Published 3 Mar 2024

Using Bluetooth Devices on Federal Contracts

Bluetooth should be avoided on systems doing any kind of work for the Federal government, DoD or civilian. When tightening security for system access, it's important to consider all vectors of attack, especially Bluetooth-enabled peripherals such as keyboards, mice, earbuds, and other devices. Here's why:

CMMC Control AC.L1-3.1.1 (Access Control): This control is applicable to ALL contracts with the US Government. It requires limiting information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Bluetooth devices typically connect to computers or mobile devices without any sort of authentication. This is a Level 1 control, meaning disabling Bluetooth is a requirement for any device handling ANY Federal Contract Information (FCI). This includes non-DoD contractors. Yes… most government contractors are not in compliance.

CMMC Compliance and FIPS 140-2 Encryption: For remote access, AC.L2-3.1.13 requires employing cryptographic mechanisms to protect the confidentiality of remote access sessions. Bluetooth is considered a remote access mechanism because the Bluetooth signals can travel beyond the confines of the office environment. This is a CMMC Level 2 control that is applicable to most DoD contractors. No Bluetooth device meets this standard. So, Bluetooth certainly cannot be used in environments where Controlled Unclassified Information (CUI) is processed.

CMMC and Federal contracts aside, Bluetooth devices should be used only after careful evaluation of the risks. Here are a few:

Lessons from Wi-Fi Breaches: Consider the concept of "daisy chaining" used in Wi-Fi attacks, in which an adversary hops through multiple weakly secured devices to compromise a network. Bluetooth devices could be the next frontier for such tactics. Tools like Wigle or Bluetooth packet sniffers allow attackers to identify and exploit poorly secured devices in range.

Real-World Risks with Bluetooth (Open CVEs): Bluetooth vulnerabilities (tracked as CVEs) frequently highlight flaws like insecure pairing methods and lack of encryption during key exchanges. These vulnerabilities could allow an attacker to capture sensitive data or gain access to systems.

Recommendations:

  1. Disable Bluetooth wherever practical, particularly on systems handling sensitive data. This is a requirement for all Federal contracts.
  2. Ensure alternative input devices comply with CMMC encryption standards.
  3. If you must use Bluetooth, use the device ID to configure machines to allow Bluetooth connections only from pre-identified devices.
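Recommendation 3 is only as good as the check that enforces it. The script below is an added example, not code from the original post or from any CMMC guidance: it audits the devices a Linux host has already paired against a site allowlist of approved device addresses and flags anything not on the list. It assumes the `Device <address> <name>` line format that `bluetoothctl paired-devices` prints; the allowlist file format, the function names and the sample paired-device output are constructed for this example. It reports rather than enforces, so it belongs in a periodic compliance sweep alongside whatever platform mechanism you use to block unapproved pairing.

```python
"""Audit paired Bluetooth devices against a site allowlist (added example, not the post's code)."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# A Bluetooth device address is six hex octets separated by colons.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# bluetoothctl prints one paired device per line as "Device <address> <name>".
DEVICE_LINE_RE = re.compile(r"^Device\s+(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<name>.*)$")


@dataclass(frozen=True)
class Finding:
    mac: str
    name: str
    allowed: bool


def normalize_mac(mac: str) -> str:
    """Return the canonical upper-case address; reject anything that is not one."""
    mac = mac.strip().upper()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a Bluetooth device address: {mac!r}")
    return mac


def load_allowlist(text: str) -> frozenset[str]:
    """Parse an allowlist: one address per line, '#' starts a comment, blank lines ignored."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            allowed.add(normalize_mac(line))
    return frozenset(allowed)


def parse_paired_devices(output: str) -> list[tuple[str, str]]:
    """Turn bluetoothctl output into (address, name) pairs; lines that are not devices are skipped."""
    devices = []
    for raw in output.splitlines():
        m = DEVICE_LINE_RE.match(raw.strip())
        if m:
            devices.append((normalize_mac(m.group("mac")), m.group("name").strip()))
    return devices


def audit(paired_output: str, allowlist_text: str) -> list[Finding]:
    """One Finding per paired device, marked allowed if its address is on the allowlist."""
    allowed = load_allowlist(allowlist_text)
    return [Finding(mac, name, mac in allowed) for mac, name in parse_paired_devices(paired_output)]


def unapproved(findings: list[Finding]) -> list[Finding]:
    """The devices an auditor needs to act on."""
    return [f for f in findings if not f.allowed]


def paired_devices_from_host() -> str:
    """Query the local BlueZ stack; only used when run on a real host (hypothetical deployment path)."""
    proc = subprocess.run(["bluetoothctl", "paired-devices"], capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample data; not captured from any real system.
SAMPLE_ALLOWLIST = """
# Approved peripherals, by Bluetooth device address
AA:BB:CC:DD:EE:01   # issued keyboard
aa:bb:cc:dd:ee:02   # issued mouse (lower case on purpose; normalized on load)
"""
SAMPLE_PAIRED_OUTPUT = """\
Device AA:BB:CC:DD:EE:01 Issued Keyboard
Device AA:BB:CC:DD:EE:02 Issued Mouse
Device 00:11:22:33:44:55 Unknown Earbuds
Agent registered
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAIRED_OUTPUT, SAMPLE_ALLOWLIST):
        print(f"{'OK  ' if f.allowed else 'FAIL'} {f.mac} {f.name}")
```

Run as-is it audits the constructed sample and flags the earbuds; on a real host, replace `SAMPLE_PAIRED_OUTPUT` with `paired_devices_from_host()` and point the allowlist at the file your asset inventory generates. Addresses are normalized to upper case before comparison so a casing difference between the inventory and the host never produces a false pass.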
Brenda Harper
Content Writer