16

I am considering acquiring Bluetooth headphones for use with my PC and also iPad. How vulnerable am I with Bluetooth on?

Iexist
  • 161
  • 1
  • 1
  • 3
  • bluetooth in general or headphones? – schroeder Jul 17 '16 at 09:09
  • 1
    does this answer your question: http://security.stackexchange.com/questions/26356/what-can-an-attacker-do-with-bluetooth-and-how-should-it-be-mitigated – schroeder Jul 17 '16 at 09:09
  • The main thing in the wireless security is the range. The lower the range the more secure you are. The second thing is the pairing protocol which is crackable. If you have low range transmitter (Class 3 below 10m), then it's more secure than Class 1 which can go up to 100m. – Aria Jul 17 '16 at 10:08
  • @schroeder What I understand from that is if I pair devices it is relatively safe?, like if both devices are on undiscoverable I can relax? I know there is always a risk but is it significant comapred to wifi? – Iexist Jul 17 '16 at 10:34
  • one thing to keep in mind is meta leakage: while it may not be known _what_ you're hearing, it's easy to tell _that_ you're _there_ and listening to _something_ by scanning/triangulating RF "noise". – dandavis Jul 17 '16 at 12:29
  • 2
    Could you clarify what kind of attack you are worried about? – Anders Jul 17 '16 at 15:56
  • @Anders There is nothing in particular, but I would use headphones while at home and maybe when I am out an about, I just want to know the potential threats – Iexist Jul 18 '16 at 10:54
  • 7
    Threat #1: someone hijacks the connection and turns on Justin Bieber. Threat #2: someone intercepts the connection and finds out that you like Justin Bieber. – Jedi Jul 19 '16 at 04:28
  • From reading @schroeder's link, it sounds like the headphones would have virtually limitless access to your PC/smartphone. That could be problematic if someone were able to infect the headphones with malware or impersonate them. It's a bit of a stretch, but still something to consider. – Zenexer Aug 31 '16 at 05:27

2 Answers2

9

When asking a question of the form "How vulnerable does (thing X) make me?", you first need to consider what kinds of attacks you're at risk of being victimized by.

Possible Attacks

When using Bluetooth headphones, I can think of the following attacks you might be concerned about:

  1. Traffic snooping (someone reading the data which is going over the connection, or just noticing that a connection exists at all - perhaps revealing that you're listening to something at that time)
  2. Traffic modification (someone altering the data which is going over the connection)
  3. Service disruption (preventing your headphones from working, probably by flooding the airwaves with random or spammy data)
  4. Infiltration (using your PC or iPad's bluetooth capabilities to gain unauthorized access to the PC or iPad)

Let's consider each attack in turn:

  1. This question here on security.stackexchange indicates that Bluetooth is encrypted by default. Many devices exist for capturing Bluetooth traffic as it passes over the airwaves, but the encryption means understanding your traffic won't be as simple as just setting up a Bluetooth sniffer and reading the traffic directly. On the other hand, I don't think there is a guarantee of a minimum key strength on the encryption -- the encryption isn't guaranteed to be strong. You'll need to read the specifications of your devices to find out how trustworthy the encryption is.

    To listen to your Bluetooth traffic, an attacker would have to either break or bypass the encryption on the traffic which is likely only going to be feasible for an attacker of medium sophistication or better.

    An attacker could merely note the presence of the Bluetooth connection. This attacker wouldn't know what is going over the connection, only that the connection exists. In context, this means the attacker would know your Bluetooth headphones are connected and are communicating with the connected PC or iPad. I suppose this might be usable to try to triangulate your position or determine if you're physically vulnerable (because you're distracted by your killer jams).

  2. As stated above, your Bluetooth connection will likely be encrypted. This means an attacker seeking to modify the traffic must somehow subvert the encryption.

    This is possible, but is even more difficult than the first attack type. I can only think of general techniques for doing this, not specific techniques Bluetooth is definitely vulnerable to right now.

    The attacker might be running attack software on one of your Bluetooth devices so she can modify data as it arrives/departs, she might intercept your traffic then mirror it back out with modifications included, she might act as a relay between your two Bluetooth devices, etc.

    All of these depend on the attacker's ability to rapidly decrypt / re-encrypt the traffic. Casual attackers probably won't have this capability.

  3. Jamming Bluetooth isn't as easy as jamming, say, WiFi. It's possible, but it's illegal and requires specialized equipment / software which a casual attacker is unlikely to possess.

  4. Yes, it is possible to use a Bluetooth connection to gain unauthorized access to a device but this is unlikely to happen to you.

    Such a connection could, in theory, do anything any other data connection could do. Most concerning among these are: exfiltrating sensitive data, running unauthorized code, or causing the device to malfunction. Look up Bluesnarfing and Bluejacking for some details and examples.

    However, and critically, there are many reasons to believe that this is not likely to happen to you. Modern Bluetooth devices generally require some kind of pairing sequence before they begin communicating with each other. This makes it difficult for someone with a Bluetooth device to connect to your device(s) without permission.

    To bypass the pairing procedure, an attacker would have to find some kind of vulnerability in the stack of hardware and software which runs your Bluetooth connections. Really, an attacker would probably need to chain together multiple vulnerabilities to work her way from the Bluetooth connection itself into userspace or kernelspace on the target machine. This is very difficult!

    A sophisticated attacker may be able to find and chain together such vulnerabilities, but most wannabe attackers either won't be able to find and exploit such vulnerabilities or will only be able to exploit well known vulnerabilities which a modern and well maintained device (like an iPad) will be secured against (always install Apple's latest security updates!)

    Without such a vulnerability available, attackers can still contact your device and hope you give them access yourself. Defending against this is dead simple: Don't pair your devices with other unknown devices!

Assessing Your Personal Risk

It is up to you to decide which attacks you're most concerned with, nobody can decide for you how much risk you're taking. Try to consider the likelihood of the attack along with the severity of harm should the attack succeed.

For example, if you're a college student and the attack is a prankster roommate playing music you don't like, then the likelihood may be medium or high but the severity is low. Overall, the risk is probably not a big deal.

On the other hand, if you're a Chinese dissident living in Europe the likelihood of attack may be low or medium but the severity could be extreme (putting your contacts in China at risk of imprisonment or worse). Overall, the risk is strongly concerning.

Mitigating the Risks

You have choices for risk mitigation. You can painstakingly review the Bluetooth implementations in the devices you want to use so you know how new devices connect, how strongly the connection is encrypted, etc. Compare that against your personal risk profile and decide how much risk you're willing to bear in exchange for using the technology. Then you can choose to use the devices or not.

Critically, note that Bluetooth is generally considered to be "short range". These attacks require that the attacker (or the attacker's equipment) be physically close to your Bluetooth connection. This must factor into your mitigation decisions. If you will only use the Bluetooth devices in the country, far from other people, your risk is significantly lowered. If you will use the devices walking along crowded streets every day, your risks are increased.

My Recommendation For Most Users

Realistically, typical users have very little to worry about from using Bluetooth headphones. Unless you know you're some kind of special target (again consider the Chinese Dissident example), you probably can use the headphones without fear. At most you might consider turning off your PC's and iPad's Bluetooth connections when they're not in active use.

I've written this whole answer while listening to music with Bluetooth headphones. I use them nearly every day, in public and private (incl. well trafficked spaces like airports), and have never had a security problem because of them.

AZB
  • 171
  • 6
  • 1
    The mention of illegality of BT jamming is unnecessary IMO; I'm sure that all the other 3 points aren't legal either. Perhaps it's better to simply say that all of these things are ilegal. And it's not like it makes a difference to criminals — they are, by definition, willing to break the law. – Display Name Jun 06 '18 at 09:31
  • 1
    @SargeBorsch It's an Attack of Opportunity thing. An attacker is more likely to operate in a way where they can maintain plausible deniability as much as possible, to hide who is doing it, and to easily remain incognito when not actively attacking. Carrying specialized, illegal equipment raises their vulnerability, so they are less likely to keep it on them. So this would effectively only occur as a deliberate, premeditated attack. – Tezra Jan 22 '19 at 19:03
1

An attacker could launch a denial of service attack known as BlueSmack. Quoting this link:

BlueSmack is a Denial of Service (DoS) attack, hence it is directed at the availability of a Bluetooth device. The attack is done similarly to the ”Ping of Death” against IP-based devices. [...] Those devices (especially known for such a behaviour is the iPaq) reserve an input buffer of fixed length (around 600 bytes). When receiving such a malicious ping request, the input buffer overflows, which normally leads to a seqmentation fault and, by this, to the immediate knock-out of the target device.

An evil neighbor could mess with you by hijacking the connection and turning on annoying songs/noises. Do not underestimate the potential impact of this attack. The author of that video apparently managed to force his neighbours to move out after launching this attack for nearly 10 days, which may lead to financial issues.

A. Darwin
  • 3,592
  • 2
  • 16
  • 27