ISO 27001 Bluetooth Security Checklist

No Objectives: 1 Develop an agency security policy that addresses the use of wireless technology including Bluetooth technology. 2 Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology (i.e., Bluetooth). 3 Perform a risk assessment to understand the value of the assets in the agency that need protection. 4 Perform comprehensive security assessments at regular intervals to fully understand the wireless network security posture. 5 Ensure that the wireless network is fully understood. With piconets forming scatter-nets with possible connections to 802.11 networks and connections to both wired and wireless wide area networks, an agency must understand the overall connectivity. Note: a device may contain various wireless technologies and interfaces. 6 Ensure external boundary protection is in place around the perimeter of the building or buildings of the agency. Procedures Management Recommendations Management Recommendations Status Notes

Management Recommendations Management Recommendations Management Recommendations

Management Recommendations

7 Deploy physical access controls to the building and Management other secure areas (e.g., photo ID, card badge readers). Recommendations 8 Ensure that handheld or small Bluetooth devices are protected from theft. 9 Ensure that Bluetooth devices are turned off during all hours when they are not used. 10 Take a complete inventory of all Bluetooth-enabled wireless devices. 11 Study and understand all planned Bluetooth-enabled devices to understand any security idiosyncrasies or inadequacies. 12 Change the default settings of the Bluetooth device to reflect the agencys security policy. 13 Set Bluetooth devices to the lowest necessary and sufficient power level so that transmissions remain within the secure perimeter of the agency. 14 Ensure that the Bluetooth bonding environment is secure from eavesdroppers (i.e., the environment has been visually inspected for possible adversaries before the initialization procedures during which key exchanges occur). 15 Choose PIN codes that are sufficiently random and avoid all weak PINs. 16 Choose PIN codes that are sufficiently long (maximal length if possible). 17 Ensure that no Bluetooth device is defaulting to the zero PIN. 18 Configure Bluetooth devices to delete PINs after initialization to ensure that PIN entry is required every time and that the PINs are not stored in memory after power removal. 19 Use an alternative protocol for the exchange of PIN codes, e.g., the Diffie-Hellman Key Exchange or Certificate-based key exchange methods at the application layer. Use of such processes simplifies the generation and distribution of longer PIN codes. 20 Ensure that combination keys are used instead of unit keys. Management Recommendations Management Recommendations Management Recommendations Management Recommendations Technical Recommendations Technical Recommendations Technical Recommendations

Technical Recommendations Technical Recommendations Technical Recommendations Technical Recommendations

Technical Recommendations

Operational Recommendations

21 Invoke link encryption for all Bluetooth connections regardless of how needless encryption may seem (i.e., no Security Mode 1). 22 Ensure that encryption is enabled on every link in the communication chain. 23 Make use of Security Mode 2 in controlled and wellunderstood environments. 24 Ensure device mutual authentication for all accesses. 25 26 27 28

Operational Recommendations

29

Operational Recommendations Operational Recommendations Operational Recommendations Enable encryption for all broadcast transmissions Operational (Encryption Mode 3). Recommendations Configure encryption key sizes to the maximum Operational allowable. Recommendations Establish a minimum key size for any key negotiation Operational process. Recommendations Ensure that portable devices with Bluetooth interfaces Operational are configured with a password to prevent unauthorized Recommendations access if lost or stolen. Use application-level (on top of the Bluetooth stack) Operational encryption and authentication for highly sensitive data Recommendations communication. For example, an IPsec-based Virtual Private Network (VPN) technology can be used for highly sensitive transactions. Operational Recommendations Operational Recommendations Operational Recommendations Operational Recommendations Operational Recommendations Operational Recommendations Operational Recommendations

30 Use smart card technology in the Bluetooth network to provide key management. 31 Install antivirus software on intelligent, Bluetoothenabled hosts. 32 Fully test and deploy software Bluetooth patches and upgrades regularly. 33 Deploy user authentication such as biometrics, smart cards, two-factor authentication, or PKI. 34 Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity. 35 Fully understand the impacts of deploying any security feature or product prior to deployment. 36 Designate an individual to track the progress of Bluetooth security products and standards (perhaps via the Bluetooth SIG) and the threats and vulnerabilities with the technology. 37 Wait until future releases of Bluetooth technology incorporate fixes to the security features or offer enhanced security features.

Operational Recommendations