Bluetooth is the invisible glue that binds devices together. Which means that when it has bugs, it affects everything from iPhones and Android devices to scooters and even physical authentication keys used to secure other accounts. The order of magnitude can be stunning: The BlueBorne flaw, first disclosed in September 2017, impacted 5 billion PCs, phones, and IoT units.

As with any computing standard, there's always the possibility of vulnerabilities in the actual code of the Bluetooth protocol itself, or in its lighter-weight sibling Bluetooth Low Energy. But security researchers say that the big reason Bluetooth bugs come up has more to do with sheer scale of the written standard—development of which is facilitated by the consortium known as the Bluetooth Special Interest Group. Bluetooth offers so many options for deployment that developers don't necessarily have full mastery of the available choices, which can result in faulty implementations.

"One major reason Bluetooth is involved in so many cases is just how complex this protocol is," says Ben Seri, one of the researchers who discovered BlueBorne and vice president of research at the embedded device security firm Armis. "When you look at the Bluetooth standard it’s like 3,000 pages long—if you compare that to other wireless protocols like Wi-Fi, for example, Bluetooth is like 10 times longer. The Bluetooth SIG tried to do something very comprehensive that fits to many various needs, but the complexity means it’s really hard to know how you should use it if you’re a manufacturer."

Long in the tooth

Bluetooth, as you probably know from your portable speaker, wireless keyboard, or toothbrush, allows two proximal devices to connect to each other over the air. The pairing can last however long both devices are in use, as with a fitness tracker and smartphone. Or it can be temporary, a way of setting a device up or authenticating a user. Bluetooth Low Energy is a condensed version of the protocol for devices that have limited computing and power resources.

"All of the details are buried in hundreds of pages of unreadable specifications." Matthew Green, Johns Hopkins University

Fundamentally, both Bluetooth and BLE open up a channel for two devices to communicate—an extremely useful arrangement, but one that also opens the door for dangerous interactions. Without strong cryptographic authentication checks, malicious third parties can use Bluetooth and BLE to connect to a device they shouldn't have access to, or trick targets into thinking their rogue device is a trusted one.

"The standard often describes a topic in a scattered way," says Syed Rafiul Hussain, a security engineering researcher at Purdue University. "And it often leaves the complex interactions of the protocol to the manufacturers, which is another source of vulnerability."

Ken Kolderup, vice president of marketing at the Bluetooth SIG, says that the group is very aware of the challenge and importance of training developers to get a handle on Bluetooth's massive scope. He says the documentation is so extensive because the protocol doesn't only define a radio frequency layer for Bluetooth, but also has components at every layer of tech, from hardware up through applications, to guarantee interoperability between Bluetooth devices.

"Bluetooth isn't just wireless audio streaming anymore. There's low power data transfer, mesh network; it’s a very broadened scope," Kolderup adds. "But security is obviously very important. The standard offers operational modes for everything from no security all the way up to 128 AES encryption or 'secure connections only' mode. We've put into it as much as the community has asked for."

A recent example, though, helps illustrate how the process can break down. In February, researchers from the security firm McAfee reported Bluetooth Low Energy misconfiguration issues in a smart padlock known as BoxLock. The device had been designed to use a Bluetooth Low Energy configuration called "Just Works Mode," which lets devices pair without any passwords or other cryptographic protections. As a result, McAfee researchers could connect to any lock, analyze the device's BLE commands, and discern which gave the unlock order. Further, BoxLock had configured this command to be in read-write mode, so once the attackers knew what to target, they could initiate an unlock. BoxLock has since patched the vulnerabilities.
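To make the BoxLock failure mode concrete, here is a small Python model, added as an illustration and not code from the article, McAfee, or BoxLock. It encodes two things a BLE GATT server actually does: the link security level a pairing method yields (LE Security Mode 1, levels 1 to 4, as defined in the Bluetooth Core Specification) and the per-characteristic permission check a write must pass. The GATT tables, characteristic names and the audit rule are constructed for this example; the real BoxLock layout is not on the page.

```python
"""Model of how BLE link security level gates GATT writes.

Added illustration, not BoxLock's or McAfee's code. It models the Core
Specification's LE security levels and a GATT server's per-characteristic
write check, so the "Just Works plus writable unlock characteristic"
misconfiguration can be compared with a hardened layout. The GATT tables,
names and the audit rule below are constructed for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class SecurityLevel(IntEnum):
    """LE Security Mode 1 levels (Bluetooth Core Specification)."""
    NONE = 1                 # link not encrypted
    UNAUTHENTICATED = 2      # encrypted, but pairing gave no MITM protection
    AUTHENTICATED = 3        # encrypted, authenticated legacy pairing
    SECURE_CONNECTIONS = 4   # authenticated LE Secure Connections pairing


def level_after_pairing(method: str, secure_connections: bool) -> SecurityLevel:
    """Security level a link reaches for a given association model.

    Just Works never yields MITM protection: the link is encrypted but the
    peer is unauthenticated (level 2), whether or not LE Secure Connections
    is used. Numeric Comparison only exists with LE Secure Connections.
    """
    if method == "just_works":
        return SecurityLevel.UNAUTHENTICATED
    if method == "numeric_comparison" and not secure_connections:
        raise ValueError("numeric comparison requires LE Secure Connections")
    if method in ("passkey", "numeric_comparison", "oob"):
        return (SecurityLevel.SECURE_CONNECTIONS if secure_connections
                else SecurityLevel.AUTHENTICATED)
    raise ValueError(f"unknown pairing method: {method}")


@dataclass(frozen=True)
class Characteristic:
    """One GATT characteristic with its write permission (constructed model)."""
    name: str
    writable: bool
    required_level: SecurityLevel   # minimum link level for a write to be accepted


def write_allowed(char: Characteristic, link_level: SecurityLevel) -> bool:
    """GATT server check: the write succeeds only if the link is at least as
    secure as the characteristic's write permission demands."""
    return char.writable and link_level >= char.required_level


def audit(table: list[Characteristic], sensitive: set[str]) -> list[str]:
    """Configuration lint: list sensitive, writable characteristics that would
    accept a write over a link whose pairing gave no MITM protection."""
    return [c.name for c in table
            if c.name in sensitive and c.writable
            and c.required_level <= SecurityLevel.UNAUTHENTICATED]


# Constructed GATT layouts: the weak one mirrors the article's description
# (unlock command writable with no authentication requirement).
WEAK_TABLE = [
    Characteristic("battery_level", writable=False, required_level=SecurityLevel.NONE),
    Characteristic("unlock", writable=True, required_level=SecurityLevel.NONE),
]
HARDENED_TABLE = [
    Characteristic("battery_level", writable=False, required_level=SecurityLevel.NONE),
    Characteristic("unlock", writable=True,
                   required_level=SecurityLevel.SECURE_CONNECTIONS),
]
SENSITIVE = {"unlock"}


def demo() -> dict:
    """Compare a Just Works link against a passkey-paired link on both tables."""
    just_works = level_after_pairing("just_works", secure_connections=True)
    passkey = level_after_pairing("passkey", secure_connections=True)
    return {
        "weak_unlock_over_just_works": write_allowed(WEAK_TABLE[1], just_works),
        "hardened_unlock_over_just_works": write_allowed(HARDENED_TABLE[1], just_works),
        "hardened_unlock_over_passkey": write_allowed(HARDENED_TABLE[1], passkey),
        "weak_audit": audit(WEAK_TABLE, SENSITIVE),
        "hardened_audit": audit(HARDENED_TABLE, SENSITIVE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that the pairing mode and the characteristic permission are two separate settings, and the lock is only as strong as the weaker of the two: a Just Works link never rises above level 2, so marking the unlock characteristic as requiring authenticated encryption is what turns an unauthenticated connection's write into a rejection. The `audit` function is the kind of check a firmware review can run over a GATT table before shipping.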