October 10, 2008

Hands Free? Or Security Free? You Decide

By: Mark Abraham

Mark Abraham is an Information Technology Specialist II with the Network Security Unit, Division of State Government Accountability, Office of the State Comptroller, State of New York. He is DoD IACND Level III Certified.

The other day my father asked me to help him connect his new hands-free Bluetooth headset to his smart phone so he could safely speak on the phone while driving to and from conferences. It only took a minute to get it connected and he thanked me and proclaimed, “Now I’ll be safe when I use my cell phone!” This made me think about the information security or “safety” of Bluetooth on cell phones and smart phones.

I agree that while hands-free is surely the way to go when it comes to driver safety, a few minutes on the Internet was all it took to reveal that there are a few “bugs” with Bluetooth. Within 30 minutes I had downloaded a few nifty little programs that let me do almost whatever I want with YOUR cell phone from MY laptop, PDA, or even my own cell phone. Using freely available software, I was able to scan for and find my dad’s cell phone, bypass the password, and take complete control of his phone from outside the house. (Note: I asked his permission before “hacking” him; otherwise it would be illegal.)

Once I gained control of his cell phone I was able to see and copy his address book, view his recent call activity and text messages, and even make calls using his minutes. What are those phone companies thinking? A little more tinkering revealed that I could turn on his microphone and listen to everything that was going on in the room. The implications were nauseating. Not only can hackers steal your company’s information and your minutes, now they can eavesdrop on you too.

After a couple hours I had figured out how to extend this spy capability to the headsets themselves and I was even able to tap his car’s hands-free system and listen to conversations taking place in the car. Here comes the scary part. There are freely available plans to make an antenna that will let you do all of these terrific things from up to a mile away. A MILE.

Naturally my next question was, how in the world can I prevent this? Well, the two main things you can do are to disable Bluetooth until you really need it, and make sure to keep your phone software up to date.

Questions

Do you have good controls over who has access to your Bluetooth devices?

Have you audited your organization to see how Bluetooth security is being implemented?

Comments

While I encourage auditors to use new technologies to help them identify fraud and risk, it is important to use these new technologies in an ethical manner.

Robert:

I'd encourage you to think through the ethical implications of some of your thoughts. As auditors, we harm our credibility if we do some of the things you are suggesting.

I find the article fascinating. However, the question shouldn't be about Bluetooth controls; rather, how can we as auditors use new technology to carry out our duties to the public? In general, I think auditors should be allowed to covertly identify fraud and abuse. We could use such tools to gather evidence on management without their knowledge. By proactively taking such steps, we could help prevent the AIGs of the world from exploiting the American public. Further, I am a separated male and would like to find out whether my wife is cheating on me. I could also use this to monitor my children and neighbors. This article has given me the incentive to research how to obtain and use such tools.
