Nasty Bluetooth flaw hits billions of devices — what to do now

(Image credit: Shutterstock)

A flaw in an older version of the Bluetooth protocol lets hackers pair their devices with yours, potentially leaving billions of devices open to attack. Affected devices may include, but are not limited to, iPhones, Pixels, Samsung Galaxy phones, Lenovo, Apple and HP laptops, and Sennheiser, Philips and Plantronics headphones.

The flaw permits what its finders, all European academic researchers, call "Bluetooth Impersonation Attacks," or "BIAS" for short. An attacker's device can impersonate a device that has already been paired with your device, then connect automatically. 

You'll want to update the software and/or firmware on your Bluetooth device ASAP, although whether that fixes things depends on your device's manufacturer. 

Once connected, the attacker can steal information, or even take control of your phone, tablet, laptop or headphones — and can do the same to a device that has previously been paired with yours. 

"After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices," the researchers said in a blog post yesterday (May 19). 

"So, the short answer is: If your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed."

Here's a video, rather charmingly narrated by researcher Daniele Antonioli of the École Polytechnique Fédérale de Lausanne in Switzerland, explaining how the attacks work.

Antonioli and his colleagues tested 31 devices directly and found them to be vulnerable to BIAS attacks. It's not clear whether any devices were tested and found not to be vulnerable, although the researchers hint that they could not find any gadgets that were completely safe. 

"Our attacks work even when the victims are using Bluetooth's strongest security modes," their academic research paper said. "Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device."

In other words, the paper said, "a single vulnerability in a security mechanism defined in the standard translates into billions of exploitable devices."

The only device that even partly protected itself was a Lenovo wireless mouse from 2015, which you can get on eBay for about $30.

Which devices are vulnerable to BIAS attacks?

Vulnerable smartphones and tablets included the Apple iPhone 8, iPhone 7 Plus, iPhone 6, iPhone 5s, and the 2018 and 2010 iPads; the Google Pixel 3, Pixel 2 and Nexus 5; the Samsung Galaxy S5 mini, Galaxy J5 and the 2017 and 2016 models of the Galaxy J3; the Nokia 7, X6 and Lumia 530; the OnePlus 6; the LG K4; and the Motorola G3.

Laptops found to be vulnerable included the Lenovo ThinkPad L930, 3rd-generation ThinkPad X1, ThinkPad X230 and IdeaPad U430; the 2017 Apple MacBook Pro; and the HP ProBook 430 G3.

Other proven vulnerable devices included the Lenovo ThinkPad 41U5008 wireless mouse; the Sennheiser PXC 550, Plantronics Backbeat 903+ and Philips SHB7250 wireless headphones; and the Raspberry Pi 3B+ mini-board computer.

The researchers found the Bluetooth flaw in 30 different devices. But because the flaws lie not in the devices themselves, but rather in the embedded Bluetooth chips that are used across a range of brands and devices, hundreds more models from an unknown number of manufacturers are likely to be just as vulnerable. 

The 28 Bluetooth chips in the proven vulnerable devices include the widely used Qualcomm Snapdragon 845, 835, 636, 630, 410, 210 and 200 systems-on-a-chip; the Samsung Exynos 7570, 3475 and 3470 SoCs; the Intel 9560, 8260, 7265, 6205 and 1280 wireless network adapters; and several Apple, Cypress and Cambridge Silicon Radio wireless chips.

For example, phones using the Qualcomm Snapdragon 845, but not tested for this research, include the Samsung Galaxy S9, S9+ and Note 9; the LG G7, V35 and V40; and the Sony Xperia XZ2 and XZ3. It's also possible that other systems-on-a-chip that were not tested might be vulnerable to BIAS attacks.

Likewise, both the original iPad from 2010 and its descendant from 2018 were vulnerable, indicating that other iPad models might be as well.

Some fixes are already available

For its part, the Bluetooth Special Interests Group, which oversees development of the wireless standard, said it was updating the Bluetooth core specifications to correct this flaw. 

"The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches," the group's statement said. "As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers."

Antonioli's colleagues in this research were Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security in Germany and Kasper Rasmussen of the Department of Computer Science at the University of Oxford. Their full research paper can be found here.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.