Is Bluetooth Secure?

Technology and convenience go hand-in-hand. As consumers, we are looking for ever-increasing ways of maximizing our use of handy digital devices and Bluetooth technology has added a plethora of options for us over the last few years.

What started as wireless keyboard and mouse options morphed into wireless headphones, printers, hearing aids and smartwatches. The thought of using a mouse with a wire attached to it seems so odd now, yet that was our reality for many years before Bluetooth arrived. Now, your toothbrush might even be Bluetooth enabled!

How Does Bluetooth Work?

It will be helpful to understand how Bluetooth works before we delve into the ways our privacy and digital safety could be compromised when using the technology.

Bluetooth technology is governed by international wireless technology (hardware) standards developed through the Bluetooth Special Interest Group (SIG). Bluetooth SIG a not-for-profit membership organization that oversees the industry requirements, licensing and trademarking.

The technology utilizes short-range radio frequencies to create personal area networks (PANs or “piconets”) to ferry data between electronic devices. The pairing of two devices establishes a trusted relationship for the intermittent exchange of data.

Bluetooth technology has a reach of up to 33 feet, but the stability of the connection varies depending on environmental factors and the specific devices involved in the pairing process. By moving between ultra-high radio frequencies (UHF) rapidly, data exchanged between the devices is stable and the signal remains secure.

During the data transmission process, information is conveyed through “packets” that contain the results of algorithmic “codecs.” This encoding and decoding (sender/receiver) system allows devices to transmit and, at a minimum, SIG standards enforce a universal codec called Subband Coding (SBC).

An important distinction to make is between Bluetooth and WiFi. Although WiFi also uses radio signals to communicate wirelessly, WiFi is designed to create a high-power access point for a network sending and receiving high volumes of data. WiFi is faster, can operate over a broader distance and supports multiple users simultaneously with additional levels of security. Conversely, Bluetooth is a low-power alternative with a slower data transmission rate and direct pairing between two devices.

A Plethora of Potential Problems

Bluetooth relies on the pairing process between devices to establish the small network’s security. Both devices use a security key to establish trust and that paired trust survives through periods of dormancy or even after devices are turned off and then on again.

Data exchanged between paired devices is typically encrypted so that other devices in the area cannot decipher the information. An additional layer of security is built into the process involving frequent changes to the device identification addresses. The paired devices keep track of the address changes, but other not-yet-paired hardware cannot. This additional security layer is important in disabling the ability to track a device user’s location.

Some pairing processes require an authentication code, while others involve electronic devices without any display or input apparatus for when the pairing “broadcasting” and “listening” process is employed in a call-and-response fashion. Computers and mobile phones have privacy settings that can be selected to enable and disable visibility of the device to other equipment looking for Bluetooth activity in the area. This setting can eliminate the unnecessary risk associated with malicious sniffing for a potential Bluetooth pairing.

Bluetooth is prone to security breaches, unfortunately. The ease of connection, silently between two devices, is a risk only slightly mollified by the fact that the devices have to be within close physical distance of each other at pairing and for data packet exchanges. The list of Bluetooth vulnerabilities is frighteningly long. Here’s a listing of some of the names and types of security attacks:

Vulnerability Name	Characteristics
BlueSnarfing	Hacker pairs silently and steals device data (i.e. contacts, personal data, etc.)
BlueBugging	Hacker pairs silently and takes control of paired device
BlueSmaking (Denial of Service)	Hacker gains access to one device and denies messaging/call/email receipt service (or drains battery) through abnormally large data transmissions
BlueJacking	Hacker hijacks a device and uses it to spam other nearby devices with advertising/broadcast messages or makes international calls
Location Tracking	Hackers intercept device to pinpoint location
Viruses/Worms	Downloading of unverified app with malware that in turn silently opens device’s Bluetooth for pairing
BlueBorne	Hacker infects device with malware which spreads to any connected device
Headset Access	Hacker accesses Bluetooth headset and eavesdrops on calls or face-to-face conversations as they take place
Listening In	Bluetooth in vehicles is vulnerable to hackers listening in (or participating in) conversations
Key Negotiation of Bluetooth (KNOB)	Hacker intercepts communication between two paired devices and establishes a weaker exchange “key” with subsequent decryption to access data being exchanged
Data Harvesting	Smartphone apps designed to use Bluetooth to gather device data and location

Additional Bluetooth Security Issues

Scams evolve in a never-ending upping of the ante and risk elimination struggles to keep up. There are a few common threads that are helpful to highlight, as we consider not only what hackers might accomplish but how they could execute their damaging plots:

Widespread Pairing Invitations – hackers will broadcast pairing invitations, hoping for a victim who will unknowingly accept the invitation without thinking about what device is asking and why
Name Tricking Invitations – wily hackers will create a device pairing invitation that is named almost identically to a legitimate device (hoping that the invitee will not notice what could be described as a ‘spelling error’) to establish a nefarious pairing connection instead
If a device’s Bluetooth is ‘on,’ in theory, it is available for invitations, hacking and potential access (hackers can’t find devices that have their Bluetooth turned off)
Fitness tracking devices are particularly susceptible to hacking as they may talk to a smartphone constantly (rather than intermittently) and without changing their device identification address

How to Stay Secure

The information in this article might make Bluetooth seem incredibly vulnerable. Although there are a wide variety of ways for bad actors to use Bluetooth technology to access your information and devices, Bluetooth isn’t as dangerous to use as it might appear. This is for a couple of practical reasons:

Device users can take easy steps to protect themselves (we’ll explain these steps in more detail below)
Hacking generally requires physical proximity, making it harder for maliciously minded individuals to act without being close by
Hackers have a short window of time to act, due to the mobility of Bluetooth-paired devices and the need for immediate proximity during data transfer
Hacking Bluetooth requires some technical know-how and isn’t easily accomplished without experience
The rewards of hacking are relatively low compared to means of nefarious digital access that are more widespread and less labor-intensive for victim targeting

If you’re wondering what to do to keep yourself and your devices safe, let’s list the ways in order of significance:

Turn off your device’s Bluetooth when you aren’t using it….you can’t be “found” and hacked if your Bluetooth is turned off
Disconnect your headset from the Bluetooth pairing connection when the headset isn’t in use
Make sure your device’s software is up to date as security patches and other important protections are intermittently issued by individual hardware manufacturers in response to specific threats
Only download apps from trusted sources to avoid unknowingly becoming infected with malware that will use Bluetooth access later
Reject any pairing request that comes from an unknown source
Don’t ignore minor spelling mistakes in a pairing invitation’s device identification
Buy your devices from respected manufacturers who will ensure device safety is kept up to date and new risks are addressed and patched
Avoid using Bluetooth data transmission when sending sensitive data such as passwords and credit card information
If you must send files containing sensitive data by Bluetooth enabled communications, further encrypt the data before transmission
If your car has Bluetooth capabilities, change the PIN code as the manufacturer’s default code is easily hacked
It’s always a smart rule-of-thumb to avoid using Bluetooth in public places

Is Bluetooth Compatible with VPN?

Recently, it’s become common for device users to add an extra layer of security to their Bluetooth-enabled devices through the use of a VPN (virtual private network). Although VPNs provide excellent identification protection for all points of internet access, they don’t have specific applicability to Bluetooth connections. There is a possibility of transmission improvements when using a VPN on a smartphone tethered to another device’s hotspot for internet access, and you may want to consider this option if you tether your phone often.

However, VPN technology is becoming an essential tool in the prudent IT user’s tool chest. You might want to check out specific VPN providers to see what their product reviews and security benefits are. Certainly, it’s best to have all doors and windows locked through any digital safety means possible. You can find top VPN service providers at PinpointVPN and you might want to check out the reviews for top-rated NordVPN and Surfshark VPN.

Sources:

Screenshot Sources: