Are Bluetooth Headsets Secure in the Era of Remote Work?

ByStefan Karg

Since the onset of the COVID-19 pandemic, the world has seen a significant shift towards remote working. This shift has led to an increase in virtual meetings and, as a result, the use of Bluetooth headsets for convenience. But one question arises – are these Bluetooth headsets secure?

Man in Black Suit Jacket While Wearing White Headphones

To understand the security of a typical modern Bluetooth headset, let’s look at the three stages of a Bluetooth connection.

Pairing

Let’s begin with your new headset. After unboxing it, you may wonder why you have to pair it with your device.

Since headsets usually lack displays and keyboards, you cannot enter a PIN or compare numbers to pair. Instead, you can usually put your device in pairing mode by pressing a button, which will make it visible to your computer or smartphone.

The objective of pairing is to establish a relationship between two devices, namely your headset and your computer. This relationship enables the authentication (= is it really my headset my computer is talking to?) of the device when you reconnect.

The pairing process derives a link key using the ECDH (Elliptic-curve Diffie–Hellman) protocol, which involves a public/private-key pair on each device.

The reason for the use of the ECDH protocol is that the link key is never transmitted over the wireless link, whether unencrypted or encrypted. The mathematics behind the ECDH protocol enable both devices to derive the same link key securely, even if the channel is being eavesdropped. For more information, refer to Elliptic-curve Diffie–Hellman – Wikipedia

Pairing process: Derivation of a link key

After pairing, both devices store the link key and can now establish encrypted connections.

Authentication

Each time a connection is established between the headset and the computer, an authentication process occurs.

The purpose of authentication is to prove that both devices possess the same link key, indicating that they have been paired before.

To verify possession of the link key, a challenge-response mechanism is used. I’ll explain it in a simplified way – the full technical process can be found in the NIST guideline.

  1. Both devices A and B generate random values.
  2. A sends its random value to B.
  3. B encrypts the random value of A using the link key and sends it back to device A.
  4. Device A also encrypts its own random value with the link key and compares, if it’s the same result as sent back from device B.
  5. B sends its random value to A and the same steps are being repeated.

After this process, both devices will know that they possess the link key and can establish the connection.

Encryption of the connection

To enhance the difficulty for an attacker to decrypt the data exchanged between devices, such as the audio data stream in our case, a unique encryption key is used instead of the link key. This encryption key is valid for a single session and will differ for subsequent connections.

The encryption key is derived from the link key and an additional value (ACO), which is based on the random values exchanged during the authentication process.

The audio data stream, including both the input from the microphone and the output to the headphones, is then encrypted using this encryption key.

For modern Bluetooth headsets (using Bluetooth version 4.1 or later), the encryption algorithm used is AES-CCM.

Which factors influence bluetooth security?

Bluetooth security depends on three factors:

  1. the security of the Bluetooth specification
  2. the implementation of the Bluetooth stack in your devices (headset and computer/smartphone)
  3. the Bluetooth version used and the security-related mode/level selected by the manufacturer of your headset

The first factor is beyond your control when choosing between different devices. Any flaws found in the Bluetooth specification must be addressed at the specification level and then implemented in either new devices or by upgrading existing ones, provided that your device manufacturer supports it. Generally, products based on newer versions of the Bluetooth specification are more secure than products based on older versions, e.g. by supporting modern encryption algorithms such as AES-CCM. Therefore use a Bluetooth headset supporting at least Bluetooth version 4.1.

The strength of the second factor depends on the Bluetooth stack used by your device manufacturer. If you have the opportunity to research before purchasing a new headset, it is worth checking if the manufacturer has published any security information, such as past vulnerabilities. Based on the information about past vulnerabilities, you can determine how the manufacturer deals with known vulnerabilities in the Bluetooth stack. An example of such a vulnerability in the past that affected many devices is NVD – CVE-2019-9506 (nist.gov).

To ensure state-of-the-art security standards, it is important not to use outdated Bluetooth devices due to known vulnerabilities in their Bluetooth stack implementations and the use of outdated Bluetooth versions and/or modes. Both your devices (headset, computer/smartphone) should use Bluetooth version 4.1 or higher.

The NIST guidelines for Bluetooth security state that these devices can use Mode 4 Level 4, which provides encryption on the service level, requires encryption, and uses FIPS-approved algorithms. For more information, refer to chapter 3.1 of SP 800-121 Rev. 2, Guide to Bluetooth Security, see SP 800-121 Rev. 2, Guide to Bluetooth Security | CSRC (nist.gov).

REcommendations in a nutshell

So – how can you maximize the security of your Bluetooth headset?

  • Update your devices – both computer/smartphone and headset
  • Pair your headset in a secure location to prevent a man-in-the-middle attack during pairing: non-public area, indoors, away from windows (see NIST recommendation in SP 800-121 Rev. 2, Guide to Bluetooth Security | CSRC (nist.gov).
  • Retire devices using a Bluetooth version older than 4.1. Have a look at the datasheet to find this information.
  • Choose a trustworthy manufacturer and research security awareness of manufacturer

Sources

This article is based on technical information provided in the NIST SP 800-121 Rev. 2 Guide to Bluetooth Security, which was last updated in January 2022. The publication can be found here:

SP 800-121 Rev. 2, Guide to Bluetooth Security | CSRC (nist.gov)

Similar Posts

Rail security standards

ByStefan Karg

In this post, I delve into the most relevant standards that secure our railway systems. Using Europe and Germany as a case study for the local and national level of standards, the following infographics provides a comprehensive overview of the most relevant standards helping to increase security on the tracks. 📄 Download infographics as pdf:…

CVE-2024-3094: xz-utils backdoor

ByStefan Karg

The newly discovered xz-utils backdoor, which was published yesterday (NVD – CVE-2024-3094 (nist.gov)) also affects one of the Linux distributions most used by penetration testers: Kali Linux. ❗Make sure, that you are updating your Kali installations as fast as possible, especially when you updated them before in the time frame between 26.03.2024 and 29.03.2024. 💡For…

From a theoretical scenario to dangerous reality

ByStefan Karg

Since February 2022, cybersecurity threats to railways in the European Union have changed fundamentally: nation-state actors are no longer a theoretical possibility, but a dangerous reality. Russia is trying to sabotage European railways, warns Prague 💡 We therefore need to increase the resilience of the railway system against attacks by very capable attackers with access…

Next conference: Nürnberg

ByStefan Karg

Today I’ve registered for attending the “CNA Forum Bahn+BahnTechnik 2024” conference with the title “Unlocking the opportunities of railtech” CNA Forum Bahntechnik | CNA – Center for transportation & logistics Neuer Adler e.V. (c-na.de) My personal focus for the conference will be the topics around the digitalisation of the railways and how to develop the…