation for many levels of risk associated with mobile devices temporarily stored in a locked vehicle. In light of these new findings, your policies and Security Awareness programs may need to be updated.
Everything in Information Security Must Be Balanced Against Risk
We now know that, armed with a readily available Bluetooth scanner (which can be as simple as a scanning app on a phone), thieves can pick out high-value targets such as corporate laptops or top-of-the-line mobile devices from among everything else in a parking lot. By doing this, the thieves come away not only with more valuable devices but also, potentially, with more valuable data.
If you already have end-point protection on mobile devices (full-disk encryption, remote wipe, strong device authentication) that matches the risk of losing the data on those devices, your principal concern is the loss of the hardware itself and the lost productivity that follows a theft.
If you or your business partners do not yet have, or cannot afford, a comprehensive end-point product, you carry the additional risk that the data on the device is exposed as well as lost.
A partial fallback to end-point protection is IT policy: configuration standards for mobile devices, plus acceptable-use policies for the employees who carry them. Policy alone does not stop a thief from reading an unencrypted disk, so treat it as a complement to technical controls rather than a replacement.
In either scenario, you should revisit these policies as new attack techniques emerge or the information security landscape otherwise changes.
The lengths you go to in protecting data will vary with the type of data. For example, you may decide that a contacts list warrants less protection than customer account data or personally identifiable health information. Due diligence becomes an obvious priority when weighed against millions of dollars in damages from lawsuits or regulatory violations. Even a small breach of seemingly insignificant data can ruin the reputation of a business, so do not assume that your small organization is not at risk.
5 Tips for a Bluetooth security policy review
Here are some suggestions to help you get a handle on your employee Bluetooth policy.
1. In light of the new findings, consider disabling Bluetooth on all mobile devices that do not need it for a business reason.
2. For mobile devices that do use Bluetooth, you should already have Security Awareness training covering bluejacking, bluesnarfing and related attacks. Add to this training that employees should turn Bluetooth OFF, or power the device down completely, whenever it is left in a vehicle; hiding it out of sight is not enough. Some device-specific or OS-specific instructions may need to be added as well.
3. Educate users and policy editors on the difference between “sleep mode” and OFF. A device in sleep mode often keeps its Bluetooth radio powered (for example, so a paired keyboard or mouse can wake it) and may continue to show up on Bluetooth scanners. The device must be turned completely off or have Bluetooth disabled in its settings.
4. If your security policies include any “security by obscurity” measures, such as recommending that employees put organization-owned mobile devices in the car trunk, reconsider them. A device’s Bluetooth signal reveals its presence in the trunk just as readily as on the seat, and several of the cases cited above followed exactly this pattern: the car was broken into, the trunk latch pulled, and corporate devices were taken from the trunk while personal valuables remained in the glovebox and under the seats.
5. Do your own due diligence through testing. Have your trusted security partner scan your organization’s parking lot, as well as restaurants your employees frequent, with a Bluetooth scanner. Strip personally identifiable information from the results and share them with policy stakeholders and the Security Awareness program managers. Let employees know that these practices also protect their own property, which increases interest and buy-in.
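To make tips 2 and 5 concrete, the following is an added example (not code from the original article) of what a scanner, whether a thief's or your own parking-lot audit, actually learns from a Classic Bluetooth inquiry. Every discoverable device answers with a 24-bit Class of Device (CoD) whose major and minor fields (bits 8-12 and 2-7, per the Bluetooth Assigned Numbers) say whether it is a laptop, a smartphone or a headset. The script parses text in the format of BlueZ's `hcitool inq` (an assumption about the tool's output layout), decodes the CoD and flags the high-resale classes. The three scan lines are constructed sample data, not a real capture, and use locally administered addresses.

```python
"""Triage a Classic Bluetooth inquiry by Class of Device (CoD).

Added example for the article above, not part of it. Assumes lines in the
layout printed by BlueZ `hcitool inq`; the sample below is constructed.
A real inquiry needs an adapter and only sees devices in discoverable mode,
so a device that keeps BLE advertising in sleep would need a separate scan.
"""
import re

# Major device class, bits 8-12 of the CoD (Bluetooth Assigned Numbers).
MAJOR_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video",
    0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable",
    0x08: "Toy", 0x09: "Health", 0x1F: "Uncategorized",
}
# Minor device class, bits 2-7, for the majors a theft triage cares about.
MINOR_CLASSES = {
    0x01: {1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA",
           5: "Palm-sized PC/PDA", 6: "Wearable computer", 7: "Tablet"},
    0x02: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
           4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    0x04: {1: "Wearable headset", 2: "Hands-free", 4: "Microphone",
           5: "Loudspeaker", 6: "Headphones", 7: "Portable audio",
           8: "Car audio", 9: "Set-top box", 10: "HiFi audio"},
}
# (major, minor) pairs worth stealing for resale: laptop, tablet, smartphone.
HIGH_VALUE = {(0x01, 3), (0x01, 7), (0x02, 3)}

# One device per line: "<bdaddr>\tclock offset: 0x....\tclass: 0x......"
INQ_LINE = re.compile(
    r"^\s*(?P<addr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"clock offset:\s*0x[0-9A-Fa-f]+\s+class:\s*0x(?P<cod>[0-9A-Fa-f]{6})\s*$"
)

# Constructed sample in hcitool-inq layout (not a real capture).
SAMPLE_INQ = (
    "Inquiring ...\n"
    "\t02:00:00:AA:01:01\tclock offset: 0x6ef1\tclass: 0x3a010c\n"  # laptop
    "\t02:00:00:AA:02:02\tclock offset: 0x1234\tclass: 0x5a020c\n"  # smartphone
    "\t02:00:00:AA:03:03\tclock offset: 0x4321\tclass: 0x240404\n"  # headset
)


def decode_cod(cod: int) -> dict:
    """Split a 24-bit CoD into format, major, minor and the discoverability bit."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "format": cod & 0x3,
        "major": major,
        "major_name": MAJOR_CLASSES.get(major, "Reserved"),
        "minor": minor,
        "minor_name": MINOR_CLASSES.get(major, {}).get(minor, "Uncategorized/other"),
        # Bit 13 of the service field: device is only briefly discoverable.
        "limited_discoverable": bool(cod & (1 << 13)),
        "high_value": (major, minor) in HIGH_VALUE,
    }


def triage_inquiry(output: str) -> list:
    """Parse inquiry text and return one decoded record per device line."""
    records = []
    for line in output.splitlines():
        m = INQ_LINE.match(line)
        if not m:
            continue  # skips the "Inquiring ..." header and any noise
        info = decode_cod(int(m.group("cod"), 16))
        info["addr"] = m.group("addr")
        records.append(info)
    return records


def high_value_targets(output: str) -> list:
    """Addresses a thief (or your auditor) would single out for follow-up."""
    return [r["addr"] for r in triage_inquiry(output) if r["high_value"]]


if __name__ == "__main__":
    for r in triage_inquiry(SAMPLE_INQ):
        tag = "TARGET" if r["high_value"] else "ignore"
        print(f"{r['addr']}  {r['major_name']}/{r['minor_name']}  {tag}")
```

Run against the constructed sample, the laptop and smartphone lines come back flagged and the headset does not, which is exactly the discrimination that makes a Bluetooth-guided break-in more profitable than a random one. For a real audit, feed it the saved output of an inquiry scan and, as tip 5 says, drop the addresses before sharing the counts with stakeholders.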
Sources / Further Reading:
Maritime CyberSecurity November 2019