The contents of Paris Hilton’s mobile phone recently ended up on the internet after a BlueSnarf attack on her phone. While she was clearly targeted because of her celebrity status, imagine the business implications of something similar happening to you or a member of your staff?
If you offered a customer preferential business rates that undercut your competition, the last thing you would want is that information published on the internet or sent to competitors.
Also, what if your business is involved in M&A activity? If information about who you’d been in contact with were made publicly available, it could do irreparable damage to your company’s reputation and even put the deal in jeopardy.
Yet text messages, voice messages and even conversations can be harvested from phones and PDAs with the appropriate technical knowledge and equipment.
Hacked off
Most managing directors and chief executives would be horrified at the extent to which technology can be harnessed by hackers and the ways in which this information can be used. One of the most worrying aspects of Bluetooth attacks is that most people are unaware their device has been accessed illegally until it is too late and the information has been stolen.
Bluetooth devices have certainly made our lives easier given the pressure of modern business and the need to have information at our fingertips 24/7. Most of us take things like the ability to synchronise our PDAs with our laptops for granted.
But as with all new technology, failing to take adequate precautions could mean many businesses are leaving themselves open to fraudulent and criminal activity. There will always be those who seek to take advantage of weaknesses in a system or a lack of knowledge on an individual’s part. These criminals could potentially access all your personal, sensitive and commercially confidential data if they can hack into your portable device.
The mobile phone market alone is huge – there are currently 50 million phones in the UK and this figure is growing all the time. The chance of fraudulent activity occurring increases exponentially as the demand for such devices grows.
With Bluetooth attacks, it really is a case of prevention being better than cure. And the good news is that, in most cases at least, it is easy for a business to ensure it takes the appropriate steps to protect its employees’ mobile phones, handheld devices such as Blackberries or PDAs, and laptops from fraudsters. The key to protection is to arm yourself with knowledge so you know when and how you are most vulnerable to an attack.
Under attack
One key area where businesses leave themselves open to fraudsters is the Bluetooth pairing attack, whereby an attacker gains access to the memory content of a phone, laptop or PDA at the point of first communication, gaining the PIN code and obtaining control of the device.
Another risk is a BlueSnarfing attack, where the hacker gains access to phonebook and calendar information and diverts calls to their own phone.
A BlueBug attack, meanwhile, is where the hacker has full access to the device and can initiate calls, such as premium-rate calls, and text messages from the victim’s phone.
Bluetooth technology is also leaving individuals and businesses open to the possibilities of identity theft. Most devices have encryption settings designed to prevent this happening, but these can be cracked easily with tools and techniques that are readily available on the internet.
Businesses should think carefully about the information employees store on phones or PDAs and heed the IT department’s advice. While in many cases they will talk about the worst-case scenarios, from a business risk management point of view you cannot afford to ignore the warnings they give.
By working closely with your IT department to ensure you have appropriate procedures in place, you can go a long way to protect your business. It could be as simple as encouraging staff to switch off their Bluetooth devices when they have finished synchronising with a parent device. And if employees break company protocols, there should be penalties in place, and those penalties should be enforced as the implications are too great to ignore.
Some comfort can be drawn from the fact that the techniques available to investigators are improving all the time, enabling us to retrieve deleted texts, pictures, emails, internet activity logs and videos from these devices and help investigators piece together the evidence to convict fraudsters and criminals.
John Dunne is an IT security manager at Grant Thornton’s risk management services practice
For more go to www.bluetooth.com





