The risk associated with Bluetooth has been on display at this year’s Def Con hacker convention, but it’s not the kind of security threat you should lose sleep over.
However, that’s not to say that there isn’t a lesson worth remembering here. TechCrunch shared the story of Jae Bochs, a security researcher who has been semi-pranking Def Con attendees.
You know those prompts Apple TV gives your iPhone when you need to enter your Apple ID password for something? Bochs built a cheap device that mimics alerts those on nearby iPhones. But why?
One (reason) was to remind people that to switch off Bluetooth on an iPhone, you have to dig into the Settings app and not just tap it off on the quick-access Control Center, which is displayed by swiping down from the top right corner of the iPhone.
The other was “to have a laugh,” according to Jae Bochs, the security researcher who said they walked around the conference triggering these pop-ups with a custom-made device.
The Bluetooth described behavior started in 2017 with iOS 11. Toggling off Bluetooth from Control Center disables new Bluetooth connections, but it doesn’t disable the Bluetooth radio.
Turning off Bluetooth altogether requires flipping the toggle in Settings, but wireless devices like Apple Watch and AirPods can’t really function at this point. Life without Bluetooth just ain’t for me.
But is there a security risk we should be aware of? The piece references flaws that allow “phone number, Apple ID email, and current Wi-Fi network” to be obtained over Bluetooth
The researcher said these issues are already known, at least since a 2019 academic paper that studied Apple’s Bluetooth low energy protocol and concluded that there are “several flaws” that “leak device and behavioral data to nearby listeners.”
“Individually, each flaw leaks a small amount of information, but in aggregate they can be used to identify and track devices over long periods of time,” the researchers wrote in the paper.
Apple ID email, for example, is used for fast pairing and switching features on AirPods.
Bochs believes, however, that a device like the one they created with Bluetooth LE range cranked up could actually be used to coerce iPhone users into unknowingly giving up their passwords. Combine that with their Apple ID and the user has a problem.
What can you do about it? Turning off Bluetooth to avoid being tricked into giving up your Apple ID password probably isn’t the most practical solution.
However, if you’re tuned in enough to be worried about Bluetooth, you can be tuned in enough to be thoughtful before entering your password to random prompts. If a prompt seems sketchy, dismiss it. If something breaks, it was probably legit. If not, crisis averted.
FTC: We use income earning auto affiliate links. More.