Bluetooth is everywhere — headphones, keyboards, mice, medical devices, smart locks, cars, and wearables all rely on it. Its ubiquity makes it a persistent attack surface, and research continues to surface serious vulnerabilities in the protocol and its implementations. In 2026, Bluetooth threats range from classic information theft to sophisticated relay attacks enabling keyless car theft and targeted surveillance.
The Bluetooth Protocol: A Quick Security Foundation
Bluetooth operates in the 2.4 GHz ISM band using frequency hopping spread spectrum (FHSS) — hopping across 79 channels 1,600 times per second. Classic Bluetooth (BR/EDR) handles high-bandwidth streaming; Bluetooth Low Energy (BLE) handles sensor and IoT communication. Both share the same radio hardware on modern chips but use distinct protocol stacks.
Security in Classic Bluetooth relies on a pairing process that establishes a Link Key (session key) from a Long Term Key (LTK) negotiated during initial pairing. Bluetooth Low Energy similarly establishes session keys through a pairing procedure.
BLUFFS: Bluetooth Forward and Future Secrecy Attacks
Published by EURECOM researchers in 2023 and affecting devices well into 2026, BLUFFS (Bluetooth Forward and Future Secrecy) attacks (CVE-2023-24023) exploit fundamental weaknesses in how Bluetooth BR/EDR negotiates session keys.
The core issue: the Bluetooth spec allows a central device to force use of a short, low-entropy session key — as short as 1 byte — during session key derivation. An attacker acting as a man-in-the-middle between two paired devices can:
- Force both sides to negotiate a weak session key
- Brute-force the weak key (trivial with 1-7 byte keys)
- Decrypt past and future sessions between those devices
This breaks both forward secrecy (past sessions exposed) and future secrecy (future sessions compromised). The attack works even against previously paired, trusted devices because the spec allows renegotiation.
Affected devices: Virtually all Bluetooth BR/EDR implementations — billions of devices. Mitigations require firmware updates that enforce minimum key length (7 bytes) per the Bluetooth SIG’s guidance.
BlueSnarfing
BlueSnarfing exploits vulnerabilities in the Object Exchange (OBEX) protocol — specifically in OBEX Push and OBEX Pull profiles — to access a device’s contacts, messages, calendar entries, and files without authorization or pairing.
While most modern devices have patched the original OBEX vulnerabilities, BlueSnarfing still appears against:
- Legacy devices that haven’t received firmware updates
- Medical equipment running outdated Bluetooth stacks
- Industrial IoT devices with long update cycles
CVEs: The original attacks predate formal CVE tracking; implementation-specific variants continue to receive CVEs as new Bluetooth stacks are audited.
BlueBorne: Remote Code Execution via Bluetooth
BlueBorne (2017, Armis Research) comprised eight vulnerabilities across Android (CVE-2017-0781, CVE-2017-0782), Windows (CVE-2017-8628), Linux (CVE-2017-1000251), and iOS (CVE-2017-14315) Bluetooth stacks. The critical aspect: BlueBorne required no user interaction and no pairing — any device with Bluetooth enabled and within range was vulnerable.
The Linux kernel Bluetooth stack (BlueZ) had a stack buffer overflow in the L2CAP (Logical Link Control and Adaptation Protocol) handling code. An attacker could trigger this remotely to achieve kernel-level code execution on an unpatched Linux host, including Android devices.
While the original BlueBorne vulnerabilities are patched, the research methodology revealed a systematic lack of security review in Bluetooth stack implementations. Similar issues continue to emerge (CVE-2022-20420 in Android Bluetooth, CVE-2023-45866 affecting multiple stacks with unauthorized HID injection).
CVE-2023-45866 is particularly notable: it allows an unauthenticated attacker to pair a fake keyboard with many Android, Linux, and macOS devices, then inject keystrokes — effectively a wireless BadUSB attack.
BLE Relay Attacks: Keyless Car Theft
Bluetooth Low Energy relay attacks exploit keyless entry systems used in premium vehicles. Modern cars use BLE to detect when the key fob is within range and automatically unlock. The attack:
- Attacker A stands near the car with a relay device
- Attacker B stands near where the key fob is stored (inside the house)
- The relay amplifies the BLE signals between the car and the key fob
- The car believes the key is within range and unlocks — then starts
The entire attack can be executed in under a minute using commercially available relay devices costing under $100. No cryptographic vulnerability is exploited — the relay simply extends the communication range beyond what the designers anticipated.
Affected vehicles: Virtually all cars using passive keyless entry systems based on BLE, including Tesla Model 3 (NCC Group demonstrated this in 2022), BMW, Mercedes, Audi, and others.
Defense: Ultra-wideband (UWB) ranging — used in newer iPhones and growing in automotive — provides centimeter-accurate distance measurement that relay attacks cannot defeat. Some manufacturers also offer motion-based key fob sleep modes.
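Why UWB ranging resists a relay while signal-strength proximity does not comes down to physics: a relay can retransmit a packet louder, but it can only add delay to the round trip, never remove it. The following model, an added example that is not code from the article, from NCC Group, or from any vehicle or chip vendor, compares the two checks on constructed numbers (a fixed fob turnaround time, a relay that adds latency, and illustrative distances):

```python
"""Proximity check by time of flight versus signal strength, under a relay.

Added example; not code from the article, NCC Group, or any vehicle or chip
vendor. Numbers are constructed: the fob's fixed reply-processing time, the
relay's extra latency, and the distances are illustrative only.
"""
C_M_PER_S = 299_792_458.0          # propagation speed of the radio signal
MAX_UNLOCK_DISTANCE_M = 3.0        # policy: unlock only if the fob is within 3 m
FOB_REPLY_NS = 1_000.0             # constructed: fixed turnaround time of the fob


def round_trip_ns(distance_m: float, reply_processing_ns: float,
                  relay_delay_ns: float = 0.0) -> float:
    """Simulate the measured round trip: 2x propagation + fob processing (+ relay)."""
    propagation_ns = 2.0 * distance_m / C_M_PER_S * 1e9
    return propagation_ns + reply_processing_ns + relay_delay_ns


def tof_distance_m(measured_rtt_ns: float, reply_processing_ns: float) -> float:
    """Distance the car infers from a round trip, after subtracting the fob's known reply delay."""
    one_way_ns = (measured_rtt_ns - reply_processing_ns) / 2.0
    return one_way_ns * 1e-9 * C_M_PER_S


def rssi_in_range(rssi_dbm: float, threshold_dbm: float = -65.0) -> bool:
    """Signal-strength proximity: anything 'loud enough' counts as nearby.

    A relay retransmits at full power, so this check cannot tell a relayed
    fob from one that is actually next to the car.
    """
    return rssi_dbm >= threshold_dbm


def tof_in_range(measured_rtt_ns: float, reply_processing_ns: float,
                 max_m: float = MAX_UNLOCK_DISTANCE_M) -> bool:
    """Time-of-flight proximity: a relay can only lengthen the round trip."""
    return tof_distance_m(measured_rtt_ns, reply_processing_ns) <= max_m


if __name__ == "__main__":
    genuine = round_trip_ns(2.0, FOB_REPLY_NS)
    relayed = round_trip_ns(50.0, FOB_REPLY_NS, relay_delay_ns=2_000.0)
    print(f"genuine fob at 2 m : inferred {tof_distance_m(genuine, FOB_REPLY_NS):.1f} m")
    print(f"relayed fob at 50 m: inferred {tof_distance_m(relayed, FOB_REPLY_NS):.1f} m")
    print("RSSI check on relayed signal:", rssi_in_range(-50.0))
    print("ToF check on relayed signal :", tof_in_range(relayed, FOB_REPLY_NS))
```

Even a hypothetical relay that adds no processing delay at all still fails the time-of-flight check, because the fob's true 50 m of separation shows up as 50 m of inferred distance. The practical caveat is resolution: one nanosecond of timing error is roughly 30 cm of distance, which is why this needs UWB-class timestamps rather than ordinary BLE packet timing.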
The KNOB Attack
The Key Negotiation of Bluetooth (KNOB) attack (CVE-2019-9506) targets Classic Bluetooth’s encryption key length negotiation. Similar in concept to BLUFFS, KNOB allows a man-in-the-middle to downgrade the entropy of the encryption key to 1 byte during connection establishment, making brute force trivial.
Both devices in a Bluetooth connection independently accept the attacker’s suggested key length without verifying the other party’s preference, allowing the MITM to impose a weak key on both sides simultaneously.
Affected: All Bluetooth BR/EDR implementations before patches were distributed. Many embedded and IoT devices remain unpatched years later.
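The property both the KNOB and BLUFFS sections turn on is that each endpoint accepts a key size without an independent floor of its own. The model below, an added example that is not code from the article or from the KNOB/BLUFFS researchers, collapses the LMP key-size exchange into one proposal shown to each side and contrasts an unpatched endpoint (accepts anything the spec allowed, down to 1 byte) with one that enforces the 7-byte minimum the SIG recommended. The `Endpoint` class and its policy fields are assumptions of the model, not BlueZ or any vendor stack:

```python
"""Simplified model of BR/EDR encryption key-size negotiation under a MITM.

Added example, not code from the article or from the KNOB/BLUFFS researchers.
It collapses the LMP key-size exchange into one proposal per direction so the
one property that matters here is visible: whether each endpoint checks the
proposed size against its own minimum before accepting it.
"""
from dataclasses import dataclass
from typing import Optional

SPEC_MIN_KEY_SIZE = 1     # what the pre-KNOB spec tolerated (1 byte of entropy)
SPEC_MAX_KEY_SIZE = 16    # full 128-bit key
SIG_MIN_KEY_SIZE = 7      # minimum the Bluetooth SIG recommended after KNOB


class KeySizeRejected(Exception):
    """The endpoint refused the proposed encryption key size."""


@dataclass
class Endpoint:
    name: str
    max_key_size: int = SPEC_MAX_KEY_SIZE
    min_key_size: int = SPEC_MIN_KEY_SIZE   # unpatched default: anything >= 1

    def accept(self, proposed: int) -> int:
        """Accept a proposed key size only if it lies within this endpoint's policy."""
        if not self.min_key_size <= proposed <= self.max_key_size:
            raise KeySizeRejected(f"{self.name}: key size {proposed} outside policy "
                                  f"[{self.min_key_size}, {self.max_key_size}]")
        return proposed


def negotiate(central: Endpoint, peripheral: Endpoint,
              mitm_size: Optional[int] = None) -> int:
    """Return the agreed key size.

    Without a MITM the proposal is the smaller of the two maxima. With a MITM
    (mitm_size set) each side is shown the attacker's value instead of the
    peer's; that is the KNOB/BLUFFS condition: neither endpoint sees what the
    other asked for, so only a local minimum can stop the downgrade.
    """
    honest = min(central.max_key_size, peripheral.max_key_size)
    proposal = honest if mitm_size is None else mitm_size
    peripheral.accept(proposal)
    return central.accept(proposal)


def downgrade_blocked(central: Endpoint, peripheral: Endpoint, mitm_size: int) -> bool:
    """True if at least one endpoint refuses the attacker's proposed size."""
    try:
        negotiate(central, peripheral, mitm_size=mitm_size)
    except KeySizeRejected:
        return True
    return False


def brute_force_space(key_size_bytes: int) -> int:
    """Number of candidate keys for a given entropy size (2^(8*bytes))."""
    return 2 ** (8 * key_size_bytes)


def patched(name: str) -> Endpoint:
    """An endpoint whose firmware enforces the SIG minimum key size."""
    return Endpoint(name, min_key_size=SIG_MIN_KEY_SIZE)


if __name__ == "__main__":
    for label, c, p in (("unpatched", Endpoint("car"), Endpoint("phone")),
                        ("patched", patched("car"), patched("phone"))):
        try:
            size = negotiate(c, p, mitm_size=1)
            print(f"{label}: agreed {size}-byte key, {brute_force_space(size)} candidates")
        except KeySizeRejected as e:
            print(f"{label}: downgrade blocked ({e})")
```

The point the model makes for an enterprise policy: the minimum has to be enforced locally on each device, because the negotiation gives it no trustworthy view of what the peer proposed. In the model a single patched side is enough to refuse a 1-byte key, and the same check is what a "minimum key size" setting in a Bluetooth policy is asking the firmware to do.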
Bluetooth Tracking and Stalking
AirTags and the broader “Find My” ecosystem expose a Bluetooth-based tracking infrastructure that can be weaponized for stalking. AirTags broadcast rotating Bluetooth advertisements; nearby Apple devices (unknowingly) relay their location to Apple’s servers. The tag owner sees precise location updates.
While Apple implemented anti-stalking alerts (iPhone proximity alerts, randomized BLE addresses that rotate), research has repeatedly demonstrated bypasses — including devices that rotate addresses in predictable patterns or that can be physically modified to disable NFC (used for owner lookup).
Other tracking networks (Tile, Samsung SmartTag, Google’s Find My Device) have similar properties and similar abuse potential.
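The detection side of this section, an unknown tracker that keeps turning up near the user across time and places, can be modelled over ordinary BLE scan records. The detector below is an added example; it is not Apple's, Google's, or Tile's logic (their detectors also read tag-specific advertisement fields), and the scan log, addresses and location labels are constructed:

```python
"""Simplified 'unknown tracker travelling with me' detector over BLE scan records.

Added example; this is not Apple's, Google's, or Tile's detection logic (those
also inspect tag-specific advertisement payloads). The scan records are
constructed; the addresses are made up and the places are coarse labels.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Scan:
    minute: float     # minutes since the scan log started
    place: str        # coarse location label from the scanning phone
    address: str      # BLE advertising address as seen in the scan
    rssi_dbm: int


def flag_followers(scans: Iterable[Scan], known: Set[str],
                   min_minutes: float = 30.0, min_places: int = 3,
                   min_rssi_dbm: int = -80) -> List[str]:
    """Return addresses that keep appearing near the user across time and places.

    Devices the user owns (known) are ignored, as are weak, distant signals.
    An address is suspicious only if it persists for at least min_minutes and
    is seen in at least min_places distinct locations: a stranger's headset on
    the same bus fails the places test, a one-off advertisement fails both.
    """
    first, last, places = {}, {}, defaultdict(set)
    for s in scans:
        if s.address in known or s.rssi_dbm < min_rssi_dbm:
            continue
        first.setdefault(s.address, s.minute)
        last[s.address] = max(last.get(s.address, s.minute), s.minute)
        places[s.address].add(s.place)
    return sorted(a for a in first
                  if last[a] - first[a] >= min_minutes and len(places[a]) >= min_places)


# Constructed scan log for a 70-minute commute.
CONSTRUCTED_SCANS = [
    Scan(0,  "home",   "E2:11:22:33:44:55", -55),   # user's own earbuds
    Scan(0,  "home",   "D6:AA:BB:CC:DD:EE", -62),   # unknown tag in the user's bag
    Scan(15, "bus",    "E2:11:22:33:44:55", -58),
    Scan(15, "bus",    "D6:AA:BB:CC:DD:EE", -60),
    Scan(15, "bus",    "F8:10:20:30:40:50", -70),   # another passenger's headset
    Scan(20, "bus",    "F8:10:20:30:40:50", -72),
    Scan(40, "office", "E2:11:22:33:44:55", -57),
    Scan(40, "office", "D6:AA:BB:CC:DD:EE", -61),
    Scan(40, "office", "C4:99:88:77:66:55", -90),   # distant beacon, below the RSSI floor
    Scan(70, "cafe",   "D6:AA:BB:CC:DD:EE", -63),
    Scan(70, "cafe",   "CE:01:02:03:04:05", -65),   # one-off rotating address
]
KNOWN_DEVICES = {"E2:11:22:33:44:55"}

if __name__ == "__main__":
    print("possible trackers:", flag_followers(CONSTRUCTED_SCANS, KNOWN_DEVICES))
```

The detector keys on the advertising address, so it assumes the address stays stable for the length of the window; a tag that rotates its address faster than that has to be correlated on payload fields instead, which is exactly why the vendor detectors do so and why the rotation-pattern research in this section matters.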
Defense Strategies
| Threat | Defense |
|---|---|
| BLUFFS / KNOB | Update firmware; enforce minimum key size in enterprise Bluetooth policies |
| BlueBorne / stack vulnerabilities | Patch OS and firmware immediately; disable Bluetooth when not in use |
| BLE relay (car theft) | Use UWB-equipped keys; use motion-sleep mode; store key in RFID-blocking pouch |
| Unauthorized pairing (CVE-2023-45866) | Update OS; use “Non-discoverable” mode; reject unexpected pairing requests |
| Bluetooth tracking/stalking | Use Apple’s “Tracker Detect” or Android’s built-in alerts; physically inspect items |
| BlueSnarfing | Update device firmware; use Non-discoverable mode |
Practical Steps for Users
- Disable Bluetooth when not actively using it. On most platforms this takes two taps in the control center.
- Keep all firmware updated — phones, laptops, headphones, and especially vehicles.
- Reject unexpected pairing requests. If you didn’t initiate a pairing, deny it.
- Use Non-discoverable mode on devices that don’t need to be found by new devices.
- Check your surroundings — Bluetooth attacks require physical proximity (typically under 100 meters for standard adapters, less in practice).
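On a Linux host, the "non-discoverable" and "reject pairing" steps above are visible in the output of `bluetoothctl show`. The script below, an added example and not code from the article or from BlueZ, parses that output and reports which of the steps are not yet applied; the sample output it ships with is constructed and the controller address in it is made up:

```python
"""Audit a Linux Bluetooth controller's exposure from `bluetoothctl show` output.

Added example, not from the article or from BlueZ. The parser reads only the
'Key: value' lines that `bluetoothctl show` prints; the sample output below is
constructed and the controller address in it is made up.
"""
import subprocess
from typing import Dict, List


def parse_show(text: str) -> Dict[str, str]:
    """Turn the output of `bluetoothctl show` into a flat dict of settings."""
    info: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Controller "):
            info["Controller"] = line.split()[1]      # 'Controller <addr> (public)'
        elif ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def audit(info: Dict[str, str]) -> List[str]:
    """Map the controller state onto the hardening steps in this section."""
    findings = []
    if info.get("Powered") == "yes":
        findings.append("radio is powered on; turn it off when not in use "
                        "(bluetoothctl power off)")
    if info.get("Discoverable") == "yes":
        findings.append("controller is discoverable; nearby devices can enumerate it "
                        "(bluetoothctl discoverable off)")
    if info.get("Pairable") == "yes":
        findings.append("controller is pairable; it will entertain new pairing requests "
                        "(bluetoothctl pairable off)")
    return findings


def audit_live() -> List[str]:
    """Run the real command on this host (requires BlueZ's bluetoothctl)."""
    out = subprocess.run(["bluetoothctl", "show"], capture_output=True,
                         text=True, check=True).stdout
    return audit(parse_show(out))


# Constructed sample in the shape `bluetoothctl show` prints.
CONSTRUCTED_OUTPUT = """\
Controller 00:11:22:33:44:55 (public)
    Name: laptop
    Alias: laptop
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x000000b4
    Pairable: yes
    UUID: Headset                   (00001108-0000-1000-8000-00805f9b34fb)
    Discovering: no
"""

if __name__ == "__main__":
    for finding in audit(parse_show(CONSTRUCTED_OUTPUT)):
        print("-", finding)
```

`audit_live()` runs the real command and needs BlueZ installed; everything else runs offline against the constructed sample. On a laptop that has been hardened per the steps above, `audit()` should return an empty list while the radio is off.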
Bluetooth vulnerabilities are not theoretical — they are regularly demonstrated at security conferences and increasingly exploited in the wild. The convenience of wireless connectivity comes with a responsibility to keep the underlying protocol implementations current and to minimize exposure when the feature isn’t needed.