Author: Craig Taylor, Chief Information Security Officer, Neoscope

A colleague, John Mumford (Chief Risk Officer at the Fellsway Group), and I were discussing a new feature in Windows 10 called “Dynamic Lock” that lets you pair your cell phone to your Bluetooth-enabled laptop or desktop and automatically lock the device when you walk away (with your cell phone). Once the Bluetooth connection is lost, Windows 10 knows you’re not nearby and locks the machine. Great, right?

Wrong. After testing how it worked, we both turned Bluetooth off on our Windows 10 devices. Our discussion turned up two problems with this feature.

First, it trains people not to lock their computer but to depend upon Bluetooth proximity. However, did you know Bluetooth protocols have been improving? The newest standard – Bluetooth 5.0 (in beta) – has a 400+ meter range! That puts you well out of physical view of your computer while it is still unlocked, and opens you to physical attack risks.

I recommend not enabling this Bluetooth lock feature. Instead, get into the habit of hitting “Windows Key + L” (L is for Lock) every time you get up from your workstation or laptop.
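To check whether Dynamic Lock is on for the current user, and turn it off, the following PowerShell script is an added example (not from the original article). It assumes, from Windows documentation rather than from this page, that the per-user toggle is the EnableGoodbye DWORD under the Winlogon key.

```powershell
# Added example: audit Dynamic Lock and active Bluetooth devices on Windows 10,
# optionally disabling Dynamic Lock so the user relies on Win+L instead.
# Assumption: Dynamic Lock state lives in the EnableGoodbye DWORD (1 = on,
# 0 or absent = off) under the current user's Winlogon key.
param([switch]$Disable)

$winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$goodbye  = (Get-ItemProperty -Path $winlogon -Name 'EnableGoodbye' `
                -ErrorAction SilentlyContinue).EnableGoodbye
$dynamicLockOn = ($goodbye -eq 1)

# Bluetooth devices that Plug and Play currently reports as working.
$btDevices = Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
             Where-Object { $_.Status -eq 'OK' }

# Summary for the reviewer: is the feature on, and is Bluetooth live at all?
[PSCustomObject]@{
    DynamicLockEnabled     = $dynamicLockOn
    ActiveBluetoothDevices = @($btDevices).Count
}

if ($Disable -and $dynamicLockOn) {
    # Turn Dynamic Lock off; locking is now the user's job (Win+L).
    Set-ItemProperty -Path $winlogon -Name 'EnableGoodbye' -Value 0 -Type DWord
    Write-Output 'Dynamic Lock disabled for the current user.'
}
```

Run it without arguments to audit, or with `-Disable` to apply the recommendation above.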

Secondly, and what sparked this blog article, was the fear we shared of vulnerabilities lurking within the Bluetooth protocol itself. Enabling Bluetooth on your laptop is like cutting a hole in a bank vault for a window, then locking the window to make sure no one gets in. Eventually, someone will figure out a way to penetrate that Bluetooth window to steal your money or your data. And that day has arrived.

On July 23, 2018, vendors including Apple and Intel announced Bluetooth patches to fix a new Bluetooth attack that could allow hackers to snoop on your Bluetooth data. Wait! Please don’t panic. This vulnerability only exists for the moment when you’re pairing your devices with each other. During that moment, a nearby hacking device could perform a man-in-the-middle attack, steal your newly negotiated encryption key, and subsequently spy on your traffic.

Fortunately, this bug was identified by a security researcher and responsibly disclosed to Bluetooth vendors and software manufacturers. Companies like Apple and Intel made patches and released them for you to install. If you’re running Apple’s iOS 11.4.1, you’re patched for this Bluetooth vulnerability.

However, the larger issue is this: what other bugs might lurk deep inside Bluetooth’s code, waiting to be exploited? The more whiz-bang features you enable on your devices and computers, the more risk you’re entertaining. John and I are not advocating that we disable and cease all Bluetooth usage. In fact, I’m happily listening to music coming from my Bluetooth speaker as I write this article. However, when it comes to my critical data and devices, Bluetooth is off for me. I don’t need or want any extra holes into my data vault.

Source: Metropolitan Policy Services, London, England