We’ve seen a bumper crop of scary-sounding headlines these past few days, including, “Bluetooth is bad and you should stop using it,” “Turn off your Bluetooth, experts warn amid ‘profound security risk,’” and “Critical Bluetooth flaw leaves millions open to attack.”
Based purely on the content of these statements, you might think that Bluetooth has suddenly become a wide-open door on your devices, through which anyone with ill intent could walk and cause irreparable harm, or steal all of your personal info. But the truth is that while these newly discovered threats are real, the odds of your Bluetooth devices being hacked are low — and lower still if you’re only using Bluetooth with your headphones. Here’s what’s really going on.
Beware the KNOB
It was revealed on August 13 that older Bluetooth chips and communication protocols can be forced into accepting unwanted connections, and that those connections can be used with nefarious intent. Little panic ensued at the time, and fixes for the exploit were already being issued by major manufacturers. Then suddenly, on August 23, entities like Mashable and Fox News started warning everyone to turn off Bluetooth. We don’t know why these sources decided to ring the alarm now, but here’s a quick recap of the problem.
The exploit in question is known, somewhat hilariously, as KNOB: Key Negotiation of Bluetooth. Without getting too technical, it uses a recently discovered weakness in the way Bluetooth devices ask for and receive permission to exchange data. That weakness means that a receiving device could be tricked into accepting a much lower level of security — one that could be easily outfoxed by a hacker — for these data exchange connections. From there, we are led to believe, all kinds of nasty things could be done to the targeted device, from unintended operations (sudden volume changes) to the theft of personal information.
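For readers who do want the technical detail, here is an added example (not from the original article or from any real Bluetooth stack) that models the weakness as a key-size negotiation and shows the patched behavior: refusing any result below a local minimum. The `Device` class, function names, and sample links are hypothetical; the 1 to 16 byte range and the 7-byte recommended minimum come from the Bluetooth specification and its post-KNOB update.

```python
# Simplified model of Bluetooth BR/EDR encryption key-size negotiation.
# All names and the message flow are illustrative assumptions, not a real API.
from dataclasses import dataclass

SPEC_MIN, SPEC_MAX = 1, 16   # key sizes in bytes that the protocol allows
PATCHED_MIN = 7              # minimum recommended by the updated specification


@dataclass
class Device:
    name: str
    min_size: int            # smallest key size this device will accept
    max_size: int = SPEC_MAX


def negotiate(initiator, responder, tamper=None):
    """Return the agreed key size in bytes, or None if either side aborts.

    `tamper` models a party in radio range rewriting the proposal, which is
    possible because this exchange is neither encrypted nor authenticated.
    """
    proposal = initiator.max_size
    if tamper is not None:
        proposal = tamper(proposal)
    # The responder may agree to the proposal or a smaller size, never larger.
    agreed = min(proposal, responder.max_size)
    # The fix: each side rejects a result below its own configured minimum.
    for dev in (initiator, responder):
        if not (max(dev.min_size, SPEC_MIN) <= agreed <= SPEC_MAX):
            return None
    return agreed


def keyspace_bits(size_bytes):
    """Bits of key material an eavesdropper would have to search."""
    return 8 * size_bytes


def audit(links):
    """Return (name, size) for links negotiated below the patched minimum."""
    return [(name, size) for name, size in links if size < PATCHED_MIN]


if __name__ == "__main__":
    downgrade = lambda _proposal: 1              # constructed tampering
    old = (Device("phone", 1), Device("headset", 1))
    new = (Device("phone", PATCHED_MIN), Device("headset", PATCHED_MIN))
    print("unpatched:", negotiate(*old, tamper=downgrade), "byte key")
    print("patched:  ", negotiate(*new, tamper=downgrade))
    print("flagged:  ", audit([("car-kit", 16), ("old-speaker", 1)]))
```

With unpatched devices the tampered negotiation settles on a 1-byte key (8 bits of key material), while patched devices abort the connection rather than accept it.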
Am I at risk?
In order for a hacker to successfully exploit this weakness, they would need the right gear (not exactly off-the-shelf hardware at your local Best Buy), would have to be near a set of Bluetooth devices that had not already been patched against the vulnerability, and would have to intercept the communication between the two devices at precisely the right moment. In other words, the odds of it happening to you when sitting in a bar, restaurant, bus, or another public place are low — very low. If you’re at home, the odds are lower still.
What could happen?
Let’s say you suffered from extremely bad luck and just happened to sit down next to someone with all of the right gear and the ability to use it, and you were using Bluetooth to listen to Spotify on your phone via wireless headphones. What could happen? Worst-case scenario, your musical guilty pleasure — that Nickelback playlist you hit when you think no one is listening — just made itself known to a complete stranger. OK, they might also be able to turn the volume up or down or skip tracks (maybe that’s not such a bad thing), but the bottom line is, the threat isn’t horrible.
So why the ruckus?
We don’t want to underplay the severity of the exploit that was discovered. It’s a potential nightmare under specific circumstances, which is why every major company that uses Bluetooth technology rushed to issue software patches right away.
If you’re running the latest version of Android, iOS, macOS, Windows, etc., and you’re staying on top of your security updates, you have little to fear. Perhaps the biggest takeaway from this event — and really every other exploit that gets discovered — is that you’re never 100% safe from security risks when using modern technology. But if you’re vigilant when it comes to software updates on ALL of your devices, you’ve taken the most important step toward keeping yourself safe.
Now, we can’t really fault some of the other publications for telling people to turn Bluetooth off. It’s not bad advice. If you’re not using it, you should turn Bluetooth off. It sucks battery life, and in some retail environments, it can be used to acquire tracking info about your device. But we don’t think the average person using