As more and more devices become networked, the use cases for wireless communications protocols like Bluetooth and NFC (Near Field Communications) multiply. Hardly a week goes by where some company figures out a way to pair wireless communications with some inanimate object or another. (Bluetooth bike locks, anyone?)
But what happens when those wireless devices run critical infrastructure or life-saving technology like implanted medical devices? We learned earlier this week that no less than Dick Cheney was concerned enough about wireless attacks on his implanted defibrillator that he had the wireless management features of the device disabled, for fear they could be used in an assassination attempt. Security experts, like Dr. Kevin Fu at The University of Michigan, doubtful that such an attack was realistic, also refused to rule it out entirely.
Given the many, proven tools and strategies for hacking wireless communications like Bluetooth, you might think that foregoing well known protocols and going with something less well-explored. Maybe even a proprietary protocol that only your devices use, but that nobody has ever seen before?
Not so fast! In the latest installment of Talking Code, the Security Ledger security news and discussion program, sponsored by Veracode, I talk with my guests, Chris Wysopal and Josh Corman, about the relative strengths and weaknesses of wireless implementations such as Bluetooth. The question, they say, shouldn’t be ‘which wireless protocol is the most secure?’ Rather, it should be ‘do we really need this device to have a wireless interface at all?’
Corman worries that product designers these days are often treating wi-fi like the tech world’s equivalent of “bacon.” As in: “everything tastes better with bacon.” Irresistible as wi-fi connectivity is, designers should be thoughtful of the security implications of any wireless implementation: the different hacks and attack scenario that any wireless protocol – proprietary or standard – introduces.
“Functionality adds risk, and it should be traded off with risk,” Wysopal said.
Check out the full video of our chat here: