Date: 2023-08-17

At this year’s Def Con hacker convention, the risk associated with Bluetooth was showcased by security researcher Jae Bochs. Bochs built a device that triggered prompts on nearby iPhones, mimicking the alerts seen when entering an Apple ID password. The purpose of this prank was twofold. First, it served as a reminder that turning off Bluetooth on an iPhone requires navigating the Settings app, rather than simply tapping it off on the Control Center. Second, it was meant to be a light-hearted prank.

The behavior of Bluetooth described by Bochs debuted in 2017 with iOS 11. Toggling off Bluetooth from the Control Center disables new Bluetooth connections, but it does not turn off the Bluetooth radio completely. To completely disable Bluetooth, the toggle in Settings must be flipped. However, this means that wireless devices like the Apple Watch and AirPods will not function properly.

While there are known flaws in Apple’s Bluetooth Low Energy protocol that can leak device and behavioral data to nearby listeners, it is unclear if there is a significant security risk associated with these vulnerabilities. A 2019 academic paper highlighted these flaws, stating that while each individual flaw may only expose a small amount of information, collectively they can be used to identify and track devices over long periods of time.

Bochs believes that a device similar to the one they created, with an extended Bluetooth Low Energy range, could potentially be used to coerce iPhone users into unknowingly divulging their passwords. This, combined with their Apple ID, could pose a major problem.

While turning off Bluetooth may not be the most practical solution to avoid falling victim to such attacks, users can exercise caution when entering passwords into random prompts. If a prompt seems suspicious, dismiss it. If something breaks as a result, it was likely a legitimate prompt. By being vigilant, users can mitigate potential risks associated with Bluetooth vulnerabilities.