
New Bluetooth flaws could let an attacker steal wireless communications

Newly discovered Bluetooth flaws that let attackers impersonate devices could affect Apple users, even on devices with the newest version of Bluetooth.

A team at Eurecom, a research institution, has discovered a series of security weaknesses in Bluetooth technology named "BLUFFS", or Bluetooth Forward and Future Secrecy. These weaknesses are found in the Bluetooth wireless protocol and could affect billions of devices like laptops, smartphones, and other portable gadgets.

BLUFFS affects Bluetooth versions from 4.2, which came out in December 2014, to the newest 5.4, released in February 2023. Tests show that devices using Bluetooth versions 4.1 to 5.2 are vulnerable to at least three of the six attack types, according to a report from Bleeping Computer.

That includes various iPhone, Mac, and iPad models.

The attacks aim to break Bluetooth communications' privacy, threatening current and future data exchanges. These attacks interfere with how Bluetooth creates secure keys for encrypting data.

The attacker, who needs to be within Bluetooth range, can then figure out or alter these keys to decode or tamper with the data. That requires the attacker to pretend to be one of the devices sharing data.

The researchers have found six different BLUFFS attacks, each involving different ways of impersonating devices or getting in between them (man-in-the-middle attacks). These methods work whether the devices use newer or older Bluetooth security features.

Future Bluetooth security

To improve Bluetooth's security against these threats, the researchers suggest several changes compatible with current technology. These include a new method for generating secure keys in older Bluetooth connections, a shared key for verifying key diversifiers, using only the secure mode of Bluetooth, and keeping track of session key diversifiers to prevent reusing them.

The Bluetooth SIG sets standards for Bluetooth and advises using more robust security modes and rejecting connections that don't meet specific key strength requirements for better encryption.
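As an added illustration (not code from the researchers, the Bluetooth SIG, or any Bluetooth stack), the sketch below shows how a host-side policy could combine three of the measures described above: refusing non-secure-mode sessions, rejecting weak session keys, and remembering key diversifiers per peer so they cannot be reused. The class and function names are hypothetical, and the 7-octet floor is an assumed policy value that the article does not specify.

```python
from dataclasses import dataclass, field

# Assumed policy floor in octets; the article gives no number.
MIN_KEY_OCTETS = 7


@dataclass
class SessionPolicy:
    """Hypothetical admission check run before a session key is used."""
    min_key_octets: int = MIN_KEY_OCTETS
    secure_only: bool = False
    # peer address -> set of session key diversifiers already accepted
    seen: dict = field(default_factory=dict)

    def admit(self, peer, diversifier, key_octets, secure_mode):
        if self.secure_only and not secure_mode:
            return "reject: secure mode required"
        if key_octets < self.min_key_octets:
            return "reject: key too weak"
        used = self.seen.setdefault(peer, set())
        if diversifier in used:
            # Reusing a diversifier would let an old session key be derived again.
            return "reject: diversifier reused"
        used.add(diversifier)
        return "accept"


# Constructed sample sessions: (peer, diversifier, key size in octets, secure mode)
D1 = bytes.fromhex("01" * 16)
D2 = bytes.fromhex("02" * 16)
SAMPLE_SESSIONS = [
    ("AA:BB:CC:00:00:01", D1, 16, True),   # first use of D1 with this peer
    ("AA:BB:CC:00:00:01", D1, 16, True),   # same diversifier replayed
    ("AA:BB:CC:00:00:01", D2, 1, False),   # key strength negotiated down
    ("AA:BB:CC:00:00:02", D1, 16, False),  # other peer, non-secure mode
]


def evaluate(sessions, policy):
    """Return the policy decision for each session, in order."""
    return [policy.admit(*s) for s in sessions]


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_SESSIONS, SessionPolicy(secure_only=True)):
        print(decision)
```
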

How to protect yourself from BLUFFS

Although it's not likely that most people will be affected by these Bluetooth flaws, there are still ways to stay safe.

A crucial step is ensuring that your devices are continually updated with the latest software releases from Apple. These updates frequently contain vital security patches that address vulnerabilities like those exploited by BLUFFS.

Additionally, it's advisable to use Apple devices that support the most recent Bluetooth standards.

Turning off Bluetooth when it's not needed reduces exposure to potential attacks. It's equally important to be careful about the devices you pair with, limiting connections to trusted devices and avoiding pairing with unknown or unverified sources.



6 Comments

ItsWatchingEveryone 5 comments · 2 Years

Sounds like the only protection is turning off Bluetooth. The updates and such, as of late November 2023, mean zip, zero, nada.

chasm 3621 comments · 10 Years

Oh noes, someone might be able to listen in on my music stream!

(Yes, I know there are other potential intercepts such as keystrokes, but again, the attacker has to be within Bluetooth range, so the risk of this gathering any useful data seems really, really low)

jellyapple 116 comments · 1 Year

Since upgrading to iPhone 15 Pro and iOS 17 (now 17.1.1), I have found it losing Bluetooth connectivity and actually being disabled intermittently. Apple used remote diagnostics to deny any problem. When it happens, Apple Watch, earphones and every Bluetooth device disconnect for a few seconds to minutes. It happens 100% when I am within 50m of an Apple Store. What's wrong?

chasm 3621 comments · 10 Years

jellyapple said:
Since upgrading to iPhone 15 Pro and iOS 17 (now 17.1.1), I have found it losing Bluetooth connectivity and actually being disabled intermittently. Apple used remote diagnostics to deny any problem. When it happens, Apple Watch, earphones and every Bluetooth device disconnect for a few seconds to minutes. It happens 100% when I am within 50m of an Apple Store. What's wrong?

At a guess, I’d have an Apple tech take apart your iPhone and have a look at the shielding around your Bluetooth antenna/module. Possibly you’re missing some component there that would protect you from “frequency overload interference.”

citpeks 253 comments · 10 Years

chasm said:
Oh noes, someone might be able to listen in on my music stream!
(Yes, I know there are other potential intercepts such as keystrokes, but again, the attacker has to be within Bluetooth range, so the risk of this gathering any useful data seems really, really low)

Your profound love of Michael Bolton might be your own little secret, but BT can be, and is, used to identify and track your movements inside places like stores, how often you visit, and, if correlated with data from other sources like cell carriers, which stores you visit.

Personally, I find that more than a little creepy, and the real-life manifestation of the trackers and data mining that occurs online.

Here's some reading to get started:

https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2015/04/privacy-trade-offs-retail-tracking

https://www.reddit.com/r/privacy/comments/yo86h2/retail_stores_using_bluetooth_pingers/