You are surrounded by Bluetooth devices – your fitness tracker, headphones, speakers, and smart home devices can all use it. They share your data with one another and the web, and where there’s data, there will always be hackers trying to steal it. Is Bluetooth actually as unsafe as it seems? Let’s find out.
Bluetooth connections have been around for a few decades, so hackers have found many ways to abuse it. There are three most-known and common Bluetooth attacks:
If a hacker manages to get into your smartphone, they can get tons of sensitive information about you. This can later be used in social engineering attacks, to blackmail you, or to hack into your bank and other accounts.
However, the worst part about Bluetooth attacks is that security researchers find new ways the connection can be exploited every year.
Hackers can use Bluetooth to track your location. To do so, they only need two things: a device that constantly uses Bluetooth connections and a unique device identifier. How does it work?
Two devices that connect over Bluetooth recognize each other by exchanging a piece of information that you can think of as something similar to an device address. Most devices change them regularly, like when the connection is reestablished or when their batteries are drained. However, security researchers have recently found that some devices, like fitness trackers, keep the same address no matter what. Hackers can use this number as a unique device identifier.
To make matters worse, such devices constantly transmit this signal to remain connected to your phone and provide accurate, real-time results.
Security researchers have also recently discovered a hacking technique that weakens Bluetooth encryption and makes it easier to crack. Two devices connecting over Bluetooth need to exchange cryptographic keys to establish a secure connection. However, not all devices support long and secure encryption keys. Therefore, they need to “talk” to each other to decide on the key length.
In Key Negotiation of Bluetooth (KNOB) attack, hackers intercept this process and make one of the devices “offer” to use a weak encryption key that can be as short as 1 byte. Once such a connection is established, a hacker can use a simple brute force attack to break the encryption and start watching the traffic being exchanged between the devices.
Hackers can also use Bluetooth to cause a Denial of Service. They can crash your device, block your smartphone from receiving or making calls, or drain your battery. Even though it may not help them steal your data, it may cause confusion or simply be very annoying.
Apps on your phone might also be secretly using your Bluetooth connection to harvest data and track your location. The new iOS 13 was designed to notify users of apps that compromise their privacy, and it did exactly that. It has already picked up on Facebook and Youtube abusing users’ Bluetooth.
If Bluetooth has so many vulnerabilities, why do we still use it? Mostly because Bluetooth hacking isn’t that common in real life. Why?
Taking this into account, it's safe to say that you wouldn’t want your Bluetooth on at DEFCON, the biggest hacking conference in the world. But in reality, using Bluetooth regularly should generally be OK.
That doesn’t mean you shouldn’t do your best to protect yourself, however, so here are a few easy steps you can take to secure your Bluetooth connection.
For more cybersecurity tips, subscribe to our free monthly newsletter below!