Bluetooth is everywhere, and so are its security flaws. But how great is the risk? How concerned should you be about Bluejacking, Bluesnarfing, or Bluebugging? Here’s what you need to know to protect your devices.
Bluetooth Vulnerabilities Abound
At first glance, it might seem like it’s pretty risky to use Bluetooth. At the recent DEF CON 27 security conference, attendees were advised to disable Bluetooth on their devices while they were there. Of course, it makes sense you’d want to be more careful with your device security if you’re surrounded by thousands of hackers in a fairly small venue.
Even if you’re not attending a hackers’ conference, there are valid causes for concern—just read the news. A vulnerability in the Bluetooth specification was recently uncovered. It allows hackers to access your Bluetooth device via a technique called Key Negotiation of Bluetooth (KNOB). To do this, a nearby hacker forces your device to use weaker encryption when it connects, making it easier for him to crack it.
Sound complicated? It kind of is. For the KNOB exploit to work, the hacker has to be physically close to you when you connect your two Bluetooth devices. And he only has a short window of time to intercept the handshake and force a different encryption method. The hacker then has to brute force the password—however, that’s probably pretty easy because the new encryption key can be as short as one bit in length.
Consider also the vulnerability uncovered by researchers at Boston University. Connected Bluetooth devices, like earbuds and speakers, broadcast their identity in a surprisingly detectable way. If you use such a device, you can be tracked as long as it’s on.
Both of these vulnerabilities popped up in the last month, and you only have to scroll back a year to find another. In short, if a hacker is nearby and sends an invalid public key to your Bluetooth device, it’s highly probable she can determine your current session key. Once that’s done, the hacker can intercept and decrypt all data that passes between the Bluetooth devices easily. Even worse, she can also inject malicious messages on the device.
And we could go on. There’s ample evidence that Bluetooth is about as secure as a padlock sculpted from fusilli pasta.
It’s Usually the Manufacturer’s Fault
Speaking of fusilli padlocks, it’s not the exploits in the Bluetooth specification that are to blame. Bluetooth device manufacturers shoulder significant responsibility for compounding Bluetooth’s vulnerabilities. Sam Quinn, a security researcher with McAfee Advanced Threat Research, told How-to Geek about a vulnerability he disclosed for a Bluetooth smart padlock:
“They had implemented it with no pairing required. We discovered that if you sent a particular value to it, it would just open with no username or password needed, using a Bluetooth low energy mode called ‘Just Works.'”
With Just Works, any device can instantly connect, issue commands, and read data without any other authentication. While that’s handy in certain situations, it’s not the best way to design a padlock.
“A lot of vulnerabilities come into play from a manufacturer not understanding the best way to implement security for their device,” said Quinn.
Tyler Moffitt, a senior threat research analyst at Webroot, agreed this is a problem:
“So many devices are being created with Bluetooth, and there’s zero regulation or guidelines about how vendors should implement security. There are a lot of vendors making headphones, smartwatches, all sorts of devices—and we don’t know what kind of security they have built-in.”
Moffitt describes a cloud-connected smart toy he once evaluated that could play audio messages stored in the cloud. “It was designed for people who travel a lot and military families, so they could upload messages for the kids to hear played back on the toy.”
Unfortunately, you could also connect to the toy via Bluetooth. It used no authentication whatsoever, so a malicious actor could stand outside and record anything to it.
Moffitt sees the price-sensitive device market as a problem. Many vendors cut corners on security because customers don’t see or assign much monetary value to it.
“If I can get the same thing as this Apple Watch for less than half the price, I’m going to try that out,” Moffitt said. “But those devices are often really just minimum viable products, made for maximum profitability. There is often zero security vetting going into the design of these products.”
Avoid Attractive Nuisances
The attractive nuisance doctrine is an aspect of tort law. Under it, if something like a pool or a snapping tree that grows candy (only applicable in magical realms) lures a child to trespass on your property and he’s injured, you’re liable. Some Bluetooth features are like an attractive nuisance that put your device and data at risk, and no hacking is required.
For example, many phones have a smart lock feature. It allows you to leave your phone unlocked as long as it’s connected to a specific, trusted Bluetooth device. So, if you wear Bluetooth headphones, your phone remains unlocked as long as you have them on. While this is convenient, it makes you vulnerable to hacking.
“This is a feature I wholeheartedly recommend no one use,” said Moffitt. “It’s just ripe for abuse.”
There are countless situations in which you might wander far enough away from your phone that you aren’t in control of it, and yet it’s still within Bluetooth range. Essentially, you’ve left your phone unlocked in a public place.
Windows 10 has a variation of the smart lock called Dynamic Lock. It locks your computer when your phone goes out of Bluetooth range. Generally, though, that doesn’t happen until you’re 30 feet away. And even then, Dynamic Lock is sometimes sluggish.
There are other devices designed to lock or unlock automatically. It’s cool and futuristic when a smart lock unlocks your front door as soon as you step on the porch, but it also makes it hackable. And if someone takes your phone, he can now come in your house without knowing your phone’s passcode.
“Bluetooth 5 is coming out, and it has a theoretical range of 800 feet,” says Moffitt. “That’s going to amplify these kinds of concerns.”
Take Reasonable Precautions
Clearly, there are real risks with Bluetooth. But that doesn’t mean you have to throw away your AirPods or sell your portable speakers—the risk is actually low. In general, for a hacker to be successful, he has to be within 300 feet of you for a Class 1 Bluetooth device or 30 feet for Class 2.
He’ll also have to be sophisticated with a specific goal in mind for your device. Bluejacking a device (taking control to send messages to other nearby Bluetooth devices), Bluesnarfing (accessing or stealing data on a Bluetooth device), and Bluebugging (taking total control of a Bluetooth device) all require different exploits and skillsets.
There are far easier ways to accomplish the same things. To break into someone’s house, you can try to Bluebug the front door lock or just throw a rock through a window.
“A researcher on our team says the crowbar is the best hacking tool,” said Quinn.
But that doesn’t mean you shouldn’t take reasonable precautions. First and foremost, disable smart lock features on your phone and PC. Don’t bind any device’s security to the presence of another via Bluetooth.
And only use devices that have authentication for pairing. If you purchase a device that requires no passcode—or the passcode is 0000—return it for a more secure product.
It’s not always possible, but update the firmware on your Bluetooth devices if it’s available. If not, perhaps it’s time to replace that device.
“It’s sort of like your operating system,” Moffitt said. “You use Windows XP or Windows 7, you’re more than twice as likely to be infected. It’s the same way with old Bluetooth devices.”
Again, though, if you take proper precautions, you can vastly limit the risk of being hacked.
“I like to think that these devices are not necessarily insecure,” Quinn said. “In the 20 years we’ve had Bluetooth, no one discovered this KNOB vulnerability until now, and there are no known Bluetooth hacks in the real world.”
But he added: “If a device doesn’t need to have open communication, perhaps you could turn off Bluetooth on that device. That just adds another attack vector that hackers could use.”