Bluetooth is serially insecure. Here's how to protect your devices

Bluetooth has a chequered security history, but it's easy to protect yourself by updating promptly and following security best practice
WIRED

Bluetooth can be unreliable. From unwanted images AirDropped to your phone to location tracking, to compromised device pairing, there's a lot of potential for things to go wrong, and Bluetooth's problems have ranged from low-grade privacy risks to major security breaches.

Notable vulnerabilities include 2017's BlueBorne, which affected the Bluetooth implementations then used by all major operating systems and allowed any Bluetooth device to be taken over and exploited with remote code execution as well as man-in-the-middle attacks; a 2018 attack that manipulated Bluetooth pairing flaws to gain access to devices; and, just this month, a more specific pairing vulnerability affecting products including Google's Titan Security Keys.

Bluetooth is also often insecure by design, which is exactly what you want for low-security uses like pairing your phone to a speaker or headset. The BR/EDR (Basic Rate/Enhanced Data Rate) protocol can use a PIN to confirm connections, but often uses the "Just Works" connection system, which dispenses with this step.

David Lodge of Pen Test Partners has demonstrated that this can produce unexpected vulnerabilities in products you'd expect to be secure: "you may be able to pair to a device if it is on and the owner has walked out of range. This is one of the attacks we used on the Cayla doll, which is just a Bluetooth headset embedded in a doll."
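
To see why a screenless device such as a headset ends up on "Just Works", here is an added illustration (not part of the original article, and not any vendor's code) of how Secure Simple Pairing picks a pairing method from what each device can display or type, following the IO capability mapping in the Bluetooth Core Specification. The function names and the sample device list are made up for the example.

```python
# Added illustration: which Secure Simple Pairing method two BR/EDR devices
# end up with, and whether the resulting link key is authenticated.
DISPLAY_ONLY = "DisplayOnly"
DISPLAY_YES_NO = "DisplayYesNo"
KEYBOARD_ONLY = "KeyboardOnly"
NO_IO = "NoInputNoOutput"
IO_CAPS = {DISPLAY_ONLY, DISPLAY_YES_NO, KEYBOARD_ONLY, NO_IO}


def association_model(cap_a, cap_b):
    """Return (model, authenticated) for a pair of SSP IO capabilities."""
    for cap in (cap_a, cap_b):
        if cap not in IO_CAPS:
            raise ValueError(f"unknown IO capability: {cap!r}")
    caps = {cap_a, cap_b}
    if NO_IO in caps:
        # One side can neither show nor accept anything: no user check.
        return ("Just Works", False)
    if KEYBOARD_ONLY in caps:
        # A six-digit passkey is typed on the keyboard side (or on both).
        return ("Passkey Entry", True)
    if caps == {DISPLAY_YES_NO}:
        # Both users see the same six digits and each confirms them.
        return ("Numeric Comparison", True)
    # A display-only side auto-confirms; the key is unauthenticated, so this
    # example groups the case with Just Works (a simplification).
    return ("Just Works", False)


def audit(devices, phone_cap=DISPLAY_YES_NO):
    """List devices that would pair with the phone without authentication."""
    findings = []
    for name, cap in devices:
        model, authenticated = association_model(phone_cap, cap)
        if not authenticated:
            findings.append((name, model))
    return findings


# Constructed inventory: device names and capabilities are made up.
SAMPLE_DEVICES = [
    ("toy-headset", NO_IO),
    ("car-kit", DISPLAY_YES_NO),
    ("keyboard", KEYBOARD_ONLY),
    ("photo-frame", DISPLAY_ONLY),
]

if __name__ == "__main__":
    for name, model in audit(SAMPLE_DEVICES):
        print(f"{name}: pairs via {model}, no man-in-the-middle protection")
```

Anything the audit lists will accept a pairing without a code being checked by its owner, which is the situation Lodge describes.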

Fortunately, there are measures you can take to defend your devices.

Keep everything up to date

Numerous Bluetooth security vulnerabilities have been discovered, and they've almost invariably been patched through firmware and software updates, rather than simply being left until the next hardware generation to fix.

Make sure that your phone firmware and laptop operating system are up-to-date, and you'll go a long way towards safeguarding against vulnerabilities, Bluetooth-related or otherwise. Unfortunately, not every maker of Bluetooth devices provides reliable security updates, particularly when it comes to the Internet of Things.

When it comes to Bluetooth peripherals, security-critical ones are often replaced by the manufacturer. For example, Google is currently running a return scheme for Bluetooth Low Energy (BLE) Titan Security Keys affected by a vulnerability that makes it possible for an attacker in close physical proximity to communicate with your key or the device it's paired to when you use it to identify yourself.

Turn it off

Webroot Security Analyst Tyler Moffitt advises that disabling Bluetooth is "definitely one of the top recommendations to increase security", in addition to always patching your systems.

If you don't actually use Bluetooth on your phone, tablet or laptop, there's certainly no need to leave it active. However, if you use it all the time – to connect your headphones, for example – security researcher Lodge has some reassurance. "In terms of disabling BT on your phone or laptop: I would not be too worried about attacks through the BT interface to exploit vulnerabilities in the BT stack," he says, "as long as you patch your devices regularly."

But although you can protect against outright attacks with prompt patching, leaving Bluetooth switched on can make it more likely for your privacy to be invaded. Lodge says that Bluetooth sensor beacons are increasingly being deployed in places such as shopping centres and airports.

These scan for Bluetooth MAC addresses and use them to map a device's journey through an area. This can also be done using a device’s Wi-Fi interface, which is also worth keeping off if you don't use it – data plan allowing.

Limit app permissions

Some apps can turn your phone into a Bluetooth peripheral, such as AirDrop and the music player in iOS. "This has been abused in the past by people sending unsavoury images over AirDrop, which then provides a thumbnail of the image," Lodge says. He recommends that people disable AirDrop, or set it to 'Contacts Only' mode unless it's being actively used.

Whether you use iOS or Android, it's important to read new or updated apps' permissions manifests to ensure that you don't get surprised by unexpected connectivity features.

On iOS, you can check this via the Apps & notifications settings, under App permissions to sort by type or in each app's entry in the App info menu. On recent versions of Android, you'll find permissions for all your apps under Apps & notifications > Advanced > App permissions.

Keep your distance

Most Bluetooth attacks can only be carried out at close range so, if you're doing something particularly sensitive involving Bluetooth, you should be aware of your surroundings for more than just over-the-shoulder password snoopers.

Lodge says that the range for Bluetooth attacks depends on the type of Bluetooth in use, but within 10 metres is a good rule of thumb. "Although this doesn’t sound like much, it can cover a neighbour’s rooms, a busy bar or restaurant or a train/tube," he says. And although Bluetooth attacks aren’t that common, he and his colleagues at Pen Test Partners are hearing more about random AirDrops on public transport.

"It all depends on the class (Watt use) of the device," adds Webroot Security Analyst Tyler Moffitt. "Class 1 devices transmit at 100 mW with a range of 100 meters. Class 2 devices transmit at 2.5 mW with a range of 10 meters."

Most Bluetooth headsets or smartwatches are Class 2 devices, but Moffitt notes that, under best possible conditions, Bluetooth 5's Low Energy protocol has a maximum range of up to 245 metres: four times the greatest range possible with Bluetooth 4.2 LE.

While the threats presented by Bluetooth are relatively rare and easily combated by good security practices, especially regular updates, it's important to recognise that just because a feature is convenient and widely used, that doesn't necessarily mean that it comes with iron-clad safety.

This article was originally published by WIRED UK