The Annual Gathering of the Overconfident
There are, at present, any number of people energetically warning us about the terrifying possibilities of Bluetooth exploitation — even at DEF CON. For those unfamiliar with DEF CON, it is not, in this instance, the Pentagon reacting to some distant nation’s ceremonial chest-thumping, but a yearly gathering in Las Vegas where hackers congregate to explain, often in exhaustive detail, the illegal things they have allegedly done while simultaneously congratulating themselves for not yet being arrested.
A good deal of this material inevitably leaks onto YouTube, which would appear to simplify the work of the authorities enormously. One imagines exhausted FBI agents sitting at home with takeaway pizza, watching self-incriminating conference footage uploaded in 4K by the suspects themselves. The modern criminal mastermind, unlike his predecessors, insists on providing subtitles.
But enough of the sociology of the overconfident nerd. Back to Bluetooth.
“Bluetooth Hacking: For Fun and Profit (or Just for Fun) — A Retirement Hobby Guide.”
Scan, Connect, Profit*
Most of these contemporary “exploits” revolve around the revolutionary discovery that Bluetooth devices can be scanned for and, in some cases, connected to. If this sounds underwhelming, that is because it is. There follows, usually, a demonstration involving an unsecured printer. The hacker identifies the device, downloads a freely available app and driver to his phone, and triumphantly prints something mildly offensive as though he has just hacked into NORAD rather than a £49 inkjet from a supermarket bundle.
At this point, one is tempted to point out — in the tone usually reserved for correcting enthusiastic children at a school science fair — that none of this is especially new.
Twenty-Odd Years Ago, It Had a Fashionable Name
Twenty-odd years ago, this same trick had a fashionable name: Bluejacking. It was perfectly achievable from one of my first smartphones, a Sony Ericsson P800, a device so early in the evolution of “smart” phones that it still carried the faint air of having been assembled by optimistic engineers in a shed.
At the time, sending unsolicited Bluetooth messages to nearby devices felt like a glimpse into some lightly anarchic digital future. In retrospect, it was mostly teenagers discovering that proximity-based mischief scales poorly into adulthood.
At this point, I suspect my mother — now in her late seventies and still capable of programming a VHS recorder better than I ever could — would remain entirely able to follow proceedings, and might even begin considering Bluetooth hacking as a suitable retirement hobby.
Antennas Large Enough to Communicate With Neptune
One particularly excitable young man demonstrated how he could harvest Bluetooth identifiers and MAC addresses using a Raspberry Pi festooned with antennas large enough to communicate with Neptune. Quite what civilisation-threatening purpose this served was left obscure. Apparently my headphones, lacking a PIN for pairing, could theoretically be commandeered by this digital buccaneer, who might then inflict upon me the full discography of Justin Bieber — provided he remained within range and sufficiently committed to the joke.
What, Then, Can Be Done in Practical Terms?
Very little that requires panic.
If your devices support pairing PINs, use them. And above all, if you are not using Bluetooth, switch it off. This advice lacks the glamour of a hacker convention presentation, but unlike a man in a hoodie waving a Raspberry Pi around a casino hotel ballroom, it may actually achieve something.
The unsecured printer deserves a brief but sincere mention of its own, since it appears in virtually every Bluetooth demonstration with the reliability of a Shakespeare subplot. Any networked device left visible to anonymous connection is, in the technical vocabulary of the field, an invitation; and the fact that accepting that invitation yields access to something so bathetically useful as a toner-depleted HP in an open-plan office does not, unfortunately, make it less of one. Attend to your printer settings. Disable Bluetooth discovery on any device that has no particular reason to advertise itself to strangers. And resist the urge to applaud when a conference speaker despatches the word “pwned” to your office Brother machine, beaming as though he has taken Constantinople rather than persuaded a £180 peripheral to print something his colleagues will not find amusing.
The Real Lesson From All of This
The deeper truth that twenty years of Bluetooth security theatre has reliably failed to communicate is not that wireless technology is uniquely dangerous, but that the distance between what is technically possible and what is routinely accomplished by criminals with actual intentions tends to be considerably wider than conference presentations suggest. Every Bluetooth attack of the kind described above requires physical proximity, sustained patience, and a target sufficiently careless about their device settings to make the whole enterprise worthwhile. This is not impossible. It is, however, the sort of operational profile that applies more naturally to a determined ex-spouse than to the organised criminal fraternity, who have access to considerably more productive pastimes.
The genuinely hazardous exploits — the ones that quietly drain bank accounts and compromise corporate infrastructure rather than printing impertinent documents on office machinery — do not tend to surface at Las Vegas conventions with merchandise stands and crowd-sourced applause. They emerge instead in the terse language of vendor security advisories, recommending firmware updates for devices their owners have long since misplaced, patching vulnerabilities in routers whose default passwords remain, as of this writing, “admin”.
Switch It Off and Carry On
The practical prescription, stripped of theatrical anxiety, is almost insultingly brief. Bluetooth operates over short distances. Its vulnerabilities exist primarily because people extend it the same unconditional hospitality they once extended to cold callers and encyclopedia salesmen — allowing it to run continuously, visible to all comers, on the reasonable but entirely misguided assumption that nobody nearby could possibly have anything unpleasant in mind. The correction requires no specialist knowledge, no Raspberry Pi, no DEF CON lanyard, and no familiarity with the finer points of MAC address randomisation.
Disable it when it serves no immediate purpose. Activate pairing PINs where the option exists. Satisfy yourself that your office printer is not, at this precise moment, broadcasting its availability to the entire building like a lonely Labrador at a rescue centre.
And should a young man in a hoodie materialise at a technology conference bearing what appears to be a circuit board that has lost an argument with a radio telescope, there is no need to panic. Move, perhaps, to a quieter corner of the room — not because he presents any credible threat to your digital security, but because the anecdote he is so carefully assembling has been in active circulation since the second Bush administration, and life is genuinely too short for material that peaked before the iPhone existed.