Wireless security risk: The importance of Bluetooth devices’ Common Criteria certification

In parallel with the explosive development of digitalization and online work, worrisome statistics regarding cyberattacks are expanding yearly. The outbreak of the pandemic in 2020 significantly increased the wireless security risk and contributed even more to the success of cybercriminals, as many companies had to switch to the home office or hybrid work model almost overnight without any preparation. 

Cybercriminals use increasingly advanced methods and sophisticated solutions to find security gaps and vulnerabilities in a variety of ways. The widely used wireless devices and the sensitive data shared through these products provide a large potential area for malicious ​​attacks. Jabra recognized this problem and was the first in the world to obtain Common Criteria certification for two types of wireless headset devices. 

In our article below, we introduce the potential cyber dangers wireless devices - including headsets - are exposed to, as well as the benefits that Common Criteria evaluation and certification can bring to manufacturers of such products.

The increasing number of cyberattacks 

The ever-increasing number of cyberattacks worldwide poses a huge challenge to all sectors. “Cyberattacks increased by 42% in the first half of 2022 compared to the same period in 2021.” “Approximately 15 million data records were exposed globally due to data breaches in the third quarter of 2022. This amount has climbed by 37 percent compared to the previous quarter.”- just to mention some of the latest statistics.

Today, cybercriminals have extremely advanced and diverse technology with which they can easily uncover security gaps and vulnerabilities. Systems and IT products that are not properly secured can easily fall victim to a malicious attack. Wireless devices are no exception.

‍

Wireless security risk

Wireless devices connected to the network via Bluetooth or other technology make our life and work easier in countless ways. Unprotected and cybersecurity-untested devices, however, represent a significant potential source of danger for users. 

The COVID-19 pandemic has multiplied the number of hybrid and remote workplace models. As a result, online work has grown enormously. A significant part of corporate processes has moved into the digital space, including managing finances and sharing confidential company data. According to this, securing the communication channels as well as the devices used, (including wireless devices such as headsets and microphones) are critical when installing the proper cybersecurity infrastructure.

The most common attacks of Bluetooth devices:

• When a Bluetooth device transmits unwanted spam and phishing messages to another Bluetooth device, it is known as bluejacking.
• Bluesnarfing is a malicious hack that uses a Bluetooth connection to steal information from one’s device.
• Bluesmacking is a denial of service (DoS) attack that attempts to overload one’s device and shut it down.
• Bluebugging is a sort of attack in which a cybercriminal uses a hidden Bluetooth connection to acquire backdoor access to one’s device.
• Car whispering is a Bluetooth security flaw that affects Bluetooth-enabled car radios.

Main vulnerabilities of wireless headphone devices 

Wireless headphones are in daily use in homes and workplaces but are often overlooked when it comes to cybersecurity. The most common potential risks of headphones and headphone software include:

‍

• Transforming headphones into microphones: vulnerabilities in the headphones can enable cybercriminals to transform headphones into microphones and record anything that is said.
• Numerous attack methods use Bluetooth technology to infiltrate and control Bluetooth-enabled devices. BlueBorne - discovered in 2017 by IoT security firm Armis-, for example, consists of eight connected zero-day vulnerabilities that potentially attack major operating systems. Affected devices can pose a variety of security issues for their users, such as virus propagation, spying, data theft, etc.
• Unprotected headphone software that opens connected systems to potential MITM attacks.

Common Criteria certification for wireless devices

The Common Criteria for Information Technology Security Evaluation (ISO 15408) is a framework of globally recognized and scalable cybersecurity certification standards. A Common Criteria (CC) certification assures that an IT product or system was defined, implemented, and evaluated in a rigorous, standard, and repeatable manner at a level appropriate for the intended environment. All CCRA member nations recognize Common Criteria certificates which currently means 31 countries.

Although Common Criteria certification is not mandatory for wireless devices; it provides the manufacturer with a significant advantage over its competitors in addition to making the product more secure.

The Danish company Jabra - which specializes in audio equipment and more recently video conferencing systems-, exploited this opportunity when it got its headphones evaluated against the Common Criteria standards this year. 

‍

‍

Jabra’s Common Criteria certified wireless headsets 

The spread and frequent use of wireless headphones and headsets become a huge risk for business owners, employees, and consumers during business or private talks where critical information and data are transmitted. Jabra addresses these difficulties head-on with its ASD-certified DECT Engage devices, giving a secure solution for any company or IT department to deploy into places where conversations are sensitive and require deeper security.

In August 2022, Jabra's Engage 65 and Engage 75 DECT wireless headphones got successfully certified by the Australian Certification Authority (ACA) of the Australian Signal Directorate (ASD).

The devices were evaluated and certified at the Evaluation Assurance Level (EAL) 2 by the Australian government's Common Criteria Evaluation and Certification Program. With this, Jabra’s products are the first (and at the moment only) secure headsets on the Common Criteria's Certified Products List.

Get your Bluetooth devices certified with CCLab

With the increase in cyber attacks, there is a clear growth in the demand for proven secure systems and devices both from the reseller and end-user side. In other words, those manufacturers who cannot prove the security of their products will certainly remain at a disadvantage against their competitors in the future.

With the drastic increase in digitalization and online work, the risks, possible security gaps, and vulnerabilities of wireless devices (particularly headsets and speaker phones) have come to the fore. 

Obtaining Common Criteria certification, therefore, is recommended for manufacturers, who want to maintain or even increase the trust of their customers as well as gain a significant competitive advantage in the market, while also making their wireless devices more secure.

At CCLab, we are prepared to support you throughout the entire process using our extensive experience and industry-leading agile process in Common Criteria evaluations. Besides the assessment, we offer consultation services to assist you to plan for the project so that you may avoid delays and excessive costs throughout the Common Criteria certification process.

‍

Reach out to us regarding your Common Criteria evaluation project and let's discuss the details.

‍

‍