One argument I often hear from laypeople is that they don’t like Bluetooth because, at the user level, Bluetooth Pairing is hard.
People who are knowledgeable in Computing understand that every time we create a Bluetooth Pairing, our devices are establishing a communications channel which is as secure as the authors of Bluetooth can make it, due to Advanced Encryption. So we see that there is a potential benefit to this.
For example, in the case of a keyboard which is connected to a tablet – which means that a BT session is underway – it can happen at any time that we type in our password to unlock the tablet, or to unlock any of our accounts on the Internet. That connection could instead be made a generic wireless link which is extremely easy to set up. But then, since we’re always wary of an eavesdropper, the link would be of an ideal format for stealing all our passwords from us through direct exploitation.
But because we’re using Bluetooth, it is in fact an encrypted link. So even if the ones and zeroes that make up a communication were intercepted, the hypothetical eavesdropper would still not be able to exploit them.
And so I can empathize with knowledgeable people who feel that the added difficulty in establishing a Bluetooth Pairing is well worth the effort.
AFAIK, with most of the Bluetooth Protocols, there exists a moment of vulnerability when the devices are paired, during which, if the hypothetical eavesdropper both intercepts the bits and knows the PIN, he can crack the key. But after that, the key that was created when pairing is stored on both sides, and reused on the assumption that the other side ‘knows it’. So as long as such an eavesdropper did not monitor the pairing process, subsequent connections should be secure. This also means, though, that there exists a store of information on each side that could get corrupted.
- Now, the standard is flexible in two extremes. A certain level of specification states that Public Key Infrastructure (PKI) can be used, which would mean that even if the pairing process was intercepted, the communications should be secure. But the main problem with that is my perception that most practical BT implementations don’t do the PKI part.
- And, when it comes to certain types of channels, such as ‘the ticks with which a mouse moves’, those channels are considered to be less critical than, for example, passwords and credit-card numbers. Trying to hack a session by monitoring how the mouse was moved would be a bit like ‘trying to find out where exactly a car drove, by monitoring how the steering wheel was turned back and forth’. In other words, not suitable for direct exploitation. As well, certain types of data-streams piggyback media-streams, which means that the computational overhead for full encryption might be too high to implement, and to implement while conserving battery power.
But by and large, Bluetooth is secure.
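
The difference between the PIN-based pairing and the public-key pairing described above can be shown with a small model. This is an added example, not code from the Bluetooth specification or from this post: HMAC-SHA256 stands in for Bluetooth's own key-derivation functions, the public-key option is modelled as a Diffie-Hellman exchange over a toy group, and all function names and the sample PIN are assumptions.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (assumption: far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def kdf(secret: bytes, *public: bytes) -> bytes:
    """Stand-in key derivation: HMAC-SHA256 keyed by the secret."""
    return hmac.new(secret, b"|".join(public), hashlib.sha256).digest()

def pin_pairing(pin: str):
    """PIN-style pairing: every KDF input except the PIN crosses the air."""
    transcript = [secrets.token_bytes(16), secrets.token_bytes(16)]  # nonces
    link_key = kdf(pin.encode(), *transcript)
    return link_key, transcript

def dh_pairing():
    """Public-key pairing: only G^a and G^b cross the air."""
    a = secrets.randbelow(P - 3) + 2   # private exponents, never transmitted
    b = secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    transcript = [pub_a.to_bytes(16, "big"), pub_b.to_bytes(16, "big")]
    key_a = kdf(pow(pub_b, a, P).to_bytes(16, "big"), *transcript)
    key_b = kdf(pow(pub_a, b, P).to_bytes(16, "big"), *transcript)
    return key_a, key_b, transcript

def observer_key(transcript, known_secret: bytes) -> bytes:
    """What a passive listener can compute from captured pairing traffic."""
    return kdf(known_secret, *transcript)

def demo():
    pin = "0000"  # constructed sample PIN
    link_key, seen = pin_pairing(pin)
    # Listener captured the pairing and knows the PIN: the key is reproduced.
    pin_recovered = observer_key(seen, pin.encode()) == link_key
    key_a, key_b, seen_dh = dh_pairing()
    # Listener holds both public values but neither private exponent; this
    # only checks that no transmitted value is itself the KDF secret.
    dh_recovered = any(observer_key(seen_dh, pub) == key_a for pub in seen_dh)
    return pin_recovered, key_a == key_b, dh_recovered

if __name__ == "__main__":
    print(demo())
```

In the PIN model the stored link key is only as secret as the PIN and the privacy of the pairing moment, which is why pairing away from possible listeners matters when a device offers nothing stronger.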