Bluetooth has been around since 1994 as a wireless connectivity specification, but the first mobile phones did not appear with basic Bluetooth services until 2001. Throughout the last 20 years, the specification has evolved to allow high-fidelity stereo headphones, low-power operation, and the advanced communications needed for device synchronization like Apple CarPlay and Android Auto.
While connected cars, stereo speakers, headphones, and even lightbulbs can be connected via Bluetooth, there are some risks associated with connecting to devices without security PINs (used during initial pairing) and to ephemeral devices like rental cars. While many users may discount these risks, the risk to a business when a mobile device is used for both personal and business communications is a serious threat that should be understood.
To begin, consider the simplest and most well-known risk. An employee rents a car and pairs their phone to the entertainment system to make calls or listen to music while they drive. By default, most car head units synchronize contact lists, and that data remains in the car's memory even when the device is no longer connected. Most users forget to unpair their device after they return the car, are unfamiliar with the risk, or do not know how to navigate the car's entertainment system to unpair and erase all the synchronized data. This means the next renter of the car now potentially has access to all their contacts, even though the original renter will probably never use or see that vehicle again.
Depending on what is in your contact information, the risks for Personally Identifiable Information (PII) disclosure could be similar to some of the most modern data leaks that have hit the news. This is a well-known risk. If you pair your phone with a rental car, remember to delete the connection and all your data after you return the vehicle. If you do not know how, you probably should not pair your phone in the first place.
While this is a simple recommendation, and many of you have probably already heard of this risk, there are plenty of others that are just as risky or could be intrusive. Therefore, here are some of the other Bluetooth threats we should consider before we pair another new Bluetooth device.
Share audio devices
Sharing Bluetooth speakers is a common trend at parties, beaches, hotels, and any public place that a user may want to share audio. While the risk for pairing is actually low, and users should delete the device when they are done, there is an intrusive risk that is inherent to many of these devices. When Bluetooth speakers are not connected, they tend to broadcast their Bluetooth name so someone new can connect. Many times, this feature is on by default and does not require any physical contact with the device like pressing a button. If the device is in a hotel room, bedroom, or other public area, anyone can connect and potentially use the speaker to play inappropriate music or undesirable noises. Worse, many of these devices do have microphones for hands-free calling and can be used to eavesdrop on discussions in the room. Therefore, a simple recommendation to all: if there are Bluetooth speakers in your room, and you are not using them, turn them off or simply unplug them.
Input device PIN codes
Modern Bluetooth keyboards, car head units, and other input devices can pair silently or require an end-user PIN for added security. The PIN can be displayed on both devices to confirm the proper device is being paired, or it can be typed in using a keyboard. As simple as this feature is, pairing the wrong device without some form of verification can be a security nightmare, given the potential access a Bluetooth device can have to audio, contacts, calendar, and other features on your laptop or smartphone. Therefore, always pair a device used for human accessibility with a Bluetooth PIN code to avoid pairing the wrong device, a potential hack or data leakage, or another attack vector due to poor Bluetooth security hygiene.
Random pop-ups on your device
Attacking Bluetooth is not new. In fact, through the years, a wide variety of security patches have been published for Microsoft Windows as well as for Apple macOS and iPhones. One recent trend is to simply create a Denial of Service (DoS) on modern smartphones with a pop-up stating that a device nearby is waiting to connect. The pop-up repeats over and over, and no matter what the end user selects, Connect or Cancel, another pop-up appears immediately afterwards. While the attack uses Near Field Communications (NFC) as well as Bluetooth to be successful, the result is an annoyance that could potentially lead to an exploit or rogue connection if the end user selects Connect. Therefore, the recommendation is simple: turn off Bluetooth when not needed and apply the latest security patches from your device's manufacturer. Sooner or later, all devices will be protected from this modern DoS attack vector, but today, we are still waiting for all vendors to release their security updates.
Headphone sharing
The latest Bluetooth headphones are a marvel of sound quality, convenience, and longevity, and can command a hefty price tag. To mitigate the risks of theft, many of the newer devices have geolocation services built directly in so that if they are lost or stolen, they can be tracked. However, when they are shared, their location is broadcast as well. This means that the owner, the shared user, or any other family member with geolocation access can track the devices and potentially the location of the current user, violating their privacy. Therefore, when sharing modern Bluetooth headphones, remember to unshare them when they are returned or turn off geolocation services in the Bluetooth settings for the device. For the latter, you may lose tracking information for a lost or stolen device if you turn this feature off.
Semi-public Bluetooth
There is a trend in the aviation industry and other locations to create Bluetooth devices that are semi-publicly shareable. The concept is based on the in-seat video monitors per passenger pairing with personal headphones versus the airline carrier supplying cheap or disposable (low cost e-waste) wired headphones. While the risks are not immediately apparent, since it is your Bluetooth headphones pairing with a head video unit supplied by the airline, the annoyance of re-pairing your headphones back to your smartphone or mobile device may limit their adoption. Most Bluetooth headphones can only be paired once, and changing the connection overwrites previous settings. Therefore, be warned: if you connect to these semi-public devices, you may need to re-pair your device when your flight is complete due to limitations in the technology. Any attack vectors while using these new systems have yet to materialize, but I am certain they will in the near future.
With these threats in mind, here are some recommendations to keep Bluetooth from becoming a liability:
- Periodically review all your Bluetooth paired devices and delete any pairing that you do not recognize or that you will no longer need. Keeping a short and concise list of actively used devices is just good cybersecurity hygiene.
- When upgrading to a new smartphone, tablet, or other mobile device with Bluetooth, many migration tools in the operating system will transfer your previous Bluetooth connections. It is always a good practice to review what has been migrated over, since some pairings may come from an old backup and were subsequently deleted.
- If you use your mobile device as a personal hotspot, turn off sharing or Bluetooth name broadcasting while not in use. This prevents others from seeing the name of your device when they are in range, mitigates the risk of any Bluetooth vulnerabilities that could be leveraged via an unsuspecting connection, and conserves power otherwise spent on unnecessary wireless services. Essentially, do not leave your hotspot always on with Bluetooth enabled.
- Never connect to a Bluetooth device in your Bluetooth discovery list just to see what happens. Sometimes it is tempting, I know, but a hack, especially in a public location, could potentially extract a myriad of sensitive information from your device without you even knowing.
While Bluetooth connectivity has been around for more than 20 years and has become mainstream for daily communications and entertainment, the risks for inappropriate usage are serious. Everyone should practice basic cybersecurity hygiene when using Bluetooth and remember that a hack of your data, including work information, is very real if rogue connections are made and personal data is allowed to be synchronized with your Bluetooth device. Always trust but verify all of your Bluetooth connections.
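
The periodic review in the first recommendation can be scripted on a managed laptop. The following is an added example, not part of the original article: it assumes a Linux host running BlueZ, where `bluetoothctl devices Paired` prints one `Device <address> <name>` line per pairing, and the sample listing and approved list are constructed for illustration.

```python
import re

# One line of `bluetoothctl devices Paired` output (assumed format):
#   Device AA:BB:CC:DD:EE:FF Friendly Name
LINE_RE = re.compile(r"^Device\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*(.*)$")

def parse_paired(listing):
    """Return {ADDRESS: name} for every well-formed Device line."""
    paired = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank lines and anything malformed
            paired[m.group(1).upper()] = m.group(2).strip() or "(no name)"
    return paired

def audit(listing, approved):
    """Split paired devices into (recognized, unrecognized) by address."""
    approved_addrs = {a.upper() for a in approved}
    recognized, unrecognized = {}, {}
    for addr, name in parse_paired(listing).items():
        (recognized if addr in approved_addrs else unrecognized)[addr] = name
    return recognized, unrecognized

def removal_commands(unrecognized):
    """Commands the owner can review and then run to delete stale pairings."""
    return [f"bluetoothctl remove {addr}" for addr in sorted(unrecognized)]

# Constructed sample listing; addresses and names are made up.
SAMPLE = """\
Device 00:11:22:33:44:55 Work Headset
Device 66:77:88:99:aa:bb Rental Car Audio
Device CC:DD:EE:FF:00:11 Hotel Room Speaker
not a device line
Device 12:34:56:78:9A:BC
"""
# Hypothetical list of devices the owner still uses.
APPROVED = ["00:11:22:33:44:55", "12:34:56:78:9a:bc"]

if __name__ == "__main__":
    known, stale = audit(SAMPLE, APPROVED)
    for addr, name in sorted(stale.items()):
        print(f"unrecognized pairing: {addr}  {name}")
    for cmd in removal_commands(stale):
        print(cmd)
```

The script only prints the removal commands; the owner decides which pairings to delete.
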