Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you already have a good idea of what BlueBorne is like: attackers can reach your devices through Bluetooth, and they can do it without your knowledge. The Windows, Android, iOS, and Linux Bluetooth stacks were all affected. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently by another compromised device. The BlueBorne vulnerabilities do not require the attacker to pair with your system, and your device does not even have to be discoverable. Someone walks within Bluetooth range with a compromised smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of about 30 feet (10 meters) for the Class 2 radios in phones and laptops. Class 1 radios and directional antennas reach further, but whenever you don’t know who might be snooping within a 30-foot radius sphere, you are vulnerable. That’s halfway to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis documented in BlueBorne have vendor patches. Don’t give the bad guys a free ticket by leaving known soft spots unprotected; make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or when you enter a danger zone. With Bluetooth off, nothing can reach you over Bluetooth, although malware placed on your device while Bluetooth was on stays there.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection (tethering through a phone, or a Bluetooth PAN), your firewall may not monitor it: host firewall rules bound to the Wi-Fi or Ethernet interface do not apply to the Bluetooth network interface. Check your firewall settings.

Seven Rules for Bluetooth at Starbucks

A few weeks ago, I was talking to another engineer about Bluetooth security. Between us, we weren’t sure how secure Bluetooth is. I decided to find out. The first place I went was the Bluetooth standard. That got me a great answer to the question “How secure is Bluetooth?” The answer: a firm maybe. To remove some of the uncertainty, I compiled seven rules for reducing the chances that your Bluetooth connections will be hacked.

Before I list the rules, I will explain why the answer to Bluetooth security is only maybe.

What Is Bluetooth?

Like Wi-Fi, Bluetooth is a standard designed to be a cord and cable eliminator. It is a well-established hardware and software standard for short-range communication between computing devices and peripherals, one that most of us use all the time. Bluetooth and Wi-Fi share the 2.4 GHz radio band, but they are quite different: Bluetooth connects accessories to computers; Wi-Fi connects computers to networks.

Bluetooth’s normal range is about 30 feet (10 meters) for the Class 2 radios in most phones and laptops; Class 1 radios, common in USB adapters and audio equipment, reach about 300 feet (100 meters), and a directional antenna extends that further still. The signal can penetrate some walls. In contrast, current home Wi-Fi range is over 200 feet, and commercial variations on the standard have greater range. Any Bluetooth client device within range in any direction will be able to communicate with your Bluetooth host computing device, if your host will accept the client. Your host could be a desktop, laptop, tablet, or smartphone. In our Internet of Things world, almost anything, from a coffeepot to a bathroom scale, can be a Bluetooth client device, but headphones, keyboards, and mice are the usual candidates. The client device could be on the other side of a wall or across the room.

Bluetooth Security

Most people realize that an unsecured Wi-Fi connection can be intercepted by hackers, but how secure is Bluetooth? What can hackers do to us through Bluetooth? It is a complicated question.

Let’s be clear. Bluetooth is sometimes completely insecure. For example, the NSA has declared commercial Bluetooth headphones insecure and bans their use in the military and agencies that deal in confidential or classified information. However, some uses of Bluetooth are secure and a lot of uses are secure enough.

Dispelling a Myth

Bluetooth uses frequency hopping to avoid interference with Wi-Fi and other radios that share its band: classic Bluetooth hops among 79 channels 1,600 times a second, so interference that does not follow the hops is rejected. Occasionally this scrambling of the signal is put forward as a security measure that guarantees Bluetooth is always secure. That is false! The hop sequence is derived from the master device’s address and clock, both of which can be recovered from the air, and purpose-built sniffers (Ubertooth is the well-known open-source one) follow the hops routinely.

Bluetooth Profiles

A standard like Bluetooth is written to be used for many different purposes. To meet varying sets of requirements, standards like Bluetooth use a concept called profiles. A standards profile is a subset of the standard and a set of practices that narrow the scope of the standard to a specific need. Bluetooth has over thirty profiles. If you look at the details of the Windows 10 Bluetooth documentation, you find a list of about a dozen Bluetooth profiles that Windows 10 supports. When a Bluetooth device connects to a host, the two use a profile they both support. A Bluetooth mouse or keyboard, for example, uses the Human Interface Device profile, and a Bluetooth TV remote uses the Audio/Video Remote Control profile. Each profile tailors the standard to a specific purpose.

These profiles also shape the security of the connection. A profile states what security it requires, from wide open to authenticated and encrypted, and the pairing method the devices use sets the rest. Those headphones NSA doesn’t like use an insecure mode that makes it quite easy for a hacker to listen in. Such low-security headphones pair with phones and music players easily and are not weighed down with extra security circuitry. You may still want those convenient headphones because, unlike the NSA, you may not care if someone listens in.

Threats

Figure: Man-in-the-middle Bluetooth attack.

A Bluetooth hacker can listen in on a connection passively without interfering with the traffic, but they can also mount a man-in-the-middle attack in which the hacker sits between the two devices and controls the traffic over the connection. The most dangerous form is spoofing, in which the hacker tricks your host device into believing that the hacker’s radio is a device you have paired with. Spoofing usually starts while your host and a Bluetooth device are exchanging security information during pairing: the hacker listens in on the exchange and then uses what they learned to impersonate the device to your host.

Authenticated pairing prevents man-in-the-middle and spoofing: a PIN or passkey that both sides must know, or the six-digit numeric comparison of Secure Simple Pairing, rather than the “Just Works” mode that asks the user for nothing. Encryption blocks passive eavesdropping, which may not matter much if you are listening to Beyoncé on Bluetooth headphones but is critical if you are typing your bank password on a Bluetooth keyboard while an eavesdropping hacker records it. Worse, hackers may use the connection to get into your device. A skillful hacker can take over and seriously compromise your laptop or other host device.

Secure Bluetooth

The most secure Bluetooth connections authenticate both devices every time they connect, using the link key established when they paired. Even in the secure modes, encryption is a separate setting that a profile may or may not require, but when the transmitted data is encrypted the connection is comparable to an HTTPS connection, the usual standard for secure network communications.

The big question with Bluetooth is which profile is in use and how it was implemented. A secure profile is secure; a low-security profile is not. A rule of thumb: if you are asked to enter or compare a code when pairing, the pairing is the authenticated kind. If you get to choose the code, rather than copying a fixed one such as 0000 from printed instructions, even better. The best approach is to find documentation on the security of the Bluetooth implementation, because knowing the profile is not enough to determine the level of security. For example, the Human Interface Device (HID) profile, used for mice and keyboards, leaves encryption optional. You can hope that all Bluetooth keyboards encrypt, but the HID profile does not guarantee it. If the situation requires security, consult the security documentation for the device. You may have to dig for it. Don’t rely on marketing literature; marketers often oversimplify security issues.
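Why an authenticated pairing beats “Just Works” is easiest to see by running the exchange. The following Python is an added example, my own code rather than anything from the original post; it models the numeric-comparison stage of Secure Simple Pairing. The functions f1 and g follow the definitions in the Bluetooth Core specification (HMAC-SHA-256 commitment and a SHA-256 check value shown as six digits). The public keys are an assumption of the example: random byte strings stand in for the P-256 public keys the real protocol exchanges, because the displayed check values depend only on the bytes each side received, not on the curve arithmetic.

```python
import hashlib
import hmac
import secrets


def f1(u, v, x, z):
    """SSP commitment function f1: HMAC-SHA-256 keyed with the 128-bit
    nonce x over u || v || z, truncated to the top 128 bits."""
    return hmac.new(x, u + v + bytes([z]), hashlib.sha256).digest()[:16]


def g(u, v, x, y):
    """SSP numeric-comparison check value g: the low 32 bits of
    SHA-256(u || v || x || y), displayed to the user modulo 10^6."""
    h = hashlib.sha256(u + v + x + y).digest()
    return (int.from_bytes(h, "big") % 2**32) % 1_000_000


class Radio:
    """One Bluetooth endpoint. `pk` stands in for the P-256 public key of the
    real protocol (assumption: random bytes are enough for this demonstration)."""

    def __init__(self, name, pk=b"", nonce=b""):
        self.name = name
        self.pk = pk or secrets.token_bytes(32)
        self.nonce = nonce or secrets.token_bytes(16)


def exchange(a, b, mitm=None):
    """Public keys and nonces as each end actually receives them.
    Returns ((peer_pk, peer_nonce) seen by a, (peer_pk, peer_nonce) seen by b).
    An attacker pairs with each side separately, substituting its own public
    key in both directions while relaying the nonces unchanged."""
    if mitm is None:
        return (b.pk, b.nonce), (a.pk, a.nonce)
    return (mitm.pk, b.nonce), (mitm.pk, a.nonce)


def responder_commitment(responder, initiator_pk_seen):
    """B sends Cb = f1(PKb, PKa, Nb, 0) before it reveals Nb."""
    return f1(responder.pk, initiator_pk_seen, responder.nonce, 0)


def initiator_checks_commitment(commitment, responder_pk_seen, own_pk, nb_received):
    """A recomputes f1 once Nb arrives; a nonce changed after the commitment,
    or a swapped public key, fails this check and aborts the pairing."""
    return hmac.compare_digest(commitment, f1(responder_pk_seen, own_pk, nb_received, 0))


def displayed_values(a, b, mitm=None):
    """The six-digit number each device shows its user: U = initiator key,
    V = responder key, X = Na, Y = Nb, each as that device received them."""
    (a_peer_pk, a_peer_nonce), (b_peer_pk, b_peer_nonce) = exchange(a, b, mitm)
    va = g(a.pk, a_peer_pk, a.nonce, a_peer_nonce)
    vb = g(b_peer_pk, b.pk, b_peer_nonce, b.nonce)
    return va, vb


def numeric_comparison_accepts(a, b, mitm=None):
    """Pairing completes only when the user sees the same number on both devices."""
    va, vb = displayed_values(a, b, mitm)
    return va == vb


def just_works_accepts(a, b, mitm=None):
    """Just Works runs the same exchange but shows nothing, so the user has
    nothing to compare and the pairing is accepted whatever happened on the air."""
    displayed_values(a, b, mitm)  # computed by both radios, seen by nobody
    return True


if __name__ == "__main__":
    phone, headset, attacker = Radio("phone"), Radio("headset"), Radio("attacker")
    print("honest, numeric comparison:", numeric_comparison_accepts(phone, headset))
    print("MITM,   numeric comparison:", numeric_comparison_accepts(phone, headset, attacker))
    print("MITM,   just works        :", just_works_accepts(phone, headset, attacker))
    cb = responder_commitment(headset, phone.pk)
    print("commitment vs. tampered nonce:",
          initiator_checks_commitment(cb, headset.pk, phone.pk, secrets.token_bytes(16)))
```

With an honest channel both displays show the same six digits. With an attacker substituting keys, the phone computes its value over the attacker’s key in the responder slot and the headset over the attacker’s key in the initiator slot, so the two displays differ and a user who actually compares them refuses the pairing; the attacker’s only recourse is the one-in-a-million guess. Just Works skips the comparison, which is exactly the gap a “no password needed” accessory leaves open.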

My recommendation is that Bluetooth can usually be used safely at home if you control at least a thirty-foot perimeter in all directions. Using Bluetooth in public is risky, but the risk can be moderated by following precautions.

Seven basic rules for Bluetooth safety:
  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection (tethering through a phone, or a Bluetooth PAN), your firewall may not monitor it: host firewall rules bound to the Wi-Fi or Ethernet interface do not apply to the Bluetooth network interface. Check your firewall settings.
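Rules 5 and 6 (and the “turn discoverability off” advice in both articles) are easy to state and easy to forget to do. As an added example, not code from the original post, here is a Python script for a Linux host running BlueZ that parses the output of `bluetoothctl info` for each paired device and prints the `bluetoothctl` commands a careful owner should run. The sample output is constructed inline: the field names are BlueZ’s, the device names and addresses are made up; in real use you would feed it the concatenated `info` output for every address listed by `bluetoothctl paired-devices`. The `still_used` set, the addresses the owner confirms are really in use, is an input you supply.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `bluetoothctl info <address>` output for three paired
# devices (made-up names and addresses; real output indents fields with a tab).
SAMPLE_INFO = """\
Device AA:BB:CC:11:22:33 (public)
    Name: Travel Headset
    Paired: yes
    Trusted: yes
    Blocked: no
    Connected: yes
    LegacyPairing: no
    UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
Device AA:BB:CC:44:55:66 (public)
    Name: Old Keyboard
    Paired: yes
    Trusted: yes
    Blocked: no
    Connected: no
    LegacyPairing: yes
    UUID: Human Interface Device    (00001124-0000-1000-8000-00805f9b34fb)
Device AA:BB:CC:77:88:99 (public)
    Name: Rental Car
    Paired: yes
    Trusted: no
    Blocked: no
    Connected: no
    LegacyPairing: no
    UUID: Handsfree Audio Gateway   (0000111f-0000-1000-8000-00805f9b34fb)
"""

ADDRESS_RE = re.compile(r"^Device ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


@dataclass
class PairedDevice:
    address: str
    name: str = ""
    flags: dict = field(default_factory=dict)      # Paired/Trusted/Connected/LegacyPairing -> bool
    services: list = field(default_factory=list)   # profile names from the UUID lines


def parse_info(text):
    """Parse one or more concatenated `bluetoothctl info` blocks."""
    devices = []
    for raw in text.splitlines():
        m = ADDRESS_RE.match(raw)
        if m:
            devices.append(PairedDevice(address=m.group(1).upper()))
            continue
        if not devices:
            continue
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue
        dev = devices[-1]
        if key == "Name":
            dev.name = value
        elif key == "UUID":
            dev.services.append(value.split("(")[0].strip())
        elif value in ("yes", "no"):
            dev.flags[key] = value == "yes"
    return devices


def audit(devices, still_used):
    """Turn the parsed pairings into commands. `still_used` is the set of
    addresses the owner confirms are in use; anything else is a forgotten
    pairing and an attack opportunity (rule 5)."""
    actions = []
    for dev in devices:
        if dev.address not in still_used:
            actions.append(f"bluetoothctl remove {dev.address}   # {dev.name}: unused pairing (rule 5)")
        elif dev.flags.get("LegacyPairing"):
            # Legacy PIN pairing (pre-2.1) has no man-in-the-middle protection:
            # drop it and pair again so Secure Simple Pairing is used.
            actions.append(f"bluetoothctl remove {dev.address}   # {dev.name}: legacy PIN pairing, re-pair with a passkey")
    # Rule 6: nobody should be able to find or pair with the host unless you are pairing right now.
    actions.append("bluetoothctl discoverable off")
    actions.append("bluetoothctl pairable off")
    return actions


if __name__ == "__main__":
    devs = parse_info(SAMPLE_INFO)
    for line in audit(devs, still_used={"AA:BB:CC:11:22:33", "AA:BB:CC:44:55:66"}):
        print(line)
```

Run against the sample, the script tells you to remove the rental car (a pairing you no longer use), to remove and re-pair the keyboard because it was paired with a legacy PIN, and to switch discoverability and pairability off; the headset you still use is left alone. The `LegacyPairing` flag is the one worth watching: a keyboard that still carries a legacy pairing is exactly the eavesdropping case described under Threats.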