All you need to know about Bluetooth security

Sep 19, 2019 · 4 min read

You are surrounded by Bluetooth devices – your fitness tracker, headphones, speakers, and smart home devices can all use it. They share your data with one another and the web, and where there’s data, there will always be hackers trying to steal it. Is Bluetooth actually as unsafe as it seems? Let’s find out.

The most common Bluetooth hacks

Bluetooth connections have been around for a few decades, so hackers have found many ways to abuse them. The three best-known and most common Bluetooth attacks are:

  • Bluejacking is an attack during which a hacker uses a Bluetooth connection to get into your phone and send anonymous messages to other nearby devices. Hackers can also use it to make international or expensive pay-per-minute calls and drain your hard-earned money.
  • Bluesnarfing is an attack in which a hacker steals information on your phone, including calendars, emails, texts, photos, videos, and your phone book via Bluetooth. The hacker needs to download all this information fairly quickly – while you’re within range.
  • Bluebugging is probably the worst as it allows the hacker to completely control your device. It gives them the ability to listen in on your calls and access all data stored on your device.

If a hacker manages to get into your smartphone, they can get tons of sensitive information about you. This can later be used in social engineering attacks, to blackmail you, or to hack into your bank and other accounts.

However, the worst part about Bluetooth attacks is that security researchers find new ways the connection can be exploited every year.

There’s more…

It reveals your location

Hackers can use Bluetooth to track your location. To do so, they only need two things: a device that constantly uses Bluetooth connections and a unique device identifier. How does it work?

Two devices that connect over Bluetooth recognize each other by exchanging a piece of information that you can think of as something similar to a device address. Most devices change them regularly, like when the connection is reestablished or when their batteries are drained. However, security researchers have recently found that some devices, like fitness trackers, keep the same address no matter what. Hackers can use this number as a unique device identifier.

To make matters worse, such devices constantly transmit this signal to remain connected to your phone and provide accurate, real-time results.
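To check whether your own devices keep a fixed address, you can audit a Bluetooth Low Energy scan capture of them. The following is an added example, not code from the original article: it classifies each address by the two most significant bits that the Bluetooth specification uses to mark random address types, and flags addresses that never rotate. The scan log, the 15-minute window and all function names are assumptions made for illustration.

```python
from collections import defaultdict

ROTATION_WINDOW_S = 15 * 60  # assumed audit threshold, not a value from the article

# Constructed sample scan log: (unix_time, address, address_type)
SCAN_LOG = [
    (1000, "C4:7D:11:22:33:44", "random"),  # fitness tracker
    (4600, "C4:7D:11:22:33:44", "random"),
    (1000, "5A:10:9F:00:AB:01", "random"),  # phone, first address
    (1900, "6B:33:21:7C:DE:02", "random"),  # same phone after rotating
    (1000, "00:1A:7D:DA:71:13", "public"),  # speaker
    (1000, "4E:02:03:04:05:06", "random"),  # private address that never rotates
    (9000, "4E:02:03:04:05:06", "random"),
]

def classify_address(address, address_type):
    """Name the BLE address type; random types are encoded in the top two bits."""
    if address_type == "public":
        return "public"
    top_bits = int(address.split(":")[0], 16) >> 6
    return {0b11: "random_static", 0b01: "resolvable_private",
            0b00: "non_resolvable_private"}.get(top_bits, "reserved")

def find_trackable(scan_log, window_s=ROTATION_WINDOW_S):
    """Map each address usable as a stable identifier to the reason it was flagged."""
    seen = defaultdict(list)
    for timestamp, address, address_type in scan_log:
        seen[(address, address_type)].append(timestamp)
    findings = {}
    for (address, address_type), stamps in seen.items():
        kind = classify_address(address, address_type)
        span = max(stamps) - min(stamps)
        if kind in ("public", "random_static"):
            findings[address] = f"{kind}: does not rotate during operation"
        elif span > window_s:
            findings[address] = f"{kind}: unchanged for {span}s"
    return findings

if __name__ == "__main__":
    for address, reason in find_trackable(SCAN_LOG).items():
        print(address, "->", reason)
```
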

Bluetooth encryption can be easily broken

Security researchers have also recently discovered a hacking technique that weakens Bluetooth encryption and makes it easier to crack. Two devices connecting over Bluetooth need to exchange cryptographic keys to establish a secure connection. However, not all devices support long and secure encryption keys. Therefore, they need to “talk” to each other to decide on the key length.

In a Key Negotiation of Bluetooth (KNOB) attack, hackers intercept this process and make one of the devices “offer” to use a weak encryption key that can be as short as 1 byte. Once such a connection is established, a hacker can use a simple brute force attack to break the encryption and start watching the traffic being exchanged between the devices.
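The negotiation described above can be modelled in a few lines to show why a minimum key length on either device defeats the downgrade. This is an added example, not code from the original article or from any Bluetooth stack: the `Device` class, the function names and the sample devices are hypothetical, and the 7-byte minimum is the value the Bluetooth SIG recommended for BR/EDR after KNOB was published, not a figure from this page.

```python
from dataclasses import dataclass

SPEC_MIN_BYTES, SPEC_MAX_BYTES = 1, 16  # key sizes the negotiation permits
HARDENED_MIN_BYTES = 7  # SIG recommendation after KNOB (not from the article)

@dataclass
class Device:
    name: str
    min_key_bytes: int = SPEC_MIN_BYTES
    max_key_bytes: int = SPEC_MAX_BYTES

def negotiate(initiator, responder, tampered_proposal=None):
    """Return the agreed key size in bytes, or None if a device refuses."""
    proposal = initiator.max_key_bytes
    if tampered_proposal is not None:
        # The size proposal is not integrity-protected, so a party in the
        # middle can rewrite it before the responder sees it.
        proposal = tampered_proposal
    agreed = min(proposal, responder.max_key_bytes)
    # Each device accepts only sizes at or above its own configured minimum.
    if any(agreed < d.min_key_bytes for d in (initiator, responder)):
        return None
    return agreed

def keyspace(key_bytes):
    """Number of candidate keys a brute-force search has to cover."""
    return 2 ** (8 * key_bytes)

# Constructed sample devices: two that accept any size, one with a floor.
legacy_phone = Device("legacy phone")
legacy_headset = Device("legacy headset")
patched_headset = Device("patched headset", min_key_bytes=HARDENED_MIN_BYTES)

if __name__ == "__main__":
    for responder in (legacy_headset, patched_headset):
        size = negotiate(legacy_phone, responder, tampered_proposal=1)
        outcome = "refused" if size is None else f"{size} byte(s), {keyspace(size)} keys"
        print(f"{responder.name}: {outcome}")
```

A 1-byte key leaves only 256 candidates, while the untampered 16-byte result leaves 2^128; the patched device refuses the tampered proposal outright instead of encrypting with a weak key.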

It can cause a Denial of Service (DoS)

Hackers can also use Bluetooth to cause a Denial of Service. They can crash your device, block your smartphone from receiving or making calls, or drain your battery. Even though it may not help them steal your data, it may cause confusion or simply be very annoying.

Your apps can use it maliciously, too

Apps on your phone might also be secretly using your Bluetooth connection to harvest data and track your location. The new iOS 13 was designed to notify users of apps that compromise their privacy, and it did exactly that. It has already picked up on Facebook and YouTube abusing users’ Bluetooth.

How safe is Bluetooth?

If Bluetooth has so many vulnerabilities, why do we still use it? Mostly because Bluetooth hacking isn’t that common in real life. Why?

  • In order to exploit your Bluetooth connection, a hacker needs to be in close proximity (within 300 feet of you for a Class 1 Bluetooth device or 30 feet for a Class 2 Bluetooth device) and they need to get results before you move out of the vicinity;
  • Security researchers identify Bluetooth hacking difficulty as Intermediate, meaning that it’s unlikely that any wannabe hacker will be able to perform it. Bluetooth attacks require advanced technical knowledge and sometimes resources, like money and special equipment. Therefore, it would be easier and quicker for a hacker to break your window than your smart door lock;
  • The results might not be that fruitful. Yes, if a hacker gets into your phone, they can get a lot of information about you. However, sniffing the traffic between your Spotify and your wireless speakers – not so much.

Taking this into account, it's safe to say that you wouldn’t want your Bluetooth on at DEFCON, the biggest hacking conference in the world. But in reality, using Bluetooth regularly should generally be OK.

That doesn’t mean you shouldn’t do your best to protect yourself, however, so here are a few easy steps you can take to secure your Bluetooth connection.

What to do to make Bluetooth safer

  1. Turn it off when you don’t use it and avoid using it in public places.
  2. Don’t accept pairing requests from unknown parties.
  3. Update firmware regularly if possible. If not, change your devices every few years.
  4. Do your research before buying a new device. Find out what security measures the manufacturer has added to secure your device and what their reputation for security is like.

Emily Green

Emily Green is a content writer who loves to investigate the latest internet privacy and security news. She thrives on looking for solutions to problems and sharing her knowledge with NordVPN readers and customers.