Security Technology Explained

Why Bluetooth Is a Security Risk and What You Can Do About It

Joel Lee 21-09-2016

There are many myths and misconceptions about Bluetooth floating around 5 Common Bluetooth Myths You Can Safely Ignore Now Bluetooth has evolved over the past 20 years, and what you thought you knew about it is wrong. Let's dispel those Bluetooth myths. Read More . Since 1989 it has gone through many iterations, and many of the problems that existed back then are now irrelevant.


But each new iteration also has the potential for new security holes and vulnerabilities, so it would be wrong to think that Bluetooth is now secure. It isn’t.

We don’t recommend giving up Bluetooth entirely. It is, after all, useful in a lot of ways. For instance, Bluetooth speakers are super convenient The Best Bluetooth Speakers Under $25 and Up to $300 You can't beat the convenience of going wire-free. Great audio quality may always need wired speakers, but for music on your phone Bluetooth speakers are a must-have accessory nowadays. Read More , Bluetooth increases mobile connectivity How Bluetooth 4.0 Is Shaping the Future of Mobile Connectivity Bluetooth is the forgotten star on the device specifications sheet. Read More , and there are many benefits to take advantage of 6 Top Uses For Bluetooth On Your Android Phone Bluetooth has been an impressive wireless technology to enable all sorts of cool functionality with multiple gadgets. While it was rather limited during the early stages of its life, Bluetooth has evolved to be capable... Read More .

All we’re saying is that you should be aware of the risks. This is what to do to keep yourself safe and secure while using Bluetooth.

1. Secure Connections Aren’t Good Enough

When Bluetooth 2.1 was released in 2007, it introduced a new security feature called Secure Simple Pairing (SSP). Any device that uses Bluetooth 2.0 or prior does not support SSP and is therefore utterly insecure. That being said, even devices that do use SSP aren’t guaranteed to be secure.

It turned out that the encryption algorithm used in Bluetooth 2.1 (the same encryption algorithm used in previous versions) was itself insecure, leading to a new encryption algorithm (AES-CCM) introduced in Bluetooth 4.0, but even this algorithm proved to have exploitable flaws because it didn’t incorporate SSP.


wavebreakmedia via

Then we entered the Bluetooth 4.1 era, which added a new feature called Secure Connections to non-LE Bluetooth devices, and then the Bluetooth 4.2 era, which added that same feature to LE Bluetooth devices. So starting with Bluetooth 4.2, all newer Bluetooth devices supported both SSP and AES-CCM encryption. Sounds good, right?

Not quite. The problem is that there are four different pairing methods under the umbrella term of SSP…

  • Numeric Comparison
  • Just Works
  • Out-of-Band
  • Passkey Entry

…and each of these has its own flaws: Numeric Comparison requires a display (not all devices have one), while Just Works is vulnerable to attacks and exploitation. Out-of-Band requires a separate channel for communication (not all devices support this) and Passkey Entry can be eavesdropped against (at least in its current state).



What can you do about it? Avoid connecting to devices that use older versions of Bluetooth (as of this writing, that means any devices prior to the 4.2 standard). Similarly, upgrade the firmware of all of your Bluetooth devices to the latest version. If that isn’t possible, discard those devices or use at your own risk.

2. Many Attack Vectors Still Exist

The security vulnerability mentioned above isn’t the only one that still exists for Bluetooth devices. The reality is that many of the attack vectors that existed in previous versions of Bluetooth still exist — they just happen to be executed in different ways.

  • Eavesdropping — An attacker can sniff the air for Bluetooth data in transmission and, by exploiting the right vulnerabilities, read and/or listen to that data. So if you’re conversing on the phone with a Bluetooth headset, for example, someone could potentially listen in.
  • Bluesnarfing — An attacker can, once devices are paired, access and steal information off of your Bluetooth device. The connection is usually made without your knowledge, possibly resulting in stolen contact info, photos, videos, calendar events, and more.
  • Bluebugging — An attacker can also remotely control various aspects of your device. Outgoing calls and texts can be sent, incoming calls and texts forwarded, settings changed, and screens and keypresses can be watched, etc.
  • Denial of service — An attacker can flood your device with nonsense data, blocking communications, draining battery life, or even crashing your device altogether.

These attacks can affect any device that’s actively using Bluetooth, including headsets, speakers, keyboards, mice, and most importantly, smartphones 3 Smartphone Security Flaws That You Should Be Aware Of Read More .


What can you do about it? If you can change the Bluetooth password for your device (possible on phones, tablets, smartwatches, etc.) then do so immediately, making sure you pick a PIN that is safe How Safe Is Your PIN? [INFOGRAPHIC] Ah, the trusty PIN number, the 4 digits that separates you from your money. We use our bank PIN number in a wide variety of situations, whether it's taking money out of the ATM machine... Read More ! This can mitigate against some attack vectors, but the only guaranteed protection is to keep your Bluetooth disabled.

As a side note, if you’re skeptical about just how insecure Bluetooth is, check out how many Bluetooth vulnerabilities still exist!

3. Even When Hidden, You Can Be Found

The advent of Low Energy transmissions in Bluetooth 4.0 was widely welcomed, mainly because it allowed devices to have greater battery life Four Hardware Upgrades That Will Boost Your Laptop's Battery Life Read More . But LE Bluetooth is just as insecure, if not more so, than classic Bluetooth.

The thing about Bluetooth is that when active, it constantly broadcasts information so that nearby devices can be alerted to its presence. This is what makes Bluetooth so convenient to use in the first place.


The problem is that this broadcast information also contains details unique to individual devices, including something called a universally unique identifier (UUID). Combine this with the received signal strength indicator (RSSI), and your device’s movements can be observed and tracked.

Most people think that setting a Bluetooth device to “undiscoverable” actually makes it hidden from this kind of stuff, but that’s not true. As Ars Technica recently proved, there are open-source tools that can sniff you out even while undiscoverable. Yikes.

My new neighbor was using AirDrop to move some files from his phone to his iMac. I hadn’t introduced myself yet, but I already knew his name. Meanwhile, someone with a Pebble watch was walking past, and someone named “Johnny B” was idling at the stoplight at the corner in their Volkswagen Beetle, following directions from their Garmin Nuvi. Another person was using an Apple Pencil with their iPad at a nearby shop. And someone just turned on their Samsung smart television.

I knew all this because each person advertised their presence wirelessly … and I was running an open source tool called Blue Hydra.

What can you do about it? Nothing, unfortunately, except keep Bluetooth disabled at all times. Once activated, you’ll be broadcasting all of that information to your surrounding area.

Bluetooth May Not Be the Future

A safer alternative to Bluetooth might be Wi-Fi Direct The Differences Between Bluetooth 4.0 and Wi-Fi Direct You Need To Know If you take a peek into the future, it's hard not to envision an always-on society that features a multitude of connected devices that work in unison to make your life more convenient. Read More , a different short-range device-to-device connection using Wi-Fi. It isn’t as ubiquitous as Bluetooth yet, but has the potential to be. Similarly, Wi-Fi Aware should be on your radar as well Wi-Fi Aware: What's It About, And How Can You Use It? What is Wi-Fi Aware and how does it affect you? Let's find out. Read More .

Have you ever experienced any problems due to Bluetooth? Are these risks enough to turn you off from using it ever again? Or will you keep using it as you always have? Let us know in the comments!

Related topics: Bluetooth, Computer Security, Smartphone Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Tristan
    September 13, 2017 at 11:44 am

    My ex gf took full control of my computer through bluetooth including my email. In fact as I talked to my internet provider she was busily changing settings from with 100 yards. Quite frightening