Bluetooth Security Vulnerability: The Ultimate Manual

Bluetooth seems like an innocuous technology for sharing files within a restricted Personal Area Network, usually covering 30 feet. However, many Bluetooth users don’t appreciate this technology’s risk. This guide covers why and how your Bluetooth-enabled devices may be vulnerable to attack. We also outline the steps you might take to protect your devices and the sensitive information they contain. 

What is Bluetooth Security Vulnerability Anyway? 

A Bluetooth security vulnerability is a general term that describes the possibility of attackers intercepting, modifying, or reading information between two devices communicating wirelessly via Bluetooth.

This vulnerability also extends to the potential for hackers to inject their own traffic between paired devices. During these attacks, hackers can bypass the authentication and cryptographic security features built into Bluetooth communications.

How Bluetooth Security Vulnerability Works

Traditionally, Bluetooth was used to send continuous voice and data streams. Typical Bluetooth connections included data transfers between devices, wireless speakers, wireless headsets, and wireless keyboards and printers.

However, the emergence of the internet of things (IoT) has brought more devices to the Bluetooth fold. This shift led to the development of Bluetooth Low Energy (BLE) to support devices that don’t need to consistently exchange large amounts of data. This category includes IoT devices such as monitoring sensors, beacons, digital signs, smartwatches, and fitness trackers.

Just like any other technology, Bluetooth is susceptible to vulnerabilities and attacks. Particularly, the widespread use of Bluetooth technology presents new and emerging security concerns. Some of the most common Bluetooth vulnerabilities include:

Bluejacking

Bluejacking typically involves hijacking another device’s Bluetooth to send unsolicited messages, including business cards, advertisements, and pictures. Bluejacking usually happens within a 10-meter range for smartphones or up to 100 meters for laptops. Bluejacking is not technically illegal since the bluejacker doesn’t access or steal the target device’s resources, but it’s still annoying when it happens to you. 

Most bluejackers aren’t truly bad actors. They search for discoverable devices within their range to send funny pictures or flirtatious images—frustrating, but not damaging. However, some bluejackers are malicious. They send offensive, distressing, or insulting images or messages. This practice may be considered illegal in most cases.  

Bluesmacking

Bluesmacking is a more severe attack used to execute Denial of Service (DoS) attacks. This method works by sending the target device oversized packets via the Logical Link Control and Adaptation Protocol (L2CAP) to overwhelm it. As a result, the targeted Bluetooth-enabled device is forced to shut down.

These attacks are not devastating, as you can usually recover the target device simply by rebooting it. However, DoS attacks are often used as the gateway for more severe attacks while the device is incapacitated.

Bluesnarfing

Bluesnarfing is an even more sinister attack used to covertly retrieve sensitive information from a target device. Bluesnarfing is similar to bluejacking, except the hackers access your data, including text messages, emails, and photos. Attackers can also take your device’s unique identifying information, such as IMEI or ISP.

Hackers can use this information to reroute addresses, calendar information, bank details, or phone calls to the attackers’ devices. Bluesnarfing attackers exploit vulnerabilities in the Object Exchange (OBEX) protocol to stage their attacks.

Bluebugging

Bluebugging is when the hacker uses a Bluetooth connection to install malware on the target device. This malware gives the hacker a backdoor to the target device, allowing them complete control of the device. For example, the attacker may be able to eavesdrop or initiate phone calls, access contact information, and read and send messages.

Location Tracking

BLE used in fitness wearables such as Fitbits may be exploited to provide a live stream of your location. Additionally, hackers can use Bluetooth signals, which aren’t unlike IP addresses, to track your location in real-time. Although unlikely, location tracking via Bluetooth is still within the realm of possibility. iOS and Windows 10 devices appear to be the most vulnerable to this attack.

Below are a few great examples of Bluetooth security vulnerabilities and how a hacker might exploit them:

Example #1 – BrakTooth

BrakTooth refers to a collection of 16 vulnerabilities discovered in commercial Bluetooth stacks. These vulnerabilities existed on more than 1,400 chipsets found in billions of devices. The worrying fact is that these chipsets are used in various everyday Bluetooth-enabled devices, including smartphones, laptops, industrial equipment, toys, and internet-of-things (IoT) devices.

BrakTooth was discovered by researchers at the University of Singapore and subsequently published in a research paper. The researchers were able to exploit the vulnerabilities to perform arbitrary code execution (ACE) and initiate DoS attacks using firmware crashes.

The list of affected vendors includes huge brands like Intel, Qualcomm, Zhuhai Jieli Technology, and Harman International. Many vendors have since released patches for the discovered vulnerabilities. However, others are still in the process of patching the vulnerabilities, while some have no plans to fix the bugs at all.

Bluetooth connections are vulnerable to attack, just like WiFi connections. Therefore, it is prudent to educate yourself about the potential vulnerabilities present in Bluetooth technology. This information can help you to stop these attacks from happening in the first place.

Example #2 – Blueborne

Blueborne is a set of nine Bluetooth vulnerabilities first discovered by Armis security researchers in 2017. According to researchers, the exploitable vulnerabilities affected an estimated 5.3 billion devices, including operating systems like Windows, Linux, Android, and iOS 9 and before.

Although security patches have already been issued to fix the bugs, many devices remain vulnerable to date. Armis estimates at least two billion devices are still vulnerable to Blueborne. In addition, the virus doesn’t spread over an IP connection, rendering traditional antivirus solutions ineffective.

In the worst case, Blueborne is capable of taking over a device. Hackers could potentially access corporate networks via vulnerable Bluetooth-enabled devices to steal data or spread malware to adjacent devices.

Blueborne is also capable of attacking a range of devices, including laptops, mobile phones, and IoT devices. The target device doesn’t need to be discoverable or paired to the attacker’s device.

Again, this example further highlights the security vulnerabilities present in Bluetooth devices. In this case, a hacker can target the weakest point in a network that traditional cybersecurity solutions cannot protect. This example also illustrates the importance of updating your devices immediately when new security patches are available.

Example #3 – Helomoto

This aptly named attack first targeted Motorola phones. This attack targets Bluetooth devices with poorly implemented “trusted device” management. The attacker initiates a Bluetooth connection, usually sending a vCard via an unauthenticated OBEX Push Profile on the target device.

The attacker then cancels the file transfer before it is completed. Finally, the target device adds the attacker to its list of trusted devices. The hacker is free to use AT commands to take over the device. Older devices using outdated Bluetooth versions are most susceptible to Helomoto attacks.

This example further demonstrates the vulnerabilities present in older Bluetooth versions. It’s important to update your hardware and software regularly. 

How to Get Started With Securing Bluetooth Vulnerabilities

Understanding that Bluetooth connections are vulnerable to attacks is the first step to securing your devices. Below are some practical steps to help you secure your devices against potential Bluetooth vulnerabilities.

Step 1 – Study the Scope of Bluetooth Vulnerabilities

All Bluetooth versions have vulnerabilities. However, older versions such as versions 2.1 and 3.0 are particularly susceptible to attack. For instance, these versions do not provide Man in the Middle (MITM) protection during pairing.

Furthermore, all Bluetooth versions have the following vulnerabilities:

  • Negotiable encryption key length
  • Unknown pseudo-random number generator (PRNG) strength
  • Lack of end-to-end security
  • Limited security services
  • Nonexistent user authentication
  • The possibility of improperly stored keys
  • Connectable or discoverable devices are prone to attack
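
To make the "negotiable encryption key length" item concrete, the following added example (not code from NIST or from any Bluetooth stack) parses HCI Command Complete events for Read Encryption Key Size and reports links whose negotiated key is shorter than a local policy minimum. It assumes raw HCI event bytes without the transport's packet-type byte; `MIN_KEY_OCTETS` is an assumed policy value, and the sample events are constructed.

```python
import struct

EVT_COMMAND_COMPLETE = 0x0E
OP_READ_ENC_KEY_SIZE = 0x1408   # OGF 0x05 (status parameters), OCF 0x0008
MIN_KEY_OCTETS = 16             # assumed local policy; valid key sizes are 1..16

def parse_key_size_event(event: bytes):
    """Return (connection_handle, key_size) or None if not a usable reply."""
    if len(event) < 2 or event[0] != EVT_COMMAND_COMPLETE:
        return None
    plen = event[1]
    params = event[2:2 + plen]
    if len(params) != plen or plen < 3:
        return None                      # truncated or malformed packet
    _num_cmds, opcode = struct.unpack_from("<BH", params, 0)
    if opcode != OP_READ_ENC_KEY_SIZE or plen < 7:
        return None                      # reply to some other command
    status, handle, key_size = struct.unpack_from("<BHB", params, 3)
    if status != 0:
        return None                      # controller reported an error
    return handle & 0x0FFF, key_size     # handle is a 12-bit value

def audit(events, min_octets=MIN_KEY_OCTETS):
    """List (handle, key_size) for every link below the policy minimum."""
    findings = []
    for raw in events:
        parsed = parse_key_size_event(raw)
        if parsed and parsed[1] < min_octets:
            findings.append(parsed)
    return findings

# Constructed sample events (not taken from a real capture).
SAMPLE_EVENTS = [
    bytes.fromhex("0e07010814000b0010"),  # handle 0x00b, 16-octet key
    bytes.fromhex("0e07010814000c0001"),  # handle 0x00c, 1-octet key
    bytes.fromhex("0e07010814000d0007"),  # handle 0x00d, 7-octet key
    bytes.fromhex("0e0401030c00"),        # Command Complete for another opcode
    bytes.fromhex("0e0701081400"),        # truncated packet
]

if __name__ == "__main__":
    for handle, size in audit(SAMPLE_EVENTS):
        print(f"handle 0x{handle:03x}: key size {size} octets is below policy")
```
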

The National Institute of Standards and Technology (NIST) has published several Bluetooth security guides, including the NIST Special Publication 800-121. This guide outlines all known Bluetooth vulnerabilities, including suggested remediation measures.

Ideally, this and other similar documents should be mandatory reading for any individuals or organizations that manufacture or develop Bluetooth-enabled devices. This document is also ideal for people tasked with implementing Bluetooth technology and employees responsible for assessing wireless security.

Step 2 – Address Bluetooth Use in Your Security Policy

This step applies to the organizational use of Bluetooth devices. Many devices in today’s workplace rely on Bluetooth technology. Examples include wireless headphones, hands-free headsets, health monitoring tools, and wireless mice.

It is crucial to address Bluetooth use in your organization’s security policy. In addition, the policy should outline the employees’ responsibilities when using Bluetooth-enabled devices.

Similarly, the policy should include a list of all approved Bluetooth devices, including the approved uses for workflow. It should also indicate the type of information that employees can share over the Bluetooth network. Finally, it is worth implementing a security awareness program specifically covering Bluetooth security vulnerability.

Step 3 – Install Security Patches and Updates

Most Bluetooth vulnerabilities are known, and vendors have quickly provided patches for old and newly-discovered vulnerabilities. Therefore, it is crucial to update your operating systems immediately as new patches and fixes become available. Automated updates are great for staying current with the latest security fixes.

Similarly, ensure that your devices use the latest Bluetooth versions where possible. This step may necessitate upgrading your hardware every few years. However, the extra cost of replacing older or legacy devices is worth it in the long term, especially in an organization. For instance, older Bluetooth versions and devices use outdated and vulnerable pairing algorithms and encryption.

It is also worth mentioning that the devices you pair with can affect Bluetooth security. For instance, a newer device pairing with an old device may cause the former to fall back on outdated pairing algorithms and encryption. So you should be cautious about pairing with older devices. It is much better to upgrade your hardware across the board.

Step 4 – Consider Application-Level Encryption

Application-level encryption provides an additional security layer when transmitting information via Bluetooth. Here, your data is encrypted before being transferred. The data is then decrypted when it reaches its destination.

This step may prolong data transmission depending on the encryption algorithm you choose. Some algorithms like DES take a reasonably short time. Other options like Triple-DES and AES take a longer time but provide better security. When selecting your ideal application-level encryption solution, it’s worth considering the performance vs. security tradeoff.

You may also use additional Bluetooth independent re-authentication such as fingerprints if the device allows it. The extra measure can help prevent Bluebugging attacks and other similar attacks.

Lastly, check the default pairing mechanisms. Most Bluetooth-enabled devices offer multiple pairing mechanism options. But many devices default to Just Pairing, a quick and simple mechanism that allows devices to connect without needing a PIN. On the other hand, the Passkey Entry mechanism requires solid and complicated passwords to initiate a connection. Therefore, the Passkey Entry pairing mechanism is far more secure and worth implementing.

Step 5 – Follow Bluetooth Use Best Practices

A few simple best practices can help you secure your Bluetooth-enabled device. You can start by being careful with the types of files you transfer via Bluetooth. It is good practice to avoid sending sensitive PINs, bank account details, passwords, private photos, and personally identifiable information.

Next, limit the number of apps that have access to your Bluetooth. Applications such as AirDrop use your phone as a Bluetooth peripheral. Although convenient, these apps can provide hackers with a gateway to your phone. At the very least, limit app permission unless you’re actively using the application.

Furthermore, set your Bluetooth to “not discoverable” in your phone settings. Some Bluetooth attacks may still be able to connect to your phone, so it is not a foolproof security measure. However, discoverable devices are far easier targets for hackers.

Also, be sure to set your device back to not discoverable once you have finished connecting to a new device. Consider removing old devices, including lost or outdated devices that you previously connected to. Finally, don’t forget to change the default Bluetooth PIN, which attackers already know and can exploit. Instead, set a new strong PIN that’s difficult to guess.

You should also keep your Bluetooth turned off when not in use. Bluetooth sensor beacons scan for MAC addresses. Unscrupulous people could potentially use this information to map or track your device. Lastly, avoid pairing or sharing information over Bluetooth in public places.
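
The checks in this step can be automated on a Linux host. The added example below (not part of the original guide) parses `bluetoothctl show` style output and the `Device <address> <name>` lines that `bluetoothctl` prints for paired devices, then flags a controller left powered or discoverable and any paired device missing from an approved list. The finding names, the approved list and all sample data are constructed for illustration.

```python
import re

ADDR = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"

def parse_controller(text):
    """Turn `bluetoothctl show` style output into a dict of settings."""
    info = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Controller\s+" + ADDR, line)
        if m:
            info["Address"] = m.group(1).upper()
            continue
        key, sep, value = line.partition(": ")
        if sep:
            info.setdefault(key, value.strip())
    return info

def audit_controller(info, in_use=False):
    """Flag settings that the best practices above advise against."""
    findings = []
    if info.get("Powered") == "yes" and not in_use:
        findings.append("powered-while-idle")
    if info.get("Discoverable") == "yes":
        findings.append("discoverable")
        # A timeout of 0 means discoverable mode never switches itself off.
        if int(info.get("DiscoverableTimeout", "0x0"), 16) == 0:
            findings.append("discoverable-never-expires")
    return findings

def unapproved_paired(listing, approved):
    """Return paired devices whose address is not on the approved list."""
    hits = []
    for line in map(str.strip, listing.splitlines()):
        m = re.match(r"Device\s+" + ADDR + r"\s*(.*)", line)
        if m and m.group(1).upper() not in approved:
            hits.append((m.group(1).upper(), m.group(2)))
    return hits

# Constructed sample data (not captured from a real host).
SAMPLE_SHOW = """Controller 00:11:22:33:44:55 (public)
\tName: lab-laptop
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
"""
SAMPLE_PAIRED = """Device 00:11:22:AA:BB:01 Work Headset
Device 66:77:88:99:AA:BB Old Headset
"""
APPROVED = {"00:11:22:AA:BB:01"}

if __name__ == "__main__":
    info = parse_controller(SAMPLE_SHOW)
    print(audit_controller(info), unapproved_paired(SAMPLE_PAIRED, APPROVED))
```
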
