Bluetooth is most common way people connect wireless headsets to their phones, and, in many cases, also connect other devices to one another. The convenience that Bluetooth offers has transformed the headset market from wired to wireless in less than a generation, and has helped usher in the era of wearable technology.
Yet, there are numerous security risks associated with using Bluetooth-ranging from the ability to eavesdrop on some devices, to the ability to crash devices and drain batteries on others.
Even the modern Bluetooth versions 4.0 and 4.1-which solved some earlier risks-allow unauthorized parties to potentially eavesdrop on communications if a device utilizes low energy transmissions (LE), a feature of Bluetooth used to maximize battery life. It should be noted that if a manufacturer configures a device to communicate using LE, a user cannot normally instruct the device to do otherwise. Even the latest version 4.2-which few devices even support yet-suffers from significant security issues. Furthermore, software vulnerabilities in devices utilizing Bluetooth remain a serious concern; on more than one occasion security researchers have claimed to have hacked cars via the vehicles' Bluetooth connectivity.
Bluetooth headset security concerns are severe enough that the NSA states bluntly as the first of its security guidelines for Bluetooth "Never use standard commercial Bluetooth headsets." In fact, the core specification for Bluetooth Low Energy states explicitly "The overall goal of keeping the cost of the Controller and the complexity of a slave device to a minimum was used in making compromises on security capabilities in LE."
Bluetooth certainly serves a purpose, and, like most other people, I have, and use, a Bluetooth headset and various other Bluetooth-enabled devices. People should, however, understand the risks; per the NSA, Bluetooth may be inappropriate for highly-sensitive transmissions. Also, for both security and power consumption reasons, whenever practical, turn off Bluetooth when it is not in use.
While future iterations of Bluetooth might address some of today's concerns, various tradeoffs serve as potential roadblocks to making Bluetooth-enabled devices fully secure; vendors do not wish to make their products more difficult to use, shorten their battery life, increase the cost of their manufacture, or make their devices incompatible with other products. A trend toward increasingly comfortable wearable technology is highly unlikely to be disrupted, for example, by larger and heavier devices offering no new capabilities other than the better security achieved by not leveraging LE.
Perhaps as battery technologies improve we will see LE disappear-but I would not hold my breath for such a development; the market has a tendency to leverage any power gains for new applications, not for preserving the same functionality with better security.
Alternative improvements may arrive sooner.
While the difference is effectively invisible to users, headsets and other devices that communicate via near field magnetic induction rather than with radio frequency signals use considerably less power than Bluetooth (even when Bluetooth is operating in LE mode) and make eavesdropping much more difficult; such technology already exists from firms including NXP Semiconductors, ON Semiconductors, and FreeLinc Technologies. Other possibilities for addressing the shortcomings of Bluetooth include the creation of devices that charge via motion in order to improve battery life (since headsets and wearable technology are often in motion for a large portion of the time that they are used), and devices with specialized security technology overlaid on top of Bluetooth. Future versions of the Bluetooth protocol might also offer some improvements.
In the meantime, understand that your headset and wearable devices may be convenient, but they may not be secure.
Please feel free to discuss this article with me. I'm on Twitter at @JosephSteinberg.