Why Bluetooth Is a Security Risk and What You Can Do About It

There are many myths and misconceptions about Bluetooth floating around. Since 1989 it has gone through many iterations, and many of the problems that existed back then are now irrelevant.

But each new iteration also has the potential for new security holes and vulnerabilities, so it would be wrong to think that Bluetooth is now secure. It isn't.

We don't recommend giving up Bluetooth entirely. It is, after all, useful in a lot of ways. For instance, Bluetooth speakers are super convenient, Bluetooth increases mobile connectivity, and there are many benefits to take advantage of.

All we're saying is that you should be aware of the risks. This is what to do to keep yourself safe and secure while using Bluetooth.

1. Secure Connections Aren't Good Enough

When Bluetooth 2.1 was released in 2007, it introduced a new security feature called Secure Simple Pairing (SSP). Any device that uses Bluetooth 2.0 or prior does not support SSP and is therefore utterly insecure. That being said, even devices that do use SSP aren't guaranteed to be secure.

It turned out that the encryption algorithm used in Bluetooth 2.1 (the same encryption algorithm used in previous versions) was itself insecure, leading to a new encryption algorithm (AES-CCM) introduced in Bluetooth 4.0, but even this algorithm proved to have exploitable flaws because it didn't incorporate SSP.

bluetooth-security-vulnerabilities-keyboard

Then we entered the Bluetooth 4.1 era, which added a new feature called Secure Connections to non-LE Bluetooth devices, and then the Bluetooth 4.2 era, which added that same feature to LE Bluetooth devices. So starting with Bluetooth 4.2, all newer Bluetooth devices supported both SSP and AES-CCM encryption. Sounds good, right?

Not quite. The problem is that there are four different pairing methods under the umbrella term of SSP...

Numeric Comparison
Just Works
Out-of-Band
Passkey Entry

...and each of these has its own flaws: Numeric Comparison requires a display (not all devices have one), while Just Works is vulnerable to attacks and exploitation. Out-of-Band requires a separate channel for communication (not all devices support this) and Passkey Entry can be eavesdropped against (at least in its current state).

Oops.

What can you do about it? Avoid connecting to devices that use older versions of Bluetooth (as of this writing, that means any devices prior to the 4.2 standard). Similarly, upgrade the firmware of all of your Bluetooth devices to the latest version. If that isn't possible, discard those devices or use at your own risk.

2. Many Attack Vectors Still Exist

The security vulnerability mentioned above isn't the only one that still exists for Bluetooth devices. The reality is that many of the attack vectors that existed in previous versions of Bluetooth still exist -- they just happen to be executed in different ways.

Eavesdropping -- An attacker can sniff the air for Bluetooth data in transmission and, by exploiting the right vulnerabilities, read and/or listen to that data. So if you're conversing on the phone with a Bluetooth headset, for example, someone could potentially listen in.
Bluesnarfing -- An attacker can, once devices are paired, access and steal information off of your Bluetooth device. The connection is usually made without your knowledge, possibly resulting in stolen contact info, photos, videos, calendar events, and more.
Bluebugging -- An attacker can also remotely control various aspects of your device. Outgoing calls and texts can be sent, incoming calls and texts forwarded, settings changed, and screens and keypresses can be watched, etc.
Denial of service -- An attacker can flood your device with nonsense data, blocking communications, draining battery life, or even crashing your device altogether.

These attacks can affect any device that's actively using Bluetooth, including headsets, speakers, keyboards, mice, and most importantly, smartphones.

What can you do about it? If you can change the Bluetooth password for your device (possible on phones, tablets, smartwatches, etc.) then do so immediately, making sure you pick a PIN that is safe! This can mitigate against some attack vectors, but the only guaranteed protection is to keep your Bluetooth disabled.

As a side note, if you're skeptical about just how insecure Bluetooth is, check out how many Bluetooth vulnerabilities still exist!

3. Even When Hidden, You Can Be Found

The advent of Low Energy transmissions in Bluetooth 4.0 was widely welcomed, mainly because it allowed devices to have greater battery life. But LE Bluetooth is just as insecure, if not more so, than classic Bluetooth.

The thing about Bluetooth is that when active, it constantly broadcasts information so that nearby devices can be alerted to its presence. This is what makes Bluetooth so convenient to use in the first place.

The problem is that this broadcast information also contains details unique to individual devices, including something called a universally unique identifier (UUID). Combine this with the received signal strength indicator (RSSI), and your device's movements can be observed and tracked.

Most people think that setting a Bluetooth device to "undiscoverable" actually makes it hidden from this kind of stuff, but that's not true. As Ars Technica recently proved, there are open-source tools that can sniff you out even while undiscoverable. Yikes.

My new neighbor was using AirDrop to move some files from his phone to his iMac. I hadn't introduced myself yet, but I already knew his name. Meanwhile, someone with a Pebble watch was walking past, and someone named "Johnny B" was idling at the stoplight at the corner in their Volkswagen Beetle, following directions from their Garmin Nuvi. Another person was using an Apple Pencil with their iPad at a nearby shop. And someone just turned on their Samsung smart television.

I knew all this because each person advertised their presence wirelessly ... and I was running an open source tool called Blue Hydra.

What can you do about it? Nothing, unfortunately, except keep Bluetooth disabled at all times. Once activated, you'll be broadcasting all of that information to your surrounding area.

Bluetooth May Not Be the Future

A safer alternative to Bluetooth might be Wi-Fi Direct, a different short-range device-to-device connection using Wi-Fi. It isn't as ubiquitous as Bluetooth yet, but has the potential to be. Similarly, Wi-Fi Aware should be on your radar as well.

Have you ever experienced any problems due to Bluetooth? Are these risks enough to turn you off from using it ever again? Or will you keep using it as you always have? Let us know in the comments!