Millions of devices could be affected by recently-discovered Bluetooth flaw — what you need to know

Bluetooth logo on phone
(Image credit: Shutterstock)

A recent report has potentially unveiled a major Bluetooth security issue that could allow criminals to impersonate other devices. This could affect even the latest update of Bluetooth and some of the older versions.

The security weaknesses were developed by a team at the research institute Eurecom. These weaknesses have been named “BLUFFS” or Bluetooth Forward and Future Secrecy. The weakness appears to affect Bluetooth versions from 4.1 to 5.4. Any phone model running these versions would be vulnerable to at least three of the six attack types developed, according to a report from Bleeping Computer. This would mean that every phone from the iPhone 6 to the iPhone 15 could be affected by BLUFF. 

BLUFFS is not listed as a hardware or software configuration, but is instead architectural, which means it can't be fixed easily. The exploit has to do with two previously unknown flaws related to how session keys are derived to decrypt date.

BLUFFS requires the two phones to be within Bluetooth range of each other to work. Once within range, the attacker can alter the secure keys used for encrypting data. They can decode or tamper with the data, which requires the attacker to pretend to be one of the devices sharing data.

It is important to state that there is no guarantee that the majority of people will be affected by these flaws. However, there are a few things that can be done to protect your device. The first is to turn off Bluetooth when not in use. It is also a good idea to only connect with verified devices and never an unknown source. 

Bluetooth is likely working on solving the issue and there have been a few suggestions. The first is to introduce a secure key generation. This would be a quick fix and would allow people to confirm their data is being sent to the right place. However, there will likely be more information to come on the proposed fixes.

Bluetooth SIG responds

Following the discovery of the flaw, Bluetooth SIG has released an official statement on the issue. In the statement, Bluetooth SIG has acknowledged the existence of the vulnerability and has advised that the potential impact can be mitigated by either denying access to specific resources or implementing security measures. 

For instance, the inclusion of sufficient key entropy to make session key reuse of limited utility to an attacker. Key entropy, in regards to cyber security, is used to produce random numbers, which in turn are used to produce security keys to protect data while it's in storage or in transit. The higher the quality of the number, the better the security.

In response to this vulnerability, Bluetooth has strongly advised implementations to reject service-level connections with encryption keys below certain octets, a unit of digital information consisting of eight bits, depending on the device. They recommend having both devices operating in Secure Connections Only Mode will also ensure sufficient key strength.

Secure connections mode can also help by tracking a link key to see if it was established by Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR). This would mean that known devices that aimed to connect but weren't using the saved keys from prior connections would be flagged. The lack of prior saved keys, or if the octets key is too small, then do not connect. 

How to protect yourself from potential attacks

Control Center on an iPhone 14 Pro Max

(Image credit: Tom's Guide)

At the time being, there's no real fix for the flaws described above and since they exist in the Bluetooth architecture, there won't likely be one until the next Bluetooth version is released. In the meantime though, there is one easy way to protect yourself from any attacks leveraging these flaws but, you're not going to like it.

For now, if you're really concerned about falling victim to a Bluetooth attack, you're best bet will be to disable Bluetooth when out and about. If you use the best Bluetooth headphones, this will be less than ideal but for those who don't, this is the best course of action you can take at the moment. 

As 9To5Mac points out though, this isn't really convenient, so a more practical way to stay safe would be to avoid sending any sensitive files, photos or other data over Bluetooth while in a public setting. For iPhone users, this includes using AirDrop to send any photos or documents that contain sensitive personal info.

We'll likely find out more regarding how Bluetooth SIG plans to nip this problem in the bud once and for all once the next major Bluetooth release is ready to make its way into upcoming devices.

More from Tom's Guide

TOPICS
Josh Render
Staff Writer

Josh is a staff writer for Tom's Guide and is based in the UK. He has worked for several publications but now works primarily on mobile phones. Outside of phones, he has a passion for video games, novels, and Warhammer. 

With contributions from
Read more
Find My iPhone
Apple Find My hack turns any Bluetooth device into a secret AirTag — what we know
iPhone 16e review.
iPhone 16e is facing Bluetooth problems — here's what's going on
iPhone 15 Pro Max shown in hand
5 iPhone settings you should always shut off — because they’re a security nightmare
iPhone 16 Pro shown held in hand
Apple just patched its first zero-day flaw of the year — update your iPhone and Mac right now
A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.
Mac and iPhone users beware — Apple processors can be exploited to steal sensitive information
Apple iPhone 16 held in the hand.
iOS 18.3.1 — update your iPhone right now to fix critical zero-day vulnerability
Latest in Phones
OnePlus 13 back, leaning against blue wall
OnePlus 13T could come with an even bigger battery than OnePlus 13 — this is incredible
Apple maps logo on iPhone screen
I avoided Apple Maps for trip planning — but these iOS 18 features are changing my mind
New emojis with iOS 18.4 beta release.
iOS 18.4 beta brings 8 new emoji to your iPhone — here's all the new options
Amazon Big Spring Sale phone deals.
Amazon Big Spring Sale: 17 best phone deals you can get right now
Galaxy S25 Plus held in the hand.
Samsung could delay One UI 7’s release in the US — here’s what we know
Apple iPhone 16 & 16 Plus hands-on.
iPhone 17 just tipped for this long overdue Pro feature in new report
Latest in News
OnePlus 13 back, leaning against blue wall
OnePlus 13T could come with an even bigger battery than OnePlus 13 — this is incredible
Apple Watch Ultra 2
Apple Watch Ultra 3 just tipped for two major upgrades
NYTimes Connections
NYT Connections today hints and answers — Tuesday, March 25 (#653)
Titus Welliver in Bosch Legacy season 3
‘Bosch’ season 3 preview: 5 things to know before the final season on Prime Video
A first look at Amazon's Fallout TV series coming to Prime Video
‘Fallout’ season 3 plans are reportedly being made — while season 2 is still filming
Surface Laptop 7 from the front
Amazon just gave Surface Laptop 7 a 'frequently returned' label — here's what's going on
  • McDork
    My wife is quite deaf and relies on Bluetooth which allows her to connect directly from her hearing aids to her iPhone 14.

    This is potentially a BIG problem for us.
    Reply